Details
Alert ID 40025
Alert Type Active
Status beta
Risk Medium
CWE 200
WASC 45
Technologies Targeted All
Tags OWASP_2017_A06
OWASP_2021_A05
More Info Scan Rule Help

Summary

Solution

Disable the 'TRACE' method on the proxy servers as well as on the origin web/application server. Disable the 'OPTIONS' method on the proxy servers and on the origin web/application server if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing). Configure the web and application servers with custom error pages, so that 'fingerprintable', product-specific error pages are not leaked to the user when an HTTP error occurs, such as a 'TRACK' request for a non-existent page. Configure all proxies, application servers, and web servers to prevent disclosure of technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.
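As an added illustration (not part of the ZAP scan rule or its documentation), the following Apache httpd configuration fragment applies each point of the solution above to one server tier; the same settings are needed on every proxy in front of it. It assumes mod_headers is loaded and uses placeholder paths for the custom error pages.

```apache
# Added example, not from the ZAP project. Assumes mod_headers is loaded;
# the /errors/ paths are placeholders for your own static error pages.

# 1. Refuse TRACE (and therefore TRACK-style probes) at this tier.
#    Apply the equivalent setting on each reverse proxy as well.
TraceEnable off

# 2. Reject OPTIONS unless a path genuinely needs it for CORS preflight.
#    Where a path does need it, add OPTIONS to that path's LimitExcept list
#    instead of re-enabling it server-wide.
<Location "/">
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Location>

# 3. Custom error pages, so a request for a non-existent page (or a
#    rejected method) returns a neutral page instead of the product default.
ErrorDocument 404 /errors/404.html
ErrorDocument 405 /errors/405.html
ErrorDocument 500 /errors/500.html

# 4. Stop product and version disclosure in response headers.
#    'Prod' reduces the Server header to the bare product name.
ServerTokens Prod
ServerSignature Off
# Strip X-Powered-By whether it comes from a module (e.g. PHP) or from a
# proxied backend; 'always' also covers error responses.
Header unset X-Powered-By
Header always unset X-Powered-By
```

Re-run the Proxy Disclosure rule afterwards: if any tier still reports a distinct 'Server' header or a product-specific error page for TRACE/OPTIONS, that tier has not picked up the equivalent settings.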

Other Info

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java