MichelePalese-2504 asked

Azure Application Gateway Proxy Disclosure

The Azure Application Gateway WAF V2 is vulnerable to Sensitive Data Exposure, because it responds with a Server header equal to Microsoft-Azure-Application-Gateway/v2 if it is invoked with the HTTP TRACE method and the Max-Forwards header set to 0. This information helps a potential attacker to determine:
- A list of targets for an attack against the application.
- Potential vulnerabilities on the proxy servers that service the application.
- The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.

as described in OWASP.

Is there any way to avoid this and thus be OWASP compliant?

Tags: azure-application-gateway, azure-web-application-firewall

1 Answer

TravisCragg-MSFT answered

It is possible to remove this header from Application Gateway responses using Header ReWrites.

If the 'Server' header is the one you would like to remove, create a rewrite action that removes that header:

[image: screenshot of a rewrite rule with a "Delete" action on the Server response header]

Is this solution really working? I tried to use a Rewrite rule to either set the Server response header to 'Unknown' or to remove it (as suggested here) and it works for all HTTP methods but not for the TRACE method (which is the method that will typically be fired by a hacker or during a penetration test session).
See also https://stackoverflow.com/questions/64647900/rewrite-rules-defined-on-azure-application-gateway-does-not-seem-to-work-on-trac


This solution doesn't work with TRACE.
I also tried to block the TRACE method, but it doesn't work that way either.

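A small compliance check for the situation described in the answer and the follow-up comments: it sends each method with Max-Forwards: 0 to a gateway you operate and reports per method whether a Server header still comes back, so a rewrite rule that covers GET but not TRACE shows up immediately. This is an added example, not code from the thread or from Microsoft; the host name is a placeholder and the sample header lists are constructed.

```python
"""Verify that a Server-header rewrite on an Application Gateway front end
holds for every HTTP method, including TRACE (added example, not from the
original thread; host is a placeholder you replace with your own gateway)."""
import http.client
import ssl

METHODS = ("GET", "HEAD", "OPTIONS", "POST", "TRACE")

def server_header_value(headers):
    """Return the Server header value if present (case-insensitive), else None."""
    for name, value in headers:
        if name.lower() == "server":
            return value
    return None

def probe(host, method, path="/", timeout=5):
    """Send one request with Max-Forwards: 0, so that a proxy on the path
    answers itself instead of forwarding, and return (status, header list)."""
    conn = http.client.HTTPSConnection(host, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request(method, path, headers={"Max-Forwards": "0"})
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()

def audit(host, methods=METHODS):
    """Map each method to the Server value it received (None when the header
    was removed, or an error string when the request failed)."""
    results = {}
    for method in methods:
        try:
            _status, headers = probe(host, method)
            results[method] = server_header_value(headers)
        except (OSError, http.client.HTTPException) as exc:
            results[method] = f"error: {exc}"
    return results

def leaking_methods(results):
    """Methods whose response still carried a Server header (errors excluded)."""
    return sorted(m for m, v in results.items()
                  if v is not None and not str(v).startswith("error:"))

# Constructed sample header lists standing in for two live responses.
SAMPLE_GET = [("Content-Type", "text/html"), ("Date", "Mon, 01 Jan 2024 00:00:00 GMT")]
SAMPLE_TRACE = [("Server", "Microsoft-Azure-Application-Gateway/v2"), ("Content-Length", "0")]

if __name__ == "__main__":
    for method, value in audit("appgw.example.invalid").items():  # placeholder host
        print(f"{method:8} Server: {value}")
```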