
We use Security Metrics for our PCI compliance scans. Haven't had any issues in the past but our most recent scan said we failed due to "HTTP Reverse Proxy Detection". I'm guessing this has to do with either static assets or the way heroku routes behind the scenes. Either way I'm not really sure where to go. Did some searching and I can't find anything. Heroku support has been useless.

We are using Rails 4 on Ruby 2. Below are the full reported errors from Security Metrics. Any help would be appreciated.

TCP 443 https 5.8
Description: HTTP Reverse Proxy Detection
Synopsis: A transparent or reverse HTTP proxy is running on this port.
Impact: This web server is reachable through a reverse HTTP proxy.
Data Received: The GET method revealed those proxies on the way to this web server : HTTP/1.1 vegur
Resolution: n/a
Risk Factor: Medium / CVSS2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVE: CVE-2004-2320
Additional CVEs: CVE-2007-3008 CVE-2005-3498 CVE-2005-3398

TCP 80 http 5.8
Description: HTTP Reverse Proxy Detection
Synopsis: A transparent or reverse HTTP proxy is running on this port.
Impact: This web server is reachable through a reverse HTTP proxy.
Data Received: The GET method revealed those proxies on the way to this web server : HTTP/1.1 vegur
Resolution: n/a
Risk Factor: Medium / CVSS2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVE: CVE-2004-2320
Additional CVEs: CVE-2007-3008 CVE-2005-3498 CVE-2005-3398

Adam

1 Answer

Please read the referenced CVE bulletins.

The risk basically boils down to: "the HTTP TRACE method is enabled".

Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method.

source: CERT

To resolve that you simply need to disable the HTTP TRACE method.

For Heroku see for instance: https://stackoverflow.com/questions/17473760/disabled-http-methods-on-heroku

HBruijn
  • Thanks for the response. I disabled TRACE as shown in the linked article and reran the scan which failed again due to the same error. Any other thoughts? – Adam Nov 01 '14 at 21:25
  • I know this is late to the party, but I was in the same boat. I just called them up, sent them some info about heroku router and reverse proxy, and let them know I had blocked TRACE on the application layer, and they are now in the process as marking it as a false positive. Will update if it goes through. – rovermicrover Jun 09 '16 at 16:18
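An added example, not code from the question, the answer or Heroku: a Rack middleware that refuses HTTP TRACE before a request reaches the Rails app (the fix the answer recommends), plus a small parser for the Via response header, which is what the scanner's "HTTP/1.1 vegur" line is a rendering of. It assumes only the Rack calling convention (env hash in, [status, headers, body] out) so it runs without any gems; the class name BlockTrace, the stand-in EchoApp and the sample header value are my own choices. The two parts together show why the comments above report the finding surviving the TRACE block: TRACE is handled inside the app, while the Via header is added by the router in front of it and is what the detection keys on.

```ruby
# Rack middleware that rejects TRACE (and the legacy Microsoft alias TRACK)
# with 405 Method Not Allowed. Assumption: standard Rack env keys.
class BlockTrace
  BLOCKED = %w[TRACE TRACK].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    method = env["REQUEST_METHOD"].to_s.upcase
    if BLOCKED.include?(method)
      # 405 is the right status for "known method, not permitted here";
      # the Allow header tells the client what is permitted.
      body = "Method Not Allowed\n"
      return [405,
              { "Content-Type"   => "text/plain",
                "Content-Length" => body.bytesize.to_s,
                "Allow"          => "GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS" },
              [body]]
    end
    @app.call(env)
  end
end

# Stand-in for the Rails application (hypothetical): echoes the method so
# that pass-through of non-blocked requests is visible.
EchoApp = lambda do |env|
  [200, { "Content-Type" => "text/plain" }, ["handled #{env['REQUEST_METHOD']}\n"]]
end

STACK = BlockTrace.new(EchoApp)

# Drives the stack with a minimal Rack env, as a test client would.
def request(method, path = "/")
  STACK.call("REQUEST_METHOD" => method, "PATH_INFO" => path)
end

# Parses a Via header (RFC 7230 section 5.7.1) into
# [[protocol_version, received_by], ...]. A hop is "1.1 vegur" or
# "HTTP/1.1 vegur", optionally followed by a comment that is ignored.
# "HTTP/1.1 vegur" in the scan output is this header, printed by the scanner.
def proxies_from_via(via)
  return [] if via.nil? || via.strip.empty?
  via.split(",").map do |hop|
    parts = hop.strip.split(/\s+/)
    version = parts[0]
    version = "HTTP/#{version}" unless version.include?("/")
    [version, parts[1]]
  end
end

if __FILE__ == $PROGRAM_NAME
  status, headers, _ = request("TRACE")
  puts "TRACE -> #{status}, Allow: #{headers['Allow']}"
  status, _, body = request("GET")
  puts "GET   -> #{status}, #{body.join}"
  # Constructed header value, in the form a router in front of the app sends.
  p proxies_from_via("1.1 vegur")
end
```

In a Rails 4 app the middleware is loaded first in the stack with config.middleware.insert_before 0, BlockTrace in config/application.rb (with the class required from lib/). Verify with curl -i -X TRACE https://your-app/ that the answer is 405 and not an echo of the request; then note that the same curl still shows the Via header, since it is set by the router and not by anything the app controls.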