
The ZAP scan report indicates that 2 proxy servers were detected or fingerprinted. It says it used both the GET and POST methods against our URL, with attacks of TRACE, OPTIONS with a Max-Forwards header, and the TRACK method. We had already removed unnecessary headers such as Server and X-Powered-By, as well as the ASP.NET version header in the responses, via web.config changes or code changes, but we are still seeing this. Furthermore, the URL mentioned only allows GET or POST, not the TRACE, OPTIONS, or TRACK methods. We even have the following in our web.config to prevent those verbs:

  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true">
        <verbs allowUnlisted="true">
          <add verb="OPTIONS" allowed="false" />
          <add verb="TRACK" allowed="false" />
          <add verb="TRACE" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
    <httpErrors errorMode="Custom">
      <remove statusCode="404" />
      <error statusCode="404" path="NotFound.html" responseMode="File" />
      <remove statusCode="500" />
      <error statusCode="500" path="Error.html" responseMode="File" />
    </httpErrors>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

So how can we get past this issue or is there anything else we could do to prevent this? Thanks

user1368182
  • https://stackoverflow.com/questions/61485025/remove-response-server-header-on-azure-web-app-from-the-first-redirect-request-t/61494122#61494122 – Jason Pan Jun 11 '20 at 06:27
  • You can try my solution first to see if it meets your needs. I have tried it myself before. – Jason Pan Jun 11 '20 at 06:28
  • So we are also already removing the Server header via an HTTP module on PreSendRequestHeaders as well. And we have the HTTPS Only setting on the site in Azure turned on as well. I can see in the responses that the Server header is not being returned, nor is X-Powered-By (which is what we want). Also, if you were to send a request to any URL on our site with an OPTIONS, TRACK, or TRACE, it responds with a 404 because those routes cannot be found with those verbs, only GET or POST - so those are not being allowed either. I can't figure out how a second proxy server is being detected either. – user1368182 Jun 11 '20 at 14:03
  • So you have removed response headers, right? – Jason Pan Jun 11 '20 at 14:06
  • You want to prevent `TRACE, OPTIONS, or TRACK` methods now? – Jason Pan Jun 11 '20 at 14:08
  • Yeah, I already had the site set up to remove those response headers, as well as already preventing the TRACE, OPTIONS, or TRACK methods via the web.config. So we were already doing all that. Everything seems to be working fine as expected, yet we still got this result in a scan indicating that there were two servers detected using TRACE, OPTIONS, and TRACK, one called Unknown and the other Microsoft-IIS/10.0. It also lists that Unknown was identified as the web/application server. – user1368182 Jun 11 '20 at 14:15
  • https://stackoverflow.com/questions/61316149/how-to-remove-server-header-azure-app-service-when-requesting-with-connect-http – Jason Pan Jun 11 '20 at 14:31
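To see what the scanner is reacting to without re-running ZAP, here is an added Python example (not code from the question, the answer, or ZAP itself) that parses one raw HTTP response per probe method, reports any fingerprinting headers still present, flags TRACE/TRACK/OPTIONS replies that were served rather than refused, and collects the distinct Server values seen. The sample responses, the header list and the "Unknown" labelling of a missing Server header are constructed assumptions that approximate the rule described above, not ZAP's own logic.

```python
"""Offline triage of the signals behind ZAP's proxy-disclosure finding.

The rule sends TRACE, TRACK and OPTIONS (with a Max-Forwards header)
and fingerprints every hop that answers. This module parses raw HTTP
responses, reports fingerprinting headers that survived the web.config
changes, flags probe methods that were not refused, and lists the
distinct Server values observed, which is roughly how a report ends up
showing "Unknown" next to "Microsoft-IIS/10.0". All responses below are
constructed samples, not captures from any real site.
"""
from dataclasses import dataclass

# Headers that identify the server stack; 'via' is added by proxies.
# Assumed list, chosen for this example.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                       "x-aspnetmvc-version", "via")
PROBE_METHODS = ("TRACE", "TRACK", "OPTIONS")


@dataclass
class Finding:
    method: str
    status: int
    leaked_headers: dict   # fingerprinting headers present in the reply
    probe_answered: bool   # probe method got a 2xx or was echoed back


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status, headers, body).
    Header names are lower-cased; duplicate names keep the last value."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def assess(method: str, raw: str) -> Finding:
    status, headers, body = parse_response(raw)
    leaked = {h: headers[h] for h in FINGERPRINT_HEADERS if h in headers}
    # A 2xx to TRACE/TRACK/OPTIONS means some hop served the probe instead
    # of rejecting it. A TRACE/TRACK body that echoes the request line is
    # the classic cross-site-tracing signal, so it counts on any status.
    answered_2xx = method in PROBE_METHODS and 200 <= status < 300
    echoed = method in ("TRACE", "TRACK") and body.startswith(method + " ")
    return Finding(method, status, leaked, answered_2xx or echoed)


def distinct_servers(findings) -> list:
    """Server values seen on probe replies; a reply with no Server header
    is recorded as 'Unknown' (assumed labelling, mirroring the report)."""
    return sorted({f.leaked_headers.get("server", "Unknown")
                   for f in findings if f.method in PROBE_METHODS})


def run_checks(samples: dict) -> list:
    return [assess(method, raw) for method, raw in samples.items()]


# Constructed sample responses, one per method, as a curl -i capture
# would look. The TRACE reply deliberately carries a Server header and
# an echoed request so the example has something to flag.
SAMPLES = {
    "GET": ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "X-Frame-Options: SAMEORIGIN\r\n\r\n<html></html>"),
    "OPTIONS": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n",
    "TRACE": ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n"
              "Content-Type: message/http\r\n\r\n"
              "TRACE / HTTP/1.1\r\nHost: example.test\r\n"),
    "TRACK": "HTTP/1.1 404 Not Found\r\n\r\n",
}

if __name__ == "__main__":
    results = run_checks(SAMPLES)
    for f in results:
        print(f"{f.method:8} {f.status}  leaked={f.leaked_headers}  "
              f"probe_answered={f.probe_answered}")
    print("distinct servers:", distinct_servers(results))
```

To use it on a real deployment, replace each SAMPLES entry with the raw `curl -i -X <METHOD>` output for that verb and rerun. If a Server value shows up only on a probe reply while your own GET/POST responses never carry it, that reply did not pass through the module or web.config that strips the header, which narrows the search to whatever sits in front of the app.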

1 Answer


I think you can't solve the problem. I have studied this part, and I also raised a ticket in the portal.

This response is not coming from the server; it is handled by the Azure front end, and it can't remove the specific header.

You don't need to spend time solving this problem; you can also raise a support issue with Microsoft Azure.

Jason Pan