Fix DAST Issue : Proxy Disclosure

[Facetorushikesh]

Scan Date: Wed, 1 May 2024 01:44:12 URLs Impacted:

• https://tuesday-roja-vm-9591.fyre.ibm.com:12443
• https://tuesday-roja-vm-9591.fyre.ibm.com:12443/
• https://tuesday-roja-vm-9591.fyre.ibm.com:12443/assets
• https://tuesday-roja-vm-9591.fyre.ibm.com:12443/assets/index-CwQHAIbY.js
• https://tuesday-roja-vm-9591.fyre.ibm.com:12443/assets/index-MHRXnbQb.css
• https://tuesday-roja-vm-9591.fyre.ibm.com:12443/config.js
• https://tuesday-roja-vm-9591.fyre.ibm.com:12443/favicon.svg
• https://tuesday-roja-vm-9591.fyre.ibm.com:12443/robots.txt
• https://tuesday-roja-vm-9591.fyre.ibm.com:12443/sitemap.xml

DAST Scan Results

CWE ID	Severity	Description	Location	Evidence	Solution
200	Medium	The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.	Method: GET Parameter:		Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server. Disable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing). Configure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages. Configure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.

[Facetorushikesh]

Scan Date: Wed, 1 May 2024 01:44:12 URLs Impacted:

• https://tuesday-roja-vm-9591.fyre.ibm.com:12443
• https://tuesday-roja-vm-9591.fyre.ibm.com:12443/
• https://tuesday-roja-vm-9591.fyre.ibm.com:12443/assets
• https://tuesday-roja-vm-9591.fyre.ibm.com:12443/assets/index-CwQHAIbY.js
• https://tuesday-roja-vm-9591.fyre.ibm.com:12443/assets/index-MHRXnbQb.css
• https://tuesday-roja-vm-9591.fyre.ibm.com:12443/config.js
• https://tuesday-roja-vm-9591.fyre.ibm.com:12443/favicon.svg
• https://tuesday-roja-vm-9591.fyre.ibm.com:12443/robots.txt
• https://tuesday-roja-vm-9591.fyre.ibm.com:12443/sitemap.xml

DAST Scan Results

CWE ID	Severity	Description	Location	Evidence	Solution
200	Medium	The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.	Method: GET Parameter:		Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server. Disable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing). Configure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages. Configure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.