The ZAP scanner discovered proxy-like behavior through which an attacker may access arbitrary content on the Web. This can cause an unwitting victim to be directed at malicious content, or may enable an attacker to carry out a remote file inclusion attack (whereby a web application is tricked into incorporating remote, malicious content through a file include operation). An example URL:
https://staging.njcoast.us/proxy/?url=http%3A%2F%2Fwww.google.com%2F
It is recommended that this proxy behavior be carefully restricted. For example, a white-list approach (in which only pre-screened URLs are accepted for proxying) may be very effective. Other options are possible; the best solution depends on the Web application's needs.
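One way to implement the white-list approach recommended above, as an added example rather than the site's own code: the `url` query parameter of a `/proxy/?url=...` endpoint is parsed and only pre-screened hosts over HTTPS on the default port are accepted. The host names and the `check_proxy_request` function are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list for illustration; a real list would hold only the
# specific upstream hosts the application actually needs to proxy.
ALLOWED_HOSTS = {"tiles.example.org", "data.example.org"}
ALLOWED_SCHEMES = {"https"}


def is_allowed_proxy_target(raw_url: str) -> bool:
    """Return True only if raw_url points at a pre-screened host over HTTPS."""
    try:
        parts = urlsplit(raw_url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Reject "allowed.host@evil.host" style URLs: the real host follows '@'.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname          # already lower-cased by urlsplit
    if host is None or host not in ALLOWED_HOSTS:
        return False
    # Only the default HTTPS port, so the proxy cannot reach other services
    # that happen to run on an allowed host.
    if port not in (None, 443):
        return False
    return True


def check_proxy_request(query_string: str) -> str:
    """Decide a /proxy/?url=... request: 'allow' the fetch or 'deny' it.

    The fetch itself (not shown) should also refuse to follow redirects,
    or re-run this check on every redirect target, since an allowed host
    could otherwise bounce the proxy to an arbitrary URL.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    targets = params.get("url", [])
    if len(targets) != 1:          # missing or repeated parameter
        return "deny"
    return "allow" if is_allowed_proxy_target(targets[0]) else "deny"
```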
Please see the ZAP report for detailed findings:
https://baldin.crc.nd.edu/CRC-Restricted/ScanResults/CyberEye-NJ/2018/ZAP_CyberEye-NJ_2-21-18.html
Original Ticket in Redmine: https://redmine.crc.nd.edu/redmine/issues/9584