Technical information leak - Scala

Need

Protection of sensitive technical information from unauthorized access or disclosure

Context

  • Usage of Scala 2.13.3 for building scalable and high-performance applications
  • Usage of play.api.mvc for handling HTTP requests and responses in Play Framework
  • Usage of HTTP/1.1 protocol in the play.api.http.HttpProtocol module

Description

Non compliant code

import javax.inject._
import play.api.mvc._
import play.api.http.HttpProtocol.HTTP_1_1

class HomeController @Inject()(cc: ControllerComponents) extends AbstractController(cc) {

  // Deliberately leaky: every response advertises the exact framework and language versions
  def index() = Action { implicit request: Request[AnyContent] =>
    Ok("Welcome to the Home Page").withHeaders(
      "Server" -> "Play Framework 2.8.7",
      "X-Powered-By" -> "Scala 2.13.3"
    )
  }
}

The Scala snippet above defines a Play Framework controller, HomeController, whose index() action returns a welcome message.

Along with the body, the action sets two response headers that disclose the technology stack: Server reveals the exact Play Framework release (2.8.7) and X-Powered-By reveals the exact Scala release (2.13.3).

This is a technical information leak. Exact version strings let an attacker skip fingerprinting, match the deployment against published advisories for those specific releases, and choose exploits or misconfiguration checks that apply to them instead of probing blindly.

Even a bare product name narrows the attack surface an adversary has to consider, so production responses should avoid announcing the underlying technologies at all.

Steps

  • Remove the Server header, or at minimum strip the Play Framework version from it.
  • Remove the X-Powered-By header, or at minimum strip the Scala version from it.
  • Prefer not sending technology-disclosing headers at all, and enforce that centrally (for example in a filter) rather than in each controller.
  • Verify from the client side (for example with curl -sI against the deployed host) that neither header reaches clients, since the HTTP backend or a reverse proxy in front of the application may add its own Server header.
  • Keep Play Framework and Scala up to date; hiding a version does not fix the vulnerabilities that version carries.

Compliant code

import javax.inject._
import play.api.mvc._
import play.api.http.HttpProtocol.HTTP_1_1

class HomeController @Inject()(cc: ControllerComponents) extends AbstractController(cc) {

  // Version numbers removed; a stricter fix omits these two headers entirely
  def index() = Action { implicit request: Request[AnyContent] =>
    Ok("Welcome to the Home Page").withHeaders(
      "Server" -> "Play Framework",
      "X-Powered-By" -> "Scala"
    )
  }
}

The updated code drops the version numbers from both headers, so a response no longer tells an attacker which Play Framework or Scala release is running, nor which published advisories to consult against it.

The Server header now reads "Play Framework" instead of "Play Framework 2.8.7", and X-Powered-By now reads "Scala" instead of "Scala 2.13.3".

Even the product names are more than a client needs. The stronger fix is to not set these headers at all, and to enforce that in one place rather than relying on every controller to remember it. Confirm the result with a client-side request, because the HTTP backend or a reverse proxy in front of the application can add a Server header of its own after the controller has produced its response.

Hiding versions is not a substitute for patching. Keep Play Framework and Scala current so that the vulnerabilities an attacker might guess at are already fixed, whether or not the version is visible.
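One way to enforce that centrally, as an added example that is not code from the original page or from the Play project: a Play filter that removes the Server and X-Powered-By headers from every response before it leaves the application. The class name, package and the `blocked` set are assumptions; it relies on Play's standard `Filter` trait and the `play.filters.enabled` configuration list.

```scala
// Added example (not from the original page): strips technology-disclosing
// headers from every response so no controller can leak them by accident.
// Package, class name and the blocked set are assumptions for this example.
package filters

import javax.inject._
import scala.concurrent.{ExecutionContext, Future}
import akka.stream.Materializer
import play.api.mvc._

@Singleton
class StripTechHeadersFilter @Inject()(implicit val mat: Materializer, ec: ExecutionContext)
    extends Filter {

  // Header names to drop, compared case-insensitively. Extend the set if this
  // app fronts other stacks that announce themselves (assumed list).
  private val blocked: Set[String] = Set("server", "x-powered-by")

  override def apply(next: RequestHeader => Future[Result])(rh: RequestHeader): Future[Result] =
    next(rh).map { result =>
      // Keep every header except the blocked ones, then rebuild the response header
      val kept = result.header.headers.filterNot { case (name, _) => blocked(name.toLowerCase) }
      result.copy(header = result.header.copy(headers = kept))
    }
}

// Registration, in conf/application.conf (assumed file location):
//   play.filters.enabled += "filters.StripTechHeadersFilter"
```

With the filter enabled, the withHeaders calls in the controllers above become harmless, since the headers are removed before the response is written. The filter only sees what the application produces: a Server header added by the HTTP backend or by a reverse proxy is written later, so check the headers a real client receives (for example with curl -sI) rather than only the controller's Result.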

References