Prevention of unauthorized access to technical information and server configuration details
    import javax.inject._
    import play.api.mvc._

    class HomeController @Inject()(cc: ControllerComponents) extends AbstractController(cc) {
      def index() = Action { implicit request: Request[AnyContent] =>
        // Vulnerable: the response advertises the framework and its exact version
        Ok("Welcome to our application").withHeaders(
          "Server" -> "Play",
          "X-Powered-By" -> "Play Framework 2.8.7",
          "X-Content-Type-Options" -> "nosniff"
        )
      }
    }
The above code is a simple controller in a Scala Play Framework application. The index function is an action that returns a response with the text "Welcome to our application".
The vulnerability lies in the response headers. We are explicitly setting headers that give away technical information about our application:
- "Server" -> "Play": This tells an attacker that the server is running the Play Framework.
- "X-Powered-By" -> "Play Framework 2.8.7": This gives away the specific version of the Play Framework that we are using, which could be exploited if there are known vulnerabilities in that version.
- "X-Content-Type-Options" -> "nosniff": This is a security header that tells browsers not to try to guess the content type of the response and to use only the type given in the Content-Type header. While this is a good security practice, it also gives away information about our server configuration.
These headers make it easier for an attacker to gather information about our application and potentially exploit known vulnerabilities. This is known as an information leak.
    import javax.inject._
    import play.api.mvc._

    class HomeController @Inject()(cc: ControllerComponents) extends AbstractController(cc) {
      def index() = Action { implicit request: Request[AnyContent] =>
        // Fixed: only the protective header remains; no server or framework details are sent
        Ok("Welcome to our application").withHeaders(
          "X-Content-Type-Options" -> "nosniff"
        )
      }
    }
The updated code removes the 'Server' and 'X-Powered-By' headers from the response. These headers were previously disclosing the server and framework information, which could potentially be used by an attacker to exploit known vulnerabilities specific to those versions.
The 'X-Content-Type-Options' header is left in place as it helps to protect against MIME type confusion attacks. It is not disclosing any sensitive information.
In addition to these changes, it is recommended to implement a custom error handler to handle error responses. This can help to avoid leaking technical information in the event of an error. Regularly updating and patching the server components can also help to minimize the risk of information leakage.
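Removing the headers in one controller does not protect the other endpoints of the application. The following filter, an added example that is not part of the original page, strips the 'Server' and 'X-Powered-By' headers from every response at the filter layer; the class name, the package and the header list are assumptions, and header names are compared case-insensitively because HTTP treats them that way.

```scala
package filters

import javax.inject.Inject
import scala.concurrent.{ExecutionContext, Future}
import akka.stream.Materializer
import play.api.mvc.{Filter, RequestHeader, Result}

// Hypothetical filter: removes technology-disclosing headers from all responses.
class StripServerHeadersFilter @Inject()(implicit val mat: Materializer, ec: ExecutionContext)
    extends Filter {

  // Headers that reveal the server software or framework version (assumed list).
  private val disclosingHeaders: Set[String] =
    Set("Server", "X-Powered-By").map(_.toLowerCase)

  def apply(next: RequestHeader => Future[Result])(rh: RequestHeader): Future[Result] =
    next(rh).map(StripServerHeadersFilter.strip)
}

object StripServerHeadersFilter {
  private val disclosing = Set("server", "x-powered-by")

  // Drop the disclosing headers regardless of the letter case a controller used.
  def strip(result: Result): Result = {
    val kept = result.header.headers.filterNot { case (name, _) =>
      disclosing.contains(name.toLowerCase)
    }
    result.copy(header = result.header.copy(headers = kept))
  }
}
```

Enable it in application.conf with `play.filters.enabled += "filters.StripServerHeadersFilter"`. A header that the HTTP backend itself adds below the filter layer is governed by the server configuration rather than by this filter, so verify the live response headers after deploying.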