Details | |
---|---|
Alert ID | 10056 |
Alert Type | Passive |
Status | release |
Risk | Low |
CWE | 200 |
WASC | 13 |
Technologies Targeted | All |
Tags | CWE-200 OWASP_2017_A03 OWASP_2021_A01 WSTG-V42-ERRH-01 |
More Info | Scan Rule Help |
Summary
The response contained an X-Debug-Token or X-Debug-Token-Link header. This indicates that Symfony’s Profiler may be in use and exposing sensitive data.
Solution
Limit access to Symfony's Profiler, either via authentication/authorization or by limiting inclusion of the header to specific clients (by IP, etc.).
Other Info
By accessing a URL of the form https://target_host/_profiler/token_value (e.g. https://example.com/_profiler_/123ab4), an attacker may gain access to the profiler and further leaked information.
References
- https://symfony.com/doc/current/cookbook/profiler/profiling_data.html
- https://symfony.com/blog/new-in-symfony-2-4-quicker-access-to-the-profiler-when-working-on-an-api
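The check this alert describes, as an added example rather than ZAP's own scan-rule implementation: it parses raw HTTP responses, matches the X-Debug-Token and X-Debug-Token-Link headers case-insensitively (HTTP header names are case-insensitive), and reports one Low/CWE-200 finding per header occurrence. The sample responses, the hostname app.example and the token value 123ab4 are constructed for the example.

```python
"""Passive check for Symfony profiler debug-token headers.

Added example, not ZAP's own scan-rule code: parses raw HTTP/1.x responses,
looks for the X-Debug-Token / X-Debug-Token-Link headers, and returns one
finding per header occurrence. The sample responses below are constructed.
"""
from dataclasses import dataclass

# Header names (lower-cased) that indicate the Symfony profiler is active.
DEBUG_TOKEN_HEADERS = ("x-debug-token", "x-debug-token-link")


@dataclass(frozen=True)
class Finding:
    url: str        # request URL the response belongs to
    header: str     # header name exactly as sent by the server
    value: str      # header value (token or profiler link)
    risk: str = "Low"
    cwe: int = 200  # CWE-200: exposure of sensitive information


def parse_headers(raw_response: str) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.x response into (name, value) header pairs.

    Keeps duplicates and original casing; stops at the blank line that ends
    the header block, so the body is never inspected.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    pairs = []
    for line in lines:
        if ":" not in line:
            continue  # malformed line: skip rather than abort the scan
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def check_response(url: str, raw_response: str) -> list[Finding]:
    """Return a Finding for every debug-token header in the response."""
    return [
        Finding(url=url, header=name, value=value)
        for name, value in parse_headers(raw_response)
        if name.lower() in DEBUG_TOKEN_HEADERS
    ]


def scan(responses: list[tuple[str, str]]) -> list[Finding]:
    """Run the check over (url, raw_response) pairs, e.g. from a proxy log."""
    findings = []
    for url, raw in responses:
        findings.extend(check_response(url, raw))
    return findings


# Constructed sample responses (not captured from any real host).
SAMPLE_RESPONSES = [
    (
        "https://app.example/api/users",
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/json\r\n"
        "X-Debug-Token: 123ab4\r\n"
        "X-Debug-Token-Link: https://app.example/_profiler/123ab4\r\n"
        "\r\n"
        '{"users": []}',
    ),
    (
        "https://app.example/health",
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "ok",
    ),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RESPONSES):
        print(f"[{f.risk}] CWE-{f.cwe} {f.url}: {f.header}: {f.value}")
```

Running the script reports two findings for the first sample response and none for the second. The same `check_response` function can be pointed at responses exported from a proxy or a fetch wrapper; a production deployment should produce no hits at all, since the profiler is intended for development environments only.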