Information Disclosure via X-Atmosphere-first-request Header

Description

The 'X-Atmosphere-first-request' header is used by the Atmosphere framework to indicate that a particular request is the first in a series for a real-time connection (e.g., WebSockets, SSE). Exposing this header can reveal internal session or handshake details to unauthorized parties, potentially allowing attackers to infer usage patterns or observe the initial state of a streaming session. In some cases, knowledge about the first request could be combined with other vulnerabilities or misconfigurations to manipulate application workflows, hijack connections, or gather sensitive information about session management. Ultimately, disclosing 'X-Atmosphere-first-request' can help attackers orchestrate more precise or damaging exploits in real-time communication environments.

Remediation

Remove or redact the 'X-Atmosphere-first-request' header in production environments unless it is strictly required. Verify that the Atmosphere framework or any related libraries are configured to limit header exposure to only what is necessary. If reverse proxies or load balancers are in use, ensure they do not inadvertently preserve or re-inject this header. Implement a Web Application Firewall (WAF) or intrusion detection system to block or scrutinize suspicious traffic targeting real-time connections. Regular reviews of response headers and debug configurations can help prevent accidental disclosures of session or connection details.
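As an added example (not part of the original entry or the Atmosphere project), the following audit script supports the "regular reviews of response headers" step above: it parses a raw HTTP response, reports any 'X-Atmosphere-first-request' header present, and returns a redacted copy suitable for checking what a proxy actually forwards. The sample response is constructed, and the watch list is assumed to contain only the header named in this finding.

```python
"""Audit an HTTP response for the X-Atmosphere-first-request header and
produce a redacted copy (added example, not part of the original entry)."""

# Headers the finding says should not reach clients in production.
# Assumption: only the header named in this entry is watched by default.
DISCLOSURE_HEADERS = frozenset({"x-atmosphere-first-request"})


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def find_disclosures(raw: str, watch=DISCLOSURE_HEADERS):
    """Return the (name, value) pairs whose name is on the watch list (case-insensitive)."""
    _, headers, _ = parse_response(raw)
    return [(n, v) for n, v in headers if n.lower() in watch]


def redact_response(raw: str, watch=DISCLOSURE_HEADERS) -> str:
    """Rebuild the response with the watched headers removed; body is untouched."""
    status, headers, body = parse_response(raw)
    kept = [f"{n}: {v}" for n, v in headers if n.lower() not in watch]
    return "\r\n".join([status, *kept]) + "\r\n\r\n" + body


# Constructed sample: what a misconfigured reverse proxy might forward to a client.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/event-stream\r\n"
    "X-Atmosphere-first-request: true\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "data: hello\n\n"
)

if __name__ == "__main__":
    for name, value in find_disclosures(SAMPLE):
        print(f"disclosure: {name}: {value}")
    print(redact_response(SAMPLE))
```

Run it against responses captured from the edge (not from the application server directly) to confirm that proxies and load balancers are not re-injecting the header.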

References

https://github.com/Atmosphere/atmosphere
https://owasp.org/www-community/attacks/Information_exposure

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3