
Information Disclosure via X-B3-ParentSpanId Header

Description

The 'X-B3-ParentSpanId' header belongs to the B3 propagation format used by Zipkin and compatible tracers (Brave, Spring Cloud Sleuth, OpenTelemetry's B3 propagator, and service meshes that speak B3). Alongside X-B3-TraceId, X-B3-SpanId, X-B3-Sampled and X-B3-Flags, it carries the 64-bit identifier of the span that created the current one, so that each hop in a request's path can be stitched into a single trace. These headers are meant to travel between services inside a deployment; when one appears in a response to an untrusted client, the application (or a proxy in front of it) is echoing internal trace context outward. On its own the value is an opaque identifier, but it tells an attacker that distributed tracing is in place, that the request passed through at least one upstream span before reaching the responding service, and it lets responses be correlated across requests and services during reconnaissance. The more practical concern is that B3 propagation trusts the headers it receives: a client can supply its own X-B3-* values and the service will join that trace, set X-B3-Sampled: 1 to force sampling, or inject chosen identifiers that pollute the tracing backend, which muddies incident response and can hide unauthorized activity among legitimate-looking traces. Exposed identifiers make this easier, because the attacker learns valid-looking context to reuse rather than guessing the format.

Remediation

Remove the 'X-B3-ParentSpanId' header (and the other X-B3-* headers) from responses before they reach untrusted clients; trace context should only be propagated on requests between internal services. Configure the tracing library or framework so that it does not write trace context into HTTP responses in production, or restrict that behaviour to debugging environments that are not publicly reachable. If a reverse proxy, API gateway or load balancer sits at the edge, have it drop outbound X-B3-* headers, and also drop inbound X-B3-* headers from untrusted clients so that they cannot inject trace context or force sampling. A WAF or intrusion detection system can serve as a compensating control by flagging requests that carry unexpected trace headers. Confirm the fix by requesting the affected endpoint and inspecting the response headers, and audit observability and logging configuration regularly so that internal trace data stays internal.
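The following is an added example, not code from the original advisory or from any tracing project. It is a WSGI middleware that enforces the remediation in both directions: it drops client-supplied B3 headers before the application (and its tracer) sees them, and strips X-B3-* headers from the response. It also includes a small audit helper that lists any B3 headers present in a captured response, which is the check to run before and after the fix. The application `leaky_app`, the driver `run` and all header values are constructed for the example.

```python
"""Added example (not from the advisory): keep B3 trace context from crossing
the trust boundary in either direction, plus a helper to audit responses."""
from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]

# B3 propagation headers: the multi-header form plus the single "b3" header.
B3_HEADERS = frozenset({
    "x-b3-traceid", "x-b3-spanid", "x-b3-parentspanid",
    "x-b3-sampled", "x-b3-flags", "b3",
})


def trace_headers_in(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the names of any B3 headers present (case-insensitive).
    Run over a captured response to confirm the finding or verify the fix."""
    return [name for name, _ in headers if name.lower() in B3_HEADERS]


def _wsgi_env_key(header_name: str) -> str:
    """Header name -> WSGI environ key, e.g. X-B3-SpanId -> HTTP_X_B3_SPANID."""
    return "HTTP_" + header_name.upper().replace("-", "_")


INBOUND_ENV_KEYS = frozenset(_wsgi_env_key(h) for h in B3_HEADERS)


class StripB3Middleware:
    """Drop B3 headers arriving from the client and leaving in the response."""

    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ: dict, start_response: Callable):
        # Inbound: remove client-supplied trace context so the tracer
        # starts a fresh trace instead of joining one the client chose.
        for key in list(environ):
            if key in INBOUND_ENV_KEYS:
                del environ[key]

        def guarded_start_response(status: str, headers: Headers, exc_info=None):
            # Outbound: never echo internal span identifiers to the client.
            cleaned = [(n, v) for n, v in headers if n.lower() not in B3_HEADERS]
            return start_response(status, cleaned, exc_info)

        return self.app(environ, guarded_start_response)


def leaky_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Constructed app that honours inbound trace context and echoes trace
    headers into the response, as a misconfigured integration might."""
    inbound_trace = environ.get("HTTP_X_B3_TRACEID", "no-inbound-trace")
    headers: Headers = [
        ("Content-Type", "text/plain"),
        ("X-B3-TraceId", inbound_trace),                 # constructed values
        ("X-B3-SpanId", "e457b5a2e4d86bd1"),
        ("X-B3-ParentSpanId", "05e3ac9a4f6e3b90"),
    ]
    start_response("200 OK", headers)
    return [inbound_trace.encode()]  # body shows which trace the app joined


def run(app: Callable, request_headers: dict) -> Tuple[str, Headers, bytes]:
    """Minimal WSGI driver: build an environ from request headers, call the
    app, and return (status, response headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    for name, value in request_headers.items():
        environ[_wsgi_env_key(name)] = value
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Attacker-style request carrying its own trace context (constructed).
    attacker = {"X-B3-TraceId": "deadbeefdeadbeefdeadbeefdeadbeef", "X-B3-Sampled": "1"}
    _, before, body_before = run(leaky_app, attacker)
    _, after, body_after = run(StripB3Middleware(leaky_app), attacker)
    print("before:", trace_headers_in(before), body_before)
    print("after: ", trace_headers_in(after), body_after)
```

Without the middleware the app joins the attacker's trace and returns three X-B3-* headers; with it, the response carries none and the app never saw the injected trace ID. The same two checks (no B3 headers in the response, inbound B3 headers not honoured) apply whether the stripping is done in the application or at an edge proxy.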

References

https://zipkin.io/
https://owasp.org/www-community/attacks/Information_exposure

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3