The 'X-B3-Sampled' header is commonly used in distributed tracing (e.g., Zipkin, OpenTracing) to indicate whether a particular request should be sampled. When this header is exposed to unauthorized parties, attackers can gain insight into an application's tracing or debugging strategy, which might help them evade monitoring or detection. In addition, learning how sampling decisions are made could enable adversaries to craft malicious requests that remain unsampled, leaving fewer clues in logs or trace data. Ultimately, disclosing this header weakens observability and complicates incident response by revealing part of the system's internal monitoring architecture.
Remove or mask the 'X-B3-Sampled' header in production responses so that it is not exposed outside trusted channels. Configure your tracing libraries to limit trace-header propagation to the internal services that need it. If load balancers or reverse proxies are in place, set them to drop or sanitize trace headers before responses are sent to clients. Deploy a Web Application Firewall (WAF) or intrusion detection system to monitor for attempts to manipulate or exploit trace information. Regularly audit your logging and telemetry configurations to confirm that no sensitive headers or data are inadvertently leaked, thereby maintaining robust visibility and security.
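The following is an added example, not code from the original entry: a Go net/http edge middleware that performs the "drop trace headers before responses reach clients" step where no reverse proxy is available to do it, plus an audit helper for the periodic check. The header list (X-B3-Sampled and the B3 headers that travel with it) and the function names are assumptions for illustration.

```go
package main
import "net/http"

// Trace-context headers that must not reach external clients (assumed list).
var traceHeaders = []string{
	"X-B3-Sampled", "X-B3-TraceId", "X-B3-SpanId", "X-B3-ParentSpanId", "X-B3-Flags", "B3",
}

// scrubber deletes trace headers right before the header block is flushed, so
// nothing a handler or tracing library added can leak. Write is overridden too,
// because Go implicitly sends headers on the first Write if WriteHeader was never called.
type scrubber struct {
	http.ResponseWriter
	wroteHeader bool
}

func (s *scrubber) WriteHeader(code int) {
	if !s.wroteHeader {
		for _, h := range traceHeaders {
			s.ResponseWriter.Header().Del(h)
		}
		s.wroteHeader = true
	}
	s.ResponseWriter.WriteHeader(code)
}

func (s *scrubber) Write(b []byte) (int, error) {
	if !s.wroteHeader {
		s.WriteHeader(http.StatusOK)
	}
	return s.ResponseWriter.Write(b)
}

// StripTraceHeaders is edge middleware: wrap the outermost handler so trace
// headers are dropped before any response leaves the trusted boundary.
func StripTraceHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(&scrubber{ResponseWriter: w}, r)
	})
}

// LeakedTraceHeaders lists trace headers present in a response; use it as the audit check.
func LeakedTraceHeaders(h http.Header) []string {
	var leaked []string
	for _, name := range traceHeaders {
		if h.Get(name) != "" {
			leaked = append(leaked, name)
		}
	}
	return leaked
}
```

Inbound B3 headers from untrusted clients should be handled separately (dropped or replaced at the edge); this block only covers the outbound leak the finding describes.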
Code: A05:2021
Category: Security Misconfiguration
5.3
5.3