The 'X-B3-SpanId' header is part of the B3 propagation format used by Zipkin and Zipkin-compatible tracers (including Brave, Jaeger, and OpenTracing or OpenTelemetry tracers configured with a B3 propagator) to identify the current span of a request. It normally travels together with 'X-B3-TraceId', 'X-B3-ParentSpanId', 'X-B3-Sampled' and 'X-B3-Flags', or as the single 'b3' header, and is intended for hop-to-hop propagation between services, not for end clients. When it appears in a response to an unauthorized client, it reveals that distributed tracing is in use and which tracer family, and it hands the client identifiers that match the application's own trace and span records, so requests can be correlated with backend logs and traces across multiple services during reconnaissance. If the same endpoint also honours B3 headers supplied by the client, an attacker can inject chosen trace or span IDs, polluting or fragmenting the traces defenders rely on and making malicious actions harder to follow or to separate from genuine performance issues. Overall, disclosing 'X-B3-SpanId' lowers the barrier to forging or interfering with the application's observability and complicates incident response.
Remove or mask the 'X-B3-SpanId' header (and the other B3 headers) from responses in production environments so that unauthorized clients never see internal trace information. Configure your tracing library or framework so that it propagates trace context to downstream services but does not echo it in responses on public-facing endpoints. If you use reverse proxies or load balancers, configure them to drop or sanitize distributed tracing headers when relaying responses externally, and to accept inbound B3 headers only from trusted proxies rather than from arbitrary clients. Deploy a Web Application Firewall (WAF) or intrusion detection system to monitor for attempts to inject or manipulate trace headers. Regularly review your logging and observability configurations to ensure that only essential data is exposed to trusted parties, maintaining a robust and tamper-resistant tracing setup.
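The following is an added example, not code from the original page or from any tracing library: a small WSGI middleware that applies both halves of the remediation above. Outbound, it strips every B3 header from the response so clients never see span or trace IDs; inbound, it drops B3 headers sent by untrusted clients so they cannot inject their own trace context, and reports the attempt through a callback. The backend application, the client addresses, the trusted-proxy address and the trace/span values are constructed for the demonstration.

```python
"""Keep B3 trace context off the public edge of a WSGI application.

Added example (not from the original page). Assumptions: the app sits behind
a WSGI server, and only the addresses in ``trusted_proxy_ips`` are allowed
to hand us B3 headers; everything else is treated as an untrusted client.
"""

# Canonical B3 header names: the multi-header form plus the single "b3" header.
B3_HEADERS = frozenset({
    "x-b3-traceid", "x-b3-spanid", "x-b3-parentspanid",
    "x-b3-sampled", "x-b3-flags", "b3",
})


def wsgi_key(header_name):
    """Map an HTTP header name to its WSGI environ key (HTTP_UPPER_UNDERSCORE)."""
    return "HTTP_" + header_name.upper().replace("-", "_")


B3_ENVIRON_KEYS = frozenset(wsgi_key(h) for h in B3_HEADERS)


def strip_b3_response_headers(headers):
    """Return a copy of a WSGI response header list without any B3 headers."""
    return [(name, value) for name, value in headers if name.lower() not in B3_HEADERS]


def drop_untrusted_b3_request_headers(environ, trusted_proxy_ips):
    """Delete client-supplied B3 headers unless the peer is a trusted proxy.

    Returns the environ keys that were removed (sorted), so callers can alert
    on injection attempts; an empty list means nothing was dropped.
    """
    if environ.get("REMOTE_ADDR") in trusted_proxy_ips:
        return []
    dropped = sorted(k for k in environ if k in B3_ENVIRON_KEYS)
    for key in dropped:
        del environ[key]
    return dropped


class B3EdgeMiddleware:
    """Sanitise B3 headers in both directions around a WSGI app."""

    def __init__(self, app, trusted_proxy_ips=(), on_injection=None):
        self.app = app
        self.trusted_proxy_ips = frozenset(trusted_proxy_ips)
        self.on_injection = on_injection  # callable(client_ip, dropped_keys)

    def __call__(self, environ, start_response):
        dropped = drop_untrusted_b3_request_headers(environ, self.trusted_proxy_ips)
        if dropped and self.on_injection is not None:
            self.on_injection(environ.get("REMOTE_ADDR"), dropped)

        def sanitised_start_response(status, headers, exc_info=None):
            # Response headers are rewritten here, before they reach the client.
            return start_response(status, strip_b3_response_headers(headers), exc_info)

        return self.app(environ, sanitised_start_response)


def sample_backend(environ, start_response):
    """Constructed backend that behaves like a tracer integration with the
    misconfiguration described above: it trusts any incoming span ID and
    reflects its trace context in the response headers."""
    seen = environ.get("HTTP_X_B3_SPANID", "none")
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("X-B3-TraceId", "463ac35c9f6413ad48485a3953bb6124"),  # constructed value
        ("X-B3-SpanId", "a2fb4a1d1a96d312"),                   # constructed value
        ("X-B3-Sampled", "1"),
    ])
    return [("span seen by backend: " + seen).encode()]


def call_app(client_ip, request_headers, trusted_proxy_ips=()):
    """Drive the wrapped backend with a constructed request.

    Returns (status, response_headers, body_text, injection_events)."""
    events = []
    app = B3EdgeMiddleware(sample_backend, trusted_proxy_ips,
                           on_injection=lambda ip, keys: events.append((ip, keys)))
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": client_ip}
    for name, value in request_headers.items():
        environ[wsgi_key(name)] = value
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body.decode(), events


if __name__ == "__main__":
    # An untrusted client trying to inject its own span ID (constructed input).
    print(call_app("203.0.113.7", {"X-B3-SpanId": "deadbeefdeadbeef",
                                   "X-B3-TraceId": "4bf92f3577b34da6a3ce929d0e0e4736"}))
    # The same headers from a trusted proxy are passed through to the backend.
    print(call_app("10.0.0.2", {"X-B3-SpanId": "deadbeefdeadbeef"},
                   trusted_proxy_ips={"10.0.0.2"}))
```

The same outbound rule can be applied at a reverse proxy instead of in the application; in nginx, for example, `proxy_hide_header X-B3-SpanId;` (one directive per B3 header) removes the header from upstream responses before they are relayed to the client. Stripping outbound headers alone leaves the injection problem open, which is why the middleware also refuses inbound B3 headers from anything that is not a trusted proxy.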
Code: A05:2021
Category: Security Misconfiguration
5.3