Information Disclosure via X-B3-TraceId Header

Description

'X-B3-TraceId' is one of the B3 propagation headers used by Zipkin-style distributed tracing (OpenTelemetry also supports the B3 format) to carry the identifier of an entire trace across the services that handle one request. These headers are meant to travel between internal hops. When they appear in responses to external clients they confirm which tracing stack is in use and the trace ID format, and where span or parent-span IDs are exposed as well they show that the request traversed several internal services; an attacker can use this for reconnaissance. A second problem arises when the public edge accepts B3 headers from untrusted clients: the client then chooses the trace ID, which can be used to pollute tracing data, collide with or spoof legitimate traces, or inject attacker-chosen values into logs that correlate on the trace ID. The result is a loss of confidentiality about internal tracing and, where inbound headers are honored, a loss of integrity in the monitoring and incident-response data that depends on them.
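The following checker is an added example, not code from the page or from Zipkin/OpenTelemetry. It shows the two conditions the description distinguishes: tracing headers present in a response at all, and an injected X-B3-TraceId coming back unchanged, which means the edge trusted client-supplied trace context. The sample responses are constructed, the function names are hypothetical, and `probe()` is the only part that touches the network.

```python
import re
import urllib.request
from typing import Dict, List, Optional

# B3 propagation header names as defined by Zipkin: the multi-header form and the
# single "b3" header (traceid-spanid-sampled[-parentspanid]).
B3_HEADER_NAMES = ("x-b3-traceid", "x-b3-spanid", "x-b3-parentspanid",
                   "x-b3-sampled", "x-b3-flags", "b3")
# A B3 trace ID is 16 (64-bit) or 32 (128-bit) lowercase hex characters.
TRACE_ID_RE = re.compile(r"^(?:[0-9a-f]{16}|[0-9a-f]{32})$")


def find_exposed_b3(headers: Dict[str, str]) -> Dict[str, str]:
    """Return the B3 headers present in a response, keyed by lower-cased name."""
    return {k.lower(): v for k, v in headers.items() if k.lower() in B3_HEADER_NAMES}


def response_trace_id(exposed: Dict[str, str]) -> Optional[str]:
    """Extract the trace ID from either the multi-header or the single-header form."""
    if "x-b3-traceid" in exposed:
        return exposed["x-b3-traceid"].lower()
    if "b3" in exposed:
        return exposed["b3"].lower().split("-")[0]
    return None


def assess(response_headers: Dict[str, str], injected_trace_id: Optional[str] = None) -> dict:
    """Classify a response: which tracing headers leak, whether the trace ID is
    well-formed, and whether a trace ID we injected into the request was honored."""
    exposed = find_exposed_b3(response_headers)
    trace_id = response_trace_id(exposed)
    findings: List[str] = []
    if exposed:
        findings.append("tracing headers exposed to client: " + ", ".join(sorted(exposed)))
    if trace_id is not None and not TRACE_ID_RE.match(trace_id):
        findings.append(f"malformed trace ID {trace_id!r} (expected 16 or 32 hex chars)")
    reflected = injected_trace_id is not None and trace_id == injected_trace_id.lower()
    if reflected:
        findings.append("injected trace ID reflected: edge trusts client-supplied trace context")
    return {"exposed": exposed, "trace_id": trace_id, "reflected": reflected, "findings": findings}


def probe(url: str, injected_trace_id: str = "0123456789abcdef0123456789abcdef") -> dict:
    """Live check (needs network): send a request carrying our own B3 context and assess the reply."""
    req = urllib.request.Request(url, headers={"X-B3-TraceId": injected_trace_id,
                                               "X-B3-SpanId": injected_trace_id[:16],
                                               "X-B3-Sampled": "1"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return assess(dict(resp.headers.items()), injected_trace_id)


# Constructed sample responses (not captured from any real system).
INJECTED = "0123456789abcdef0123456789abcdef"
LEAKY_RESPONSE = {
    "Content-Type": "application/json",
    "X-B3-TraceId": INJECTED,          # our injected ID came back: the edge honored it
    "X-B3-SpanId": "5c8ef6fa1a3b2c4d",
    "X-B3-Sampled": "1",
}
HARDENED_RESPONSE = {"Content-Type": "application/json", "Cache-Control": "no-store"}

if __name__ == "__main__":
    for name, hdrs in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = assess(hdrs, INJECTED)
        print(name, "->", result["findings"] or ["no tracing headers exposed"])
```

A reflected injected ID is the stronger finding: a response that merely carries a server-minted trace ID discloses the tracing stack, while one that echoes a client-chosen ID shows the edge will continue any trace the client names.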

Remediation

Do not return 'X-B3-TraceId', or the other B3 headers ('X-B3-SpanId', 'X-B3-ParentSpanId', 'X-B3-Sampled', 'X-B3-Flags' and the single-header 'b3'), to external clients in production. Configure tracing libraries and frameworks so that propagation headers are added only to outbound calls between internal services and are never copied onto client responses; if users need a correlation identifier for support purposes, return an opaque value rather than the internal trace ID. At reverse proxies, load balancers and API gateways, strip tracing headers from responses and, unless the request arrives from a trusted internal hop, from incoming requests as well, so that the edge always starts a new trace instead of honoring a client-supplied one. A Web Application Firewall (WAF) or intrusion detection system can additionally flag requests that carry unexpected or malformed trace headers. Review logging and telemetry configuration regularly to confirm that trace identifiers and other internal details stay concealed, preserving both observability and security.
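The middleware below is an added example, not code from the page or from any tracing library, showing the two remediation steps in one place: outbound B3 headers are removed from every response, and inbound B3 headers are discarded unless the request came from a trusted internal peer, so the edge mints its own trace for anonymous clients. `traced_app` is a constructed stand-in for an application whose tracer continues an incoming trace and echoes it; the class and function names and the trusted address 10.0.0.5 are assumptions for the example.

```python
from typing import Callable, Dict, Iterable, Optional, Tuple

# B3 propagation headers (multi-header and single-header forms).
B3_HEADER_NAMES = frozenset({"x-b3-traceid", "x-b3-spanid", "x-b3-parentspanid",
                             "x-b3-sampled", "x-b3-flags", "b3"})


def _environ_key(header_name: str) -> str:
    """WSGI exposes request headers as HTTP_<UPPER_SNAKE> keys in environ."""
    return "HTTP_" + header_name.upper().replace("-", "_")


class TraceHeaderGuard:
    """WSGI middleware that (1) never lets B3 headers reach the client in a
    response and (2) drops inbound B3 headers unless the request came from a
    trusted internal peer, so a public edge always starts its own trace rather
    than continuing one chosen by an arbitrary client."""

    def __init__(self, app: Callable, trusted_peers: Iterable[str] = ()):
        self.app = app
        self.trusted_peers = frozenset(trusted_peers)

    def __call__(self, environ: Dict, start_response: Callable):
        if environ.get("REMOTE_ADDR") not in self.trusted_peers:
            for name in B3_HEADER_NAMES:
                environ.pop(_environ_key(name), None)   # ignore client-supplied trace context

        def guarded_start_response(status, headers, exc_info=None):
            # Strip tracing headers from the outbound response regardless of origin.
            filtered = [(k, v) for k, v in headers if k.lower() not in B3_HEADER_NAMES]
            return start_response(status, filtered, exc_info)

        return self.app(environ, guarded_start_response)


# Constructed stand-in for a traced application: like a tracer that continues an
# incoming trace, it echoes the inbound X-B3-TraceId (or a freshly minted marker)
# in both the response header and the body so the guard's effect is visible.
def traced_app(environ, start_response):
    trace_id = environ.get("HTTP_X_B3_TRACEID", "internal-new-trace")
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("X-B3-TraceId", trace_id),
                              ("X-B3-SpanId", "5c8ef6fa1a3b2c4d")])
    return [f"trace={trace_id}".encode()]


def call(app: Callable, environ: Dict) -> Tuple[str, Dict[str, str], bytes]:
    """Minimal WSGI driver: run one request and return status, headers, body."""
    captured: Dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def request_env(remote_addr: str, trace_id: Optional[str] = None) -> Dict:
    """Build a fresh WSGI environ (constructed test input)."""
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    if trace_id:
        env["HTTP_X_B3_TRACEID"] = trace_id
        env["HTTP_X_B3_SPANID"] = trace_id[:16]
    return env


# 10.0.0.5 stands for an assumed internal gateway whose trace context we accept.
guarded = TraceHeaderGuard(traced_app, trusted_peers={"10.0.0.5"})

if __name__ == "__main__":
    for peer in ("203.0.113.7", "10.0.0.5"):
        status, headers, body = call(guarded, request_env(peer, "0123456789abcdef0123456789abcdef"))
        print(peer, status, headers, body)
```

For the anonymous client the application never sees the injected trace ID and the response carries no tracing headers; for the trusted gateway the trace is continued internally but the response is still scrubbed. The same outbound filter at a reverse proxy is a one-line directive in most servers (for example nginx's proxy_hide_header), but the inbound check belongs wherever the trust boundary actually is.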

References

https://zipkin.io/
https://opentelemetry.io/
https://owasp.org/www-community/attacks/Information_exposure

Severity

MEDIUM

Owasp

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

6.9