Information Disclosure via X-CalculatedBETarget Header

Description

The 'X-CalculatedBETarget' header may disclose backend routing or load-balancing information, such as the hostname or internal server identifier. Attackers can leverage this data to identify server clusters, map internal networks, or exploit known vulnerabilities tied to those backend instances. By obtaining insights into routing decisions, malicious actors might reroute requests, perform targeted attacks on specific nodes, or bypass security measures designed for external interfaces only. Ultimately, revealing backend target details broadens the attack surface and can undermine security-by-obscurity measures aimed at protecting internal infrastructure.

Remediation

Remove or sanitize the 'X-CalculatedBETarget' header so it is not disclosed to external clients. Adjust your application server, reverse proxy, or load balancer configurations to strip or rewrite headers that reveal internal server details. Regularly update and patch your backend systems to minimize the window of opportunity for exploits against disclosed targets. Consider deploying a Web Application Firewall (WAF) or intrusion detection system to detect suspicious requests that may exploit backend routing information. Periodically review response headers to ensure no unintended internal details leak into publicly accessible traffic.
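The last remediation step, reviewing response headers, is easy to automate. The following check is an added example and not part of this advisory: it parses a captured response, reports the X-CalculatedBETarget header and whether its value looks like an internal host, and models the proxy-side strip so the same check can confirm the fix. The sample response and its backend hostname are constructed, and the looks_internal heuristic is an assumption of this example.

```python
"""Flag and strip backend-routing response headers such as X-CalculatedBETarget."""
import ipaddress
from typing import Dict, List, Tuple

# Header names to watch (lowercased). Only X-CalculatedBETarget comes from the
# advisory; callers may pass a longer tuple for their own environment.
DEFAULT_WATCHLIST = ("x-calculatedbetarget",)

# Constructed sample response; the backend hostname is invented for this example.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"X-CalculatedBETarget: exch-be01.corp.example.internal\r\n"
    b"\r\n<html></html>"
)

def parse_response_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x response into a lowercased-name dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *lines = head.split("\r\n")
    if not status.startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: Dict[str, str] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def looks_internal(value: str) -> bool:
    """Heuristic (assumption): private IP, non-public DNS suffix, or single-label host."""
    v = value.strip().lower()
    try:
        return ipaddress.ip_address(v).is_private
    except ValueError:
        pass
    if v.endswith((".local", ".lan", ".internal", ".corp")):
        return True
    return bool(v) and "." not in v and " " not in v

def find_disclosing_headers(headers: Dict[str, str],
                            watchlist=DEFAULT_WATCHLIST) -> List[Tuple[str, str, bool]]:
    """Return (name, value, looks_internal) for every watched header present."""
    return [(n, headers[n], looks_internal(headers[n])) for n in watchlist if n in headers]

def strip_disclosing_headers(headers: Dict[str, str],
                             watchlist=DEFAULT_WATCHLIST) -> Dict[str, str]:
    """Model the proxy-side fix: drop watched headers before the response leaves."""
    return {n: v for n, v in headers.items() if n not in watchlist}
```

Run find_disclosing_headers on responses captured from the public edge; an empty result after the proxy change confirms the header no longer reaches external clients.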

References

https://owasp.org/www-community/attacks/Information_exposure
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (score 5.3)
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (score 5.3)