Information Disclosure via X-dtInjectedServlet Header

Description

The 'X-dtInjectedServlet' header is used by Dynatrace or similar APM tools to facilitate servlet-level instrumentation. When exposed in responses, it can reveal internal details about the monitoring setup or servlet injection process. Attackers who discover this header may attempt to manipulate or disable the instrumentation, conceal malicious activity, or trigger false positives in application monitoring. Ultimately, leaking this header undermines observability by allowing adversaries to gain deeper insight into your instrumented servlets, enabling more targeted attacks against the application’s performance and security posture.

Remediation

Remove or mask the 'X-dtInjectedServlet' header from production responses. Configure your Dynatrace (or equivalent APM) agent and server settings so that proprietary tracing or instrumentation headers are not exposed externally. If you use a reverse proxy, load balancer, or CDN, ensure it does not preserve or re-inject this header when responding to clients. Keep your APM solution up to date with the latest patches to address known vulnerabilities. Consider employing a Web Application Firewall (WAF) or intrusion detection system to detect suspicious requests attempting to exploit or interfere with servlet instrumentation. Regularly review logs and configuration files to confirm that sensitive APM-related details are protected.
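As an added example (not from the advisory or from Dynatrace's own documentation), the following nginx reverse-proxy configuration strips the header from upstream responses before they reach the client; the upstream address, hostname and certificate paths are placeholders.

```nginx
# Placeholder upstream: the instrumented servlet container behind the proxy.
upstream app_backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name app.example.com;                       # placeholder hostname
    ssl_certificate     /etc/nginx/tls/app.crt;        # placeholder path
    ssl_certificate_key /etc/nginx/tls/app.key;        # placeholder path

    location / {
        proxy_pass http://app_backend;

        # Drop the APM instrumentation header from the response nginx
        # forwards to the client. The agent still sets it server-side, so
        # monitoring itself is unaffected; only external exposure is removed.
        proxy_hide_header X-dtInjectedServlet;

        # Do not re-add the header with add_header anywhere in this server
        # block, or a later location/if block, otherwise it is re-injected.
    }
}
```

After `nginx -s reload`, a HEAD request sent through the proxy should return no X-dtInjectedServlet header, while the same request sent directly to port 8080 on the backend still shows it; the Apache equivalent with mod_headers is `Header always unset X-dtInjectedServlet`.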

References

https://www.dynatrace.com/support/doc/
https://owasp.org/www-community/attacks/Information_exposure

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (base score 5.3)

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (base score 5.3)