The 'X-Envoy-Original-Dst-Host' header is an Envoy-internal routing header: Envoy's original-destination cluster type can read it to learn the upstream address a request should be forwarded to, so its value is normally an internal host or host:port pair. If the header is propagated to external clients, it discloses internal addresses, service names and port numbers that attackers can target. Malicious actors can use this information to discover services that were never meant to be reachable from outside, infer internal naming or addressing schemes, and aim requests at hosts that controls designed for external traffic do not cover. Exposing this header therefore gives unauthorized insight into your backend infrastructure and supports more precise reconnaissance and attacks.
Remove or mask the 'X-Envoy-Original-Dst-Host' header before responses reach untrusted clients. In Envoy, list it (together with any other x-envoy-* headers) under response_headers_to_remove in the route configuration; suppress_envoy_headers: true on the router filter additionally stops the router from emitting the x-envoy-* headers it adds itself. Configure any reverse proxies or load balancers in front of Envoy to strip the header as well. Because Envoy can also honor this header on incoming requests when an original-destination cluster is configured with use_http_header, strip it from untrusted inbound traffic at the edge so that external clients cannot choose the upstream address. Keep Envoy and associated backend services updated with the latest patches to minimize exposure to known exploits. Employ a Web Application Firewall (WAF) or intrusion detection system to detect traffic that probes for or guesses internal hosts. Regularly review your infrastructure and logging configurations to ensure that no sensitive routing or host data is inadvertently disclosed to external entities.
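To verify the remediation against captured traffic, the following added example (not part of this finding's original text and not Envoy project code) parses a raw HTTP/1.x response, reports every x-envoy-* header that reached the client, extracts the host and port disclosed through X-Envoy-Original-Dst-Host, and produces a sanitized copy of the response. The sample response is constructed for the example; the function and constant names are the example's own.

```python
"""Detect and strip Envoy-internal headers leaked in HTTP responses."""
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Every header in this namespace is Envoy routing/telemetry metadata and has
# no business reaching an untrusted client.
ENVOY_PREFIX = "x-envoy-"
# The header this finding covers: its value is an upstream address, the most
# direct topology disclosure among the x-envoy-* headers.
ORIGINAL_DST = "x-envoy-original-dst-host"

# Constructed sample (not captured from a real system): an edge proxy has
# forwarded Envoy's internal headers to the client unchanged.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Envoy-Original-Dst-Host: 10.0.12.7:8443\r\n"
    "x-envoy-upstream-service-time: 12\r\n"
    "server: envoy\r\n"
    "content-length: 2\r\n"
    "\r\n"
    "{}"
)

# Matches "host", "host:port", and bracketed IPv6 "[addr]:port".
HOST_PORT = re.compile(r"^(?P<host>\[[0-9a-fA-F:.]+\]|[^:\s]+)(?::(?P<port>\d{1,5}))?$")


def parse_response(raw: str) -> Tuple[str, List[Header], str]:
    """Split a raw HTTP/1.x response into (status line, headers, body).

    Header names are lower-cased for comparison; order and duplicates are kept.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: List[Header] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def leaked_envoy_headers(headers: List[Header]) -> List[Header]:
    """Return every x-envoy-* header present in the response."""
    return [(n, v) for n, v in headers if n.startswith(ENVOY_PREFIX)]


def disclosed_destinations(headers: List[Header]) -> List[Tuple[str, str]]:
    """Return the (host, port) pairs revealed by X-Envoy-Original-Dst-Host."""
    found = []
    for name, value in headers:
        if name != ORIGINAL_DST:
            continue
        match = HOST_PORT.match(value)
        if match:
            found.append((match.group("host"), match.group("port") or ""))
    return found


def strip_envoy_headers(headers: List[Header]) -> List[Header]:
    """Drop all x-envoy-* headers, mirroring response_headers_to_remove."""
    return [(n, v) for n, v in headers if not n.startswith(ENVOY_PREFIX)]


def sanitize_response(raw: str) -> str:
    """Rebuild the response with Envoy-internal headers removed."""
    status, headers, body = parse_response(raw)
    clean = strip_envoy_headers(headers)
    head = "\r\n".join([status] + [f"{n}: {v}" for n, v in clean])
    return head + "\r\n\r\n" + body


def assess(raw: str) -> Dict[str, object]:
    """Summarize what a response discloses; 'clean' means nothing leaked."""
    _, headers, _ = parse_response(raw)
    leaked = leaked_envoy_headers(headers)
    return {
        "leaked": leaked,
        "destinations": disclosed_destinations(headers),
        "clean": not leaked,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_RESPONSE)
    for name, value in report["leaked"]:
        print(f"leaked header: {name}: {value}")
    for host, port in report["destinations"]:
        print(f"disclosed upstream: host={host} port={port or '(none)'}")
    print("clean after sanitizing:", assess(sanitize_response(SAMPLE_RESPONSE))["clean"])
```

Run it against responses saved from the public edge (for example the raw output of a curl -i capture) after applying the Envoy configuration change; the report should come back clean, and any remaining x-envoy-* header points at a proxy layer that is still forwarding internal metadata.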
Code: A05:2021
Category: Security Misconfiguration
5.3