
Information Disclosure via X-Old-Content-Length Header

Description

The 'X-Old-Content-Length' header is a non-standard response header indicating that some component in the response path recorded an earlier size for the body, typically because the body was transformed on the way out (for example compressed, minified or otherwise rewritten by a server module or intermediary). An attacker who sees it learns that such a transforming component sits in front of the application, learns the original size of the resource, and may be able to spot inconsistencies in how the application and its intermediaries process responses. Being informational, the header does not itself control message framing, so it is not a request smuggling or cache poisoning vector on its own; it is, however, a useful hint when probing for those flaws, since stale or mismatched length information often points to the kind of inconsistent Content-Length and Transfer-Encoding handling those attacks rely on. Overall, disclosing historical or alternative content length data increases the application's attack surface by exposing internal details of resource handling.

Remediation

Remove or mask the 'X-Old-Content-Length' header so that previously stored or transmitted content sizes are not leaked. Configure the server or application framework to strip or rewrite response headers that serve no legitimate external purpose, and if proxies, CDNs or load balancers are in place, ensure they strip this header from responses they forward rather than passing it through. Keep server software and frameworks current with security patches so that known request/response handling flaws, which this header may hint at, are closed. Additionally, consider a Web Application Firewall (WAF) or intrusion detection system to flag requests that attempt to exploit incorrect or outdated content length handling. Regularly audit your response headers, comparing them against an allow-list of headers that are meant to be public, to confirm that internal details are not inadvertently exposed.
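The following is an added example, not code from the original page or from any product it describes. It shows the two halves of the remediation above in Python: an offline audit that parses a raw HTTP response, flags 'X-Old-Content-Length' and reports when it disagrees with the Content-Length actually sent, and a WSGI middleware that strips the header before a response leaves the application. The sample response and the sample WSGI app are constructed for illustration; the LEAKY_HEADERS set is an assumption seeded only with the header this page discusses.

```python
# Added example (not part of the original page): an offline audit of raw HTTP
# response headers for X-Old-Content-Length, plus a WSGI middleware that strips
# such headers at the application layer. The sample response below is constructed.
from typing import Dict, List, Tuple

# Response headers that expose internal handling and have no external purpose.
# Only the header this page describes is listed (an assumption for this example);
# extend the set with any other internal headers your own audits turn up.
LEAKY_HEADERS = {"x-old-content-length"}

Header = Tuple[str, str]


def parse_response_head(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a raw HTTP/1.x response into its status line and header list."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def audit_headers(headers: List[Header]) -> List[str]:
    """Return findings for leaky headers and for an X-Old-Content-Length that
    disagrees with the Content-Length actually sent (a sign the body was
    rewritten in transit)."""
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    findings: List[str] = []
    for name in sorted(LEAKY_HEADERS):
        if name in by_name:
            findings.append(f"leaky header present: {name}={by_name[name][0]}")

    old = by_name.get("x-old-content-length", [None])[0]
    cur = by_name.get("content-length", [None])[0]
    if old and cur and old.isdigit() and cur.isdigit() and old != cur:
        findings.append(f"body length changed in transit: {old} -> {cur} bytes")
    return findings


def strip_leaky_headers(headers: List[Header]) -> List[Header]:
    """Drop every header whose name is in LEAKY_HEADERS (case-insensitive)."""
    return [(n, v) for n, v in headers if n.lower() not in LEAKY_HEADERS]


class StripLeakyHeaders:
    """WSGI middleware that removes leaky headers before the response leaves the app."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def _start_response(status, headers, exc_info=None):
            return start_response(status, strip_leaky_headers(headers), exc_info)

        return self.app(environ, _start_response)


# Constructed sample: what a client might see from an origin behind a
# transforming proxy that gzipped a 7421-byte page down to 1834 bytes.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Content-Length: 1834\r\n"
    b"X-Old-Content-Length: 7421\r\n"
    b"Server: nginx\r\n"
    b"\r\n"
    b"<gzip body omitted>"
)


def sample_app(environ, start_response):
    """Hypothetical WSGI app that (wrongly) sets the header itself."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("X-Old-Content-Length", "99")])
    return [b"ok"]


def headers_after_middleware() -> List[Header]:
    """Run sample_app through the middleware and return the headers it emitted."""
    seen: List[Header] = []

    def fake_start_response(status, headers, exc_info=None):
        seen.extend(headers)

    b"".join(StripLeakyHeaders(sample_app)({}, fake_start_response))
    return seen


if __name__ == "__main__":
    status, hdrs = parse_response_head(SAMPLE_RESPONSE)
    print(status)
    for finding in audit_headers(hdrs):
        print("FINDING:", finding)
    print("after strip:", [n for n, _ in strip_leaky_headers(hdrs)])
    print("via middleware:", headers_after_middleware())
```

The middleware only covers headers the application itself emits. When the header is added further out, strip it at that layer instead: in nginx, `proxy_hide_header X-Old-Content-Length;` removes it from responses received from an upstream (headers nginx adds itself need the separate headers-more module), and in Apache, `Header unset X-Old-Content-Length` from mod_headers removes it. Run the audit function against captured responses from the edge, not from the origin, since that is the view an attacker gets.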

References

https://owasp.org/www-community/attacks/HTTP_Request_Smuggling
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Length

Severity

MEDIUM

Owasp

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

5.4

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

5.4