
Information Disclosure via X-OneAgent-JS-Injection Header

Description

The 'X-OneAgent-JS-Injection' header is typically set by application performance monitoring (APM) tools such as Dynatrace, which inject a JavaScript agent to monitor client-side interactions. When the header is exposed, an attacker learns which monitoring solution is in use and can look for known issues or configuration weaknesses tied to that tool. Knowing how the injection process works may also allow malicious actors to manipulate or bypass the monitoring scripts. Disclosing internal APM details can therefore lead to more targeted attacks against the application's observability layer and undermine monitoring and incident response.

Remediation

Remove or obscure the 'X-OneAgent-JS-Injection' header to prevent unauthorized clients from learning about the APM tool in use. Configure your APM solution or server settings to suppress identifying headers. If reverse proxies or load balancers are present, ensure they do not preserve or re-inject these headers. Keep your APM agent and server software updated to address known vulnerabilities or configuration flaws. Consider employing a Web Application Firewall (WAF) or intrusion detection system to detect malicious traffic that exploits APM tool internals. Regularly audit your monitoring setup to ensure sensitive agent injection details remain private and secure.
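To verify that the remediation holds, the check below parses an HTTP response and reports whether the APM fingerprint header is still present. This is an added example, not part of the original advisory; the sample responses and the header value "true" are constructed for illustration, and the live fetch assumes only the Python standard library.

```python
"""Verify that X-OneAgent-JS-Injection is no longer emitted by a deployment."""
from typing import Dict, List
import urllib.request

# Header named in the advisory; compared case-insensitively (HTTP header
# names are case-insensitive, so a proxy may re-emit it in any case).
APM_FINGERPRINT_HEADERS = ("x-oneagent-js-injection",)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.1 response into a dict of
    lower-cased header name -> list of values (repeated headers are kept)."""
    headers: Dict[str, List[str]] = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue  # ignore malformed lines rather than failing the check
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_apm_disclosure(raw: str) -> List[str]:
    """Return the fingerprinting header names present in a raw response."""
    headers = parse_headers(raw)
    return [name for name in APM_FINGERPRINT_HEADERS if name in headers]


def check_url(url: str, timeout: float = 10.0) -> List[str]:
    """Fetch a URL you are authorised to test and return any fingerprinting
    headers the server (or a proxy in front of it) still sends."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        present = [name for name in APM_FINGERPRINT_HEADERS
                   if resp.headers.get_all(name)]  # get_all is case-insensitive
    return present


# Constructed sample responses: before and after removing the header.
BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "X-OneAgent-JS-Injection: true\r\n\r\n<html></html>")
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        leaked = find_apm_disclosure(raw)
        print(f"{label}: {'DISCLOSED ' + ', '.join(leaked) if leaked else 'clean'}")
```

At an nginx reverse proxy the header can be dropped from upstream responses with `proxy_hide_header X-OneAgent-JS-Injection;`; rerun the check afterwards to confirm no proxy or load balancer re-injects it.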

References

https://www.dynatrace.com/
https://owasp.org/www-community/attacks/Information_exposure

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3