id: x-backend-server-header-detect

info:
  name: X-Backend-Server Header - Exposure
  author: pussycat0x
  severity: low
  description: |
    Detected that the website returned the X-Backend-Server header, which may include internal or hidden IP addresses or hostnames. By exposing these values, attackers could attempt to bypass security proxies and access these hosts directly.
  remediation: Disable revealing the X-Backend-Server header value.
  reference:
    - https://docs.gitlab.com/user/application_security/dast/browser/checks/16.4/
    - https://www.zaproxy.org/docs/alerts/10039/
  metadata:
    verified: true
    max-request: 1
    shodan-query: "X-Backend-Server"
  tags: headers,misconfig,exposure

http:
  - method: GET
    path:
      - "{{BaseURL}}/en"

    matchers:
      - type: word
        part: header
        words:
          - "X-Backend-Server"

    extractors:
      - type: regex
        part: header
        name: hostname
        group: 1
        regex:
          - 'X-Backend-Server: ([A-Za-z0-9.-]+)'
# digest: 4a0a00473045022100af20a9ac0db7e1343fae75521798cda74c5eb0f56f998aa4397e124efc662966022061001162e755607ae1a896e664c949f13dd8c5e77d96a66a50186cb06bd1f0d1:922c64590222798bb761d5b6d8e72950
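The same check the template performs, written out as a small stand-alone script so the matcher and extractor logic can be reviewed or run against saved responses. This is an added example, not part of the nuclei template or the nuclei project; the sample responses are constructed, and the helper names (`parse_headers`, `find_backend_server`, `classify`) are my own. One deliberate difference from the template: HTTP header names are case-insensitive, and the template's word matcher and regex match `X-Backend-Server` literally, so a proxy that lowercases header names would slip past it. The script below normalises the name before matching and additionally sorts each value into private IP, public IP or hostname, which is what a triager needs to decide whether the exposure is really internal.

```python
"""Detect the X-Backend-Server response header and classify its value.

Added example (not part of the nuclei template above). All sample
responses are constructed for illustration, not captured from a real host.
"""
import ipaddress
import re

HEADER_NAME = "x-backend-server"
# Same value shape the template's extractor accepts: hostnames or dotted IPv4.
VALUE_RE = re.compile(r"^([A-Za-z0-9.-]+)$")


def parse_headers(raw_response: str) -> dict[str, list[str]]:
    """Split a raw HTTP/1.x response into a lower-cased header map.

    Only the head (before the first blank line) is inspected, the status
    line is skipped, and repeated headers are kept as a list.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue  # malformed or continuation line; ignore
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_backend_server(raw_response: str) -> list[str]:
    """Return every X-Backend-Server value that matches the extractor pattern."""
    found = []
    for value in parse_headers(raw_response).get(HEADER_NAME, []):
        match = VALUE_RE.match(value)
        if match:
            found.append(match.group(1))
    return found


def classify(value: str) -> str:
    """Label a leaked value: 'private-ip', 'public-ip' or 'hostname'."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "hostname"
    return "private-ip" if addr.is_private else "public-ip"


def report(raw_response: str) -> list[tuple[str, str]]:
    """Pair each leaked value with its classification for a finding write-up."""
    return [(v, classify(v)) for v in find_backend_server(raw_response)]


# Constructed sample responses (not real hosts).
SAMPLE_HOSTNAME = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "x-backend-server: web-03.internal.example\r\n"  # lower-cased by a proxy
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
SAMPLE_PRIVATE_IP = (
    "HTTP/1.1 200 OK\r\n"
    "X-Backend-Server: 10.0.12.7\r\n"
    "\r\n"
)
SAMPLE_CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in (("hostname", SAMPLE_HOSTNAME),
                          ("private-ip", SAMPLE_PRIVATE_IP),
                          ("clean", SAMPLE_CLEAN)):
        print(label, report(sample))
```

On the remediation side, the header is normally injected by a reverse proxy or load balancer for its own debugging, so the fix is to stop forwarding it at that tier; on nginx, for example, `proxy_hide_header X-Backend-Server;` in the relevant `location` or `server` block suppresses it. Re-running the script (or the template) against the response afterwards should return an empty list.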