Exfiltrate sensitive information from block pages of web proxy security vendors
- The Zscaler security team became aware that under specific configurations, an attacker would be able to obtain sensitive information from the block pages of several web proxy security vendors.
- The Zscaler service's default configuration does not include any sensitive information in the block pages (the default page shows only the company name, logo, and block category).
- The Zscaler service's custom configuration allows a redirect to a customer-configured domain hosting customized block page content. This configuration is not vulnerable to the reported issue.
The Zscaler security team became aware of the issue through a blog post published by an external researcher: an attacker can craft a malicious HTML page that, when visited by the target user through a web proxy, allows the attacker to exfiltrate the block page information.
The Zscaler service allows customers to select ‘Default’ or ‘Custom’ notification types when configuring end-user notifications.
Under Default settings, the Zscaler service allows the customer to include the following information in the block page, with some display (CSS) customization:
Sample block page:
The attacker can craft a malicious page to exfiltrate the block page information listed above. However, no sensitive information is available by default in these block notifications. Customers are advised not to add any static details that might be considered sensitive to the block notification message.
Under Custom settings, the Zscaler service allows customers to redirect to an external site hosting the customized end-user notification page content, controlled by the customer's IT team. In this case the service is not vulnerable to this attack.
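The advisory's mitigation for the Default notification type is to keep static, potentially sensitive details out of the block message. The following is an added example, not Zscaler code, of a small audit that a customer could run against their own block-page template before deploying it: it extracts the visible text of the page and flags e-mail addresses, private IPv4 addresses, internal-looking hostnames and phone extensions. The sample HTML, the pattern list and the label names are all constructed for this demo and are not taken from Zscaler's template.

```python
"""Audit a block-page template for static details that should not be there.

Added example (not Zscaler code): scans the visible text of a block
notification for patterns a customer would usually treat as sensitive.
"""
import re
from html.parser import HTMLParser

# Constructed sample of a default-style block page to which an admin has
# added extra static text. Everything below the category line is the kind
# of detail the advisory says should not be in the message.
SAMPLE_BLOCK_PAGE = """<!doctype html>
<html><head><title>Access Denied</title>
<style>body{font-family:sans-serif}</style></head>
<body>
<img src="/logo.png" alt="Example Corp">
<h1>Example Corp - Access Blocked</h1>
<p>Category: Gambling</p>
<p>For help contact helpdesk@example-corp.com or call ext. 4421.</p>
<p>Proxy node: proxy01.corp.example.internal (10.20.30.40)</p>
</body></html>
"""


class _TextExtractor(HTMLParser):
    """Collect visible text, skipping the contents of <script> and <style>."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        # alt text ends up in the DOM too, so treat it as visible text
        for name, value in attrs:
            if name == "alt" and value:
                self.chunks.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def visible_text(html: str) -> str:
    """Return the page's visible text with whitespace normalised."""
    parser = _TextExtractor()
    parser.feed(html)
    return " ".join(" ".join(parser.chunks).split())


# Constructed pattern list; extend it with whatever your organisation treats as sensitive.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "private_ipv4": re.compile(
        r"\b(?:10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b"
    ),
    "internal_hostname": re.compile(
        r"\b[\w-]+(?:\.[\w-]+)*\.(?:internal|corp|local|lan|intranet)\b", re.I
    ),
    "phone_extension": re.compile(r"\bext\.?\s*\d{3,5}\b", re.I),
}


def find_sensitive_details(html: str) -> dict:
    """Map each pattern label to the sorted, de-duplicated matches in the visible text."""
    text = visible_text(html)
    findings = {}
    for label, regex in PATTERNS.items():
        hits = sorted(set(regex.findall(text)))
        if hits:
            findings[label] = hits
    return findings


if __name__ == "__main__":
    for label, hits in find_sensitive_details(SAMPLE_BLOCK_PAGE).items():
        print(f"{label}: {', '.join(hits)}")
```

Run it against the exported HTML of your own template; an empty result means the page carries nothing beyond the name, logo and category that the default configuration shows. The audit only covers what the page renders as text, which is exactly the part an attacker-crafted page could read, so script and style bodies are skipped.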