etag - Nginx Inode Information Leakage

I came across a word in the Burp Suite response section that I had never seen or noticed before: ETag. I did some research into what this is, but unfortunately I couldn't understand any of it because I don't have the theoretical background for this part of the job.

As time progresses, I will learn what ETag is. But what I want to ask now is a little different.

The two values in the Burp Suite request are:

If-Modified-Since: Wed, 30 Dec 2020 08:46:04 GMT
If-None-Match: W/"5f*****c-d**" (I hid it on purpose)

And this one in response:

ETag: "5f*****c-d**"

Note: Server: nginx/1.14.0 (Ubuntu)

Is this a vulnerability? If it is a vulnerability, how can attackers take advantage of it?

I am very curious if this is indeed a reportable thing.



1 Reply


The inode is internal server information specific to a file, so many security scanners report this as a vulnerability.

However, there is very little information on the web about how this could translate into a real attack. It might help in discovering that a file A is a hard link to a file B (the same file, on the same filesystem), but not much more.

Apache at one point included the inode of a file as part of the value of the ETag header (this is configurable and can be disabled). Apache stopped doing so by default as of version 2.4. NGINX itself has never used the inode of a file as part of its ETag header.

However, security scanners will still report NGINX as leaking inode information, simply because they cannot know whether it is proxying an old Apache or some other software that actually leaks inode information.

So you can say it is a false positive if you are running an NGINX-only setup. And if you are not, you can still say it is a false positive, because "OK, this is internal to the server, but nobody has ever been able to do anything with it."


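Added worked example (my own code, not part of the question or the answer above): a small checker that tells whether an ETag has the nginx shape (hex mtime in seconds, dash, hex size) or one of the Apache FileETag shapes, which is the check you would do before deciding whether the "inode leak" finding is a false positive. The format strings follow my reading of nginx's ngx_http_core_module and Apache's server/http_etag.c (Apache emits the selected fields in the order INode, Size, MTime, with MTime as an apr_time_t in microseconds); the sanity window for timestamps, the classifier heuristics and all sample values (inode, size) are my own assumptions. The date used for the samples is the If-Modified-Since value from the question; the resulting ETags are constructed, not the masked real ones.

```python
"""Classify an HTTP ETag by the format the common servers use.

Added example, not from the original post.  Formats as read from the
servers' sources; heuristics and sample values are assumptions made here.

  nginx  (ngx_http_core_module)              "<mtime s hex>-<size hex>"
  Apache (server/http_etag.c), field order INode, Size, MTime:
    FileETag INode MTime Size (2.2 default)  "<inode>-<size>-<mtime us>"
    FileETag MTime Size       (2.4 default)  "<size>-<mtime us>"
"""
import re
from email.utils import parsedate_to_datetime

# Optional weak prefix W/, then a quoted, dash-separated list of hex fields.
_ETAG_RE = re.compile(r'^(W/)?"([0-9a-fA-F]+(?:-[0-9a-fA-F]+)*)"$')

# Assumed sanity window for a file mtime: 2000-01-01 .. 2100-01-01 UTC.
_MIN_S, _MAX_S = 946684800, 4102444800


def _plausible_seconds(t):
    return _MIN_S <= t <= _MAX_S


def _plausible_micros(t):
    return _plausible_seconds(t // 1_000_000)


def http_date_to_epoch(http_date):
    """'Wed, 30 Dec 2020 08:46:04 GMT' -> 1609317964 (seconds, UTC)."""
    return int(parsedate_to_datetime(http_date).timestamp())


def nginx_etag(http_date, size):
    """Reproduce nginx's static-file ETag: hex mtime, dash, hex size."""
    return '"%x-%x"' % (http_date_to_epoch(http_date), size)


def classify_etag(etag, last_modified=None):
    """Describe the ETag's likely origin.  'inode' is non-None only when the
    value actually carries one (Apache with FileETag INode).  If a
    Last-Modified / If-Modified-Since date is given, the mtime field must
    agree with it, which rules out most coincidental matches."""
    m = _ETAG_RE.match(etag.strip())
    if not m:
        return {"format": "opaque", "inode": None}
    weak = m.group(1) is not None
    fields = [int(f, 16) for f in m.group(2).split("-")]
    lm = http_date_to_epoch(last_modified) if last_modified else None

    if len(fields) == 2:
        a, b = fields
        # nginx: first field is the mtime in seconds.
        if _plausible_seconds(a) and (lm is None or a == lm):
            return {"format": "nginx", "inode": None, "mtime": a,
                    "size": b, "weak": weak}
        # Apache 2.4 default: size, then mtime in microseconds.
        if _plausible_micros(b) and (lm is None or b // 1_000_000 == lm):
            return {"format": "apache-2.4", "inode": None,
                    "mtime": b // 1_000_000, "size": a, "weak": weak}
    if len(fields) == 3:
        inode, size, mtime = fields
        # Apache 2.2 default: inode, size, mtime in microseconds.
        if _plausible_micros(mtime) and (lm is None or mtime // 1_000_000 == lm):
            return {"format": "apache-2.2", "inode": inode,
                    "mtime": mtime // 1_000_000, "size": size, "weak": weak}
    return {"format": "unknown", "inode": None}


# Constructed samples: the date is the If-Modified-Since value from the
# question; inode 0x1a2b3c and size 0xd2a are made up.
LAST_MODIFIED = "Wed, 30 Dec 2020 08:46:04 GMT"
_MTIME_US = http_date_to_epoch(LAST_MODIFIED) * 1_000_000
SAMPLE_NGINX = "W/" + nginx_etag(LAST_MODIFIED, 0xD2A)          # W/"5fec3e4c-d2a"
SAMPLE_APACHE_22 = '"%x-%x-%x"' % (0x1A2B3C, 0xD2A, _MTIME_US)  # carries the inode
SAMPLE_APACHE_24 = '"%x-%x"' % (0xD2A, _MTIME_US)               # no inode

if __name__ == "__main__":
    for label, tag in (("nginx", SAMPLE_NGINX),
                       ("apache 2.2", SAMPLE_APACHE_22),
                       ("apache 2.4", SAMPLE_APACHE_24)):
        print(label, tag, classify_etag(tag, LAST_MODIFIED))
```

A two-field ETag whose first field decodes to the Last-Modified date, as in the question, is the nginx shape and contains no inode. If the check does find a three-field Apache ETag behind a proxy, the server-side fix is `FileETag MTime Size` (or `FileETag None`) on the Apache; on nginx itself the header can be dropped with `etag off;`.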