Version Disclosure

Last updated 1 year ago

Introduction

Version disclosure occurs when the application discloses the version of the server, platform, etc. An attacker who knows the version can narrow down attacks to the known vulnerabilities of that version.

How to test

To identify the web server version, simply look at the Server field in the HTTP response headers of the website.

Method 1

With this method, we can manually check the request and response in any browser.

  1. Right-click on the particular page and go to Inspect Element.

  2. Then, go to the Network tab and click on any request listed for the webpage.

  3. Go to the Headers tab; we can see that the server/platform version is disclosed in the response.

Method 2

In this method, we use a tool called netcat. netcat is a simple Unix utility which reads and writes data across network connections.

$ nc 202.41.76.251 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 16 Jun 2003 02:53:29 GMT
Server: Apache/1.3.3 
Last-Modified: Wed, 07 Oct 1998 11:18:14 GMT
ETag: "1813-49b-361b4df6"
Accept-Ranges: bytes
Content-Length: 1179
Connection: close
Content-Type: text/html

In the Server field, we can see that the server is Apache, version 1.3.3. In the same way, we can see all the headers the server returns.
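To repeat this check across your own sites before and after applying the fixes below, the header inspection can be scripted. The following is an added example, not code from the original page: it parses a raw HTTP response and reports headers that disclose a product version or platform. The function names, the header list and both sample responses are assumptions constructed for illustration.

```python
import re

# Banner headers to audit; Server and X-Powered-By are the ones this page deals with.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")  # dotted version such as 1.3.3 or 7.4


def parse_headers(raw_response: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the header block of a raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def find_version_disclosure(raw_response: str) -> list[tuple[str, str, str]]:
    """Return (header, value, reason) for each header that discloses platform details."""
    findings = []
    for name, value in parse_headers(raw_response):
        if name.lower() not in BANNER_HEADERS:
            continue
        match = VERSION_RE.search(value)
        if match:
            findings.append((name, value, f"version {match.group(0)} disclosed"))
        elif name.lower() != "server":
            # X-Powered-By / X-AspNet* reveal the platform even without a number
            findings.append((name, value, "platform header present"))
    return findings


# Constructed samples: the first reuses the banner from the netcat session above.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.3\r\n"
    "X-Powered-By: PHP\r\n"
    "Content-Type: text/html\r\n\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, find_version_disclosure(sample) or "no version disclosure")
```

A bare product name in Server (as produced by ServerTokens Prod) is not flagged; only a version number or a platform header is.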

Solutions

PHP

For PHP, we can use the function header_remove(). This function is available from PHP 5.3.0. (We have to implement it in each .php file.)

<?php
header_remove("X-Powered-By"); 
?>

ASP.NET:

In web.config file, include the following code to remove server and ASP.NET version details.

<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="false"/>
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>

In IIS Manager:

Do the following to remove the Server version details:

  1. Go to IIS Manager and click on the site.

  2. Double click on “URL Rewrite” (it should be installed).

  3. Click View Server Variable.

  4. Add "RESPONSE_Server" (this variable allows URL Rewrite to access the response headers).

  5. Click "Add Rule(s)…" on the right hand side and then select Outbound Rules > Blank rule and click Ok.

  6. Create the rule by using the following settings:

Name: Remove Server Header
Precondition: None
Matching Scope: Server Variable
Variable Name: RESPONSE_Server
Variable Value: Matches the Pattern
Using: Regular Expressions
Pattern: .+
Ignore case: Checked
Action type: Rewrite
Value: (blank)
Replace existing server variable value: Checked
Stop processing of subsequent rules: Unchecked

  7. Click “Apply” on the right side.

NGINX

To hide the nginx version in the Server response header, go to nginx/conf, add the following directive to nginx.conf under the server section, then restart the server.

server_tokens off;

APACHE

For Apache, we use the unset argument of the Header directive to remove an HTTP response header. The Header directive can be used in the server config (httpd.conf), a virtual host, or a site-specific .htaccess file.

Header unset Server
ServerSignature Off
ServerTokens Prod

NODE.JS

For Node.js, we use the removeHeader() function to remove an HTTP response header. We have to make the change in the config.js file. This function was added in v0.4.0.

// Remove the platform banner header before the response is sent
response.removeHeader('X-Powered-By');

EXPRESS.JS

For Express.js, we use the removeHeader() function to remove an HTTP response header.

app.use(function (req, res, next) {
  // Express adds X-Powered-By by default; strip it from every response
  res.removeHeader('X-Powered-By');
  next();
});

HTTP/API

  1. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

  2. Create a DWORD value named "DisableServerHeader" and set it to 2.

After the registry change, reboot the server to let the change go into effect.

References

https://www.owasp.org/index.php/Fingerprint_Web_Server_(OTG-INFO-002)
https://docs.liquit.com/docs/en/lws-appendix-web-server-remove-the-httpapi-20-header