GISS Review - Banner Grabbing and Version Disclosure
Article ID: 101648
Products
CA Infrastructure Management
CA Performance Management - Usage and Administration
CA Performance Management - Data Polling
Issue/Introduction
When the application answers a request, the response also carries a banner (the HTTP Server header) describing the backend server that hosts the application. A malicious user can use the details disclosed in that banner (product name, version, framework), together with any weakly encrypted channels, to narrow the scope of testing and concentrate on the known vulnerabilities of that server version, and can then attempt to exploit them to compromise the web server and the application hosted on it. It is recommended to configure the server so that it does not reveal this information, i.e. to suppress the banner in the server response. See https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/
Resolution
In the Jetty start.ini file for each service, un-comment the line for jetty.httpConfig.sendServerVersion and set its value to false, so that the line reads jetty.httpConfig.sendServerVersion=false. For the CAPM 3.5 release there is no option to disable the Server header of Karaf.
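The following shell script is an added example and is not part of this article or of the CAPM product; it applies the start.ini change and then verifies the result from the client side. It assumes only that the start.ini contains (possibly commented out) a jetty.httpConfig.sendServerVersion line and that the service answers plain HTTP on a host and port you substitute; the path, host, port and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the KB article): enable the Jetty setting and
# check whether an HTTP response still discloses server/version details.

# 1. Un-comment the jetty.httpConfig.sendServerVersion line in a start.ini
#    (whatever its current value) and force it to false. If the line is
#    missing entirely, append it.
#    Usage: set_send_server_version_false /path/to/service/start.ini   (path is an assumption)
set_send_server_version_false() {
    ini="$1"
    if grep -q '^[# ]*jetty\.httpConfig\.sendServerVersion=' "$ini"; then
        # Strip any leading comment marker and replace the value. A temp file is
        # used instead of sed -i so the script runs on any POSIX sed.
        sed 's/^[# ]*jetty\.httpConfig\.sendServerVersion=.*/jetty.httpConfig.sendServerVersion=false/' \
            "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
    else
        printf 'jetty.httpConfig.sendServerVersion=false\n' >> "$ini"
    fi
}

# 2. Read HTTP response headers from stdin and report any that identify the
#    backend (Server, X-Powered-By). Exit status 0 = nothing disclosed,
#    1 = disclosure found. Feed it the live service with, for example:
#        curl -sI http://<capm-host>:<port>/ | check_banner     (host/port are placeholders)
check_banner() {
    found=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')   # drop CR from CRLF line endings
        case "$line" in
            [Ss]erver:*|[Xx]-[Pp]owered-[Bb]y:*)
                printf 'disclosure: %s\n' "$line"
                found=1 ;;
        esac
    done
    return $found
}

# --- stand-alone demo on constructed input ---
demo_ini=$(mktemp)
printf '# jetty.httpConfig.sendServerVersion=true\n' > "$demo_ini"   # constructed start.ini fragment
set_send_server_version_false "$demo_ini"
cat "$demo_ini"    # prints: jetty.httpConfig.sendServerVersion=false
rm -f "$demo_ini"

# Constructed response resembling a Jetty instance with the default setting.
# The version string is made up for the example.
printf 'HTTP/1.1 200 OK\r\nServer: Jetty(9.4.z)\r\nContent-Type: text/html\r\n\r\n' \
    | check_banner || echo "server banner still disclosed"
```

Run check_banner against each Jetty-backed port before and after restarting the service; with sendServerVersion=false Jetty omits the Server header entirely, so a clean run prints nothing and exits 0. The Karaf endpoint will keep failing the check on CAPM 3.5, as the article states, so treat that port as a known exception rather than a misconfiguration.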