GISS Review - Banner Grabbing and Version Disclosure


Article ID: 101648


Updated On:

Products

CA Infrastructure Management
CA Performance Management - Usage and Administration
CA Performance Management - Data Polling

Issue/Introduction


When a response is received after making a request to the application, the application also sends a banner giving details of the backend server supporting the application. A malicious user can leverage the details disclosed in server banners (version used, framework) and weakly encrypted channels to narrow the scope of their testing and focus on the known vulnerabilities of that server version. They can then attempt to exploit those vulnerabilities to compromise the web server and the application hosted on it. It is recommended to configure the server so that it does not reveal any sensitive information, i.e. to hide the banner from server responses. See: https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/

Environment

PERFORMANCE MANAGEMENT, Release: 3.5, Operating System: RHEL 7.4

Resolution

In the Jetty start.ini file for each service, un-comment the line for jetty.httpConfig.sendServerVersion and set its value to false.
For the CAPM 3.5 release, there is no option to disable the Server header of Karaf.
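As an added check (not part of the CA article), the POSIX shell script below applies the start.ini change and then verifies, from captured response headers (as produced by `curl -sI`), whether a Server header is still returned. The start.ini contents and the response headers are constructed samples; the real path of each service's start.ini is not given here.

```shell
#!/bin/sh
# Added example, not part of the CA article. Works on a start.ini file path
# and on a file of captured response headers; no network access needed.

# Constructed sample of a Jetty start.ini with the setting still commented out.
sample_start_ini() {
  cat <<'EOF'
# --module=http
jetty.http.port=8080
# jetty.httpConfig.sendServerVersion=true
# jetty.httpConfig.sendDateHeader=false
EOF
}

# Print the effective value of jetty.httpConfig.sendServerVersion in $1,
# or "unset" when the line is absent or still commented out.
send_server_version_setting() {
  v=$(sed -n 's/^[[:space:]]*jetty\.httpConfig\.sendServerVersion=[[:space:]]*\(.*\)$/\1/p' "$1" | tail -n 1)
  [ -n "$v" ] && printf '%s\n' "$v" || printf 'unset\n'
}

# Un-comment the line in $1 and set it to false, as the resolution instructs.
# Writes via a temp file so it works with both GNU and BSD sed.
disable_server_version() {
  tmp="$1.tmp"
  sed 's/^[[:space:]]*#*[[:space:]]*jetty\.httpConfig\.sendServerVersion=.*/jetty.httpConfig.sendServerVersion=false/' "$1" > "$tmp" \
    && mv "$tmp" "$1"
}

# Print the value of the Server header found in the captured headers in $1,
# or "none" when the response no longer discloses one.
server_header_of() {
  h=$(grep -i '^server:' "$1" | head -n 1 | tr -d '\r' | sed 's/^[^:]*:[[:space:]]*//')
  [ -n "$h" ] && printf '%s\n' "$h" || printf 'none\n'
}

# Demonstration on the constructed sample.
ini=$(mktemp)
sample_start_ini > "$ini"
echo "sendServerVersion before: $(send_server_version_setting "$ini")"
disable_server_version "$ini"
echo "sendServerVersion after:  $(send_server_version_setting "$ini")"
rm -f "$ini"
```

After restarting the service, `curl -sI http://<host>:<port>/ > headers.txt` followed by `server_header_of headers.txt` should print `none`.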

Additional Information

https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/