Server Leaks Version Information via 'Server' HTTP Response Header Field

When developing a web application, it is essential to ensure that it is secure from vulnerabilities that attackers may exploit. One such vulnerability is 'Server Leaks Version Information via "Server" HTTP Response Header Field'. It occurs when the web server leaks information about the software and its version used in the application through the HTTP response header field, making it easier for attackers to find potential weaknesses to exploit. In this article, we will look at how to fix this vulnerability step-by-step.

Step 1: Identify the Web Server Software

The first step in fixing this vulnerability is to identify the web server software used in the application. This information can be found in the HTTP response header field 'Server.' To view the HTTP response header field, you can use your web browser's developer tools or a command-line tool like cURL. For example, to use cURL, run the following command:

curl -I http://www.example.com/

This will return the HTTP response headers for the URL you entered. Look for the 'Server' field in the response headers, which will indicate the web server software and version being used.

Step 2: Update the Web Server Software

Once you have identified the web server software, the next step is to update it to the latest version. This is important because newer versions of the web server software often include security fixes and enhancements that can help prevent vulnerabilities like the 'Server Leaks Version Information via 'Server' HTTP Response Header Field.' To update the web server software, you can follow the instructions provided by the vendor or the documentation for your hosting platform.

Step 3: Remove the 'Server' Header Field

If updating the web server software is not possible or practical, the 'Server' header field can be removed entirely from the HTTP response headers. This can be done by modifying the configuration files for the web server software. The specific method for doing this will vary depending on the web server software being used.

For example, in Apache HTTP Server, the 'ServerTokens' directive controls the information included in the 'Server' header field. By default, 'ServerTokens' is set to 'Full', which includes the web server software and version information in the 'Server' header field. To remove the version information, set 'ServerTokens' to 'Prod', which includes only the name of the web server software in the 'Server' header field. To change the directive, edit the Apache configuration file, typically located at '/etc/httpd/conf/httpd.conf'. Add the following line to this file:

ServerTokens Prod

This will ensure that only the web server software name is included in the 'Server' header field.

Step 4: Use a Web Application Firewall

Another option for fixing the 'Server Leaks Version Information via 'Server' HTTP Response Header Field' vulnerability is to use a web application firewall (WAF). A WAF can be configured to remove the 'Server' header field from HTTP responses, regardless of the web server software being used. In addition, a WAF can provide other security features, such as protection against common web application attacks like SQL injection and cross-site scripting (XSS).

There are several WAFs available, both open-source and commercial. Some examples of open-source WAFs are ModSecurity and NAXSI, while commercial WAFs include Akamai Kona Site Defender and Cloudflare WAF. The specific steps for configuring a WAF will vary depending on the product being used.

Step 5: Test the Fix

After making any changes to the web server software configuration or adding a WAF, it is essential to test the application to ensure that the vulnerability has been fixed. You can use the same external vulnerability scanner or a tool like OWASP ZAP (Zed Attack Proxy) to test the application.

First, scan the application again to see if the vulnerability has been fixed. If the scanner no longer reports the vulnerability, then the fix has been successful. If the vulnerability is still present, you may need to revisit the previous steps to ensure that the fix was implemented correctly.

Second, use OWASP ZAP to verify that the 'Server' header field has been removed from HTTP response headers. To do this, open OWASP ZAP and navigate to the 'Sites' tab. Enter the URL for your application and click 'Attack.' After the scan is complete, navigate to the 'Alerts' tab and look for any 'Server Leaks Version Information' alerts. If there are no alerts, then the 'Server' header field has been successfully removed.
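
The check from Step 1 and Step 5 can also be scripted. The following is an added example, not part of the original article: a shell function that reads raw response headers (such as the output of curl -sI) and reports whether the 'Server' header is absent, shows only a product name, or still carries a version. The function name, the three status words and the sample responses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the 'Server' header in raw HTTP response headers.
# Reads headers on stdin and prints one of:
#   absent        - the final response has no Server header
#   product-only  - header present without a version (e.g. "Apache")
#   version-leak  - header contains a version (e.g. "Apache/2.4.57 (Unix)")
server_header_status() {
    # Only the last response block counts: with `curl -sIL` each redirect hop
    # prints its own headers, and a proxy on an earlier hop may differ.
    _srv=$(tr -d '\r' | awk '
        /^HTTP\//                { found = 0; val = "" }   # new response block
        tolower($0) ~ /^server:/ {                         # names are case-insensitive
            found = 1; val = $0
            sub(/^[^:]*:[ \t]*/, "", val)                  # keep the value only
        }
        END { if (found) print "present:" val }
    ')
    if [ -z "$_srv" ]; then
        echo "absent"
    # "/<digit>" catches "Apache/2"; "<digits>.<digits>" catches bare versions.
    elif printf '%s\n' "${_srv#present:}" | grep -Eq '/[0-9]|[0-9]+\.[0-9]+'; then
        echo "version-leak"
    else
        echo "product-only"
    fi
}

# Constructed sample responses (not captured from a real host).
sample_full() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Unix)\r\nContent-Type: text/html\r\n\r\n'
}
sample_prod() {
    printf 'HTTP/1.1 200 OK\r\nserver: Apache\r\nContent-Type: text/html\r\n\r\n'
}
sample_redirect() {
    # First hop leaks a version, but the final response has no Server header.
    printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx/1.18.0\r\n'
    printf 'Location: https://www.example.com/\r\n\r\n'
    printf 'HTTP/2 200\r\ncontent-type: text/html\r\n\r\n'
}

# Against your own server:
#   curl -sI http://www.example.com/ | server_header_status
```

After applying 'ServerTokens Prod' the function should report product-only. A result of absent is expected only when a WAF or proxy strips the header.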

Conclusion

The 'Server Leaks Version Information via 'Server' HTTP Response Header Field' vulnerability is a serious security issue that can be exploited by attackers to find potential weaknesses in a web application. Fortunately, fixing this vulnerability is relatively straightforward, and there are several options available, including updating the web server software, removing the 'Server' header field, or using a web application firewall. It is essential to test the application thoroughly after implementing any fixes to ensure that the vulnerability has been successfully addressed. By following these steps, you can ensure that your web application is secure from this common vulnerability.
