
How to Prevent Web Server Information Leakage


Information about the web server in use is valuable to any attacker: a particular web server version may have vulnerabilities that give easy access to the server. Learn how you can stop your web server from revealing this information.



Web Server Information Leakage Security Assessment


CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Web Server Information Leakage Vulnerability Information

Information about the web server in use is valuable to any attacker, since a particular web server version may have vulnerabilities that allow easy access to the server. To complicate the information gathering process for attackers, the webserver should not reveal information about itself, such as its name or version.

This scanner addresses the OWASP Top 10 vulnerability of “Using components with known vulnerabilities.” While making sure you use the latest version of your webserver is crucial, it is an added layer of security if you can prevent attackers from knowing which webserver – and which version you are running.

How to Prevent Web Server Information Leakage

Use one of the following guides to disable information leakage for your webserver:

  • Apache
  • Apache 2.2
  • nginx
  • IIS

Apache

To disable the server signature, which usually contains the name and version of an Apache web server, do the following:

Open the Apache configuration file on your system. This file is usually located at:

  • /etc/apache2/apache2.conf (Debian, Mint, Ubuntu)
  • /etc/httpd/conf/httpd.conf (Arch, Fedora, CentOS, RHEL)

Depending on the server configuration, there might also be additional configuration files that take care of security configuration, such as /etc/apache2/conf-enabled/security.conf.

Apply the following settings:

(Image: Apache prevent webserver leakage 1; the settings are listed at https://github.com/crashtest-security/gist/blob/master/fingerprinting/apache_settings)

Then reload the webserver configuration:

(Image: Apache prevent webserver leakage 2; the reload command is listed at https://github.com/crashtest-security/gist/blob/master/fingerprinting/apache_configuration)
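Worked example, added here and not taken from the article's gists: a POSIX shell script that writes the two Apache directives behind the settings above, ServerTokens and ServerSignature, into a drop-in file, resolves which value actually wins when a directive appears more than once (the last occurrence, as Apache does), and reloads the server after a syntax check. The drop-in file name zz-no-server-tokens.conf, the function names and the localhost URL are assumptions; the directives and the apachectl commands are standard Apache.

```shell
#!/bin/sh
# Added example, not the article's gist.  Stops Apache from disclosing its
# version: ServerTokens Prod trims the Server header to "Apache" and
# ServerSignature Off removes the version footer from error pages and
# directory listings.  File name, function names and URL are assumptions.
set -eu

# Write the directives as a drop-in.  A Debian-style layout includes
# conf-enabled/*.conf in sort order and the LAST occurrence of a directive
# wins, so the zz- prefix lets this file override Debian's security.conf
# (which ships ServerTokens OS and ServerSignature On).
write_apache_hardening() {   # $1 = path of the drop-in file
    cat > "$1" <<'EOF'
# Show only "Server: Apache", never the version or the operating system
ServerTokens Prod
# No "Apache/2.4.x (Ubuntu) Server at example.com Port 80" on generated pages
ServerSignature Off
EOF
}

# Resolve a directive the way Apache does when it appears several times in a
# file: print the value of the last occurrence, or $3 when it is absent.
effective_setting() {        # $1 = directive, $2 = config file, $3 = default
    default=$3
    last=$(grep -i "^[[:space:]]*$1[[:space:]]" "$2" | tail -n 1)
    if [ -z "$last" ]; then
        printf '%s\n' "$default"
        return 0
    fi
    set -- $last              # split "ServerTokens Prod" into $1 and $2
    printf '%s\n' "${2:-}"
}

# Syntax-check before reloading so a typo cannot take the site down.
reload_apache() {
    apachectl configtest
    apachectl graceful        # or: systemctl reload apache2 / httpd
}

if [ "${1:-}" = "apply" ]; then
    conf=${2:-/etc/apache2/conf-enabled/zz-no-server-tokens.conf}
    write_apache_hardening "$conf"
    echo "ServerTokens is now $(effective_setting ServerTokens "$conf" Full)"
    reload_apache
    # Check from outside: the line should read "Server: Apache" and nothing more
    curl -sI "${3:-http://localhost/}" | grep -i '^server:'
fi
```

Run it as sh harden_apache.sh apply on the server (optionally followed by the drop-in path and a URL to check); without the argument it only defines the functions. ServerTokens Prod is the minimum Apache offers: the Server header still says Apache, only the version and OS are gone.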

Apache 2.2

In addition to the server signature, Apache 2.2 has another feature that can leak its version: a header image shipped with the standard installation contains the version information. The problematic image(s) are usually located in /usr/share/apache2/icons/ and are made publicly available as /icons by an alias configuration. To stop them from being served, edit the configuration file /etc/apache2/mods-available/alias.conf and remove the following lines:

(Image: Apache 2.2 prevent webserver leakage; the lines are listed at https://github.com/crashtest-security/gist/blob/master/fingerprinting/apache2.2_settings)

Nginx

To disable the version string that nginx sends by default, open the configuration file, usually located at /etc/nginx/nginx.conf, and add the following to the http section:

(Image: nginx prevent webserver leakage 1; the setting is listed at https://github.com/crashtest-security/gist/blob/master/fingerprinting/nginx_html_settings)

To stop nginx from sending its server name at all, you need the HttpHeadersMoreModule. Run the following command(s) to install it:

(Image: nginx prevent webserver leakage 2; the installation commands are listed at https://github.com/crashtest-security/gist/blob/master/fingerprinting/nginx_server_name_disable)

For other systems (such as CentOS or RHEL), you must build nginx with the module from source, as described in the module's installation notes.

Then also add the following line to the configuration file within the http section, choosing a server name of your liking:

(Image: nginx prevent webserver leakage 3; the line is listed at https://github.com/crashtest-security/gist/blob/master/fingerprinting/nginx_new_server_name)
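Worked example, added here and not taken from the article's gists: a POSIX shell script that writes the two nginx directives from the steps above into a drop-in that a Debian-style nginx.conf includes inside its http block, reloads nginx after a syntax check, and contains a small check that reads raw HTTP response headers and reports whether the Server header still carries a version number. The drop-in path /etc/nginx/conf.d/server-header.conf, the replacement name "webserver" and the function names are assumptions; server_tokens is a core nginx directive and more_set_headers comes from the headers-more module (package nginx-extras on Debian/Ubuntu).

```shell
#!/bin/sh
# Added example, not the article's gist.  Hides the nginx version with the
# core server_tokens directive and, when ngx_http_headers_more is loaded,
# replaces the Server header outright.  Paths, the replacement name and the
# function names are assumptions.
set -eu

# Write the directives as a drop-in.  Debian's nginx.conf includes
# /etc/nginx/conf.d/*.conf inside the http { } block, which is the context
# the article means.  $2 is the name to show instead of "nginx/x.y.z".
write_nginx_hardening() {    # $1 = drop-in path, $2 = replacement server name
    cat > "$1" <<EOF
# Core nginx: "Server: nginx" instead of "Server: nginx/1.24.0", and no
# version on nginx's own error pages
server_tokens off;
# headers-more (Debian/Ubuntu package nginx-extras): set any value you like.
# Remove this line if the module is not loaded, otherwise nginx -t fails
# with "unknown directive more_set_headers".
more_set_headers 'Server: $2';
EOF
}

# Read raw HTTP response headers on stdin and succeed (exit 0) if the Server
# header still contains a version such as nginx/1.24.0 or Apache/2.4.58.
server_header_leaks() {
    grep -i '^server:' | grep -Eq '/[0-9]+(\.[0-9]+)*'
}

# Syntax-check, then reload without dropping open connections.
reload_nginx() {
    nginx -t
    nginx -s reload          # or: systemctl reload nginx
}

if [ "${1:-}" = "apply" ]; then
    write_nginx_hardening "${2:-/etc/nginx/conf.d/server-header.conf}" "${3:-webserver}"
    reload_nginx
    if curl -sI "${4:-http://localhost/}" | server_header_leaks; then
        echo "Server header still discloses a version" >&2
        exit 1
    fi
    echo "Server header no longer discloses a version"
fi
```

Run it as sh harden_nginx.sh apply (optionally followed by the drop-in path, the server name to show and a URL to check); without the argument it only defines the functions. The check only looks for a version number, so it also accepts the unmodified "Server: nginx" that server_tokens off leaves behind; the more_set_headers line is what removes the product name as well.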

Limiting Information Provided by IIS

IIS also exposes its version in HTTP responses. Microsoft provides UrlScan, which can remove server information from HTTP responses sent by IIS. UrlScan requires IIS 6 Metabase compatibility to work, and the configuration described here applies to IIS globally. If you want to set it up on a site-by-site basis, see the UrlScan Setup article by Microsoft.

  • Enable Metabase Compatibility; Microsoft's Installing Metabase Compatibility Support article explains how.
  • Install UrlScan.
  • Open the UrlScan.ini file in a text editor. The file is typically located in the %windir%\system32\inetsrv\UrlScan directory.
  • Search for the key RemoveServerHeader, which is 0 by default, and set the value to 1 to remove the Server header.
