

Showing posts from May, 2011

Webcache Version Information is displayed part of Server Header

To view header information you can use the iehttpheaders utility with IE or Mozilla. This is a free utility which can be easily installed on IE or Mozilla. Once it is installed, activate the utility and try accessing your applications. My web application lists the headers as below:

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Set-Cookie: JSESSIONID=2a7e464c4de0a32e4a6e8addb59919a8af244f235ecc37aa185866437ac9d56b.e3iOb3eMbheMe34Mb30MbxuSa3f0n6jAmljGr5XDqQLvpAe; path=/
Connection: Keep-Alive
Keep-Alive: timeout=5, max=999
Server: Oracle-Application-Server-10g/ Oracle-HTTP-Server OracleAS-Web-Cache-10g/ (N;ecid=77909460152,0)
Content-Length: 166
Date: Tue, 10 May 2011 08:02:09 GMT

If you look at the "Server" header, it lists both the Application Server version and the Web Cache server version. To know how to remove the Application Server (9iAS/10gAS) version, follow my ar

Application Reveals Webserver name and Version in HTTP Response Or WebServer Banner Not Masked

Application Reveals Webserver name and Version in HTTP Response or WebServer Banner NOT Masked. One of the many security weaknesses a web server can expose is revealing its name and version. Attackers often use this information to identify the version in use and then apply vulnerabilities known for that specific version. Oracle Applications is one of the most affected, as it uses an older version of the Apache web server up through 11i. The following information can be seen using either iehttpheaders for IE or YSlow for Mozilla:

HTTP/1.1 200 OK
Date: Mon, 26 Jul 2010 05:11:47 GMT
Server: Oracle HTTP Server Powered by Apache/1.3.19
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Keep-Alive: timeout=15
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=US-ASCII

Notice that the "Server" header gives away more information than it should. To mask this banner, set the following parameter in your httpd.conf file: ServerTok