Skip to main content

Posts

Showing posts from May, 2011

Webcache Version Information is displayed part of Server Header

To view header information you can use iehttpheaders utility along with your IE or Mozilla.

http://www.blunck.info/iehttpheaders/iehttpheaders.html -- This is a free utility which can be easily installed on IE or Mozilla.

Once this is installed, activate the utility and try accessing your applications, My web applications lists the header as below,

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Set-Cookie: JSESSIONID=2a7e464c4de0a32e4a6e8addb59919a8af244f235ecc37aa185866437ac9d56b.e3iOb3eMbheMe34Mb30MbxuSa3f0n6jAmljGr5XDqQLvpAe; path=/
Connection: Keep-Alive
Keep-Alive: timeout=5, max=999
Server: Oracle-Application-Server-10g/10.1.2.2.0 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.3.0 (N;ecid=77909460152,0)
Content-Length: 166
Date: Tue, 10 May 2011 08:02:09 GMT


If you look at header "Server", this lists both Application Server version and Web Cache server version.

To know how to remove Application Server (9iAS/10gAS) follow my article Application …

Application Reveals Webserver name and Version in HTTP Response Or WebServer Banner Not Masked

 Application Reveals Webserver name and Version in HTTP Response or WebServer Banner NOT Masked.

One of many security vulnerabilities that a web server faces is revealing webserver name and its version. Often hackers use this information understand the version and induce vulnerabilities applicable to a specific version.

Oracle Application's is one of the most affected as it uses a lower version of Apache web server on till 11i.

Following information can be seen either using iehttpdheaders for IE or yslow for mozilla.

HTTP/1.1 200 OK
Date: Mon, 26 Jul 2010 05:11:47 GMT
Server: Oracle HTTP Server Powered by Apache/1.3.19
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Keep-Alive: timeout=15
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=US-ASCI
I

Here if you notice it gives in a lot of information than it should.

To mask this banner set the following parameter in your httpd.conf file.

ServerTokens Prod


Once this parame…