Application Reveals Webserver Name and Version in HTTP Response, or Webserver Banner Not Masked.
One of the many security weaknesses a web server can have is revealing its name and version in the HTTP response. Attackers routinely use this information to identify the exact version and then look for vulnerabilities known to apply to it.
Oracle Applications is among the most affected, since releases up to 11i ship with an old version of the Apache web server.
The following headers can be seen using either ieHTTPHeaders for Internet Explorer or YSlow for Mozilla.
HTTP/1.1 200 OK
Date: Mon, 26 Jul 2010 05:11:47 GMT
Server: Oracle HTTP Server Powered by Apache/1.3.19
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Keep-Alive: timeout=15
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=US-ASCII
Notice that the Server header gives away more information than it should: the exact Apache version.
To mask this banner, set the following parameter in your httpd.conf file.
ServerTokens Prod
Once this parameter is set and Apache is restarted, the Server header no longer displays the Apache version.
HTTP/1.1 200 OK
Date: Mon, 26 Jul 2010 05:11:47 GMT
Server: Oracle HTTP Server Powered by Apache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Keep-Alive: timeout=15
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=US-ASCII
For more details on this parameter, see the Apache documentation for the ServerTokens directive.
To remove the "Server" entry from the header entirely, add the following line at the end of the httpd.conf file and restart the Apache services.
ServerHeader Off
Once this is done, check the header information again using ieHTTPHeaders:
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Set-Cookie: JSESSIONID=2a7e464c4de0a32e4a6e8addb59919a8af244f235ecc37aa185866437ac9d56b.e3iOb3eMbheMe34Mb30MbxuSa3f0n6jAmljGr5XDqQLvpAe; path=
Connection: Keep-Alive
Keep-Alive: timeout=5, max=999
Content-Length: 166
Date: Tue, 10 May 2011 08:02:09 GMT
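The browser plug-ins above are fine for a one-off look, but it helps to have a repeatable check that tells you which of the three states a server is in. The script below is an added example written for this post (not part of the original or of any Oracle tooling); it parses a raw response or fetches one live with urllib and classifies the Server header as absent, product-only (what ServerTokens Prod gives) or version-disclosed. The sample responses embedded in it are constructed to mirror the three captures shown above.

```python
import re
import urllib.error
import urllib.request

# A version-like token after a slash, e.g. "Apache/1.3.19" or "Apache/2".
# Matches ServerTokens Full/OS/Minor/Major output; "Prod" output has none.
VERSION_RE = re.compile(r"/\d+(?:\.\d+)*")

def parse_response_headers(raw):
    """Split a raw HTTP response (body ignored) into (status line, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def classify_server_header(headers):
    """Return 'absent', 'product-only' or 'version-disclosed'."""
    server = headers.get("server")
    if server is None:
        return "absent"
    if VERSION_RE.search(server):
        return "version-disclosed"
    return "product-only"

def audit_raw(raw):
    """Classify a captured raw response such as the ones shown in the post."""
    return classify_server_header(parse_response_headers(raw)[1])

def audit_url(url, timeout=5):
    """Fetch a live response with a HEAD request and classify its Server header.
    Error responses (404 etc.) are audited too, since they carry headers as well."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        resp = urllib.request.urlopen(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # HTTPError exposes the response headers too
    return classify_server_header({k.lower(): v for k, v in resp.headers.items()})

# Constructed samples mirroring the three responses in the post.
BEFORE = "HTTP/1.1 200 OK\r\nDate: Mon, 26 Jul 2010 05:11:47 GMT\r\nServer: Oracle HTTP Server Powered by Apache/1.3.19\r\nContent-Type: text/html; charset=US-ASCII\r\n\r\n"
AFTER_PROD = "HTTP/1.1 200 OK\r\nServer: Oracle HTTP Server Powered by Apache\r\nContent-Type: text/html; charset=US-ASCII\r\n\r\n"
AFTER_OFF = "HTTP/1.1 404 Not Found\r\nCache-Control: private\r\nContent-Type: text/html\r\nContent-Length: 166\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("before", BEFORE), ("ServerTokens Prod", AFTER_PROD), ("ServerHeader Off", AFTER_OFF)]:
        print(f"{name}: {audit_raw(raw)}")
```

Run it against a staging URL with audit_url before and after the httpd.conf change to confirm the directive actually took effect after the restart.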