• caglararli@hotmail.com
  • 05386281520

HttpResponse Headers Information Leakage on Server Error (Verbose Headers)

Çağlar Arlı      -    19 Views

HttpResponse Headers Information Leakage on Server Error (Verbose Headers)

In the past I have dealt with security issues related to Default Service Banners/Verbose Headers/Information Leakage via HttpResponse Headers. These issues are quite common, and usually look something like this for an Asp.Net - IIS Server.

Server:  Microsoft-IIS/10.0

X-AspNet-Version:  4.0.30319

X-Powered-By:  ASP.NET

These types of issues are very common, and usually quite trivial to deal with, typically a web.config update or an URLRewrite rule to remove the verbose headers.

However, one issue I stumbled upon lately, is when the Server encounters an error, these headers are not removed. For example a 404 (not found) error will still have these headers appended on. In fact most error responses are not able to properly remove the information leakage headers. I did some searching and found out this issue is not very well documented, in fact it has never come up in one of our Pen-Tests specifically.

I am curious if any other developers have dealt with this issue, specifically information leakage in HttpResponse Headers when the response code is an Error. If so, how did you fix it. I am using Microsoft, Asp.Net, IIS technologies, but still curious if other technologies/servers have this issue.