Technical information leak - Headers - C-Sharp

Need

Protection of sensitive technical information in server response headers

Context

  • Usage of C# 7.0 for modern language features and enhancements
  • Usage of Microsoft.AspNetCore for building web applications with .NET Core
  • Usage of Microsoft.AspNetCore.Mvc for building web applications with ASP.NET Core
  • Usage of Microsoft.AspNetCore.StaticFiles for serving static files in ASP.NET Core
  • Usage of Microsoft.Extensions.Hosting for hosting and managing .NET Core applications
  • Usage of Microsoft.Extensions.Logging for logging in .NET applications
  • Usage of Microsoft.Extensions.Options for managing and accessing configuration options in a .NET application

Description

Non compliant code

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
        app.UseHsts();
    }

    app.UseHttpsRedirection();
    app.UseStaticFiles();

    app.UseRouting();

    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute(
            name: "default",
            pattern: "{controller=Home}/{action=Index}/{id?}");
    });
}

In the above code, the application is configured to use various middleware components such as HTTPS redirection, static files, routing, and authorization. However, the code does not include any steps to remove or customize the server's response headers.

As a result, the server might include headers in its responses that reveal technical information about the application, such as the server's software version, the technologies used by the application, or other potentially sensitive information.

For example, a response from this server might include headers like these:

    Server: Kestrel
    X-Powered-By: ASP.NET

These headers tell an attacker that the server is running the Kestrel web server and using ASP.NET, which could help the attacker find or exploit vulnerabilities specific to these technologies.

Therefore, the code is vulnerable to a technical information leak through the server's response headers.

Steps

  • Remove or modify the default exception handling middleware to avoid exposing technical information in the response headers.
  • Configure custom exception handling middleware to handle exceptions in a secure manner.
  • Ensure that sensitive information such as technology names or component versions are not included in the response headers.
  • Regularly update and patch the application and its dependencies to address any known vulnerabilities.

Compliant code

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
        app.UseHsts();
    }

    app.UseHttpsRedirection();
    app.UseStaticFiles();

    app.UseRouting();

    app.UseAuthorization();

    // Remove the Server header. This middleware must be registered before
    // UseEndpoints: the endpoint middleware is terminal, so anything added
    // after it never runs for a matched route. OnStarting runs just before
    // the response headers are flushed, after the endpoint has set them.
    // Note: this only removes a Server header set by the application itself.
    // Kestrel appends its own "Server: Kestrel" when it writes the response
    // unless KestrelServerOptions.AddServerHeader is set to false in the
    // host configuration.
    app.Use(async (context, next) =>
    {
        context.Response.OnStarting(() =>
        {
            if (context.Response.Headers.ContainsKey("Server"))
            {
                context.Response.Headers.Remove("Server");
            }
            return Task.CompletedTask;
        });

        await next.Invoke();
    });

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute(
            name: "default",
            pattern: "{controller=Home}/{action=Index}/{id?}");
    });
}

The above code is a modification of the original code to fix the vulnerability of leaking technical information through the server response headers.

The modification includes a middleware function that is invoked for every request to the server. This function checks if the response headers contain a "Server" header, which often contains information about the server technology and version. If such a header is found, it is removed before the response is sent back to the client.

This way, we ensure that sensitive information such as technology names or component versions is not included in the response headers, thus mitigating the risk of information leakage.
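As an added example (not code from the page or the project it describes), here is a minimal host that handles both sources of the leak: it switches off Kestrel's own Server header through KestrelServerOptions.AddServerHeader and registers the header-stripping middleware before UseEndpoints so it actually runs for matched routes. The Startup class, the LeakyHeaders list and the demo endpoint that deliberately sets X-Powered-By are assumptions constructed for this example.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                // Kestrel appends "Server: Kestrel" itself when it serialises the
                // response, after application middleware has run, so that header
                // has to be switched off at the server level, not removed later.
                webBuilder.ConfigureKestrel(options => options.AddServerHeader = false);
                webBuilder.UseStartup<Startup>();
            })
            .Build().Run();
}

public class Startup
{
    // Assumed list for this example: the two headers the page shows leaking.
    private static readonly string[] LeakyHeaders = { "Server", "X-Powered-By" };

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        // Registered before UseEndpoints so it runs for every matched route.
        // OnStarting fires just before headers are flushed, so values set by the
        // endpoint itself or by later middleware can still be removed here.
        app.Use(async (context, next) =>
        {
            context.Response.OnStarting(() =>
            {
                foreach (var name in LeakyHeaders) context.Response.Headers.Remove(name);
                return Task.CompletedTask;
            });
            await next();
        });
        app.UseEndpoints(endpoints => endpoints.MapGet("/", context =>
        {
            // Constructed for the demo: the endpoint sets a leaky header, which
            // the OnStarting callback above strips before the response is sent.
            context.Response.Headers["X-Powered-By"] = "ASP.NET";
            return context.Response.WriteAsync("ok");
        }));
    }
}
```

After starting the app, a request to / should come back without a Server or X-Powered-By header; if the app is hosted behind IIS, that server adds its own headers which must be suppressed in its configuration, not in this pipeline.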

In addition to this, it is recommended to regularly update and patch the application and its dependencies to address any known vulnerabilities. This includes updating the ASP.NET Core framework to its latest version, as well as any other libraries or components used by the application.

Remember, security is not a one-time task but a continuous process. Regular code reviews and security audits can help identify and fix potential vulnerabilities before they can be exploited.

References