Technical information leak - Headers - Java

Technical information leak - Headers - Java

Need

Prevention of technical information leakage through server response headers

Context

  • Usage of Java for building cross-platform applications
  • Usage of javax.servlet for building Java web applications with Servlet technology
  • Usage of javax.servlet.http for handling HTTP requests and responses in Java Servlet applications

Description

Non compliant code

        import javax.servlet.*;
import javax.servlet.http.*;

public class VulnerableServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // Server response headers
        response.setHeader("Server", "Apache/2.4.7 (Ubuntu)");
        response.setHeader("X-Powered-By", "PHP/5.5.9-1ubuntu4.14");
    }
}
        
        

The above code defines a Servlet that sets two headers in the HTTP response: Server and X-Powered-By. These headers are used to provide information about the server and the technology stack that powers the application.

The Server header reveals that the server is running Apache version 2.4.7 on Ubuntu. The X-Powered-By header reveals that the application is powered by PHP version 5.5.9-1ubuntu4.14.

This is a vulnerability because it leaks technical information about the server and the application. An attacker can use this information to look for known vulnerabilities in these specific versions of Apache and PHP, and exploit them to compromise the server or the application.

For instance, if there is a known vulnerability in Apache version 2.4.7, an attacker can use that knowledge to craft a specific attack against the server. Similarly, if there is a known vulnerability in PHP version 5.5.9-1ubuntu4.14, an attacker can use that knowledge to craft a specific attack against the application.

Therefore, it is recommended to remove or obscure these headers to prevent leakage of technical information.

Steps

  • Avoid including sensitive technical information in the server response headers.
  • Remove or obfuscate any headers that reveal technology names or component versions.
  • Consider using a generic or custom header instead of specific technology-related headers.
  • Regularly review and update the server response headers to ensure they do not leak any sensitive information.

Compliant code

        import javax.servlet.*;
import javax.servlet.http.*;

public class SecureServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // Server response headers
        response.setHeader("Server", "Secure Server");
        response.setHeader("X-Powered-By", "Secure Technology");
    }
}
        
        

The original code was vulnerable because it was revealing sensitive technical information such as the server type and the technology powering the server. This information can be used by attackers to exploit known vulnerabilities in these technologies.

The fixed code removes this vulnerability by replacing the specific server and technology names with generic names. This prevents potential attackers from gaining valuable information about the server and the technology it uses.

The setHeader method is used to set the HTTP response headers. In the original code, this method was used to set the "Server" header to "Apache/2.4.7 (Ubuntu)" and the "X-Powered-By" header to "PHP/5.5.9-1ubuntu4.14". These headers reveal that the server is running Apache version 2.4.7 on Ubuntu, and that it is powered by PHP version 5.5.9-1ubuntu4.14.

In the fixed code, the "Server" header is set to "Secure Server" and the "X-Powered-By" header is set to "Secure Technology". These generic names do not reveal any specific technical information that could be exploited by attackers.

It's important to regularly review and update the server response headers to ensure they do not leak any sensitive information. This includes not only the "Server" and "X-Powered-By" headers, but also any other headers that might be used by the server.

References