Prevention of unauthorized disclosure of technical information
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.ServletException;
import java.io.IOException;

public class InfoLeakServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Vulnerable: these headers disclose exact component versions to every client
        response.setHeader("Server", "Apache/2.4.41 (Ubuntu)");
        response.setHeader("X-Powered-By", "PHP/7.4.3");
    }
}
This is a simple Java Servlet that sets HTTP response headers to include specific server and technology stack information. In this case, it's revealing that the server is running Apache version 2.4.41 on Ubuntu, and that PHP version 7.4.3 is also in use.
When a client makes a GET request to the server, the doGet() method is invoked, which in turn sets these headers in the HTTP response. This information is then visible to the client.
This constitutes a technical information leak, as it's providing potential attackers with valuable information about the server's technology stack. With this information, an attacker could look for known vulnerabilities in these specific versions of Apache and PHP and exploit them.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.ServletException;
import java.io.IOException;

public class InfoLeakServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Removed the headers that revealed server component versions;
        // the response now carries no technology-stack banner from this servlet
    }
}
The original code was vulnerable because it was setting headers in the HTTP response that revealed specific server component versions. This information can be used by an attacker to exploit known vulnerabilities in those specific versions.
The fixed code removes these headers, thus preventing the leakage of this sensitive information.
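The fixed servlet only stops one handler from setting the headers; a servlet Filter can enforce the same rule for every response in the application. This is an added example, not code from the original page; the class name VersionHeaderStrippingFilter, the blocked-header list and the generic "web" value are assumptions.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Assumed name; mapped to every URL so no servlet can bypass it.
@WebFilter("/*")
public class VersionHeaderStrippingFilter implements Filter {

    // Headers that commonly disclose the technology stack (assumed list; extend as needed).
    private static final Set<String> BLOCKED =
            Set.of("server", "x-powered-by", "x-aspnet-version");

    static boolean isBlocked(String name) {
        return name != null && BLOCKED.contains(name.toLowerCase(Locale.ROOT));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;

        // Set a generic banner on the real response before any servlet runs;
        // the wrapper below prevents downstream code from replacing it.
        http.setHeader("Server", "web");

        // Wrap the response so servlets further down the chain cannot
        // set or add any of the blocked headers.
        chain.doFilter(req, new HttpServletResponseWrapper(http) {
            @Override
            public void setHeader(String name, String value) {
                if (!isBlocked(name)) super.setHeader(name, value);
            }

            @Override
            public void addHeader(String name, String value) {
                if (!isBlocked(name)) super.addHeader(name, value);
            }
        });
    }
}
```

The filter only governs headers set by application code; a banner added by the container itself must be disabled in the container's own configuration.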
It's important to note that this is just one part of the solution. In addition to this, you should also:
- Regularly update and patch server components to minimize the risk of information leakage.
- Implement proper error handling and error messages to prevent unintentional disclosure of technical information.
- Consider disabling or modifying default server headers that may disclose sensitive information.
Remember, security is not a one-time fix but an ongoing process. Always be vigilant about the information your server is exposing and take steps to minimize it.