Thursday, July 2, 2015

Framework Information in Response Header

In today's blog post we will be discussing how framework version information is easily available to see on so many websites and how it can be luring to the attacker. We will also discuss how we can avoid leaking out such information.

Framework Information

Recently, I got to know about shodan - world's most dangerous search engine. Being an attacker's best friend, it helps find websites with vulnerabilities which are easier to hack.
There are many ways that the attacker can get information about the server and framework that your website is currently running on. Some of these frameworks have known vulnerabilities. Especially, the older it gets, the more vulnerabilities are known. For example, if your site is running on ASP.NET Version 1.1, its vulnerabilities are known here. This website called cvedetails has lot of information on known vulnerabilities and exploits.

In our ASP.NET web application, such information is visible in the response headers. If we look at our application and open up the Http Request for the webpage, we can see them like this:

Response Headers Visible in ASP.NET

So its telling me that the site is running on ASP.NET Version 4.0.30319 along with MVC Version.
Such type of information can be luring to the attacker and should be avoided from being sent out.
Imagine if it was some really old version with some known vulnerabilities which the hacker can easily use to his advantage.
I am not saying that hiding this information from response headers will prevent hacker from ever finding out that information or it will make our application safe from those attacks to which our framework is vulnerable. There might be other places where this information is being leaked out or hacker is able to figure these things out. But my point is, we are making it difficult for the attacker to find this information and security is all about decreasing the probability of getting hacked. By hiding such information, we are just adding another layer of protection.

In order to hide these response headers in ASP.NET MVC application, we need to follow these steps:

i) To remove X-AspNet-Version add this to web. config:

  <httpRuntime enableVersionHeader="false" />

ii) To remove X-Powered-By add this to web.config:

    <httpProtocol>

      <customHeaders>

        <remove name="X-Powered-By" />

      </customHeaders>

    </httpProtocol>

iii) To remove X-AspNetMvc-Version, in Global.asax.cs in Application_Start() method, add this line:

MvcHandler.DisableMvcResponseHeader = true;

By using these, now my response headers look like this:

Response Headers Hidden in ASP.NET


Conclusion

So we saw how exposing such information can be harmful and how we can prevent that in our ASP.NET MVC application.
For future updates to my weekly blog, please subscribe to my blog via the "Subscribe By Email" feature at the right and follow me on Twitter. Until then Happy Coding :)


No comments:

Post a Comment