HTTP Headers Exposing Sensitive Information

  • 16 February 2021
  • 0 replies
  • 29 views

Userlevel 4
Badge +16




 








HTTP Headers Exposing Sensitive Information





























This article was created in response to a support issue logged with K2. The content may include typographical errors and may be revised at any time without notice. This article is not considered official documentation for K2 software and is provided "as is" with no warranties.






LEGACY/ARCHIVED CONTENT


This article has been archived, and/or refers to legacy products, components or features. The content in this article is offered "as is" and will no longer be updated. Archived content is provided for reference purposes only. This content does not infer that the product, component or feature is supported, or that the product, component or feature will continue to function as described herein.




Issue



If you are performing penetration test on your SmartForms, you may encounter a warning about how the HTTP response headers returned contains information about the web server which could be useful to attackers.

Symptoms



Penetration test report highlights the following HTTP headers that pose security issues:





  • X-AspNet-Version


  • X-AspNetMvc-Version 


  • X-Powered-By 


  • Server




 



Image





<h3 class=""Resolution

Please note that these headers are not added by K2, but inserted automatically by IIS and .NET Framework.



 



To remove the X-AspNet-Version, X-AspNetMvc-Version, and Server headers:





  1. If you are using Forms STS for authentication, go to [Program Files]K2 blackpearlWebServicesIdentityStsForms.


  2. Alternatively, if you are using Windows STS, go to [Program Files]K2 blackpearlWebServicesIdentityStsWindows.


  3. Open Global.asax with a text editor


  4. Append the following line and save:



    <script runat="server">
     protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
     {
       HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
       HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
       HttpContext.Current.Response.Headers.Remove("Server");
     }
    </script>






 



 



To remove the X-Powered-By header:





  1. Open IIS Manager


  2. Expand Sites > [Your K2 Site] > Identity > Sts


  3. Select Forms if you are using Forms STS for authentication. Otherwise, select Windows if you are using Windows STS.


  4. Select HTTP Response Headers

    Image



  5. Remove X-Powered-By:

    Image




 



Once you are done, perform a IISRESET, clear browser cache, and check again if the headers appear.



]]> 7aa9901e-7d38-401e-9a3f-cd150b80d3cd Resolution Memo3







0 replies

Be the first to reply!

Reply