How to remediate – HTTP Header Information Disclosure

1. Introduction

HTTP Header Information Disclosure occurs when a web server reveals unnecessary details about its configuration in HTTP response headers. This can aid attackers in gathering information for further exploitation, such as identifying software versions and technologies used. It typically affects publicly accessible web servers and applications. A successful exploit could lead to information disclosure, potentially impacting confidentiality.

2. Technical Explanation

The vulnerability arises from the server not being configured to hide sensitive information in HTTP headers. An attacker can send a simple HTTP request and examine the response headers to identify the web server software, operating system details, or other internal technologies. This information is then used to target known vulnerabilities specific to those versions or configurations. The Common Weakness Enumeration (CWE) ID for this issue is 200.

• Root cause: Detailed information about the underlying web server and its components are included in HTTP response headers.
• Exploit mechanism: An attacker sends an HTTP request to a vulnerable server, then analyzes the returned headers using tools like `curl` or browser developer tools.
• Scope: Affected platforms include any web servers (e.g., Apache, Nginx, IIS) and applications that generate HTTP responses with excessive header information.

3. Detection and Assessment

You can confirm vulnerability by inspecting the headers returned from a web server. A thorough method involves using a dedicated security scanner.

• Quick checks: Use `curl -I ` to view HTTP response headers. Look for headers like `Server`, `X-Powered-By`, or custom headers revealing internal details.
• Scanning: Nessus plugin ID 69458 can detect HTTP header information disclosure. Burp Suite’s passive scanner also identifies this issue. These are examples only.
• Logs and evidence: Web server access logs may show the requests made by attackers attempting to fingerprint the server. Look for unusual patterns or repeated requests.

curl -I https://example.com

4. Solution / Remediation Steps

Modify the web server configuration to remove or obfuscate sensitive information from HTTP headers. Only include steps that apply to this vulnerability.

4.1 Preparation

• Ensure you have access to modify the web server’s main configuration file. A roll back plan is to restore the original configuration file.
• Change windows may be needed for production systems and require approval from security or system owners.

4.2 Implementation

1. Step 1: Edit your web server’s main configuration file (e.g., `httpd.conf` for Apache, `nginx.conf` for Nginx).
2. Step 2: Add or modify directives to remove sensitive headers. For example, in Apache, use `ServerTokens Prod`.
3. Step 3: Restart the web server service to apply the changes.

4.3 Config or Code Example

Before

ServerTokens Full

After

ServerTokens Prod

4.4 Security Practices Relevant to This Vulnerability

• Least privilege: Limit the information accessible by web server processes to reduce the impact of potential disclosures.
• Secure headers: Implement security-related HTTP headers like `X-Frame-Options` and `Content-Security-Policy` to enhance overall security posture.
• Patch cadence: Regularly update your web server software to address known vulnerabilities, including those related to information disclosure.

4.5 Automation (Optional)

# Example Ansible task to modify Apache ServerTokens directive
- name: Set ServerTokens to Prod in Apache configuration
  lineinfile:
    path: /etc/httpd/conf/httpd.conf
    regexp: '^ServerTokens'
    line: 'ServerTokens Prod'
    state: present
  notify: Restart Apache

5. Verification / Validation

• Post-fix check: Run `curl -I ` again and confirm that the `Server` header only shows “Apache” or similar generic value, not detailed version numbers.
• Re-test: Re-run the initial detection method (e.g., Nessus scan) to verify that the vulnerability is no longer reported.
• Monitoring: Monitor web server logs for any unexpected errors or changes in header information.

curl -I https://example.com

6. Preventive Measures and Monitoring

• Baselines: Update your security baseline to include a requirement for minimizing HTTP header information disclosure. For example, CIS benchmarks provide guidance on secure web server configurations.
• Pipelines: Integrate SAST or DAST tools into your CI/CD pipeline to automatically identify excessive header information in application code and configuration files.
• Asset and patch process: Implement a regular patch management cycle for all web servers and applications, prioritizing security updates that address known vulnerabilities.

7. Risks, Side Effects, and Roll Back

• Roll back: Restore the original web server configuration file from backup and restart the service.

8. References and Resources

• Vendor advisory or bulletin: http://projects.webappsec.org/w/page/13246925/Fingerprinting
• NVD or CVE entry: Not applicable for this general vulnerability type.
• Product or platform documentation relevant to the fix: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers