Security misconfiguration – server headers

Revealing specific details about the operating system and the platform you are using to host your website can make it more vulnerable.

While knowing that you’re using Windows/Linux as the operating system or IIS/Apache/nginx as your application server won’t make it less secure, it does help an attacker tailor his attack vector against your system.

This type of vulnerability is detailed in the Owasp top 10: A5. Revealing information about your system may help an attacker.

Keep your system up to date

If a 0 day exploit is published, your system is vulnerable until the exploit is fixed and you apply it in your system. To ensure you’re safe, install all security updates as soon as they are released.

Use custom error pages

exception

When your application throws an error, a generic message should be displayed and no details of the error should be revealed. A stack trace can reveal a lot of information that can be exploited by an attacker.

In ASP.Net you can change the web.config and set custom error pages:

<customErrors mode="On" defaultRedirect="/Error500.html" redirectMode="ResponseRewrite" />

Note that this is perfectly acceptable to have disabled in your development environment. You can disable this setting in development and transform your config file when deploying to production.

Remove HTTP headers

HTTP headers contain information about your solution and environment. The “Server” header gives information about your server platform.

You can use the Remove ASP.Net headers (nuget package) module to remove the HTTP headers from your ASP.Net application. It is available as a nuget module that you can install in your project.

You can find the source in Github and issue pull requests/fork it: https://github.com/nimeshjm/RemoveASPNETheaders

server-headers

Asp.Net advertises its name and version by default. This can help attackers attack your system.

remove-asp-net-headers-2

After installing the nuget package, the information is no longer displayed.

Test your environment

You should always test your environment against known vulnerabilities. You can use tools to perform an initial self-assessment, such as Netsparker Community Edition and/or engage a 3rd party to perform the tests for you, such as Beyond Security