Security: HTTP headers that expose web application / server vulnerabilities

Today's blog post will cover how ASP.net response HTTP headers can expose security holes in your web application and servers. The post will also contain steps on how to remove this headers and mitigate chances of getting attacked using C# and ASP.net MVC.

Problem

When an attacker performs an attack on a web server, the first thing he /she needs to do is to identify the profile of his target. To profile a target web application / server, an attacker would have to perform the following steps:

  • Identify the address of the web application.
  • Identify the OS where the web application resides
  • Identify the type of server (IIS, Apache, etc) that was hosting the web application
  • Identify the frameworks (ASP.net MVC, PHP, JSF) used by the applications

After an attacker gathers the following information, the attacker would proceed on using penetration tools (Kali's Metasploit and Websploit) to perform different kinds of attacks to disrupt the target which could mean:

  • Defacing the application
  • Performing denial of service attacks
  • Disabling of web server itself
  • Kidnapping of database server for ransom

ASP.NET MVC Solution Github

One way to delay an attacker from executing an attack on your server is to remove HTTP headers that identify IIS and ASP.net powered applications. Below are the list of HTTP headers that needs to be removed from your applications response headers:

  • Server
  • X-AspNetMvc-Version
  • X-AspNet-Version
  • X-Powered-By

These HTTP headers can be removed by configuring an IIS server manually. This approach is OK but infeasible because the most common cause of an attack to a web server is scaling (Adding of servers / load balancers in a web farm) without configuring the additional machine. Sometimes, IT people in-charge of configuring newly added server nodes forget to disable the inclusion of these headers to the application's response objects. To make things worst, newbies are clueless with the existence of these headers. As responsible developers, we find this annoying and simply unacceptable.

To prevent hackers from retrieving HTTP server information headers, we can implement a class that would strip all these headers from all the responses emitted by an ASP.net application. The class below does the trick:

Clone it from Github

using System.Collections.Generic;
using System.Linq;
using System.Web;
namespace ServerIdentityHttpHeaderStripping
{
    /// <summary>
    /// Class that implements methods used for
    /// stripping out HTTP response headers.
    /// </summary>
    public class ServerIdentityStripper
    {
        #region Public Methods
        /// <summary>
        /// Method that strips out HTTP response headers 
        /// from response.
        /// execution.
        /// </summary>
        /// <param name="context">
        ///     Http context associated with the response 
        ///     that would be stripped of server identity 
        ///     headers.
        /// </param>
        public void Execute(HttpContext context)
        {
            var serverHeaders = GetServerIdentityHeaders();
            StripServerHeaders(context.Response, serverHeaders);
        }
        #endregion
        #region Private Methods
        private bool CheckIfHttpHeaderExists(HttpResponse response, string header)
        {
            return response.Headers
                           .AllKeys
                           .Any(k => k == header);
        }
        private List<string> GetServerIdentityHeaders()
        {
            return new List<string>
            {
                "Server",
                "X-AspNetMvc-Version",
                "X-AspNet-Version"
            };
        }
        private void StripServerHeaders(HttpResponse response, List<string> headers)
        {
            foreach (var header in headers)
            {
                if (CheckIfHttpHeaderExists(response, header))
                    response.Headers.Remove(header);
            }
        }
        #endregion
    }
}

You also have to add the following code on Global.Asax's Application_EndRequest event. 

        protected void Application_EndRequest()
        {
            var stripper = new ServerIdentityStripper();

            stripper.Execute(HttpContext.Current);
        }

X-Powered-By

Unfortunately, the class can strip all necessary headers except for the "X-Powered-By" header. This happens because IIS is the one that attaches this HTTP header after the application release the response object. To ensure that this HTTP header would be removed from your server's response headers. You can add the configuration below on your application's web.config file. 

   <system.webServer>
    <httpProtocol>
    <customHeaders>
    <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

Result

Comments

  1. technorokMarch 15, 2020 at 10:10 PM

    Way cool! Some extremely valid points! I appreciate you writing this post plus the rest of the site is also press very good.

    ReplyDelete
  2. riya singhOctober 16, 2020 at 11:05 PM

    I enjoyed over read your blog post. This was actually what i was looking for and i am glad to came here!
    Website: Antique jewellery wholesale

    ReplyDelete
  3. buyonline123January 29, 2021 at 7:52 PM

    I am really enjoying reading your well written articles. I think you spend numerous effort and time updating your blog.
    online electronics shopping sites in india

    ReplyDelete
  4. Saurabh DevFebruary 12, 2021 at 2:46 AM

    Fabulous blog with lots of information. I am glad to visit this, waiting for more updates.
    Web Development Course in Chennai

    ReplyDelete
  5. renewpassportApril 25, 2021 at 7:40 PM

    Thank you for sharing. Excellent post...! It is a very great idea and unique content. Thank you so much.
    Malaysia passport renewal

    ReplyDelete
  6. UnknownMay 3, 2021 at 10:03 AM

    I recently came across your blog and have been reading along. I thought I would leave my first comment. I don’t know what to say except that I have enjoyed reading.
    Website: metal roofing company near me

    ReplyDelete
  7. ran smithMay 22, 2021 at 5:01 AM

    I read this article fully on the topic of the difference of most up-to-date and earlier technologies, it’s awesome article.
    Website: online renew passport malaysia

    ReplyDelete
  8. AkilaJune 3, 2021 at 12:58 AM

    Great post. keep sharing such a worthy information

    Cloud Computing Training in Chennai  

    Cloud  Training in Chennai   

    ReplyDelete
  9. AkilaJune 12, 2021 at 4:04 AM

    Great post. keep sharing such a worthy information
     Digital Marketing Course in Chennai 
      Best digital marketing course online 
     Digital Marketing Courses in Bangalore 

    ReplyDelete
  10. rajJune 14, 2021 at 3:10 AM

    Great post. keep sharing such a worthy information
     Python Training in Chennai 
     Python Training in Bangalore   

    ReplyDelete
  11. ramyapranauvJune 25, 2021 at 12:39 AM

    Good Blog!! Keep sharing...
    SEO Training in Bangalore
    SEO Course in Bangalore
    SEO Training Institute in Chennai
    SEO Classes in Chennai
    Best SEO Training in Chennai





    ReplyDelete
  12. ScottishkiltJune 26, 2021 at 12:30 PM

    Great article! This is the type of information that are meant to
    be shared across the internet. Thank you for sharing such a useful post. Very Interesting Post! I regularly follow this kind of Blog.
    scottishkiltcollection

    ReplyDelete
  13. SamyJuly 3, 2021 at 5:40 AM

    Great post. keep sharing such a worthy information
    Digital Marketing Training in Chennai
    Digital marketing online course

    ReplyDelete
  14. AkilaJuly 4, 2021 at 2:47 AM

    Great post. keep sharing such a worthy information
    DevOps course in Chennai
    DevOps Course in Bangalore

    ReplyDelete
  15. PappuJuly 6, 2021 at 2:04 AM

    Nice info!
    RPA course in Chennai
    Rpa training online

    ReplyDelete
  16. ApoorvaAugust 6, 2021 at 2:52 AM

    some points are extremely valid.
    Web Development Easy With AngularJS

    ReplyDelete
  17. monsingh32August 7, 2021 at 12:23 AM

    This comment has been removed by the author.

    ReplyDelete
  18. monsingh32August 7, 2021 at 12:24 AM

    Need fence repair and staining services? We are reputed fence Repair Company that offers wide range of affordable fence replacement, fence repair and installation and much more!

    residential fence specialist Frisco

    ReplyDelete
  19. reena singhAugust 10, 2021 at 1:31 AM


    Great article! This is the type of information that are meant to
    be shared across the internet. Thank you for sharing such a useful post. Nice post ! I love its your site after reading ! thanks for sharing.
    professional graphic installation

    ReplyDelete
  20. Neeraj52August 13, 2021 at 9:11 PM

    Great article! This is the type of information that are meant to
    be shared across the internet. Thank you for sharing such a useful post. Nice post ! I love its your site after reading ! thanks for sharing.

    Website: eligibility for gmat

    ReplyDelete
  21. monsingh32August 14, 2021 at 11:44 AM

    Need fence repair and staining services? We are reputed fence Repair Company that offers wide range of affordable fence replacement, fence repair and installation and much more!
    fence replacement in mckinney tx

    ReplyDelete
  22. Shiva ShakthiSeptember 15, 2021 at 2:35 AM


    More impressive Blog!!! Its more useful for us...Thanks for sharing with us...
    Why is Big Data Important?
    Why Big Data

    ReplyDelete
  23. Shiva ShakthiSeptember 18, 2021 at 3:03 AM

    This comment has been removed by the author.

    ReplyDelete
  24. VidhyamenonSeptember 29, 2021 at 2:56 AM

    Nice Blog, it is very Impressive.keep sharing good information with us.

    Swift Online Course
    Swift Developer Certification Training in Chennai
    Swift Developer Training in Bangalore

    ReplyDelete
  25. HemapriyaOctober 6, 2021 at 5:46 AM

    Great Post!!! Thanks for the data update and waiting for your new updates.
    what does .net framework do
    do i need .net framework

    ReplyDelete
  26. Ana CyberOctober 14, 2021 at 1:17 PM

    Great job, this is essential information that is shared by you. This information is meaningful and very important for us to increase our knowledge about it. Always keep sharing this type of information. Thanks once again for sharing it. Information security auditors

    ReplyDelete
  27. bruce wayneOctober 20, 2021 at 4:51 AM

    Great blog.thanks for sharing such a useful information
    best german language institute in chennai

    ReplyDelete
  28. manmeet1November 18, 2021 at 3:14 AM

    Gandhi Brothers Lottery Group was founded by Mr Manmeet Singh when he was 12 years old and today, it has been developed as a very reputed the well-established business firm of providing secure Lottery of Punjab State Lottery since the last 36 years. It has two Lottery system. Bumper Prizes weekly Prizes. The biggest jackpot hit from the Punjab State Lottery is New Year Bumper 2012 on 19-01-12 amounting Rs.2.00 crore Monthly Lottery Bumper 2012 held on 23-07-12 amounting Rs. 51 Lakhs distributed over prize money. Gandhi Brother’s lottery is Authorized and legal, assuring each player of a fair playing lottery.
    Monthly lottery

    ReplyDelete
  29. priya singhNovember 21, 2021 at 1:22 AM

    It was a great blog with so much information of the beautiful places to visit.
    Pest control provider in Nagpur

    ReplyDelete
  30. ritu singhNovember 23, 2021 at 9:56 PM

    This is very useful software for you and me. No errors were found during the check.
    You can use it. I hope you like it.
    Marketing and Advertising Graphics

    ReplyDelete
  31. manmeet singhDecember 24, 2021 at 9:29 AM

    Thank you for sharing such a useful post. Very Interesting Post! I regularly follow this kind of Blog.
    Website Punjab state dear lohri makar sankranti bumper lottery

    ReplyDelete
  32. deepaks42December 28, 2021 at 9:30 PM

    Thank you for sharing so insightful article. Rozana.in has a far-reaching presence across various cities in India.
    Visit for more info groceries stores

    ReplyDelete
  33. jamesc32December 30, 2021 at 1:49 AM

    Hello there, You have done a great job. As we all know how much Bill of Sale being used. This document is usually used for sale and purchase between two parties like Buyer & seller.
    Visit here IL Bill of sale

    ReplyDelete
  34. Web Development IndiaJanuary 28, 2022 at 1:43 AM

    Nice post
    Web development company
    Website Development company in india

    ReplyDelete
  35. MuzhumathiJanuary 31, 2022 at 3:50 AM


    Nice blog, it is very impressive.

    Swift Developer Training in chennai
    Swift Online Training
    Swift Developer Course in Bangalore

    ReplyDelete
  36. Pavithra DeviFebruary 4, 2022 at 9:39 PM

    This post is so interactive and informative.keep update more information...
    Software testing Training in Velachery
    Software testing training in chennai

    ReplyDelete
  37. Ana CyberFebruary 11, 2022 at 12:36 PM

    Impressive content sharing, reading your blog gives me a clear understanding of cyber security. Thanks for sharing valuable information. network security companies in india

    ReplyDelete
  38. alamFebruary 22, 2022 at 5:57 AM

    This is very educational content and written well for a change. It's nice to see that some people still understand how to write a quality post! B2B Cyber Security

    ReplyDelete
  39. brokerwhitelabelsolutionApril 8, 2022 at 9:08 AM

    These tips may help me in the future about Mobile Manager App For Forex Brokers .

    ReplyDelete
  40. AnonymousApril 15, 2022 at 1:35 PM

    I am impressed with your work and skills visit also App development companies UAE .

    ReplyDelete
  41. zeusifyApril 20, 2022 at 4:56 PM

    Thanks for sharing this valuable information about Domain Registration Usa. I have gone through your post and got meaningful information.

    ReplyDelete
  42. GB Network Solutions Sdn BhdApril 21, 2022 at 3:26 PM

    Thank you for sharing good knowledge and information about dedicated server malaysia. It's very helpful and understanding. as we have been looking for this information for a long time.

    ReplyDelete
  43. tripmegamartApril 21, 2022 at 3:31 PM

    I am very thankful to you that you have shared this information with us. I got some different kinds of knowledge from your web page, and it is really helpful for everyone. Thanks for sharing it. Read more info about travel portal development cost online

    ReplyDelete
  44. Trusted Business SolutionsApril 22, 2022 at 4:26 AM

    It is truly a practical blog to discover some various resource to include my knowledge. Telstra Business Phone system

    ReplyDelete
  45. enligne-argentApril 28, 2022 at 9:05 PM

    I always like to read a quality content having accurate information regarding the subject.

    gagner de l'argent sur internet

    ReplyDelete
  46. Rosy SMay 6, 2022 at 5:18 AM

    Perfect post with amazing information and thanks for sharing!!
    Swift Developer Course in Mumbai
    Swift Developer Course in Pune
    Swift Developer Course in Gurgaon

    ReplyDelete
  47. Syskode TechnologiesMay 7, 2022 at 2:18 PM

    Wow, your post is really very useful thanks for sharing about Maintenance Management Software Bahrain. It's really informative. keep sharing more with us.

    ReplyDelete
  48. hostmonstaMay 7, 2022 at 4:50 PM

    Writing a post is really important for the growth of your websites. Thanks for sharing amazing tips about Buy Hosting with Perfect Money. Following these steps will transform the standard of your post for sure.

    ReplyDelete
  49. AnonymousMay 17, 2022 at 2:57 PM

    Thanks for a very interesting blog. What else may I get that kind of info written in such a perfect approach about Bluehost Shared Hosting Online Review ? I’ve got an undertaking that I am simply now operating on, and I have been on the lookout for such info.

    ReplyDelete
  50. HostylusMay 18, 2022 at 8:48 AM

    This post is Awesome. It’s helped me a lot. Please keep up your good work. We are always with you and Waiting for your new interesting articles. Visit also Cloud Vps Hosting Services Provider

    ReplyDelete
  51. LR MediaMay 21, 2022 at 8:52 AM

    This post is Awesome. It’s helped me a lot. Please keep up your good work. We are always with you and Waiting for your new interesting articles. Visit also Dansk marketing bureau

    ReplyDelete
  52. Let Buy BestMay 31, 2022 at 12:55 PM

    This is very informative and interesting for me. thank you for such a wonderful post and for sharing. God bless you. we also provide service. Cost Effective Monitors for Programming for more info visit our website.

    ReplyDelete
  53. Software Recommendation platformJuly 28, 2022 at 10:26 PM

    This comment has been removed by the author.

    ReplyDelete
  54. render4youAugust 23, 2022 at 10:14 AM

    This is a very interesting post. Your information related faster 3d GPU rendering service in North America is very important to me. Thanks for sharing.

    ReplyDelete
  55. TeachIT ProAugust 27, 2022 at 12:19 AM

    I learned some very valuable information from this article. After reading it, I believe you have a solid knowledge base. education resources for teachers Thank you for letting me know. Continue your amazing work.

    ReplyDelete
  56. Eagle Wing DigitalAugust 31, 2022 at 4:31 AM

    Amazing post, thanks for sharing such an informative article. The information provided in the article is among the most beneficial. website development firm tampa We appreciate you sharing it with us.

    ReplyDelete
  57. Immerse Languages InstituteSeptember 1, 2022 at 4:32 AM

    I read the above article and got some knowledge from your article which is about for us. It's actually great and useful data for us. Cantonese Lessons Hong Kong Thanks for sharing it.

    ReplyDelete
  58. CETA TranslationsSeptember 13, 2022 at 3:09 PM

    This comment has been removed by the author.

    ReplyDelete
  59. BoomikaSeptember 29, 2022 at 5:48 AM

    Very interesting, you have done a good job and thanks for sharing such a good blog. customized erp software in chennai

    ReplyDelete
  60. Safia JilaniNovember 1, 2022 at 9:14 PM

    Nice

    ReplyDelete
  61. Ronnie BillumNovember 3, 2022 at 2:53 AM

    I really enjoyed reading your blog post about software architecture and web development. I found it interesting that you mentioned an attacker needs to identify a server's HTTP headers in order to find security holes. I'm glad you shared this information with the community. Learn ASP.NET

    ReplyDelete
  62. repaircreditNovember 5, 2022 at 7:41 AM

    This post is Awesome. It’s helped me a lot. Please keep up your good work. We are always with you and Waiting for your new interesting articles. Visit also Credit Repair Consultant

    ReplyDelete
  63. Fortune RoboticsNovember 5, 2022 at 9:05 AM

    I like this post. I was searching about Humanoid Robots For Rental over search engines and found your post and it really helps thank you very much.

    ReplyDelete
  64. AnonymousNovember 10, 2022 at 4:15 AM

    This content is fantastic because it provides some excellent information that will prove quite helpful to me in the future. Thanks for sharing this Shopify developer. Please continue to uphold.

    ReplyDelete
  65. Environmental Data Management Key SolutionsDecember 20, 2022 at 7:24 AM

    I am looking at some of your posts on this website and I think this website is really instructive! Keep it up. Visit also Npdes Permit Analysis Service USA thank you

    ReplyDelete
  66. elvishs13December 26, 2022 at 9:27 AM

    This is great content for your readers. Thanks for sharing.
    GaleĆ³n Delrin Pratten Irish Flute 3 piece Tunable

    ReplyDelete
  67. ZiyaFebruary 21, 2023 at 8:22 PM

    I am glad to read this post, it's a good one. Best erp software in chennai

    ReplyDelete
  68. Cloud Security Solutions Pty LtdMarch 23, 2023 at 4:04 AM

    You have shared a great article Australia Cyber Security Centre because it provides a wealth of information that is exceptionally useful to me. Thank you for sharing that. Please continue to write.

    ReplyDelete
  69. Cloud Security SolutionsApril 3, 2023 at 4:19 AM

    Throughout this post learn hacking and cyber security, it provides me with some excellent information. The material you presented during this write-up was very useful. Keep posting.

    ReplyDelete
  70. AnonymousMay 26, 2023 at 10:52 PM

    Awesome post.
    Frontend development course in Pune

    ReplyDelete
  71. Curi HospitalJune 13, 2023 at 11:21 PM

    If you're searching for the best urologist in Chennai, look no further than Curi Hospital. Our team of highly skilled and experienced urologist doctors in Chennai provides comprehensive care for a range of urological conditions. As the best urologist hospital in Chennai, we are committed to providing the latest and most effective prostate cancer treatments, with the support of our top-notch oncologist.

    ReplyDelete
  72. JamesSeptember 4, 2023 at 7:35 AM

    Clan Muir tartan Pattern skillfully blend history and art, giving a classic elegance to many types of creations.

    ReplyDelete
  73. sowmiya sowmiyaOctober 13, 2024 at 7:51 AM

    It's clear you've put a lot of effort into ensuring readers can take away valuable insights.
    Amazon Store in Dubai

    ReplyDelete

Post a Comment

Popular posts from this blog

Building Simple API Gateways with Ocelot and ASP.net Core

Image
In the previous article , we've discovered what is an API gateway and the cool things that it brings. This article will demonstrate how to build a simple API gateway that routes incoming HTTP requests to the appropriate downstream services. Articles in the Series This article belongs to a series of articles that explains the importance of API gateways and how to build them using ASP.net Core. If you're interested to learn more about API gateways, it might be a good idea to spend some time reading the articles listed below. Part 1: API Gateway in a Nutshell. Part 2: Building Simple API Gateways with Ocelot. Part 3: API Response Aggregation using Ocelot Part 4: API Defense using Rate Limiting a...
Read more

API Gateway: Response Aggregation with Ocelot and ASP.net Core

Image
In the previous article , we've learned how to setup an API gateway using ASP.net Core and Ocelot. This article supplements the previous article by introducing downstream response aggregation through the use of API gateways. You can download the application used in this article by cloning it from GITHUB . Articles in the Series This article belongs to a series of articles that explains the importance of API gateways and how to build them using ASP.net Core. If you're interested to learn more about API gateways, it might be a good idea to spend some time reading the articles listed below. Part 1: API Gateway in a Nutshell. Part 2: Building Simple API Gateways with Ocelot. Part 3: API Response Aggregation using Ocelot P...
Read more

API Gateway in a Nutshell

Image
In this article, we will explore what are API gateways, the use-cases that you wanna solve with it and the benefits that you rip out of using them. This will be an introductory post to a series of articles that will showcase API gateway development using ASP.net Core, NodeJS and Docker. Articles in the Series This article belongs to a series of articles that explains the importance of API gateways and how to build them using ASP.net Core. If you're interested to learn more about API gateways, it might be a good idea to spend some time reading the articles listed below. Part 1: API Gateway in a Nutshell. Part 2: Building Simple API Gateways with Ocelot. Part 3: API Response Aggregation using Ocelot Part 4: API Def...
Read more