Security: HTTP headers that expose web application / server vulnerabilities

Today's blog post covers how ASP.NET response HTTP headers can reveal the server and framework behind your web application, information an attacker uses to choose exploits. The post also walks through removing these headers with C# and ASP.NET MVC to reduce that exposure.

Problem

When an attacker goes after a web server, the first task is to profile the target. To profile a web application or server, an attacker typically:

  • Identifies the address of the web application
  • Identifies the OS the web application runs on
  • Identifies the web server software (IIS, Apache, etc.) hosting the application
  • Identifies the frameworks (ASP.NET MVC, PHP, JSF) the application uses

With this information in hand, the attacker turns to penetration-testing tools (Metasploit and Websploit on Kali, for instance) and picks attacks known to work against that exact stack and version. Version headers are what make this cheap: they let the attacker skip guessing and go straight to exploits that affect the advertised version. The aim is to disrupt the target, which can mean:

  • Defacing the application
  • Performing denial-of-service attacks
  • Taking the web server itself offline
  • Holding the database server for ransom

ASP.NET MVC Solution (GitHub)

One way to slow an attacker down is to stop advertising IIS and ASP.NET in your response headers. Stripping them fixes no vulnerability by itself; it only takes away the free version information that scanners use to select exploits, so treat it as defence in depth on top of patching. The headers to remove from your application's responses are:

  • Server
  • X-AspNetMvc-Version
  • X-AspNet-Version
  • X-Powered-By

These headers can be removed by configuring each IIS server by hand. That works, but it is fragile, because the setting lives on the machine rather than with the application. When a web farm scales out (new nodes added behind a load balancer), any node that was not configured starts leaking the headers again. People provisioning new nodes forget this step, and newcomers often do not know the headers exist. A fix that ships with the application itself is far more robust.

To keep attackers from reading server identity headers, we can implement a class that strips them from every response the ASP.NET application emits. The class below does this:

Clone it from GitHub

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;

namespace ServerIdentityHttpHeaderStripping
{
    /// <summary>
    /// Strips response headers that identify the server platform
    /// (IIS, the ASP.NET runtime and the MVC version).
    /// Requires the IIS Integrated Pipeline (IIS 7 or later):
    /// HttpResponse.Headers is not writable in Classic mode.
    /// </summary>
    public class ServerIdentityStripper
    {
        #region Public Methods
        /// <summary>
        /// Removes the server identity headers from the response
        /// that belongs to the given HTTP context.
        /// </summary>
        /// <param name="context">
        ///     Http context associated with the response
        ///     that will be stripped of server identity headers.
        /// </param>
        public void Execute(HttpContext context)
        {
            if (context == null) throw new ArgumentNullException("context");

            var serverHeaders = GetServerIdentityHeaders();
            StripServerHeaders(context.Response, serverHeaders);
        }
        #endregion

        #region Private Methods
        // HTTP header names are case-insensitive, so compare them that way.
        private bool CheckIfHttpHeaderExists(HttpResponse response, string header)
        {
            return response.Headers
                           .AllKeys
                           .Any(k => string.Equals(k, header, StringComparison.OrdinalIgnoreCase));
        }

        // X-Powered-By is deliberately absent from this list: IIS adds it after
        // the managed pipeline has finished, so it is removed in web.config instead.
        private List<string> GetServerIdentityHeaders()
        {
            return new List<string>
            {
                "Server",
                "X-AspNetMvc-Version",
                "X-AspNet-Version"
            };
        }

        private void StripServerHeaders(HttpResponse response, List<string> headers)
        {
            foreach (var header in headers)
            {
                if (CheckIfHttpHeaderExists(response, header))
                    response.Headers.Remove(header);
            }
        }
        #endregion
    }
}

You also have to wire the class up in Global.asax, in the Application_EndRequest event, so it runs once per request after the handler has produced the response but before the headers are sent. This only works under the IIS Integrated Pipeline (IIS 7 or later); in Classic mode HttpResponse.Headers throws a PlatformNotSupportedException.

        protected void Application_EndRequest()
        {
            // Strip the identity headers from every response the application produces.
            var stripper = new ServerIdentityStripper();

            stripper.Execute(HttpContext.Current);
        }

X-Powered-By

The class removes every header listed above except "X-Powered-By". That header is not emitted by ASP.NET at all; it is an IIS custom header (inherited from applicationHost.config) that IIS appends after the application has released the response object, so the managed code never gets a chance to remove it. To make sure it is gone from your server's responses, add the configuration below to your application's web.config file.

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
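A fuller web.config, added here as an example and not taken from the post or its repository, removes the same headers declaratively so that nothing depends on the stripper class running or on per-server IIS settings. `enableVersionHeader="false"` stops the runtime emitting X-AspNet-Version, the customHeaders entry removes the IIS-level X-Powered-By, and `removeServerHeader="true"` makes IIS 10 and later drop the Server header itself (older IIS versions do not recognise the attribute and reject the configuration, so keep the managed stripper there). The requestFiltering section must not be locked at the server level for the last setting to take effect.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Stop the ASP.NET runtime from emitting X-AspNet-Version. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- X-Powered-By is inherited from applicationHost.config; remove it here. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- IIS 10 and later only: IIS drops the Server header itself. -->
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
```

The remaining header, X-AspNetMvc-Version, is added by the MVC handler and can be switched off in code by setting `MvcHandler.DisableMvcResponseHeader = true;` (from System.Web.Mvc) in Application_Start, which is cheaper than stripping it afterwards.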

Result
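To check the result from the outside, and to see what the profiling steps at the start of the post actually find, here is an added Python script that is not part of the post or its repository. It parses a raw HTTP response the way a fingerprinting tool would, reports the four headers the post strips, and, as a caveat, flags secondary fingerprints that header stripping leaves behind (the ASP.NET_SessionId cookie name, .aspx redirect targets, __VIEWSTATE in the body). The two sample responses are constructed for illustration; every value in them is an assumption, not captured traffic.

```python
# Added example (not from the original post): an offline audit of what a single
# HTTP response reveals about the server platform.  Sample responses below are
# constructed; their header values, cookie and body content are assumptions.

IDENTITY_HEADERS = ("Server", "X-AspNet-Version", "X-AspNetMvc-Version", "X-Powered-By")
COOKIE_MARKERS = ("ASP.NET_SessionId", ".ASPXAUTH", "__RequestVerificationToken")
BODY_MARKERS = (b"__VIEWSTATE", b"__EVENTVALIDATION")
PATH_SUFFIXES = (".aspx", ".ashx", ".asmx", ".axd")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name, value), ...], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response has no end-of-headers marker")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name):
    """All values for a header; names compare case-insensitively, as HTTP requires."""
    wanted = name.lower()
    return [value for hdr, value in headers if hdr.lower() == wanted]


def audit(raw):
    """Return what an attacker can learn about the platform from one response."""
    status, headers, body = parse_response(raw)

    # The headers the post removes: direct server / framework / version leaks.
    identifying = {}
    for name in IDENTITY_HEADERS:
        values = header_values(headers, name)
        if values:
            identifying[name] = values[0]

    # Fingerprints that survive header stripping.
    secondary = []
    for cookie in header_values(headers, "Set-Cookie"):
        cookie_name = cookie.split("=", 1)[0].strip()
        if cookie_name in COOKIE_MARKERS:
            secondary.append("cookie " + cookie_name)
    for location in header_values(headers, "Location"):
        if location.split("?", 1)[0].lower().endswith(PATH_SUFFIXES):
            secondary.append("redirect to " + location)
    for marker in BODY_MARKERS:
        if marker in body:
            secondary.append("body contains " + marker.decode("ascii"))

    return {"status": status, "identifying_headers": identifying, "secondary": secondary}


def report(raw):
    """Human-readable summary, one line per finding."""
    result = audit(raw)
    lines = [result["status"]]
    for name, value in result["identifying_headers"].items():
        lines.append("LEAK  %s: %s" % (name, value))
    for finding in result["secondary"]:
        lines.append("HINT  %s" % finding)
    if len(lines) == 1:
        lines.append("no platform fingerprint found in headers or body")
    return "\n".join(lines)


# Constructed sample: an unhardened ASP.NET MVC application on IIS.
UNHARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: private\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Server: Microsoft-IIS/8.5\r\n"
    b"X-AspNetMvc-Version: 5.2\r\n"
    b"X-AspNet-Version: 4.0.30319\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Set-Cookie: ASP.NET_SessionId=k2lq3c4f; path=/; HttpOnly\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

# Constructed sample: the same application after the post's changes.  The four
# headers are gone, but the session cookie name still says "ASP.NET".
HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: private\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: ASP.NET_SessionId=k2lq3c4f; path=/; HttpOnly\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

if __name__ == "__main__":
    print(report(UNHARDENED))
    print("---")
    print(report(HARDENED))
```

Run it against a real server by feeding the bytes of a captured response (for example from a raw socket read or a proxy log) to `report`. A clean run on the hardened response still prints the cookie hint, which is the point of the caveat: once the headers are gone, rename or drop the remaining artefacts if hiding the platform matters to you.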
