My application is showing the Version information using headers[Answered] RSS

• • Reply
  JessSimms1

  None

  0 Points

  2 Posts

  My application is showing the Version information using headers

  Sep 09, 2020 11:09 AM|JessSimms1|LINK

  I have a standard C# MVC project it is live and we have an open bug bounty program, a user has mentioned we are showing a Version information leak using headers, as in they can see:

  X-AspNet-Version: 4.0.30319

  They have said:

  "The version of aspnet is leaked. Which will help attacker to find vulnerable CVEs and exploit the vulnerability"

  I should be aiming to not show this, I have my site hosted with an external company so my question is how do I not show this to external users? Any know thanks in advance :)

• • Reply
  Sean Fang

  Participant

  1950 Points

  572 Posts

  Re: My application is showing the Version information using headers

  Sep 10, 2020 07:46 AM|Sean Fang|LINK

  Hi JessSimms1, 

    

  Add this to web.config (In the root of your project) to get rid of the X-AspNet-Version header: 

  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>

    

  Besides, you might be bothered by other unexpected headers:

  • X-Powered-By: is a custom header in IIS. Since IIS 7, you can remove it by adding the following to your web.config

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="X-Powered-By" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

    This header can also be modified to your needs, for more information refer to http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders

    

  Hope this can help you.

  Best regards,

  Sean

• • Reply
  JessSimms1

  None

  0 Points

  2 Posts

  Re: My application is showing the Version information using headers

  Sep 20, 2020 08:07 PM|JessSimms1|LINK

  Will close this I think as our site is externally hosted and we aren't able to configure the webservers to solve this anyway, many thanks