My application is showing the Version information using headers
Sep 09, 2020 11:09 AM|JessSimms1|LINK
I have a standard C# MVC project. It is live and we have an open bug bounty program. A user has mentioned we are showing a version information leak using headers, as in they can see:
X-AspNet-Version: 4.0.30319
They have said:
"The version of aspnet is leaked. Which will help attacker to find vulnerable CVEs and exploit the vulnerability"
I should be aiming to not show this. I have my site hosted with an external company, so my question is: how do I not show this to external users? Anyone know? Thanks in advance :)
Re: My application is showing the Version information using headers
Sep 10, 2020 07:46 AM|Sean Fang|LINK
Hi JessSimms1,
Add this to web.config (in the root of your project) to get rid of the X-AspNet-Version header:
Besides, you might be bothered by other unexpected headers:
web.config
This header can also be modified to your needs; for more information refer to http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders
Hope this can help you.
Best regards,
Sean
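An added example, not the answer's original snippet: a web.config fragment of the kind the answer describes. The `enableVersionHeader` attribute on `httpRuntime` controls the X-AspNet-Version header, and the `customHeaders` section the answer links to can remove X-Powered-By, which is assumed here to be one of the "other unexpected headers".

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: merge these elements into the application's existing web.config
     (in the project root); do not duplicate sections that already exist. -->
<configuration>
  <system.web>
    <!-- enableVersionHeader="false" stops ASP.NET from emitting X-AspNet-Version.
         If an <httpRuntime> element is already present, add the attribute to it. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Assumption: X-Powered-By is one of the other headers being returned. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

After deploying, request any page and check the response headers to confirm X-AspNet-Version is no longer returned.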
Re: My application is showing the Version information using headers
Sep 20, 2020 08:07 PM|JessSimms1|LINK
Will close this, I think, as our site is externally hosted and we aren't able to configure the web servers to solve this anyway. Many thanks.