Version Disclosure (ASP.NET)
Description
This web application exposes ASP.NET framework version information through the X-AspNet-Version HTTP response header or within the response body. This header is primarily used by development tools like Visual Studio and serves no functional purpose in production environments. Disclosing version information provides attackers with valuable reconnaissance data that can be used to identify known vulnerabilities specific to that ASP.NET version.
Remediation
Disable ASP.NET version disclosure by modifying the web.config file to suppress the version header. Add or update the httpRuntime element within the system.web section as follows:
<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>

After applying this change, restart the application pool in IIS to ensure the configuration takes effect. Verify the fix by inspecting HTTP response headers using browser developer tools or a proxy tool to confirm the X-AspNet-Version header is no longer present. Additionally, review response bodies to ensure no version information is inadvertently included in error messages or comments.
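A check for the verification step above, as an added example that is not part of the original advisory: it scans one response's headers and body for ASP.NET version strings, and also scans error responses, where the body disclosure usually appears. The function names, the constructed sample responses and the body pattern (modelled on the footer of ASP.NET's default error page) are assumptions made for this example.

```python
import re
import urllib.error
import urllib.request

# Assumed pattern: the "Version Information" footer of ASP.NET's default error page.
BODY_PATTERN = re.compile(
    r"ASP\.NET Version:\s*([\d.]+)|\.NET Framework Version:\s*([\d.]+)", re.I)


def find_version_disclosure(headers, body):
    """Return (location, value) findings for one HTTP response."""
    findings = []
    for name, value in headers:
        # Header names are case-insensitive, so compare in lower case.
        if name.lower() == "x-aspnet-version":
            findings.append(("header", value.strip()))
    for match in BODY_PATTERN.finditer(body):
        findings.append(("body", match.group(1) or match.group(2)))
    return findings


def check_url(url, timeout=10):
    """Fetch url and scan the response; 4xx/5xx responses are scanned too."""
    try:
        resp = urllib.request.urlopen(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # an error response still carries headers and a body
    with resp:
        body = resp.read(1_000_000).decode("utf-8", "replace")
        return find_version_disclosure(resp.headers.items(), body)


# Constructed sample responses (not captured from a real server).
BEFORE = ([("Server", "Microsoft-IIS/10.0"), ("X-AspNet-Version", "4.0.30319")],
          "<html><body>ok</body></html>")
ERROR_PAGE = ([("Content-Type", "text/html")],
              "<b>Version Information:</b>&nbsp;Microsoft .NET Framework "
              "Version:4.0.30319; ASP.NET Version:4.8.4494.0")
AFTER = ([("Server", "Microsoft-IIS/10.0")], "<html><body>ok</body></html>")

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("error page", ERROR_PAGE),
                          ("after", AFTER)):
        print(label, find_version_disclosure(*sample) or "no disclosure found")
```

Run check_url against a normal page and against a URL that triggers an error page on your own application; an empty list from both means neither the header nor the body footer is being returned.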