Version Disclosure (ASP.NET)
Severity: Low
Summary #
Invicti identified a version disclosure (ASP.NET) in the target web server's HTTP response.
This information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of ASP.NET.
Impact #
An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.
Remediation #
Apply the following changes to your
web.config file to prevent information leakage by using custom error pages and removing X-AspNet-Version from HTTP responses. <System.Web>
<httpRuntime enableVersionHeader="false" />
<customErrors mode="On" defaultRedirect="~/error/GeneralError.aspx">
<error statusCode="403" redirect="~/error/Forbidden.aspx" />
<error statusCode="404" redirect="~/error/PageNotFound.aspx" />
<error statusCode="500" redirect="~/error/InternalError.aspx" />
</customErrors>
</System.Web>
Classifications #
CAPEC-170; CWE-205; HIPAA-164.306(a), 164.308(a); ISO27001-A.18.1.3; WASC-13; OWASP 2013-A5; OWASP 2017-A6
Netsparker Security Insights #
- What is server-side request forgery (SSRF) and how can you prevent it?
- What the OWASP Top 10 2021 categories mean for OWASP compliance
- The new OWASP Top 10 is not what you think
- Invicti Supports the OWASP Lightning Event “How to Turn your Cybersecurity Hobby into a Career – An Introduction to Bug Bounties”
- Predicting the Most Common Security Vulnerabilities for Web Applications in 2021
Helpful Use Cases #
Vulnerability Index
You can search and find all vulnerabilities
Select Category
OR
Search Vulnerability
