Vulnerability Fixation
Error Page Disclosure

What is Error Page Disclosure?
Web applications display an error page to let users know that something went wrong. An improperly configured error page can unintentionally expose sensitive information such as file paths, stack traces and server version details.

Manual Ways

  1. Request an incorrect URL (for example, one that does not exist) or submit invalid form data (for example, a form with required fields missing). The server returns an error page; check it for server version information.
  2. Check the HTML source of the error page for server version information.
  3. Check the server's response headers and the page headers and footers for version information.
Using a Proxy -

Use a proxy tool such as Burp Suite to intercept and inspect HTTP requests and responses. Analyze the intercepted error page for server version information in the response headers or body.

Scanning Tools -

Use a tool such as OWASP ZAP to scan the web application for vulnerabilities, including server version disclosure.

Error Page Analysis -

Some error pages use the web server software's default templates, which can themselves disclose web server information.
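The checks described above (response headers, page body, default-template signatures, stack traces and file paths) can be applied to a captured error response programmatically. The following is an added example, not code from the original article; it runs over constructed sample responses embedded inline (no real host is contacted), and the header names and regular expressions are this example's own choices, not a complete list.

```python
import re

# Constructed sample: a 404 from an Apache server with ServerSignature On and
# ServerTokens Full (not captured from any real host).
LEAKY_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=iso-8859-1",
}
LEAKY_BODY = """<html><head><title>404 Not Found</title></head>
<body><h1>Not Found</h1>
<p>The requested URL /does-not-exist was not found on this server.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at example.test Port 80</address>
</body></html>"""

# Constructed sample: a 500 page from a Java container showing a stack trace.
JAVA_500_BODY = """<html><body><h1>HTTP Status 500 - Internal Server Error</h1>
<p><b>Exception</b> java.lang.NullPointerException
    at org.example.app.OrderServlet.doGet(OrderServlet.java:42)
</p><hr class="line"><h3>Apache Tomcat/9.0.41</h3></body></html>"""

# Constructed sample: the same 404 after ServerTokens Prod, ServerSignature Off
# and a custom error page.
HARDENED_HEADERS = {"Server": "Apache", "Content-Type": "text/html"}
HARDENED_BODY = "<html><body><h1>Page not found</h1></body></html>"

# Response headers whose values commonly carry product/version strings.
VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")

# Body patterns: product/version tokens, Apache's signature line, Java/Python/.NET
# stack-trace fragments, and absolute file paths.
PRODUCT_VERSION = re.compile(
    r"\b(Apache|nginx|Microsoft-IIS|Apache Tomcat|PHP|ASP\.NET|OpenSSL)/[0-9][0-9A-Za-z.\-_]*")
SIGNATURE_LINE = re.compile(r"<address>.*?Server at .*?</address>", re.I | re.S)
STACK_TRACE = re.compile(
    r"(\bat [\w$.]+\([\w$.]+\.java:\d+\)|Traceback \(most recent call last\)|System\.\w+Exception)")
FILE_PATH = re.compile(r"([A-Za-z]:\\[^\s<>\"']+|/(?:var|etc|home|usr|opt)/[^\s<>\"']+)")


def find_version_disclosures(headers, body):
    """Return a list of (location, evidence) findings for one error response.

    headers: dict of response headers (matched case-insensitively, as HTTP requires)
    body:    the response body as text
    """
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in VERSION_HEADERS:
        value = lowered.get(name.lower())
        if value is None:
            continue
        # A bare product name ("Apache") is what ServerTokens Prod yields and is
        # acceptable; any digit in these headers means a version is being sent.
        if re.search(r"\d", value):
            findings.append((f"header:{name}", value))
    for label, pattern in (("body:version", PRODUCT_VERSION),
                           ("body:signature", SIGNATURE_LINE),
                           ("body:stack-trace", STACK_TRACE),
                           ("body:file-path", FILE_PATH)):
        match = pattern.search(body)
        if match:
            findings.append((label, match.group(0).strip()))
    return findings


if __name__ == "__main__":
    for title, hdrs, body in (("leaky 404", LEAKY_HEADERS, LEAKY_BODY),
                              ("java 500", {}, JAVA_500_BODY),
                              ("hardened 404", HARDENED_HEADERS, HARDENED_BODY)):
        print(title)
        for location, evidence in find_version_disclosures(hdrs, body):
            print(f"  {location}: {evidence}")
```

Feed the function the headers and body of a real captured response (for example one saved from a proxy) to get the same per-location findings; an empty list for the hardened sample shows the baseline the prevention steps below aim for.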

How to prevent Apache server from disclosing web server information?

  1. In the Apache configuration file, ‘httpd.conf’, ensure the following directives are present:
    ServerSignature Off – disables the server signature line appended to server-generated pages.
    ServerTokens Prod – limits the Server response header to the product name only.
  2. Create custom error pages for common HTTP error codes and remove any references to the server version or operating system.
  3. Configure firewall rules to restrict access to sensitive server information.

How to prevent IIS server from disclosing web server information?

1. Modifying Response Headers
  • Open IIS Manager.
  • Select the required website from the connections panel on left.
  • Double click on ‘HTTP Response Headers’ feature.
  • Click on ‘Add…’ in the Actions pane.
  • Enter ‘Server’ as the name and leave the value blank.
  • Click OK to add the header.
  • Optionally, remove any other unnecessary headers that could reveal server information.
2. Modifying the configuration file
  • Open your application’s ‘web.config’ file in a text editor.
  • Proceed to the <system.webServer> section within this file. If this section is absent, create it.
  • Add or modify the <httpErrors> element within this section using the following code:
<configuration>
  <system.webServer>
    <!-- errorMode="DetailedLocalOnly" makes IIS return its detailed error pages only
         for requests from the local machine; remote clients receive the custom
         error page instead. -->
    <httpErrors errorMode="DetailedLocalOnly" />
    <!-- ASP.NET application errors are governed separately by the <customErrors>
         element under <system.web>; mode="RemoteOnly" there gives the same
         local-only behaviour. -->
  </system.webServer>
</configuration>
  • Save the ‘web.config’ file.
  • Remote users will then not be able to access the detailed error pages.
  • So unauthorized users will not have access to this privileged information.

How to prevent Tomcat server from disclosing web server information?

1. Modifying Response Headers
  • In your Tomcat installation, open the ‘web.xml’ file in the ‘conf’ directory.
  • Locate the <filter> element for the ‘ResponseHeader’ filter. If it is absent, create it under the file’s root element.
  • Configure the ‘ResponseHeader’ filter to remove server headers.
<!-- Note: org.apache.catalina.filters.SetAllHeadersFilter is not one of the filters
     shipped with Tomcat, so this mapping only takes effect if a filter class of that
     name is supplied on the classpath. The supported way to control the Server header
     is the server attribute of the HTTP <Connector> in server.xml (step 2 below). -->
<filter>
  <filter-name>RemoveServerHeaderFilter</filter-name>
  <filter-class>org.apache.catalina.filters.SetAllHeadersFilter</filter-class>
  <init-param>
    <param-name>setServer</param-name>
    <param-value>false</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>RemoveServerHeaderFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
2. Modify Server Configuration
  • In your Tomcat installation, open the ‘server.xml’ file in the ‘conf’ directory.
  • Proceed to the <Connector> element which defines the port on which the Tomcat server listens (8080 for HTTP and 8443 for HTTPS).
  • Add the server="", serverInfo="" and xpoweredBy="false" attributes to this element.
<!-- server="" overrides the Server header Tomcat would otherwise send and
     xpoweredBy="false" suppresses the X-Powered-By header. serverInfo is not a
     documented attribute of the HTTP Connector, so Tomcat ignores it (typically
     logging a warning about an unmatched property) rather than applying it. -->
<Connector port="8080" protocol="HTTP/1.1"
  connectionTimeout="20000"
  redirectPort="8443"
  server=""
  serverInfo=""
  xpoweredBy="false" />
3. Disable server information in error page
  • In your Tomcat installation, open the ‘web.xml’ file in the ‘conf’ directory.
  • Locate the <error-page> elements, adding them if they are absent.
  • Configure custom error pages and ensure that they do not reveal server information.
<error-page>
  <error-code>500</error-code>
  <location>/errors/500.html</location>
</error-page>

<error-page>
  <error-code>404</error-code>
  <location>/errors/404.html</location>
</error-page>
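The Apache and Tomcat steps above boil down to a handful of settings that are easy to leave out on one host among many. As an added example (not code from the original article), the script below audits an httpd.conf text for the two Apache directives and a Tomcat server.xml text for the HTTP Connector attributes from step 2. The configuration fragments are constructed samples embedded inline; the check names and messages are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed httpd.conf fragments (not taken from any real host).
WEAK_HTTPD_CONF = """
ServerTokens Full
ServerSignature On          # appends the version line to server-generated pages
ErrorDocument 404 /errors/404.html
"""

HARDENED_HTTPD_CONF = """
ServerTokens Prod
ServerSignature Off
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
"""

# Directives this page requires, with the expected values.
EXPECTED_DIRECTIVES = {"ServerSignature": "Off", "ServerTokens": "Prod"}


def audit_httpd_conf(conf_text):
    """Return a list of problems found in an Apache httpd.conf text.

    Directive names are case-insensitive in Apache, so matching is done on the
    lower-cased name; a later occurrence of a directive overrides an earlier one.
    """
    directives = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].lower()] = parts[1].strip()
    problems = []
    for name, want in EXPECTED_DIRECTIVES.items():
        have = directives.get(name.lower())
        if have is None:
            problems.append(f"{name} not set; add '{name} {want}'")
        elif have.lower() != want.lower():
            problems.append(f"{name} is {have!r}; expected {want!r}")
    return problems


# Constructed server.xml fragments (not taken from any real host).
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443" xpoweredBy="true" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443" server="" xpoweredBy="false" />
  </Service>
</Server>"""


def audit_tomcat_connectors(server_xml_text):
    """Return problems for each HTTP <Connector> in a Tomcat server.xml text.

    Mirrors step 2 above: each HTTP connector should carry server="" and
    xpoweredBy="false". AJP connectors carry no HTTP response headers of their
    own and are skipped. xpoweredBy defaults to false when absent.
    """
    problems = []
    root = ET.fromstring(server_xml_text)
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if "AJP" in conn.get("protocol", "").upper():
            continue
        if "server" not in conn.attrib:
            problems.append(f'Connector {port}: no server attribute; add server=""')
        if conn.get("xpoweredBy", "false").lower() != "false":
            problems.append(f"Connector {port}: xpoweredBy is enabled; set it to false")
    return problems


if __name__ == "__main__":
    for label, found in (("weak httpd.conf", audit_httpd_conf(WEAK_HTTPD_CONF)),
                         ("hardened httpd.conf", audit_httpd_conf(HARDENED_HTTPD_CONF)),
                         ("weak server.xml", audit_tomcat_connectors(WEAK_SERVER_XML)),
                         ("hardened server.xml", audit_tomcat_connectors(HARDENED_SERVER_XML))):
        print(label, "->", found or "ok")
```

Point the two functions at the real files (for example `open("/etc/httpd/conf/httpd.conf").read()`) to get the same problem list per host; the parser deliberately ignores Apache `<Directory>`-style blocks and `Include` lines, so settings living in included files must be audited separately.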
