https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #3 from Rob Winch <rwi...@gmail.com> ---

Thank you for the responses.

> It is also worth noting that because many system admins fake the server
> header, most attackers try scanning for all known vulnerabilities anyway.

Some hackers may target specific applications. If that is the approach they are taking, they are likely to try all exploits against the victim. As already mentioned, exposing information will likely help them prioritize the exploits to find something more quickly, which will increase the likelihood that they go undetected.

Hackers don't always target a specific victim. Another method of attack is to have a known set of vulnerabilities and actively search for victims. Exposing any unnecessary information makes it easier for the attacker to find victims in an automated way.

> In short, hiding the server header is a waste of time (even for instances
> running insecure versions) that would be better spent upgrading insecure
> instances to secure versions.

This isn't always possible. For example, there may be a 0-day exploit that has no patched version or was just released & users have not had the opportunity to update. Hackers are going to easily be able to find victims if the Server header is exposed.

> Indeed, this provides absolutely no value :)

> In short, hiding the server header is a waste of time (even for instances
> running insecure versions) that would be better spent upgrading insecure
> instances to secure versions.

These seem like pretty bold claims. I'd be very interested in seeing some citations. I can provide countless credible citations that recommend removing the Server header. I have provided a few additional examples below.

= OWASP

I provided this citation on the original report. However, since OWASP is such an important part of web application security, I felt like this should be emphasized.

OWASP states that "Information Leakage" is a class of vulnerability [1]. It is described as:

  Revealing system data or debugging information helps an adversary learn
  about the system and form a plan of attack. An information leak occurs
  when system data or debugging information leaves the program through an
  output stream or logging function.

From my perspective, the Server header is revealing unnecessary information. This means it fits the OWASP description of "Information Leakage" and should be removed.

= Troy Hunt (Microsoft MVP for Developer Security, etc)

I found an excellent article by Troy Hunt (Microsoft MVP for Developer Security, etc) on why you should remove unnecessary HTTP headers from the response [2]. Some highlights of the article include:

* Why removing headers is not "security through obscurity"
* A concrete example of how exposing headers can help find victims of 0-day exploits
* Additional citations on why headers that leak information should be removed

= RFC-2616 "15.1.2 Transfer of Sensitive Information"

The IETF recommends that server implementations SHOULD make the Server header a configurable option [3].

  Revealing the specific software version of the server might allow the
  server machine to become more vulnerable to attacks against software
  that is known to contain security holes. Implementors SHOULD make the
  Server header field a configurable option.

[1] https://www.owasp.org/index.php/Information_Leakage
[2] http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html
[3] http://www.rfc-base.org/txt/rfc-2616.txt

Regards,
Rob Winch
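The discussion above is about whether the Server header discloses product and version information an attacker can use to prioritize or automate scanning. The following is an added example, not code from the bug report or from Tomcat: a small defender-side audit script that parses raw HTTP responses and reports whether the Server or X-Powered-By headers reveal a product name or a version string. An operator can run it against captured responses from their own servers to confirm that a header-suppression setting actually took effect. The sample responses are constructed for the example; the header names checked, the version regex and the finding labels are the example's own assumptions.

```python
"""Audit HTTP response headers for server-software disclosure.

Added example (not from the bug report or the Tomcat project): parses raw
HTTP/1.1 responses and reports headers that reveal the server product
and/or its version, so an operator can verify their own configuration.
"""
import re

# Headers that commonly carry product/version strings (assumed list).
DISCLOSING_HEADERS = ("Server", "X-Powered-By")

# A dotted number such as "1.1" or "8.5.4" is treated as a version string.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_line, headers).

    Headers are keyed by lower-cased name and hold a list of values so
    that repeated headers are not silently collapsed.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0]
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def audit_headers(headers):
    """Return (header, value, finding) tuples for disclosing headers."""
    findings = []
    for name in DISCLOSING_HEADERS:
        for value in headers.get(name.lower(), []):
            if not value:
                continue  # an empty value discloses nothing
            if VERSION_RE.search(value):
                findings.append((name, value, "product and version disclosed"))
            else:
                findings.append((name, value, "product disclosed"))
    return findings


def audit_response(raw: bytes):
    """Convenience wrapper: parse a raw response and audit its headers."""
    _status, headers = parse_response(raw)
    return audit_headers(headers)


# Constructed sample responses (not captured from any real server).
LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"X-Powered-By: Servlet/3.1 JSP/2.3\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

PRODUCT_ONLY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE),
                       ("product-only", PRODUCT_ONLY_RESPONSE),
                       ("hardened", HARDENED_RESPONSE)):
        findings = audit_response(raw)
        print(f"{label}: {len(findings)} finding(s)")
        for header, value, what in findings:
            print(f"  {header}: {value!r} -> {what}")
```

The script distinguishes a bare product name from a product plus version because the two give an attacker different amounts of information: the version string is what lets a scanner match a response directly against a list of known-vulnerable releases, while the product name alone still narrows the set of exploits worth trying.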