WebApp Sec mailing list archives
Re: [WEB SECURITY] Tomcat Security
From: Cyrill Brunschwiler <cyrill.brunschwiler () csnc ch>
Date: Sat, 13 Aug 2005 17:42:39 +0200
Hi Nate,

I'm not sure whether it is possible to configure a different server banner by file. However, from the security point of view, vendor, product and version info should be hidden from clients. Of course, practically it is possible to guess what application server is in use because of its appearance and behaviour (e.g. JSESSIONID). Worms and bots may lack this detection due to the programmatic effort that must be done to detect it, and as long as there are enough weak sites you're fine.

However, it is at least possible to overwrite the server banner by application:

HttpServletResponse.setHeader("Server", "");

This allows one to create a filter servlet which simply removes the server from each response header. The built filter should then be configured for each servlet (this is done by WEB-INF/web.xml).

Application servers are also often placed behind an entry server or reverse proxy infrastructure. Most of these components allow hiding server banners.

Hope this helps
Cyrill

On Thursday 11 August 2005 17:44, Nathan Tobik wrote:
Are you changing the banner information in Tomcat as part of your security process? There was a discussion on this list a few months ago about the value of changing banners. From what I remember there is almost no security value added by changing a banner. I would work on making sure your application is secure and then it won't matter if an attacker knows you're running Java or not.

Nate Tobik
(412)661-5700 x206
VigilantMinds

<snip>... One of my unanswered questions is how to change the banner information in Tomcat. Any info would be greatly appreciated, Thks, Andy </snip>
--
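The filter Cyrill describes, written out as an added example (this is not code from the thread or from the Tomcat project). It assumes the Servlet 2.x API that Tomcat shipped with at the time (javax.servlet), and the class and filter names are made up for the illustration. The header is overwritten before the request is passed down the chain, so the empty value is already in place when the response is committed.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter that blanks the "Server" response header on every
 * response it sees. Name and package layout are assumptions for this example.
 */
public class ServerHeaderFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // Only HTTP responses carry headers; other protocols are passed through.
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Set the header before the servlet runs: once the response is
            // committed (buffer flushed), header changes are silently ignored.
            http.setHeader("Server", "");
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // nothing to release
    }
}

/* Matching WEB-INF/web.xml entries (assumed names), mapped to every URL so
 * that static resources and error pages are covered as well as servlets:
 *
 *   <filter>
 *     <filter-name>ServerHeaderFilter</filter-name>
 *     <filter-class>ServerHeaderFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>ServerHeaderFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
```

After deploying, confirm the effect from outside rather than trusting the code: a request with `curl -I http://host:8080/` should show either no `Server` line or an empty one. Responses that never reach the web application (connector-level errors, requests to a context with no filter mapping) are not covered by this filter, which is why the mail also points at the reverse proxy or entry server as the place to strip the banner for the whole site. Later Tomcat releases additionally expose a `server` attribute on the HTTP Connector in server.xml that sets the header at the connector level; check the documentation of the version actually in use before relying on either mechanism.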