WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

IIS 7 Header Block Module - Released

From: Context IS - Disclosure <disclosure () contextis co uk>
Date: Thu, 12 May 2011 13:52:22 +0100
Context Information Security have released a module for IIS 7 to block information leakage from HTTP headers.  A 
standard web application penetration test recommends the removal of any version number information.  Previously the IIS 
urlscan tool could be used to block this information, however, for IIS 7 this is no longer possible, therefore Context 
have released this module to block this information.
 
HTTP headers are name/value sets of data that are transmitted between the client (web browser) and the web server. HTTP 
headers are used to transmit key data such as HTTP cookies. 
 
Excessive HTTP headers can aid an attacker by either identifying particular technologies used within a web application 
or presenting specific software version information. Whilst minimising the attack surface by preventing information 
leakage is not a panacea it is a step towards improving security. 
 
With the introduction of new Microsoft frameworks such as ASP.Net and MVC it appears that the number of HTTP headers 
returned by the IIS web server is increasing. An example of these headers is shown below: 
 
Server: Microsoft-IIS/7.5 
X-AspNetMvc-Version: 2.0 
X-AspNet-Version: 4.0.30319 
X-Powered-By: ASP.NET 
 
The commonly recommended method for removing HTTP headers within a Microsoft environment involves a combination of 
URLScan, application web.config changes and changes via the IIS Manager application. However, this is not convenient 
for large scale infrastructures and it should also be noted that the Server header cannot be removed by any of these 
methods for IIS 7. With the increased popularity of the Microsoft IIS7 web server, it is important that specific 
security recommendations can be applied to the latest web server technologies. 
 
HeaderBlock is a .Net module that presents an easy way to remove key HTTP headers before they are transmitted from the 
web server to the client. The module will block the Server, X-AspNet-Version
and X-AspNetMvc-Version headers.
 
The module comes in both binary and source formats so the code can be modified by the user if required.
 
Download from: http://www.contextis.co.uk/resources/tools/headerblock/
 


This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: