
Saturday 11 July 2020

Information disclosure through server response headers Apache-Coyote & X-Powered-By (JBoss).


Response headers sent by a default JBoss installation (EAP 6 / AS 7 web subsystem, which is based on JBoss Web, a Tomcat fork). They disclose the HTTP connector implementation and the JSP version to anyone who sends a request, which is a fingerprinting aid for an attacker and a common finding in vulnerability scans:
  • Server: Apache-Coyote/1.1
  • X-Powered-By: JSP/2.2

Change 1: replace the Server header (Server: Apache-Coyote/1.1)

File Name: standalone.xml ($JBOSS_HOME/standalone/configuration/standalone.xml). Add the <system-properties> block directly after the closing </extensions> element; system properties are read at startup, so the server must be restarted for the change to take effect.
*************************************************************

<system-properties>
        <!-- Text sent in the Server header instead of "Apache-Coyote/1.1".
             "DONTKNOW" is just a non-identifying placeholder; any string that
             does not name the product or version will do. -->
        <property name="org.apache.coyote.http11.Http11Protocol.SERVER" value="DONTKNOW"/>
        <property name="org.jboss.as.sendServerHeader" value="false"/>
</system-properties>

*************************************************************



Change 2: disable the X-Powered-By header (X-Powered-By: JSP/2.2)

File Name: standalone.xml (same file). Only the <jsp-configuration> element inside the existing web subsystem needs to change; the rest of the subsystem is shown for context so the element is easy to locate.
*************************************************************

<subsystem xmlns="urn:jboss:domain:web:1.5" default-virtual-server="default-host" native="false">
            <configuration>
                <!-- x-powered-by="false" stops the X-Powered-By: JSP/2.2 header;
                     display-source-fragment="false" keeps JSP source snippets
                     out of error pages (another information-disclosure source). -->
                <jsp-configuration x-powered-by="false" display-source-fragment="false"/>
            </configuration>
            <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
            <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
            <virtual-server name="default-host" enable-welcome-root="false">
                <alias name="localhost"/>
            </virtual-server>
</subsystem>

*************************************************************
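After restarting JBoss, the result of both changes should be verified from the outside rather than assumed. The following checker is an added example, not code from the original post or from JBoss: it parses a raw HTTP response and reports any Server or X-Powered-By header that still names a product or a version. The two sample responses are constructed for illustration (the "before" values are the ones quoted in the post; the "after" response assumes the Server header now carries the placeholder text from Change 1 and that X-Powered-By is gone), and the check_url helper is a standard-library HEAD request for use against a real host.

```python
"""Check HTTP response headers for server-fingerprint disclosure.

Added example (not part of the original post). It inspects the Server
and X-Powered-By headers that the two standalone.xml changes are meant
to neutralise and flags values that still reveal a product or version.
"""
import http.client
import re
from urllib.parse import urlparse

# Headers routinely used to fingerprint the stack behind an HTTP endpoint.
DISCLOSING_HEADERS = ("server", "x-powered-by")
# A version-like token such as "1.1", "2.2" or "7.0.88" ...
VERSION_RE = re.compile(r"\d+\.\d+")
# ... or a well-known product name; both count as a disclosure.
PRODUCT_RE = re.compile(r"(apache|coyote|tomcat|jboss|wildfly|undertow|jsp|servlet)", re.I)


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into a lower-cased dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(headers: dict) -> dict:
    """Return {header: value} for headers that expose a product or version."""
    found = {}
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is not None and (VERSION_RE.search(value) or PRODUCT_RE.search(value)):
            found[name] = value
    return found


def check_raw_response(raw: str) -> dict:
    """Convenience wrapper: disclosures found in a raw HTTP response string."""
    return find_disclosures(parse_headers(raw))


def check_url(url: str, timeout: float = 5.0) -> dict:
    """Send a HEAD request to a live host and check its response headers.

    Not exercised here (no network); call it as check_url("http://host:8080/")
    once JBoss has been restarted with the new standalone.xml.
    """
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("HEAD", u.path or "/")
        resp = conn.getresponse()
        return find_disclosures({k.lower(): v for k, v in resp.getheaders()})
    finally:
        conn.close()


# Constructed sample: what the unpatched server returns (header values from the post).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Powered-By: JSP/2.2\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
# Constructed sample: after Change 1 (Server text replaced) and Change 2 (X-Powered-By removed).
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: DONTKNOW\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, check_raw_response(raw) or "no disclosure")
```

The same check can be done by hand with `curl -sI http://host:8080/ | grep -iE '^(server|x-powered-by):'`; the script is useful when the check has to be repeated across many hosts or folded into a deployment test. Note that the regular expressions are deliberately broad: a Server value such as "Apache" with no version is still treated as a disclosure, because the product name alone narrows an attacker's search.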


Thanks 😊
