My application is showing the Version information using headers

  • Question

  • User-190152932 posted

    I have a standard C# MVC project. It is live and we have an open bug bounty program. A user has mentioned we are showing a version information leak using headers, as in they can see:

    X-AspNet-Version: 4.0.30319

    They have said:

    "The version of aspnet is leaked. Which will help attacker to find vulnerable CVEs and exploit the vulnerability"

    I should be aiming to not show this. I have my site hosted with an external company, so my question is: how do I not show this to external users? Anyone know? Thanks in advance :)

    Wednesday, September 9, 2020 11:09 AM

Answers

  • User-190152932 posted

    Will close this I think as our site is externally hosted and we aren't able to configure the webservers to solve this anyway, many thanks 

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Sunday, September 20, 2020 8:07 PM

All replies

  • User-1330468790 posted

    Hi JessSimms1, 

      

    Add this to web.config (in the root of your project) to get rid of the X-AspNet-Version header:

    <system.web>
      <httpRuntime enableVersionHeader="false" />
    </system.web>

      

    Besides, you might be bothered by other unexpected headers:

    • X-Powered-By: is a custom header in IIS. Since IIS 7, you can remove it by adding the following to your web.config:
      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <remove name="X-Powered-By" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>
      This header can also be modified to your needs. For more information, refer to http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders

      

    Hope this can help you.

    Best regards,

    Sean

    Thursday, September 10, 2020 7:46 AM
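
An added example, not part of the original thread: a small audit that parses a web.config and reports which of the two headers discussed above (X-AspNet-Version, X-Powered-By) it still leaves enabled. The sample files and the function name `audit_web_config` are constructed for illustration; the check treats a `<clear />` in `customHeaders` as also dropping the inherited X-Powered-By entry.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config files (not from the original thread).
UNHARDENED = """<configuration>
  <system.web>
    <httpRuntime targetFramework="4.7.2" />
  </system.web>
</configuration>"""

HARDENED = """<configuration>
  <system.web>
    <httpRuntime targetFramework="4.7.2" enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

def audit_web_config(xml_text):
    """Return the version-disclosing headers this web.config still leaves enabled."""
    root = ET.fromstring(xml_text)
    findings = []

    # enableVersionHeader defaults to true, so a missing element or attribute
    # means X-AspNet-Version is still sent.
    runtime = root.find("./system.web/httpRuntime")
    flag = runtime.get("enableVersionHeader", "true") if runtime is not None else "true"
    if flag.strip().lower() != "false":
        findings.append("X-AspNet-Version")

    # X-Powered-By is inherited from server-level IIS config; it stays unless
    # customHeaders removes it (or clears the collection) and does not re-add it.
    present = True
    for el in root.findall("./system.webServer/httpProtocol/customHeaders/*"):
        name = (el.get("name") or "").lower()
        if el.tag == "clear" or (el.tag == "remove" and name == "x-powered-by"):
            present = False
        elif el.tag == "add" and name == "x-powered-by":
            present = True
    if present:
        findings.append("X-Powered-By")
    return findings

if __name__ == "__main__":
    print(audit_web_config(UNHARDENED), audit_web_config(HARDENED))
```

Running this against the project's web.config before deployment shows whether the settings are in place without needing access to the hosting provider's server configuration.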