Posts

Disable Excessive Headers – IIS

Methods

1. Remove the Server header by adding the following handler to the Global.asax.cs file in your project. Response.Headers can only be modified under the IIS integrated pipeline (in classic mode it throws PlatformNotSupportedException), and on IIS 10 the same result is available without code by setting <requestFiltering removeServerHeader="true" /> under system.webServer/security in Web.config:

 protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
 {
    // Drop the Server header entirely (IIS integrated pipeline only).
    Response.Headers.Remove("Server");
    // Alternative: keep the header but replace the product/version with a generic value.
    // Response.Headers.Set("Server", "FooServer");
    // X-AspNet-Version can be removed here too, or via <httpRuntime enableVersionHeader="false" /> (step 2).
    Response.Headers.Remove("X-AspNet-Version");
 }

2. To remove the X-AspNet-Version header, set the following in Web.config:

<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>

3. To remove X-AspNetMvc-Version (ASP.NET MVC applications only), set the following in the Application_Start event in Global.asax.cs; it needs a using System.Web.Mvc; directive:

protected void Application_Start()
{
    // Stops MvcHandler from emitting X-AspNetMvc-Version on every response.
    MvcHandler.DisableMvcResponseHeader = true;
}

4. To remove the X-Powered-By header, set the following in Web.config. This header is added by IIS itself (it is defined as a custom header in applicationHost.config), so the <httpRuntime> setting from step 2 does not affect it:

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

5. To suppress Server, X-AspNet-Version, X-AspNetMvc-Version and X-Powered-By in one place, the NWebsec library (NuGet package NWebsec, which registers an HTTP module) can be configured in Web.config. The element name depends on the NWebsec version installed: older releases use httpHeaderModule as below, while current releases (4.x onward) document the section as httpHeaderSecurityModule, so check the documentation for the version you are using.

<configuration>
  <nwebsec>
    <httpHeaderModule>
      <suppressVersionHttpHeaders enabled="true" />
    </httpHeaderModule>
  </nwebsec>
</configuration>

6. Alternatively, remove the headers at the IIS configuration level rather than in application code, following these instructions:
https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/
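Whichever of the steps above you apply, verify the result from the outside rather than trusting the configuration. The following script is an added example, not code from the original post: it parses a raw HTTP response (two constructed samples are embedded, a "before" with every fingerprinting header and an "after" with them removed; a real one can be captured with curl -si) and reports which of Server, X-Powered-By, X-AspNet-Version and X-AspNetMvc-Version are still present, and which of those actually carry a version number. The check_url helper runs the same check against a live URL, including error responses, which are often produced by a different code path than successful ones.

```python
"""Check an HTTP response for server/framework version disclosure.

Added example, not code from the original post. Parses a raw HTTP
response and reports the headers steps 1-6 above remove.
"""
import re
import urllib.error
import urllib.request

DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# A dotted version number such as 10.0, 5.2 or 4.0.30319.
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")

# Constructed sample: an IIS / ASP.NET MVC response before any header is removed.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-AspNetMvc-Version: 5.2\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the same response after steps 1-4 have been applied.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw_response):
    """Return [(lower_name, value), ...] for the header block of a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def find_disclosures(raw_response):
    """Return {header: value} for every fingerprinting header still present."""
    return {n: v for n, v in parse_headers(raw_response) if n in DISCLOSURE_HEADERS}


def find_version_disclosures(raw_response):
    """Subset of find_disclosures whose value contains a version number.

    'X-Powered-By: ASP.NET' names a product but no version, so it is a
    weaker fingerprint; 'Server: Microsoft-IIS/10.0' is the real problem.
    """
    return {n: v for n, v in find_disclosures(raw_response).items() if VERSION_RE.search(v)}


def check_url(url):
    """Fetch url and run the same check on the live response headers.

    4xx/5xx responses are checked as well: urllib raises HTTPError for
    them, but the error object still carries the response headers.
    """
    try:
        resp = urllib.request.urlopen(url)
    except urllib.error.HTTPError as err:
        resp = err
    raw = "HTTP/1.1 %d\r\n" % resp.getcode()
    raw += "".join("%s: %s\r\n" % kv for kv in resp.headers.items()) + "\r\n"
    return find_disclosures(raw)


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, find_disclosures(sample) or "no fingerprinting headers")
```

Run it against the site after each step; a clean result on the home page is not enough, so also point check_url at a static file, a missing URL (404) and an application error, since those responses may bypass the Global.asax handler from step 1.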

Fingerprint Web Application Framework

Description

If the application discloses a web server or framework version in its response headers, an attacker can match that version against public vulnerability databases and exploit known weaknesses specific to the framework(s) in use. This increases the likelihood of an attack and lets the attacker focus on exploits known to work against that exact version instead of probing blindly.

Such headers include: Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version and others. Removing them hides the version but does not fix the underlying vulnerabilities, so it complements patching rather than replacing it.

For example (the original post shows a screenshot of such headers, captioned excessive_headers, which is not reproduced here):


Preventing Directory Listing – Apache

Using httpd.conf or .htaccess

Add the following lines to httpd.conf (inside the <Directory> block for the tree to protect) or to the .htaccess file of that directory. Options in .htaccess only takes effect if the server configuration grants AllowOverride Options (or All) for that directory, and a change to httpd.conf needs a reload (apachectl configtest, then apachectl graceful). Options -Indexes is the directive that actually stops mod_autoindex from generating listings; a request for a directory without an index file then returns 403. IndexIgnore * only hides entries from a listing that is still generated, so it is a fallback, not a substitute.

Options -Indexes
IndexIgnore *

Reference

http://wiki.apache.org/httpd/DirectoryListings

Preventing Directory Listing – ASP.NET

Method

Add the following lines to web.config (path="." applies the setting to the directory containing the web.config and everything below it; the same switch is exposed in IIS Manager under Directory Browsing):

<configuration>
  <location path=".">
    <system.webServer>
      <directoryBrowse enabled="false" />
    </system.webServer>
  </location>
</configuration>

References

http://msdn.microsoft.com/en-us/library/ff649337.aspx
http://blogs.iis.net/bills/archive/2008/03/24/how-to-enable-directory-br…
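After applying either fix (Apache above, or the ASP.NET/IIS setting here), confirm it by requesting a directory that has no index file and checking the body, not just the status code. The following script is an added example, not code from the original posts: it recognises the two listing formats these posts are about, Apache mod_autoindex pages (titled "Index of /path") and IIS directory browsing pages (a "host - /path" heading and a "[To Parent Directory]" link), from constructed sample pages, and extracts the entries a listing exposes, which is exactly what an attacker would harvest.

```python
"""Recognise a directory listing in an HTTP response body.

Added example, not code from the original posts. The sample pages are
constructed to match the Apache and IIS listing formats, not captured
from a real server.
"""
import re

# Apache mod_autoindex titles every listing "Index of /<path>".
APACHE_RE = re.compile(r"<title>\s*Index of\s+/", re.I)
# IIS directory browsing pages carry a "<host> - /<path>" heading and a parent link.
IIS_RE = re.compile(r"\[To Parent Directory\]|<h1>[^<]* - /[^<]*</h1>", re.I)
# Anchors with their link text, for pulling out the listed entries.
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', re.I)

# Constructed sample pages.
APACHE_LISTING = """<html><head><title>Index of /backup</title></head><body>
<h1>Index of /backup</h1>
<ul><li><a href="/"> Parent Directory</a></li>
<li><a href="db.sql">db.sql</a></li>
<li><a href="config.php.bak">config.php.bak</a></li>
<li><a href="old/">old/</a></li>
</ul></body></html>"""

IIS_LISTING = """<html><head><title>example.com - /backup/</title></head>
<body><H1>example.com - /backup/</H1><hr>
<pre><A HREF="/">[To Parent Directory]</A><br><br>
 1/1/2024  9:00 AM        12345 <A HREF="/backup/db.sql">db.sql</A><br>
</pre><hr></body></html>"""

NORMAL_PAGE = """<html><head><title>Welcome</title></head>
<body><h1>Welcome</h1><a href="/login">Sign in</a></body></html>"""


def listing_signature(body):
    """Return 'apache', 'iis' or None depending on whether body is a listing."""
    if APACHE_RE.search(body):
        return "apache"
    if IIS_RE.search(body):
        return "iis"
    return None


def listed_entries(body):
    """Return the file and directory names a listing exposes.

    Parent-directory and column-sort links are skipped; absolute hrefs
    (IIS style) are reduced to their last path component, and a trailing
    slash is kept so subdirectories stay recognisable.
    """
    if listing_signature(body) is None:
        return []
    entries = []
    for href, text in ANCHOR_RE.findall(body):
        if "parent directory" in text.lower() or href.startswith("?"):
            continue
        name = href.rstrip("/").rsplit("/", 1)[-1]
        entries.append(name + "/" if href.endswith("/") else name)
    return entries


if __name__ == "__main__":
    for label, page in (("apache", APACHE_LISTING), ("iis", IIS_LISTING), ("normal", NORMAL_PAGE)):
        print(label, listing_signature(page), listed_entries(page))
```

Feed it the body of a response for /some/directory/ on the target; a None signature with a 403 or 404 status means the fix holds, while a non-empty entry list means the listing is still on.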

Directory Listing

Description

Directory listing (directory browsing) is a web server function that, when a request targets a directory that has no index file (index.html, index.php, default.asp and so on), responds with a list of every file and subdirectory in it instead of an error page.

Some administrators never disable directory listing, and others configure it incorrectly.

For instance, an administrator may build a complex configuration that allows listing for particular directories or subdirectories only. A mistake in such a configuration can unintentionally enable listing of directories that contain sensitive material (backups, configuration files, source code, logs), which an attacker can then read directly.


Setting Cookie Secure Flag – Apache

Method

Add the following line to the Global Environment section (section 1) of httpd.conf; it loads mod_headers, which provides the Header directive for controlling and modifying HTTP request and response headers. (On Debian/Ubuntu the equivalent is a2enmod headers.)

LoadModule headers_module modules/mod_headers.so

With the module loaded, add the following line to the Main Server Config section (section 3) of httpd.conf, or inside the <VirtualHost> for the HTTPS site. The always condition makes the edit apply to error responses as well; without it only successful responses are rewritten.

Header always edit Set-Cookie ^(.*)$ $1;Secure

Two caveats: the edit appends Secure unconditionally, so a cookie the back end already flags ends up with the attribute twice (harmless but untidy), and once the flag is set browsers never send the cookie over plain HTTP, so the site must be served over HTTPS only or sessions will break.

Reference

https://www.owasp.org/index.php/SecureFlag

Setting Cookie Secure Flag – PHP

Method #1 By using ini_set function

Add the following code before session_start() (it affects only the session cookie):

ini_set("session.cookie_secure", 1);

Method #2 By using session_set_cookie_params function

Add the following code before session_start(). The arguments are lifetime (0 = until the browser closes), path, domain, secure and httponly; HttpOnly is set as well, since the two flags are normally wanted together:

session_set_cookie_params(0, '/', '', true, true);

Method #3 By using setcookie function

Pass true as the secure argument when creating any other cookie. The arguments are name, value, expires (0 = until the browser closes), path, domain, secure and httponly:

setcookie("name", "value", 0, "/", "", true, true);

References

https://www.owasp.org/index.php/SecureFlag
http://php.net/manual/en/function.setcookie.php
http://php.net/manual/en/function.session-set-cookie-params.php

Setting Cookie Secure Flag – ASP.NET

Method #1 Setting Secure Property True

Create the cookie with the Secure property set to true, then add it to the response:

HttpCookie cookie = new HttpCookie("name");
cookie.Secure = true;      // the browser sends it over HTTPS only
cookie.Value = "Value";
Response.Cookies.Add(cookie);

Method#2 Using web.config

Add the following to web.config; requireSSL="true" marks every cookie the application sets as Secure (the site must then be served over HTTPS, or the cookies are never sent back). For Forms authentication, also set requireSSL="true" on the <forms> element under <authentication>, which applies the flag to the authentication ticket cookie.

<system.web>
  <httpCookies requireSSL="true" />
</system.web>

Reference

https://www.owasp.org/index.php/SecureFlag

Setting Cookie Secure Flag – Java

Method #1

Create a secure cookie by calling setSecure(true) before adding it to the response:

Cookie newCookie = new Cookie("name", "value");
newCookie.setSecure(true);   // sent over HTTPS only
response.addCookie(newCookie);

Method #2

Add the following lines to the project's web.xml (Servlet 3.0 or later). This applies only to the container's session cookie (JSESSIONID), not to cookies the application creates itself:

<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
</session-config>

Reference

https://www.owasp.org/index.php/SecureFlag
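Whichever of the Apache, PHP, ASP.NET or Java fixes above is used, the proof is in the Set-Cookie headers the application actually emits. The following script is an added example, not code from the original posts: it parses Set-Cookie headers (three constructed samples are embedded, mimicking PHP, ASP.NET and Java session cookies), reports which lack Secure and HttpOnly, and reproduces in Python what the Apache directive Header edit Set-Cookie ^(.*)$ $1;Secure does to a cookie, next to an idempotent variant that does not double the flag. The audit_url helper runs the audit against a live URL.

```python
"""Audit Set-Cookie headers for the Secure (and HttpOnly) flag.

Added example, not code from the original posts. Sample headers are
constructed, not captured from a real application.
"""
import re
import urllib.error
import urllib.request

# Constructed: what a mixed PHP / ASP.NET / Java back end might emit before the fix.
SET_COOKIE_BEFORE = [
    "PHPSESSID=8f3c1d2e; path=/",
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "JSESSIONID=7A1B; Path=/app; Secure; HttpOnly",
]


def parse_set_cookie(header_value):
    """Split 'name=value; Path=/; Secure' into (name, value, {attr_lower: attr_value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers):
    """Return {cookie_name: [missing flags]}; an empty list means the cookie is fine."""
    report = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        report[name] = [flag for flag in ("secure", "httponly") if flag not in attrs]
    return report


def apache_header_edit(set_cookie):
    """What 'Header edit Set-Cookie ^(.*)$ $1;Secure' does: append unconditionally."""
    return re.sub(r"^(.*)$", r"\1;Secure", set_cookie, count=1)


def add_secure(set_cookie):
    """Append Secure only when it is absent, so an already-secure cookie is left alone."""
    _, _, attrs = parse_set_cookie(set_cookie)
    return set_cookie if "secure" in attrs else set_cookie + "; Secure"


def audit_url(url):
    """Fetch url and audit every Set-Cookie header on the live response.

    4xx/5xx responses are audited too: urllib raises HTTPError for them,
    but the error object still carries the response headers.
    """
    try:
        resp = urllib.request.urlopen(url)
    except urllib.error.HTTPError as err:
        resp = err
    return audit_cookies(resp.headers.get_all("Set-Cookie") or [])


if __name__ == "__main__":
    for name, missing in audit_cookies(SET_COOKIE_BEFORE).items():
        print(name, "missing:", ", ".join(missing) or "nothing")
    print(apache_header_edit(SET_COOKIE_BEFORE[2]))  # note the duplicated flag
    print(add_secure(SET_COOKIE_BEFORE[2]))
```

Point audit_url at the login or session-creating endpoint (the one that actually sets the cookie), since most other pages set none; an empty list for every cookie is the pass condition.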

Cookie Secure Flag

Description

When a cookie is set with the Secure flag, the browser only sends it back over an encrypted HTTPS (TLS) connection, never over plain HTTP. This is an important protection for session cookies, whose theft hands an attacker the user's session.

The Secure flag is an attribute of the Set-Cookie header that the application server adds when it creates the cookie in an HTTP response. Its purpose is to prevent the cookie from being observed by a network attacker, which could otherwise happen whenever the browser transmitted it in clear text, for example after following an http:// link to the same host. The flag does not protect the cookie from scripts running in the page; that is what the separate HttpOnly flag is for.
