ASP.NET Version Disclosure

Description

The presence of the X-AspNet-Version and X-AspNetMvc-Version headers exposes the version of ASP.NET used by the web server, providing valuable information to attackers. This disclosure can aid attackers in identifying vulnerabilities and planning their attacks more effectively.

Recommendation

To mitigate this issue:

• To remove the X-AspNet-Version header, add the following line in your web.config within the <system.web> section:

<httpRuntime enableVersionHeader="false" />

• To remove the X-AspNetMvc-Version header, add the following line in Global.asax:

MvcHandler.DisableMvcResponseHeader = true;

References

• OWASP: Web Server Security
• Microsoft: Remove Server Header
• CWE-16
• CWE-200
• CAPEC-118
• OWASP 2021-A5

Related Issues

• PHP Version Disclosure - Vulnerability
• Apache Version Disclosure - Vulnerability
• Nginx Version Disclosure - Vulnerability
• Server Version Disclosure - Vulnerability

Tags:

HTTP Headers

Information Disclosure

Application Misconfiguration

ASP.NET

Web Server