Description
The presence of the X-AspNet-Version and X-AspNetMvc-Version headers exposes the version of ASP.NET used by the web server, providing valuable information to attackers. This disclosure can aid attackers in identifying vulnerabilities and planning their attacks more effectively.
Recommendation
To mitigate this issue:
- To remove the X-AspNet-Version header, add the following line in your web.config within the <system.web> section:
  <httpRuntime enableVersionHeader="false" />
- To remove the X-AspNetMvc-Version header, add the following line in Global.asax:
  MvcHandler.DisableMvcResponseHeader = true;
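One way to confirm that both changes took effect is to check a response from your own application for the two headers and map anything still present back to its fix. The Python script below is an added example, not part of the original page or of SmartScanner; the function name audit_response_head and the two sample responses are constructed for illustration.

```python
from email.parser import Parser

# Header name (lower-cased) -> the fix given in the recommendation above.
FIXES = {
    "x-aspnet-version": '<httpRuntime enableVersionHeader="false" /> in web.config',
    "x-aspnetmvc-version": "MvcHandler.DisableMvcResponseHeader = true; in Global.asax",
}

def audit_response_head(raw_head):
    """Return [(header, value, fix)] for each version header in a raw response head."""
    # Drop the status line, then parse the remaining header lines.
    _, _, header_block = raw_head.replace("\r\n", "\n").partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    findings = []
    for name, value in headers.items():
        fix = FIXES.get(name.lower())  # HTTP header names are case-insensitive
        if fix:
            findings.append((name, value.strip(), fix))
    return findings

# Constructed sample response heads (not captured from a real server).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "x-aspnet-version: 4.0.30319\r\n"
    "X-AspNetMvc-Version: 5.2\r\n"
    "\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, head in (("before", BEFORE), ("after", AFTER)):
        findings = audit_response_head(head)
        print(f"{label}: {len(findings)} version header(s) disclosed")
        for name, value, fix in findings:
            print(f"  {name}: {value} -> apply {fix}")
```

Feed it the header block saved from a request to your own site; an empty result means neither header is being sent.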
References
- OWASP: Web Server Security
- Microsoft: Remove Server Header
- CWE-16
- CWE-200
- CAPEC-118
- OWASP 2021-A1
- OWASP 2021-A5
Last updated on May 13, 2024