Technical information leak
Need
Protection of sensitive technical information from unauthorized access
Context
- Usage of Java for building cross-platform applications
- Usage of javax.servlet for building Java web applications
- Usage of javax.servlet.http for handling HTTP requests and responses in Java Servlets
Description
Non-compliant code
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class InformationLeakServlet extends HttpServlet {
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Setting HTTP headers with server information
        response.setHeader("Server", "Apache/2.4.1 (Unix)");
        // Setting specific configuration information
        response.setHeader("php.ini", "allow_url_fopen=On");
        response.setHeader("web.config", "<system.web><httpRuntime targetFramework=\"4.5\" /></system.web>");
        // Rest of the code...
    }
}
In the above code, we have a servlet that handles GET requests. In this servlet, we are setting HTTP response headers with technical information about the server and specific configuration settings.
The line response.setHeader("Server", "Apache/2.4.1 (Unix)"); sets the Server header to the name and version of the server software in use. This leaks technical information about the server, which an attacker can use to look up known vulnerabilities in that specific version of the server software.
The lines response.setHeader("php.ini", "allow_url_fopen=On"); and response.setHeader("web.config", "<system.web><httpRuntime targetFramework=\"4.5\" /></system.web>"); set headers carrying specific configuration settings. This leaks configuration details about the server, which an attacker can use to identify weaknesses in those settings.
This is a serious security vulnerability as it provides potential attackers with valuable information about the system, which can be used to plan and execute more targeted and effective attacks.
Steps
- Avoid exposing sensitive technical information in HTTP headers or response bodies.
- Remove or obfuscate any server or component version information from the response headers.
- Do not include specific configuration details in the response headers.
- Consider implementing a custom error page to handle error responses instead of exposing technical information.
- Regularly review and update the server and component configurations to ensure they are secure and up to date.
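The steps above can be enforced centrally rather than relying on every servlet to avoid the headers. The following is an added example, not code from the original page: a hypothetical javax.servlet Filter that wraps the response so that application code cannot set a denylisted disclosure header (Server, X-Powered-By, and the configuration-style names used in the non-compliant code), and that replaces an unhandled exception with a generic error body so no stack trace or message reaches the client. The class names, the @WebFilter mapping and the denylist contents are assumptions for this example.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter (not from the page), mapped to every request so that no
// servlet can leak software versions or configuration through response headers.
@WebFilter("/*")
public class HeaderDisclosureFilter implements Filter {

    // Constructed denylist of header names that reveal server software, versions,
    // or configuration. Compared case-insensitively; extend it for your stack.
    private static final Set<String> DISCLOSURE_HEADERS = Set.of(
            "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version",
            "php.ini", "web.config");

    static boolean isDisclosureHeader(String name) {
        return name != null && DISCLOSURE_HEADERS.contains(name.toLowerCase(Locale.ROOT));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // Downstream servlets receive the wrapper, so their setHeader/addHeader calls
        // for denylisted names are dropped before reaching the real response.
        HeaderScrubbingResponse scrubbed = new HeaderScrubbingResponse(response);
        try {
            chain.doFilter(req, scrubbed);
        } catch (RuntimeException e) {
            // Custom error handling: log the details server-side only and send a
            // generic body, so the exception message or stack trace is never exposed.
            req.getServletContext().log("Unhandled exception while serving request", e);
            if (!response.isCommitted()) {
                response.reset();
                response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                response.setContentType("text/plain;charset=UTF-8");
                response.getWriter().write("An internal error occurred.");
            }
        }
    }

    // Wrapper that silently discards any attempt to set a disclosure header.
    static final class HeaderScrubbingResponse extends HttpServletResponseWrapper {
        HeaderScrubbingResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void setHeader(String name, String value) {
            if (!isDisclosureHeader(name)) {
                super.setHeader(name, value);
            }
        }

        @Override
        public void addHeader(String name, String value) {
            if (!isDisclosureHeader(name)) {
                super.addHeader(name, value);
            }
        }
    }
}
```

A wrapper of this kind only controls headers set by application code. Headers added by the servlet container or by a reverse proxy in front of it (for example a Server header injected by the web server) have to be removed in that component's own configuration, which is why the last step, reviewing the server and component configuration, still applies.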
Compliant code
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class InformationLeakServlet extends HttpServlet {
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Rest of the code...
    }
}
The original code was leaking sensitive technical information through HTTP headers. This information included server component versions and specific configuration details. This is a security vulnerability as it provides potential attackers with useful information about the system, which they could use to exploit known vulnerabilities.
The fixed code removes these headers, thus preventing this information from being exposed.
Here are the changes made:
- Removed the line response.setHeader("Server", "Apache/2.4.1 (Unix)");, which was setting the server version in the HTTP headers.
- Removed the line response.setHeader("php.ini", "allow_url_fopen=On");, which was exposing specific PHP configuration details.
- Removed the line response.setHeader("web.config", "<system.web><httpRuntime targetFramework=\"4.5\" /></system.web>");, which was exposing specific .NET configuration details.
In addition to these code changes, it is recommended to implement a custom error page to handle error responses. This prevents technical information from being exposed in the event of an error.
Also, it is important to regularly review and update the server and component configurations to ensure they are secure and up to date. This helps to protect against known vulnerabilities that may be present in older versions.