
Technical information leak - Headers

Need

Prevention of technical information leakage through server response headers

Context

  • Usage of Scala 2.13.6 for building scalable and functional applications
  • Usage of play.api.mvc for handling HTTP requests and responses in Play Framework

Description

Non-compliant code

import play.api.mvc._

// Controller is deprecated in Play 2.8 (AbstractController with injected
// ControllerComponents is preferred), but kept here as the page shows it.
object Application extends Controller {
  def index = Action {
    // Both headers disclose the exact framework and language versions.
    Ok("Welcome to our application!").withHeaders(
      "Server" -> "Play Framework 2.8.8",
      "X-Powered-By" -> "Scala 2.13.6"
    )
  }
}

The vulnerable part of the code is in the response headers of the index action. The Server and X-Powered-By headers are set to values that reveal the technology stack: Server is set to Play Framework 2.8.8 and X-Powered-By to Scala 2.13.6. An attacker can use this information to fingerprint the server and look for vulnerabilities known to affect those specific versions.

Steps

  • Remove or modify the 'Server' header to avoid disclosing the Play Framework version.
  • Remove or modify the 'X-Powered-By' header to avoid disclosing the Scala version.

Compliant code

import play.api.mvc._

object Application extends Controller {
  def index = Action {
    // Version numbers removed; only the product names remain.
    Ok("Welcome to our application!").withHeaders(
      "Server" -> "Play Framework",
      "X-Powered-By" -> "Scala"
    )
  }
}

The original code revealed sensitive information about the server and the technology used in the application through the response headers. An attacker can use this information to exploit known vulnerabilities of those specific versions.

The 'Server' header was disclosing the version of the Play Framework used in the application, and the 'X-Powered-By' header was revealing the version of Scala used.

In the fixed code, the version information has been removed from these headers. The 'Server' header now only indicates that the server uses the Play Framework, and the 'X-Powered-By' header only shows that the application is powered by Scala. Some information about the technologies used is still disclosed, but without the specific versions, which makes it harder for an attacker to match the server against known vulnerabilities.
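Fixing each action individually does not stop another controller from reintroducing the headers. As an added example that is not part of the original page, the following Play filter strips both headers from every response; it assumes Play 2.8's Filter API, and the class and object names are this example's own:

```scala
import javax.inject.Inject
import scala.concurrent.{ExecutionContext, Future}
import akka.stream.Materializer
import play.api.mvc.{Filter, RequestHeader, Result}

// Added example, not from the original page: removes technology-revealing
// response headers no matter which action set them.
object TechHeaders {
  // Header names are compared case-insensitively, as HTTP requires.
  private val Disallowed = Set("server", "x-powered-by")

  // Pure helper so the stripping logic can be checked without a running app.
  def strip(headers: Map[String, String]): Map[String, String] =
    headers.filterNot { case (name, _) => Disallowed.contains(name.toLowerCase) }
}

class StripTechHeadersFilter @Inject() (implicit val mat: Materializer, ec: ExecutionContext)
    extends Filter {

  def apply(next: RequestHeader => Future[Result])(rh: RequestHeader): Future[Result] =
    next(rh).map { result =>
      // ResponseHeader.headers holds the map that withHeaders populated.
      result.copy(header = result.header.copy(headers = TechHeaders.strip(result.header.headers)))
    }
}

// Stand-alone check on constructed headers (no Play application needed).
object StripTechHeadersCheck extends App {
  val cleaned = TechHeaders.strip(Map(
    "Server"       -> "Play Framework 2.8.8",
    "X-Powered-By" -> "Scala 2.13.6",
    "Content-Type" -> "text/plain"
  ))
  assert(cleaned == Map("Content-Type" -> "text/plain"))
  println(s"remaining headers: $cleaned")
}
```

The filter is enabled with `play.filters.enabled += "StripTechHeadersFilter"` in application.conf (prefixed with its package if it lives in one). Headers added by the HTTP server layer itself, outside the Play action pipeline, are not seen by this filter and have to be configured at the server.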
