Improper Assets Management - Version in HTTP Header

Description

An Improper Assets Management vulnerability occurs when the version of a piece of software or a framework is exposed in HTTP headers, allowing attackers to identify outdated or vulnerable components. This information leakage helps attackers target known vulnerabilities in specific software versions and so increases the risk of exploitation. Mitigation involves removing or obfuscating version details from HTTP headers and regularly updating software to patch known vulnerabilities.

Remediation

Remove or mask version details from HTTP response headers (e.g., 'Server', 'X-Powered-By') to avoid exposing software or framework versions. Keep all software components and frameworks up to date with security patches and maintain a clear inventory of assets to identify when versions are outdated. Employ a vulnerability scanning tool to detect known exploits in exposed components. If older versions must remain for compatibility, isolate them in segmented environments and enforce strict access controls. Use a Web Application Firewall (WAF) or intrusion detection system to detect and block suspicious requests exploiting version-specific vulnerabilities. Periodically audit your configuration to ensure no version identifiers are unintentionally disclosed.
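A configuration audit check for the headers named above, added here as an example (it is not part of the original entry). The banner-header list and the two sample responses are constructed assumptions; the check flags any banner header whose value contains a product/version token or a bare version number:

```python
import re

# Headers that commonly carry product banners. Assumption: this list is
# illustrative; extend it with any vendor-specific headers your stack emits.
BANNER_HEADERS = frozenset({
    "server", "x-powered-by", "x-aspnet-version",
    "x-aspnetmvc-version", "x-generator",
})

# "Product/1.2.3", "Product 1.2.3", "Product/v1.2", "OpenSSL/1.1.1f" style tokens.
PRODUCT_VERSION_RE = re.compile(r"\b([A-Za-z][\w.\-]*)[/ ]v?(\d+(?:\.\d+)+[a-z]?)")
# A header whose entire value is a bare version, e.g. X-AspNet-Version: 4.0.30319
BARE_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)+)\s*$")


def find_version_leaks(headers):
    """Return (header, product, version) for every banner header that
    discloses a version. Header names match case-insensitively; when the
    value is a bare version the header name is reported as the product."""
    leaks = []
    for name, value in headers.items():
        if name.lower() not in BANNER_HEADERS:
            continue
        bare = BARE_VERSION_RE.match(value)
        if bare:
            leaks.append((name, name, bare.group(1)))
            continue
        for product, version in PRODUCT_VERSION_RE.findall(value):
            leaks.append((name, product, version))
    return leaks


def is_hardened(headers):
    """True when no banner header leaks a version, i.e. the audit passes."""
    return not find_version_leaks(headers)


# Constructed sample responses (not captured from any real host).
LEAKY_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f",
    "X-Powered-By": "PHP/8.1.2",
    "X-AspNet-Version": "4.0.30319",
    "Content-Type": "text/html; charset=utf-8",
}
HARDENED_HEADERS = {"Server": "Apache", "Content-Type": "text/html; charset=utf-8"}

if __name__ == "__main__":
    for name, product, version in find_version_leaks(LEAKY_HEADERS):
        print(f"{name}: {product} {version} disclosed")
    print("hardened sample passes:", is_hardened(HARDENED_HEADERS))
```

Feed it the headers of each response captured during a periodic audit; a non-empty result is a finding to fix at the server or framework configuration.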

References

https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/
https://cwe.mitre.org/data/definitions/937.html

Severity

HIGH

OWASP

Code: A06:2021

Category: Vulnerable and Outdated Components

Classification

CWE-937

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (score 8.2)

CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (score 8.2)