The 'Powered-By' header (sent by most frameworks as `X-Powered-By`, for example `X-Powered-By: PHP/8.1.2` or `X-Powered-By: Express`) reveals the underlying technology, framework, or platform used by the application. Disclosing this information lets attackers narrow their efforts to vulnerabilities known for that specific product and version, including unpatched components. Such insight may also enable more effective social engineering, as adversaries can craft targeted phishing campaigns or impersonate support communications for that platform. In some cases, merely knowing the technology stack can point malicious users to default administrative interfaces or configuration files. Overall, exposing the 'Powered-By' header increases your application's attack surface by advertising the internal framework to anyone who sends a request.
Remove or obfuscate the 'Powered-By' header at the server or application level. This typically involves updating the server configuration or modifying framework-specific settings to hide or rename the header. Keep your application and underlying platform updated with the latest security patches to reduce the risk of exploits targeting known issues. If using a reverse proxy or load balancer, ensure it does not inadvertently add or pass through technology-specific headers. Implement a Web Application Firewall (WAF) or intrusion detection system to monitor for suspicious requests targeting the disclosed platform. Regularly review your security posture to ensure unnecessary headers are not being leaked, thereby minimizing information exposure.
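The remediation above is verified by inspecting live responses rather than by reading configuration, since a reverse proxy can re-add a header the application removed. The following is an added example (not part of the original finding or any vendor's code): a small Python audit function that flags technology-disclosing headers (`X-Powered-By`, the ASP.NET version headers, `X-Generator`, and a `Server` header that carries a version number), plus a constructed local origin with a "leaky" and a "hardened" endpoint so the check can be exercised offline. The header values and the `/leaky` and `/hardened` paths are constructed for the demo.

```python
"""Audit HTTP response headers for technology disclosure (X-Powered-By and friends).

Added example for the 'Powered-By' finding; not code from the original page.
"""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names that name the stack outright. Comparison is case-insensitive.
DISCLOSING_HEADERS = {
    "x-powered-by",        # e.g. "PHP/8.1.2", "Express", "ASP.NET"
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
}

# A bare product name in Server: is tolerable; a version string is the real leak.
VERSION_RE = re.compile(r"\d+\.\d+")


def audit_headers(headers):
    """Return (name, value, reason) for every header that reveals the platform.

    `headers` is an iterable of (name, value) pairs, the same shape
    http.client.HTTPResponse.getheaders() returns.
    """
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname in DISCLOSING_HEADERS:
            findings.append((name, value, "technology header present"))
        elif lname == "server" and VERSION_RE.search(value):
            findings.append((name, value, "Server header includes a version"))
    return findings


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed origin: /leaky imitates a default framework response,
    every other path shows the same response with the disclosing headers gone."""

    def do_GET(self):
        # send_response_only() avoids the automatic Server/Date headers that
        # send_response() would add, so the demo controls exactly what is sent.
        self.send_response_only(200)
        self.send_header("Content-Type", "text/plain")
        if self.path == "/leaky":
            self.send_header("X-Powered-By", "PHP/8.1.2")   # constructed value
            self.send_header("Server", "Apache/2.4.41")     # constructed value
        else:
            self.send_header("Server", "web")               # generic, no version
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo server quiet
        pass


def fetch_headers(host, port, path):
    """GET `path` from host:port and return the raw response headers as pairs."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.getheaders()
    finally:
        conn.close()


def run_demo():
    """Start the constructed origin on a loopback port, audit both endpoints,
    and return {path: findings}."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        port = server.server_address[1]
        return {
            path: audit_headers(fetch_headers("127.0.0.1", port, path))
            for path in ("/leaky", "/hardened")
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, findings in run_demo().items():
        print(path, "->", findings or "no technology disclosure")
```

Point `fetch_headers` at a real host to check a deployment after changing configuration; `/leaky` should report two findings and `/hardened` none. The header is normally removed at its source: `app.disable('x-powered-by')` in Express, `expose_php = Off` in `php.ini`, `Header unset X-Powered-By` with `ServerTokens Prod` in Apache, or `proxy_hide_header X-Powered-By;` together with `server_tokens off;` in nginx when a proxy fronts the application.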
Code: A05:2021
Category: Security Misconfiguration
3.1
3.1