RESTful API Discloses "X-Asp-Net-Version" Fingerprinting Header

Description

The API sets the "X-Asp-Net-Version" header in its responses. This header discloses information about the ASP.NET version of the server hosting the API. An attacker can use this data to identify known vulnerabilities affecting that particular ASP.NET release and attempt to compromise the server. Review the Additional Information section for details about how this violation was detected.

Remediation

Remove or mask the 'X-Asp-Net-Version' header from all API responses to avoid revealing platform details. Adjust your ASP.NET application configuration (or server settings) to suppress technology-identifying headers. If you use a reverse proxy, CDN, or load balancer, ensure it does not re-add or preserve these headers. Keep your ASP.NET installation up to date with the latest security patches and regularly audit any third-party libraries to mitigate known issues. Consider employing a Web Application Firewall (WAF) or intrusion detection system to detect suspicious requests that target version-specific flaws. Periodically review response headers to confirm no unnecessary information is leaked.
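The periodic header review recommended above can be scripted. The following is an added example, not part of the original finding or of any scanner's code: it parses a raw HTTP response and reports fingerprinting headers, treating a bare "Server" product name as acceptable but flagging one that carries a version. The header list and both sample responses are constructed for illustration; in classic ASP.NET the header itself is suppressed with `<httpRuntime enableVersionHeader="false" />` in web.config.

```python
# Headers that reveal the server platform or framework version. The finding
# above is about "X-Asp-Net-Version"; the rest are common companions
# (constructed list, extend it for your own stack).
FINGERPRINT_HEADERS = {
    "x-asp-net-version": "ASP.NET runtime version",
    "x-aspnet-version": "ASP.NET runtime version",
    "x-aspnetmvc-version": "ASP.NET MVC version",
    "x-powered-by": "application framework",
    "server": "web server software",
}

def parse_response_headers(raw: str) -> dict[str, str]:
    """Map lower-cased header names to values; repeats joined with ', '."""
    head = raw.split("\r\n\r\n", 1)[0]  # drop the body
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def audit_fingerprint_headers(raw: str) -> list[tuple[str, str, str]]:
    """Return (header, value, what it reveals) for each fingerprinting header."""
    findings = []
    for name, value in parse_response_headers(raw).items():
        if name not in FINGERPRINT_HEADERS:
            continue
        # A bare "Server: product" is usually tolerated; a version is not.
        if name == "server" and not any(c.isdigit() for c in value):
            continue
        findings.append((name, value, FINGERPRINT_HEADERS[name]))
    return findings

# Constructed sample responses: before and after suppressing the headers.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
    "X-Asp-Net-Version: 4.0.30319\r\nX-Powered-By: ASP.NET\r\n"
    "Server: Microsoft-IIS/10.0\r\n\r\n{\"ok\":true}"
)
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
    "Server: Microsoft-IIS\r\n\r\n{\"ok\":true}"
)

if __name__ == "__main__":
    for name, value, why in audit_fingerprint_headers(LEAKY_RESPONSE):
        print(f"{name}: {value}  (reveals {why})")
```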

References

https://docs.microsoft.com/en-us/aspnet/core/security/?view=aspnetcore-7.0
https://owasp.org/www-community/attacks/Information_exposure

Severity

LOW

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Score: 3.1

CVSS 4.0 vector: CVSS:4.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Score: 3.1