Server HTTP header spoofing for various web servers

    Hi, Habr readers.

    Most (if not all) web servers announce themselves by default in the Server header of every HTTP response, giving at a minimum the name of the software and, at worst, its version, loaded modules and so on. The header can be conveniently viewed with add-ons such as Server Spy for Mozilla Firefox.

    [Screenshot: the Server Spy add-on showing a Server header]

    But not all web servers allow this behavior to be turned off explicitly with a single directive. In my opinion, this is a potential security hole. This article shows how to stop sending the Server header, or replace its value with an arbitrary one, for Lighttpd, Nginx, Apache and G-WAN.

    Lighttpd


    Lighttpd is the only one of the servers listed whose configuration file provides a directive for spoofing the Server header. It looks like this:
    server.tag = "gws"
    Setting server.tag to an empty string ("") makes lighttpd omit the Server header entirely.

    Nginx


    More than once I have come across instructions on the Web for changing the Server header in Nginx. They all take the brute-force route: patch the string in the source and recompile. For example, www.xakep.ru/post/54168
    There is a simpler method. The built-in server_tokens off directive only strips the version and leaves "nginx" in place, but the name itself can be replaced with a combination of the HttpHeadersModule (the built-in add_header directive) and the third-party HttpHeadersMoreModule (headers-more-nginx-module, which must be compiled in), or, even more simply, with HttpHeadersMoreModule alone.

    Using a combination of HttpHeadersModule and HttpHeadersMoreModule:
    # Remove the existing Server header value
    more_clear_headers 'Server';
    # Set a new one
    add_header Server gws;

    Using HttpHeadersMoreModule alone:
    # HttpHeadersMoreModule only
    more_set_headers 'Server: my-server';


    Apache


    On the Apache web server, the contents of the Server header are controlled by ServerTokens.
    The default value is Full, which shows information of the form Apache/2.4.1 (Unix) PHP/4.2.2 MyMod/1.2.
    The most it can be reduced to is ServerTokens Prod, which leaves just Apache. (ServerSignature only affects the footer of server-generated pages such as error documents.) Using mod_headers I tried to make a configuration similar to the Nginx one. It failed: Apache ignores the settings and persistently sets the Server value according to ServerTokens and ServerSignature.
    I had to install mod_security and add this line to the configuration, which worked:
    SecServerSignature "gws"
    ModSecurity 2.x documents this directive as requiring ServerTokens Full, because it overwrites Apache's own signature string in place.

    G-WAN


    In the case of G-WAN there is no configuration file as such; the reply, including the Server header, is written by the C code of the handler. The subtleties of setting up G-WAN are not the topic of this article, so I will not go into details. The handler code looks like this:

    #include "gwan.h"   // G-WAN API: xbuf_xcat(), get_reply(), get_env()

    // Handler entry point: G-WAN calls main() of the handler's C file for each request.
    int main(int argc, char *argv[])
    {
        // Write the complete reply, including our own Server header, into the reply buffer.
        // "Hello, World" is 12 bytes, so Content-Length must be 12 (the original said 20,
        // which would make a keep-alive client wait for 8 more bytes).
        xbuf_xcat(get_reply(argv),
                  "HTTP/1.1 200 OK\r\n"
                  "Content-Type: text/html\r\n"
                  "Content-Length: 12\r\n"
                  "Server: gws\r\n"
                  "Connection: keep-alive\r\n\r\n"
                  "Hello, World");

        // set the HTTP reply code
        int *pHTTP_status = (int*)get_env(argv, HTTP_CODE);
        if(pHTTP_status)
            *pHTTP_status = 200; // 200:OK
        return 2; // handler return value as used in the original
    }
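    Whichever of the four servers you configure, the step that is easy to skip is confirming that the change actually took effect, and that it did not produce a second Server header (the Nginx add_header variant can do that if the built-in header is not cleared first). Hiding the banner only removes a fingerprinting shortcut, so this is a configuration check, not a substitute for patching. The script below is an added example, not code from the original article or from any of the servers discussed: it parses raw HTTP response bytes (the samples are constructed here, not captured from real hosts), reports every Server value, flags product/version tokens and duplicates, and can optionally compare against the value you configured. The live check uses only http.client from the standard library; host names are placeholders.

```python
"""Verify that a web server's Server header has been hidden or replaced.

Added example for the article above (not the article's own code).
Works on raw response bytes so it can run offline; fetch_server_headers()
performs a live HEAD request against a host you name.
"""
import http.client
import re
import sys
from typing import Dict, List, Optional, Tuple

# Product/version tokens such as "nginx/1.18.0", "Apache/2.4.1", "Microsoft-IIS/10.0".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)*")


def parse_header_block(raw: bytes) -> List[Tuple[str, str]]:
    """Parse the status line and headers of a raw HTTP response.

    Returns (name, value) pairs in wire order, keeping duplicates, which is
    exactly what we need to spot a doubled Server header.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:          # lines[0] is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue                # blank or malformed line: ignore
        headers.append((name.strip(), value.strip()))
    return headers


def server_values(headers: List[Tuple[str, str]]) -> List[str]:
    """All Server header values, matched case-insensitively (header names are)."""
    return [v for n, v in headers if n.lower() == "server"]


def assess(headers: List[Tuple[str, str]]) -> Dict[str, object]:
    values = server_values(headers)
    return {
        "present": bool(values),
        "values": values,
        "duplicate": len(values) > 1,
        "leaks_version": any(VERSION_RE.search(v) for v in values),
    }


def findings(headers: List[Tuple[str, str]], expected: Optional[str] = None) -> List[str]:
    """Human-readable problems; an empty list means the header looks as intended."""
    a = assess(headers)
    out: List[str] = []
    if a["leaks_version"]:
        out.append("Server header leaks a version: " + "; ".join(a["values"]))
    if a["duplicate"]:
        out.append("more than one Server header (e.g. add_header without clearing the built-in one)")
    if expected is not None and a["values"] != [expected]:
        out.append(f"expected Server {expected!r}, got {a['values']!r}")
    return out


def fetch_server_headers(host: str, port: int = 80, path: str = "/",
                         expected: Optional[str] = None, timeout: float = 5.0) -> List[str]:
    """Live check: HEAD request, then the same findings() as for raw bytes."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return findings(resp.getheaders(), expected)   # getheaders() -> [(name, value)]
    finally:
        conn.close()


# Constructed sample responses (not captured from real servers).
SAMPLE_NGINX_DEFAULT = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n"
                        b"Content-Type: text/html\r\nContent-Length: 0\r\n\r\n")
SAMPLE_SPOOFED = (b"HTTP/1.1 200 OK\r\nServer: gws\r\n"
                  b"Content-Type: text/html\r\nContent-Length: 0\r\n\r\n")
SAMPLE_DUPLICATE = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nServer: gws\r\n"
                    b"Content-Type: text/html\r\nContent-Length: 0\r\n\r\n")
SAMPLE_HIDDEN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    # Usage: python check_server_header.py HOST [EXPECTED_VALUE]  (host is a placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        print(fetch_server_headers(target, expected=sys.argv[2] if len(sys.argv) > 2 else None))
    else:
        for name, raw in [("default", SAMPLE_NGINX_DEFAULT), ("spoofed", SAMPLE_SPOOFED),
                          ("duplicate", SAMPLE_DUPLICATE), ("hidden", SAMPLE_HIDDEN)]:
            print(name, findings(parse_header_block(raw), expected="gws"))
```

    Run it without arguments to see the four constructed cases, or with a host (and the Server value you configured) to check a real deployment. The duplicate case is the one to watch after the Nginx add_header approach; the hidden case is what lighttpd produces with an empty server.tag.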




    Remarks


    This article covers the web servers I work with, so no extra software had to be installed for testing. If you configure another web server by analogy, write to me and I will add it to the article.
