ASP.NET Version Disclosure

Severity:: Informational

Description

The presence of the X-AspNet-Version and X-AspNetMvc-Version headers exposes the version of ASP.NET used by the web server, providing valuable information to attackers. This disclosure can aid attackers in identifying vulnerabilities and planning their attacks more effectively.

Test for ASP.NET Version Disclosure Vulnerability with SmartScanner

Donwload FREE!

Recommendation

To mitigate this issue:

To remove the X-AspNet-Version header, add the following line in your web.config within the <system.web> section:

<httpRuntime enableVersionHeader="false" />

To remove the X-AspNetMvc-Version header, add the following line in Global.asax:

MvcHandler.DisableMvcResponseHeader = true;

References

OWASP: Web Server Security
Microsoft: Remove Server Header
CWE-16
CWE-200
CAPEC-118
OWASP 2021-A5

Related Issues

PHP Version Disclosure - Vulnerability
Apache Version Disclosure - Vulnerability
Nginx Version Disclosure - Vulnerability
Server Version Disclosure - Vulnerability

Tags:: HTTP Headers; Information Disclosure; Application Misconfiguration; ASP.NET; Web Server

Anything's wrong? Let us know Last updated on May 13, 2024