Server Version Exposed Via Response Header In an Invalid Request

Attacker can obtain information about the software version and other identifying details of the server software running on a remote system.

Server Version Disclosure (SVD)

Impact of the vulnerability

Knowing the specific version of a web server software can help an attacker identify publicly known vulnerabilities associated with that version and exploit them to gain unauthorized access to the server or compromise its integrity

How this template works

APIs Selection

The template uses API selection filters to specify the criteria for selecting the API to test. In this case, it filters based on the response code, ensuring that it is between 200 and 300, indicating a successful response. It also extracts the URL from the response and assigns it to the variable "urlVar".

Execute request

The template executes a single request by modifying the URL with an invalid test URL. This is done using the "modify_url" action and the value of the "urlVar" variable. This allows the template to simulate a server version disclosure attack by replaying the original request with an invalid URL.

Validation

After executing the request, the template validates the response. It checks that the response code is between 200 and 300, indicating a successful response. It also checks the response headers to ensure that there is a header named "Server" and extracts the server software version number using a regular expression. This validation helps confirm if the server is vulnerable to server version disclosure by checking if the response contains the expected header and version number.

Frequently asked questions

What is the purpose of the "Server Version Exposed Via Response Header In an Invalid Request" test

How does the test modify the original request to simulate an invalid URL

What is the impact of server version disclosure vulnerabilities

What is the severity level assigned to this vulnerability

What are the tags associated with this vulnerability

Are there any references or resources available for further information on this vulnerability

Loved by security teams!

"We are absolutely thrilled with the testing feature of Akto. We have used it on our graphQL endpoints and it performs flawlessly identifying common API security issues. It's truly a game-changer and we highly recommend Akto to anyone looking to effortlessly secure their API endpoints. With a user-friendly interface, it's the perfect solution for anyone looking to embrace custom rules with context to reduce false positives."

Security team,

Loom

Security team,

Loom

Security team,

Loom

"The text editor in Akto is absolutely remarkable. Its user-friendly YAML format strikes the perfect balance between simplicity and power. With intuitive features like 'API selection filter', 'Execute', Validate' creating test rules becomes incredibly easy. Akto's test editor is a game-changer, enabling seamless creation of highly personalized and effective tests that could meet the needs of any modern day organization. "