Won't Fix
Details
Assignee: Christian Pape
Reporter: Cobalt
Sprint: None
Priority: High
PagerDuty
Created June 13, 2024 at 6:31 PM
Updated September 9, 2024 at 1:29 PM
Resolved July 16, 2024 at 1:31 PM
Overview
The HTTP response headers contain the name and version of the web server software in use:
```
Server: nginx/1.20.1
```
A security misconfiguration can happen at any level of an application stack, including the network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage. Automated scanners are useful for detecting misconfigurations, use of default accounts or configurations, unnecessary services, legacy options, and similar issues.
https://cwe.mitre.org/data/definitions/16.html
Browser URL
https://pentest24.eastus.cloudapp.azure.com/opennms/login.jsp
Steps To Reproduce
STEP 1: Visit the URL and capture the request/response in an intercepting proxy, e.g. Burp Suite.
STEP 2: Observe the response headers and note the server name and version exposed in the Server header.
[Screen Recording 2024-04-14 at 4.02.51 PM.mov](https://api.us.cobalt.io/v1/attachments/att_4BZrGAG/preview)
Severity
low
CVSS Score: 3.9 Low
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
OWASP: (A6) Likelihood is 1 and business impact 2 (1-5, 5 being high).
Suggested Fix
Please make sure that the version is not exposed in the response header, and update the server to the latest version.
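The following is an added example, not part of the original finding or of the OpenNMS project: a small Python checker that parses a raw HTTP response and reports headers that carry a product version, so the fix can be verified before and after reconfiguring the server. The two sample responses are constructed here; the first mirrors the Server header quoted in the finding, the second shows the header as nginx emits it once version disclosure is turned off. It goes slightly beyond the nginx case by also inspecting other headers (X-Powered-By, X-AspNet-Version, X-Generator) that commonly leak versions.

```python
import re
from typing import List, Tuple

# Response headers that commonly carry software names and versions.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# A product token followed by a dotted version, e.g. "nginx/1.20.1" or "PHP/8.1.2".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")

# Constructed sample: the response as described in the finding (version exposed).
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.20.1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same response after the version has been suppressed.
RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response into (name, value) pairs; the status line is skipped."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    lines = re.split(r"\r?\n", head)[1:]  # drop the status line
    pairs = []
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_version_disclosure(raw_response: str) -> List[Tuple[str, str]]:
    """Return the (header, value) pairs whose value exposes a product version."""
    findings = []
    for name, value in parse_headers(raw_response):
        if name in DISCLOSURE_HEADERS and VERSION_RE.search(value):
            findings.append((name, value))
    return findings


if __name__ == "__main__":
    for label, response in (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER)):
        print(label, find_version_disclosure(response))
```

For nginx specifically, `server_tokens off;` in the `http` block reduces the header to `Server: nginx` (the product name stays, the version is dropped), which is the shape of `RESPONSE_AFTER` above; the checker returns no findings for it and one finding for the original response.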
Prerequisites: HTTP Request
Cobalt URL: #PT22584_2