Project Simple / ST-108

Web Security: WEB BANNER REVEALS VERSION INFO

    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: High
    • Resolution: Done
    • Component/s: BenAdmin
    • Labels:
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      Production Complete - Closed
    • Issue Importance:
      Must Have
    • Sprint:
      ST Sprint 1

      Description

      Praetorian discovered this vulnerability while manually monitoring the data sent to the application in the server responses. The web banner revealed the application server software name and version number.

        Attachments

          Activity

          samir Samir created issue -
          samir Samir made changes -
          Field Original Value New Value
          Assignee Niteen Surwase [ niteen.surwase ]
          samir Samir made changes -
          Status New Request [ 10029 ] Pending for Approval [ 10002 ]
          samir Samir made changes -
          Status Pending for Approval [ 10002 ] Approved for Development [ 10003 ]
          samir Samir made changes -
          Priority Medium [ 3 ] High [ 2 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Attachment iis_stripheaders_module_1.0.4.msi [ 14591 ]
          Attachment Server header remove Help.txt [ 14592 ]
          niteen.surwase Niteen Surwase (Inactive) added a comment - - edited

          Commented code : SharedFunctionWebTier\SharedFunctionWebTier\Modules\SharedSessionModule.cs

          This code is commented out because, for this patch, the changes were made in the IIS Configuration Editor on the web server.

          niteen.surwase Niteen Surwase (Inactive) made changes -
          Attachment After Configure.jpg [ 14593 ]
          Attachment Before Configure.jpg [ 14594 ]
          niteen.surwase Niteen Surwase (Inactive) added a comment -

          Path to Test:
          Open Login Page --> Right Click --> Inspect Element --> "Network" Tab --> Ctrl+F5 --> Click on a file from the list; you will get the file details on the right side.

          To Check :
          In earlier scenario,

          In the file details there was Server attribute which reveals Server Version Info

          Now, this attribute is removed for all files

          niteen.surwase Niteen Surwase (Inactive) made changes -
          Assignee Niteen Surwase [ niteen.surwase ] Amit Gude [ amitg ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Approved for Development [ 10003 ] In Development [ 10007 ]
          samir Samir made changes -
          Sprint ST Sprint 1 [ 1 ]
          samir Samir made changes -
          Rank Ranked higher
          amitg Amit Gude (Inactive) added a comment -

          Assigning to Zeeshan

          amitg Amit Gude (Inactive) made changes -
          Assignee Amit Gude [ amitg ] Zeeshan Chishty [ zeeshan.chishty ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status In Development [ 10007 ] Local Testing [ 10200 ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          Verified as Server Banner is removed from responses.

          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Status Local Testing [ 10200 ] Pending for Stage Approval [ 10300 ]
          samir Samir made changes -
          Issue Importance Must Have [ 11800 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Assignee Zeeshan Chishty [ zeeshan.chishty ] Niteen Surwase [ niteen.surwase ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Component/s BenAdmin [ 10100 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Labels Security
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Module Parent values: BenAdmin(10100) -> Parent values: BenAdmin(10100), Level 1 values: Security(10112)
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Item State Parent values: LB QA(10201), Level 1 values: Ready for Stage(10213)
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Assignee Niteen Surwase [ niteen.surwase ] Zeeshan Chishty [ zeeshan.chishty ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Pending for Stage Approval [ 10300 ] Approved for Stage [ 10030 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Item State Parent values: LB QA(10201), Level 1 values: Ready for Stage(10213) -> Parent values: Stage QA(10202), Level 1 values: Stage Deployed(11602)
          rakeshr Rakesh Roy (Inactive) made changes -
          Developer Niteen Surwase [ niteen.surwase ]
          rakeshr Rakesh Roy (Inactive) made changes -
          Status Approved for Stage [ 10030 ] Stage Testing [ 10201 ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          Verified that server header does not appear in response on stage.

          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Status Stage Testing [ 10201 ] Pending for Production Approval [ 10301 ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Item State Parent values: Stage QA(10202), Level 1 values: Stage Deployed(11602) -> Parent values: Stage QA(10202), Level 1 values: Ready for Production(10217)
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Item State Parent values: Stage QA(10202), Level 1 values: Ready for Production(10217) -> Parent values: Production QA(10203), Level 1 values: Production Deployed(10221)
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Pending for Production Approval [ 10301 ] Approved for production [ 10034 ]
          niteen.surwase Niteen Surwase (Inactive) added a comment - - edited

          Zeeshan Chishty

          Deployed on Production on all 3 Web Servers.
          Please check carefully. If you find any Response Header related to this ticket, please let us know.
          Removed Response Headers:

          1. Server
          2. X-Powered-By
          3. X-Aspnet-Version
          4. X-AspNetMvc-Version

          NOTE : Check these headers only for WORKTERRA Resources

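The "Path to Test" steps and the "Removed Response Headers" list above describe a manual check in the browser's Network tab. The script below is an added example (not code from this ticket or the project) that automates the same check: it parses a raw HTTP response and reports which of the four headers named in the ticket are still present. Both sample responses are constructed, and the version strings in them are placeholders, not values from the ticket; `check_url` is an assumed helper for running the same check against a live URL.

```python
"""Check HTTP responses for the version-disclosure headers this ticket removes.

Added example for this ticket, not code from the project: it parses a raw
HTTP response and reports which of the headers listed in the ticket
(Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version) are present.
Both sample responses below are constructed; the version values are placeholders.
"""
from __future__ import annotations

import urllib.request

# Header names taken from the ticket's "Removed Response Headers" list.
DISCLOSURE_HEADERS = (
    "Server",
    "X-Powered-By",
    "X-AspNet-Version",
    "X-AspNetMvc-Version",
)

# Constructed "before" response: the four disclosure headers are present.
BEFORE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/0.0\r\n"          # placeholder version
    "X-AspNetMvc-Version: 0.0\r\n"           # placeholder version
    "X-AspNet-Version: 0.0.00000\r\n"        # placeholder version
    "X-Powered-By: ASP.NET\r\n"
    "Date: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed "after" response: same page, disclosure headers stripped.
AFTER_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Date: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_response_headers(raw: str) -> dict[str, str]:
    """Split a raw HTTP/1.x response into a header map keyed by the
    lower-cased header name (HTTP header names are case-insensitive)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: missing status line")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosure_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return the disclosure headers present, keyed by their canonical name.

    Presence is what matters: an empty value still tells a client the
    header exists, so it is reported too."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return {
        canonical: lowered[canonical.lower()]
        for canonical in DISCLOSURE_HEADERS
        if canonical.lower() in lowered
    }


def check_url(url: str, timeout: float = 10.0) -> dict[str, str]:
    """Live variant of the ticket's 'Path to Test' (assumed helper): fetch url
    and report disclosure headers in the real response. Not run by the samples."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return find_disclosure_headers(dict(resp.headers.items()))


if __name__ == "__main__":
    for label, raw in (("before", BEFORE_RESPONSE), ("after", AFTER_RESPONSE)):
        found = find_disclosure_headers(parse_response_headers(raw))
        status = "FAIL" if found else "OK"
        print(f"{label}: {status} {found}")
```

Run the file to see the constructed "before" sample flagged and the "after" sample pass; `check_url("https://host/login")` does the same against a deployed server, which is how the stage and production verifications in this ticket could be repeated for every resource rather than by clicking through the Network tab.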
          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          Confirmed that the server header does not appear in the Production server's response.

          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Assignee Zeeshan Chishty [ zeeshan.chishty ] Deepali Tidke [ deepalit ]
          deepalit Deepali Tidke (Inactive) added a comment -

          As discussed with Niteen, no functional testing is involved here; can close this ticket.

          deepalit Deepali Tidke (Inactive) made changes -
          Item State Parent values: Production QA(10203), Level 1 values: Production Deployed(10221) -> Parent values: Production Complete(10222), Level 1 values: Closed(10223)
          deepalit Deepali Tidke (Inactive) made changes -
          Status Approved for production [ 10034 ] Production Testing [ 10202 ]
          deepalit Deepali Tidke (Inactive) made changes -
          Resolution Fixed [ 1 ]
          Status Production Testing [ 10202 ] Production Complete [ 10028 ]
          deepalit Deepali Tidke (Inactive) made changes -
          Status Production Complete [ 10028 ] Closed [ 6 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Link This issue relates to DEV-13718 [ DEV-13718 ]
          Transition (who: from -> to) | Time In Source Status | Execution Times
          Samir: New Request -> Pending for Approval | 11s | 1
          Samir: Pending for Approval -> Approved for Development | 3s | 1
          Niteen Surwase (Inactive): Approved for Development -> In Development | 4d 22h 37m | 1
          Niteen Surwase (Inactive): In Development -> In LB Testing | 22d 23h 50m | 1
          Zeeshan Chishty (Inactive): In LB Testing -> Pending for Stage Approval | 2d 2h 35m | 1
          Niteen Surwase (Inactive): Pending for Stage Approval -> Approved for Stage | 51d 21h 1m | 1
          Rakesh Roy (Inactive): Approved for Stage -> Stage Testing | 55m 59s | 1
          Zeeshan Chishty (Inactive): Stage Testing -> Pending for Production Approval | 1h 8m | 1
          Niteen Surwase (Inactive): Pending for Production Approval -> Approved for production | 2d 19h 34m | 1
          Deepali Tidke (Inactive): Approved for production -> In Production Testing | 7d 2h 47m | 1
          Deepali Tidke (Inactive): In Production Testing -> Production Complete | 4s | 1
          Deepali Tidke (Inactive): Production Complete -> Closed | 1s | 1

            People

            Assignee:
            deepalit Deepali Tidke (Inactive)
            Reporter:
            samir Samir
            Developer:
            Niteen Surwase (Inactive)
            Votes:
            0
            Watchers:
            5
