HTTP Headers Exposing Sensitive Information

  • 16 February 2021
  • 0 replies
  • 207 views
MillaZ
Userlevel 5
Badge +20
 

HTTP Headers Exposing Sensitive Information

kbt144697

PRODUCT
K2 Five
K2 smartforms 4.6.11 to 4.7
BASED ON
K2 smartforms 4.6.11
This article was created in response to a support issue logged with K2. The content may include typographical errors and may be revised at any time without notice. This article is not considered official documentation for K2 software and is provided "as is" with no warranties.
LEGACY/ARCHIVED CONTENT
This article has been archived, and/or refers to legacy products, components or features. The content in this article is offered "as is" and will no longer be updated. Archived content is provided for reference purposes only. This content does not infer that the product, component or feature is supported, or that the product, component or feature will continue to function as described herein.

Issue

If you are performing penetration test on your SmartForms, you may encounter a warning about how the HTTP response headers returned contains information about the web server which could be useful to attackers.

Symptoms

Penetration test report highlights the following HTTP headers that pose security issues:

  • X-AspNet-Version
  • X-AspNetMvc-Version 
  • X-Powered-By 
  • Server

 

Image

<h3 class=""Resolution

Please note that these headers are not added by K2, but inserted automatically by IIS and .NET Framework.

 

To remove the X-AspNet-Version, X-AspNetMvc-Version, and Server headers:

  1. If you are using Forms STS for authentication, go to [Program Files]K2 blackpearlWebServicesIdentityStsForms.
  2. Alternatively, if you are using Windows STS, go to [Program Files]K2 blackpearlWebServicesIdentityStsWindows.
  3. Open Global.asax with a text editor
  4. Append the following line and save:
     
    <script runat="server">
     protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
     {
       HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
       HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
       HttpContext.Current.Response.Headers.Remove("Server");
     }
    </script>

 

 

To remove the X-Powered-By header:

  1. Open IIS Manager
  2. Expand Sites > [Your K2 Site] > Identity > Sts
  3. Select Forms if you are using Forms STS for authentication. Otherwise, select Windows if you are using Windows STS.
  4. Select HTTP Response Headers

    Image
     
  5. Remove X-Powered-By:

    Image

 

Once you are done, perform a IISRESET, clear browser cache, and check again if the headers appear.

]]> 7aa9901e-7d38-401e-9a3f-cd150b80d3cd Resolution Memo3
Check out these Nintex University Learning paths: https://community.nintex.com/p/NintexUniversity

0 replies

Be the first to reply!

Reply


View our Community Site Map

Nintex Community Sitemap
Terms & ConditionsCookie settings