Details
Alert ID 10009
Alert Type Passive
Status beta
Risk Low
CWE 497
WASC 13
Technologies Targeted All
Tags CWE-497
OWASP_2017_A06
OWASP_2021_A05
POLICY_PENTEST
POLICY_QA_STD
SYSTEMIC
WSTG-V42-INFO-02
More Info Scan Rule Help

Summary

The server returned a version banner string in the response content. Such information leaks may allow attackers to further target specific issues impacting the product and version in use.

Solution

Configure the server to prevent such information leaks. For example: Under Tomcat this is done via the "server" directive and implementation of custom error pages. Under Apache this is done via the "ServerSignature" and "ServerTokens" directives.

Other Info

There is a chance that the highlight in the finding is on a value in the headers, versus the actual matched string in the response body.

References

Code

org/zaproxy/zap/extension/pscanrulesBeta/InPageBannerInfoLeakScanRule.java