crossbario / crossbar

Crossbar.io - WAMP application router
https://crossbar.io/

HTTP Header Leaks Software Version Details #770

Closed gregkeys closed 8 years ago

gregkeys commented 8 years ago

Crossbar leaks software name and version details in HTTP responses: Server: Crossbar/0.12.1

This information can be used by an attacker during the reconnaissance phase of an attack. It allows the attacker to determine possible attack vectors and vulnerabilities in the web server and application.

Can you add an option to turn this off?

oberstet commented 8 years ago

This is a current response:

HTTP/1.1 101 Switching Protocols
Server: Crossbar/0.12.1
X-Powered-By: AutobahnPython/0.12.1
Upgrade: WebSocket
Connection: Upgrade
Sec-WebSocket-Protocol: wamp.2.json
Sec-WebSocket-Accept: GwCnvxuYOCaZOZ2N84URp5klaq8=
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits=13

We might consider adding an option to remove the version string, but I would like to retain the Server: Crossbar header.

oberstet commented 8 years ago

FWIW, here is a response from https://google.de:

alt-svc:quic=":443"; ma=2592000; v="33,32,31,30,29,28,27,26,25"
alternate-protocol:443:quic
cache-control:private, max-age=0
content-encoding:gzip
content-type:text/html; charset=UTF-8
date:Mon, 02 May 2016 06:00:05 GMT
expires:-1
server:gws
status:200
x-frame-options:SAMEORIGIN
x-xss-protection:1; mode=block

Here is https://nginx.com

cache-control:max-age=10800
content-encoding:gzip
content-type:text/html; charset=UTF-8
date:Mon, 02 May 2016 05:59:25 GMT
expires:Mon, 02 May 2016 08:59:25 GMT
link:<https://www.nginx.com/wp-json/>; rel="https://api.w.org/"
link:<https://www.nginx.com/>; rel=shortlink
link:<https://www.nginx.com/wp-json>; rel="https://github.com/WP-API/WP-API"
server:nginx
set-cookie:geoip=DE,02
status:200
strict-transport-security:max-age=31536000
vary:Accept-Encoding
x-pingback:https://www.nginx.com/wordpress/xmlrpc.php

Here is https://mozilla.org

cache-control:max-age=600
cf-cache-status:EXPIRED
cf-ray:29c944d74e670f63-FRA
content-length:0
content-type:text/html; charset=utf-8
date:Mon, 02 May 2016 06:03:14 GMT
expires:Mon, 02 May 2016 06:13:14 GMT
location:https://www.mozilla.org/de/
server:cloudflare-nginx
status:301
vary:Accept-Encoding
x-backend-server:e52e009d5d2a.bedrock-prod.eu-west.moz.works
x-frame-options:DENY
x-robots-tag:noodp

So having the server type (not version, right) in the response is "best practice" ..

oberstet commented 8 years ago

Funny how people are trying to save every single byte;) Notice the missing spaces. Valid of course.

meejah commented 8 years ago

I agree we shouldn't leak the version, at least by default. Shall we just remove the /0.0.0 (from both AutobahnPython and Crossbar) or make it optional (i.e. maybe for some reason you'd like to turn the version on?)

gregkeys commented 8 years ago

I can see the value in getting the version for debugging. Can we add it when debug is enabled, or better yet, add an "about" endpoint that can return that sort of info, which could also be restricted in the authorizer / config?

meejah commented 8 years ago

@gregkeys you're thinking of a WAMP meta-API enhancement, e.g. something like wamp.router.get_info ..?

(Which would return a dict including e.g. version: "crossbar/0.13.2")

oberstet commented 8 years ago

We could have a new WebSocket transport option in the crossbar node config to suppress full version on http response headers ..

meejah commented 8 years ago

@oberstet yeah that's what I was originally thinking (or, conversely: default is that it just reports "Crossbar" as that's the safer option and you have to turn it on to get full version output, e.g. for debugging etc usecases).

Just for the record, I don't think it's worth completely suppressing the "Server:" header as it's likely pretty easy to fingerprint what sort of server you're talking to anyway (as justification I point to oberstet's previously-posted results, and note that popular web-server nginx has no way to turn off reporting "Server: nginx" but does allow you to stop reporting the precise version)

oberstet commented 8 years ago

Feature is implemented on trunk now

haizaar commented 6 years ago

This fix does seem to work for websocket transport, but not for web transport.

With:

  transports:
  - type: websocket
    endpoint:
      type: tcp
      port: 8080
  - type: web
    endpoint:
      type: tcp
      port: 8081
    paths:
      ws:
        type: websocket

I get the following results:

$ curl -sv -o /dev/null localhost:8080 2>&1 |grep Server
< Server: Crossbar
$ curl -sv -o /dev/null localhost:8081 2>&1 |grep Server
< Server: Crossbar/18.9.2

Looks like web transport indeed does not support the (undocumented) show_server_version option:

crossbar.common.checkconfig.InvalidConfigException: 'show_server_version' unknown in Web transport 'options'

Using docker image crossbario/crossbar:pypy3-18.9.2
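An offline check for the leak discussed in this thread, as an added example (not Crossbar's or Autobahn's own code): it parses raw response headers like the ones pasted above and flags any Server or X-Powered-By value that carries a version token, which is the piece of information gregkeys's first comment objects to and the piece haizaar's curl runs against ports 8080 and 8081 are looking for. The sample responses are constructed from the headers posted in this thread; the `probe` helper for a live listener is an illustration using only the standard library and is not exercised by the samples.

```python
import re
import http.client
from typing import Dict, List, Tuple

# RFC 7231 product tokens look like "product/product-version". Anything
# with a slash followed by a digit is treated as a version disclosure.
VERSION_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.-]*)")

# Headers that routinely disclose software name and version.
DISCLOSING_HEADERS = ("server", "x-powered-by")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw response (optional status line + header lines) into a
    lowercase-keyed dict. Accepts both 'Name: value' and the space-less
    'name:value' form seen in browser dev tools; the status line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers[name.strip().lower()] = value.strip()
    return headers


def leaked_versions(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, product, version) for every disclosing header whose
    value includes a version token. An empty list means only the server
    type (e.g. 'Crossbar', 'nginx', 'gws') is exposed, which the thread
    treats as acceptable."""
    found: List[Tuple[str, str, str]] = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        for product, version in VERSION_TOKEN.findall(value):
            found.append((name, product, version))
    return found


def probe(host: str, port: int, path: str = "/", timeout: float = 5.0) -> Dict[str, str]:
    """Live check (assumed usage, not run here): plain GET against a listener,
    returning its response headers lowercased for leaked_versions()."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


# Constructed samples, copied from the responses posted in this issue.
CROSSBAR_0_12_1_RESPONSE = """HTTP/1.1 101 Switching Protocols
Server: Crossbar/0.12.1
X-Powered-By: AutobahnPython/0.12.1
Upgrade: WebSocket
Connection: Upgrade
Sec-WebSocket-Protocol: wamp.2.json
Sec-WebSocket-Accept: GwCnvxuYOCaZOZ2N84URp5klaq8=
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits=13
"""

GOOGLE_RESPONSE = """alt-svc:quic=":443"; ma=2592000; v="33,32,31,30,29,28,27,26,25"
cache-control:private, max-age=0
server:gws
status:200
x-frame-options:SAMEORIGIN
"""

MOZILLA_RESPONSE = """cf-ray:29c944d74e670f63-FRA
location:https://www.mozilla.org/de/
server:cloudflare-nginx
status:301
x-backend-server:e52e009d5d2a.bedrock-prod.eu-west.moz.works
"""

# Only the Server line was shown for the two curl runs; the rest is omitted.
CROSSBAR_WS_8080 = "Server: Crossbar\n"
CROSSBAR_WEB_8081 = "Server: Crossbar/18.9.2\n"


if __name__ == "__main__":
    for label, raw in [("websocket :8080", CROSSBAR_WS_8080),
                       ("web :8081", CROSSBAR_WEB_8081)]:
        leaks = leaked_versions(parse_headers(raw))
        print(label, "LEAKS" if leaks else "ok", leaks)
```

Run it as a script to see the two curl results from the thread classified; point `probe()` at a node's listening ports to repeat the check live, and run it against every transport (websocket and web) since, as the last comment shows, the option may not apply to all of them.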