Products

Solutions

Resources

Search for API Security Tests

/

/

Server Version Exposed Via Response Header In an Invalid Request

Server Version Exposed Via Response Header In an Invalid Request

Attacker can obtain information about the software version and other identifying details of the server software running on a remote system.

Server Version Disclosure (SVD)

"The endpoint appears to be vulnerable to server version disclosure attack. The original request was replayed by modifying it with an invalid url. The server response contained a header named Server which contained information about the server software and its version number. "<b>Background:</b> Server version disclosure vulnerabilities are often considered low-risk compared to other types of security flaws. However, they can still provide attackers with valuable information that aids in the planning and execution of subsequent attacks. For example, knowing the specific version of a web server software can help an attacker identify publicly known vulnerabilities associated with that version and exploit them to gain unauthorized access to the server or compromise its integrity.

"The endpoint appears to be vulnerable to server version disclosure attack. The original request was replayed by modifying it with an invalid url. The server response contained a header named Server which contained information about the server software and its version number. "<b>Background:</b> Server version disclosure vulnerabilities are often considered low-risk compared to other types of security flaws. However, they can still provide attackers with valuable information that aids in the planning and execution of subsequent attacks. For example, knowing the specific version of a web server software can help an attacker identify publicly known vulnerabilities associated with that version and exploit them to gain unauthorized access to the server or compromise its integrity.

Impact of the vulnerability

Impact of the vulnerability

Knowing the specific version of a web server software can help an attacker identify publicly known vulnerabilities associated with that version and exploit them to gain unauthorized access to the server or compromise its integrity

Knowing the specific version of a web server software can help an attacker identify publicly known vulnerabilities associated with that version and exploit them to gain unauthorized access to the server or compromise its integrity

How this template works

APIs Selection

The template uses API selection filters to specify the criteria for selecting the API to test. In this case, it filters based on the response code, ensuring that it is between 200 and 300, indicating a successful response. It also extracts the URL from the response and assigns it to the variable "urlVar".

Execute request

The template executes a single request by modifying the URL with an invalid test URL. This is done using the "modify_url" action and the value of the "urlVar" variable. This allows the template to simulate a server version disclosure attack by replaying the original request with an invalid URL.

Validation

After executing the request, the template validates the response. It checks that the response code is between 200 and 300, indicating a successful response. It also checks the response headers to ensure that there is a header named "Server" and extracts the server software version number using a regular expression. This validation helps confirm if the server is vulnerable to server version disclosure by checking if the response contains the expected header and version number.

Frequently asked questions

What is the purpose of the "Server Version Exposed Via Response Header In an Invalid Request" test

How does the test modify the original request to simulate an invalid URL

What is the impact of server version disclosure vulnerabilities

What is the severity level assigned to this vulnerability

What are the tags associated with this vulnerability

Are there any references or resources available for further information on this vulnerability

Loved by security teams!

Loved by security teams!

Product Hunt Badge

"We are absolutely thrilled with the testing feature of Akto. We have used it on our graphQL endpoints and it performs flawlessly identifying common API security issues. It's truly a game-changer and we highly recommend Akto to anyone looking to effortlessly secure their API endpoints. With a user-friendly interface, it's the perfect solution for anyone looking to embrace custom rules with context to reduce false positives."

Loom Company logo

Security team,

Loom

"We are absolutely thrilled with the testing feature of Akto. We have used it on our graphQL endpoints and it performs flawlessly identifying common API security issues. It's truly a game-changer and we highly recommend Akto to anyone looking to effortlessly secure their API endpoints. With a user-friendly interface, it's the perfect solution for anyone looking to embrace custom rules with context to reduce false positives."

Loom Company logo

Security team,

Loom

"The text editor in Akto is absolutely remarkable. Its user-friendly YAML format strikes the perfect balance between simplicity and power. With intuitive features like 'API selection filter', 'Execute', Validate' creating test rules becomes incredibly easy. Akto's test editor is a game-changer, enabling seamless creation of highly personalized and effective tests that could meet the needs of any modern day organization. "

Rippling Company logo

Security team,

Rippling

Suggest API security tests

Suggest API security tests

We're actively building the test library. Suggest a test! If we like your suggestion, you will see it in the library in few days.

We're actively building the test library. Suggest a test! If we like your suggestion, you will see it in the library in few days.