HTTP header manipulation


#1

I thought I’d use a different thread instead of stealing Paul’s…

HTTP-header manipulation is another type of exploit which does relate
to the webserver. On that, how can I prevent nginx from sending the
server name? I.e., given this:

[…]
GET / HTTP/1.1
Host: localhost
Accept: text/html

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Feb 2009 22:08:31 GMT
Content-Type: text/html; charset=utf8
Transfer-Encoding: chunked
Connection: keep-alive

I’d like to remove or spoof that “Server …” line. I’ve done these
changes on my files:

/etc/nginx/nginx.conf
[…]
http {
[…]
server_tokens off;
[…]

/etc/nginx/fastcgi_params
[…]
fastcgi_param SERVER_SOFTWARE apache; #or whatever string
fastcgi_param SERVER_NAME again… some string here;

I’m also fiddling with error pages so they present my error pages,
which also includes “msie_padding on;” in .conf but this is its
default setting anyway.

However, the server name does still go out in the response header. Am I
missing something in the config? Do I have to reboot/re-HUP the server
again? Do I have to use PHP or something to filter the headers?

Nuno Magalhães
LU#484677


#2

Hello!

On Fri, Feb 20, 2009 at 10:17:41PM +0000, Nuno Magalhães wrote:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Feb 2009 22:08:31 GMT
Content-Type: text/html; charset=utf8
Transfer-Encoding: chunked
Connection: keep-alive

I’d like to remove or spoof that “Server …” line. I’ve done these
changes on my files:

No way. Switching off server_tokens is the only thing you may do
without nginx source code modification.

Personally I think that even switching off server_tokens is wrong
way to go. It doesn’t give you extra security but instead false
sense of it - at the cost of much more complicated debugging and
defeating your own security analysis. It’s much better to keep
your software up-to-date instead.

BTW, charset in the example above is wrong. There is no “utf8”
charset, it’s called “utf-8”. Full list of registered character
sets can be found here:

http://www.iana.org/assignments/character-sets.

fastcgi_param SERVER_NAME again… some string here;
You don’t trust even your own fastcgi apps? Funny. :)

Maxim D.


#3

No way. Switching off server_tokens is the only thing you may do
without nginx source code modification.

However “nginx” does still appear in a 403 (I’m in the process of
editing the error pages). Eventually I added “add_headers Server
weee;” to my conf, but that didn’t have any effect, even with a 200
OK.

Personally I think that even switching off server_tokens is wrong
way to go. It doesn’t give you extra security but instead false
sense of it

It doesn’t secure anything per se, but it’s harder for people to
figure out which webserver is running and thus harder to find exploits
for said server.

BTW, charset in the example above is wrong. There is no “utf8”
charset, it’s called “utf-8”.

Thanks!

You don’t trust even your own fastcgi apps? Funny. :)

Being an internal service? Meh…

Nuno Magalhães
LU#484677


#4

On Fri, Feb 20, 2009 at 4:48 PM, Nuno Magalhães
removed_email_address@domain.invalid wrote:

Personally I think that even switching off server_tokens is wrong
way to go. It doesn’t give you extra security but instead false
sense of it

It doesn’t secure anything per se, but it’s harder for people to
figure out which webserver is running and thus harder to find exploits
for said server.

HTTP fingerprinting is a very low wall. If someone seriously capable is
attempting to exploit you, spoofing or removing your server string won’t
matter in the least as they will employ fingerprinting techniques. I’m
just gonna leave this here…
http://www.net-square.com/httprint/httprint_paper.html

-Merlin
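The following is an added example, not code from the thread or from nginx, that demonstrates the point made in #2, #3 and #4 together: `server_tokens off` only drops the version (the 403 body still says “nginx”), and even a Server header rewritten to say “Apache” leaves other httprint-style traits intact. Two such traits are used here: nginx emits Server before Date while Apache httpd emits Date before Server, and each server’s stock error page carries its own signature. All four responses are constructed for this example (the nginx version string is invented), and the body check assumes the default error pages have not been replaced, which is exactly what Nuno is doing; once custom error pages are in place that check returns nothing, but the header-order check still fires.

```python
"""Passive HTTP fingerprinting in the spirit of httprint (added example).

Shows why hiding or spoofing the Server header is a low wall: nginx and
Apache httpd also differ in the order they emit Server and Date, and in
their default error-page bodies. Neither `server_tokens off` nor a
rewritten Server value changes those. All responses are constructed.
"""
import re

# Constructed: stock nginx 403 with server_tokens on (version is made up).
NGINX_DEFAULT = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: nginx/0.7.38\r\n"
    "Date: Fri, 20 Feb 2009 22:08:31 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    "<html>\r\n<head><title>403 Forbidden</title></head>\r\n"
    "<body bgcolor=\"white\">\r\n"
    "<center><h1>403 Forbidden</h1></center>\r\n"
    "<hr><center>nginx/0.7.38</center>\r\n"
    "</body>\r\n</html>\r\n"
)

# Constructed: same server with `server_tokens off`; only the version
# disappears, from both the header and the error page.
NGINX_TOKENS_OFF = NGINX_DEFAULT.replace("nginx/0.7.38", "nginx")

# Constructed: Server header rewritten to "Apache" (e.g. by a front proxy
# or a patched binary); everything else untouched.
NGINX_SPOOFED = NGINX_TOKENS_OFF.replace("Server: nginx", "Server: Apache")

# Constructed: stock Apache httpd 403 with ServerTokens Prod.
APACHE_PROD = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Date: Fri, 20 Feb 2009 22:08:31 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"
    "<html><head>\n<title>403 Forbidden</title>\n</head><body>\n"
    "<h1>Forbidden</h1>\n"
    "<p>You don't have permission to access / on this server.</p>\n"
    "</body></html>\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def claimed_server(headers):
    """What the Server header says (None if absent)."""
    for name, value in headers:
        if name.lower() == "server":
            return value
    return None


def guess_from_header_order(headers):
    """nginx writes Server before Date; Apache httpd writes Date before Server."""
    names = [name.lower() for name, _ in headers]
    if "server" not in names or "date" not in names:
        return None
    return "nginx" if names.index("server") < names.index("date") else "apache"


def guess_from_error_body(body):
    """Stock error pages carry a signature (assumes they were not customised)."""
    if re.search(r"<center>nginx(?:/[\d.]+)?</center>", body):
        return "nginx"
    if "permission to access" in body or "<address>Apache" in body:
        return "apache"
    return None


def fingerprint(raw):
    """Combine the traits and flag a Server header that contradicts them."""
    _, headers, body = parse_response(raw)
    claimed = claimed_server(headers)
    guesses = [g for g in (guess_from_header_order(headers),
                           guess_from_error_body(body)) if g]
    verdict = guesses[0] if guesses and len(set(guesses)) == 1 else None
    spoofed = bool(claimed and verdict and verdict not in claimed.lower())
    return {"claimed": claimed, "verdict": verdict, "spoofed": spoofed}


if __name__ == "__main__":
    for label, raw in [("nginx default", NGINX_DEFAULT),
                       ("nginx server_tokens off", NGINX_TOKENS_OFF),
                       ("nginx, Server spoofed", NGINX_SPOOFED),
                       ("apache ServerTokens Prod", APACHE_PROD)]:
        print(f"{label:26} -> {fingerprint(raw)}")
```

Running it reports `verdict: nginx, spoofed: True` for the response whose Server header claims Apache, which is Merlin’s point in compact form: the header is one signal among several, and the others come from code paths that no configuration directive touches.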