Difference between revisions of "SCG WS Apache"
Revision as of 16:33, 5 October 2015
This article is part of the OWASP Secure Configuration Guide.
Back to the OWASP Secure Configuration Guide ToC: https://www.owasp.org/index.php/Secure_Configuration_Guide
Back to the OWASP Secure Configuration Guide Project: https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide
Summary
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.
Apache Server Information
Server Token
Description
By default, the Apache ServerTokens directive causes the Server response header to reveal information such as the following:
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5
This lets an attacker fingerprint the web server precisely: the Apache version, the loaded modules (here mod_ssl), the OpenSSL build and the operating system flavour. It makes any attack more efficient, because public vulnerabilities and exploits are tied to specific software versions, so the attacker can skip guesswork and go straight to what applies. Hiding the version does not remove the vulnerabilities themselves; it only denies the attacker a cheap, reliable lookup key, and the server must still be patched.
How to test
To test the ServerTokens configuration, check the Apache configuration file (for example httpd.conf or apache2.conf) for the directive; if it is absent, the server uses the default, which is Full. Confirm the effective setting from the outside by requesting any URL and inspecting the Server response header, since the running server is the only authoritative source.
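The following shell script is an added example and not part of the OWASP page: it reads the effective ServerTokens value out of an Apache configuration file (the last occurrence wins, the directive and its value are case-insensitive, and an absent directive means the compiled-in default, Full), reports whether it is set to Prod/ProductOnly, and includes a curl probe of a live server. The config file paths and the probe URL are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit the ServerTokens directive in an Apache config file
# and verify what a running server actually advertises.
# Not part of the OWASP page; file paths and the probe URL are assumptions.

# Print the effective ServerTokens value from a configuration file.
# Apache honours the last occurrence; directive names and values are
# case-insensitive; a missing directive means the built-in default, Full.
# Note: Include/IncludeOptional directives are not followed here.
server_tokens_setting() {
    conf="$1"
    value=$(grep -Ei '^[[:space:]]*ServerTokens[[:space:]]+' "$conf" 2>/dev/null \
        | tail -n 1 \
        | awk '{print $2}')
    if [ -z "$value" ]; then
        echo "Full"    # compiled-in default when the directive is absent
    else
        echo "$value"
    fi
}

# Exit 0 if the file's effective setting is Prod or ProductOnly, 1 otherwise.
check_server_tokens() {
    setting=$(server_tokens_setting "$1")
    case "$(printf '%s' "$setting" | tr '[:upper:]' '[:lower:]')" in
        prod|productonly) return 0 ;;
        *)                return 1 ;;
    esac
}

# Fetch the Server header from a live host (needs network access and curl).
# With ServerTokens Prod the reply is "Server: Apache" and nothing more.
probe_server_header() {
    curl -sI "$1" | grep -i '^Server:'
}

# Example usage (assumed paths/URL):
#   check_server_tokens /etc/httpd/conf/httpd.conf && echo "ServerTokens OK" || echo "ServerTokens leaks version"
#   probe_server_header https://www.example.com/
```

The file check is a quick audit, but it does not follow Include directives and cannot see settings compiled into a vendor build, so treat the live header from probe_server_header as the real verdict.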
Misconfiguration
ServerTokens Full
This is also the compiled-in default, so an installation that never sets the directive is in this state.
Remediation
Configure the ServerTokens directive in the Apache configuration with the value Prod (or its long form ProductOnly; both mean the same thing). The directive is valid only in the main server configuration, not inside a VirtualHost block. With it set, the header shrinks to Server: Apache with no version, module or OS details.
ServerTokens Prod or ServerTokens ProductOnly
Pair it with ServerSignature Off so that server-generated pages (error pages, directory listings) stop printing a version footer as well.
References
https://httpd.apache.org/docs/current/misc/security_tips.html