ZAP – In Page Banner Information Leak

Details
Alert ID	10009
Alert Type	Passive
Status	beta
Risk	Low
CWE	200
WASC	13
Technologies Targeted	All
Tags	CWE-200 OWASP_2017_A06 OWASP_2021_A05 WSTG-V42-INFO-02
More Info	Scan Rule Help

Summary

The server returned a version banner string in the response content. Such information leaks may allow attackers to further target specific issues impacting the product and version in use.

Solution

Configure the server to prevent such information leaks. For example: Under Tomcat this is done via the "server" directive and implementation of custom error pages. Under Apache this is done via the "ServerSignature" and "ServerTokens" directives.

Other Info

There is a chance that the highlight in the finding is on a value in the headers, versus the actual matched string in the response body.

References

https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/

Code

org/zaproxy/zap/extension/pscanrulesBeta/InPageBannerInfoLeakScanRule.java