If you’ve ever done a penetration test or had one done, you may have come across the following scenario:
HTTP service running on port 8080, revealing the version information of the product in its banner.
The banner revealed is Apache-Coyote/1.1.
This is the banner of the Apache Tomcat Web Server which runs on port 8080 by default.
Now, as per good security practice, the banner should be removed or modified, so that it no longer reveals the version number.
This can be achieved by editing your server.xml configuration file, found at the location below:
You may need to restart your server for the changes to take effect.
Once the Tomcat server is up, test the server to see if it shows the custom header.
> telnet localhost 8080
HEAD / HTTP/1.0
<CRLF>
<CRLF>
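The manual telnet check above can be turned into a repeatable test. The script below is an added example, not from the original post: it parses the Server header out of an HTTP response and flags the stock Apache-Coyote banner (or any product/version string) as a disclosure. The two sample responses are constructed, and the live check assumes `nc` is installed on the tester's machine.

```shell
#!/bin/sh
# Constructed sample responses (not captured from a real host).
# DEFAULT_RESPONSE carries the stock Tomcat banner; HARDENED_RESPONSE is what a
# server with a customised banner would return.
DEFAULT_RESPONSE="$(printf 'HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Type: text/html;charset=UTF-8\r\n\r\n')"
HARDENED_RESPONSE="$(printf 'HTTP/1.1 200 OK\r\nServer: Web Server\r\nContent-Type: text/html;charset=UTF-8\r\n\r\n')"

# Print the value of the first Server header in the HTTP response passed as $1.
# Prints nothing if the header is absent. Header names are matched case-insensitively
# and CR characters are stripped so CRLF-terminated responses parse cleanly.
server_header() {
  printf '%s\n' "$1" | tr -d '\r' \
    | sed -n 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[[:space:]]*//p' | head -n 1
}

# Classify a Server header value.
#   "disclosed" : the stock Apache-Coyote banner, or any product/version pair (name/1.2)
#   "ok"        : empty, or a banner with no version component
classify_banner() {
  case "$1" in
    Apache-Coyote/*|*/[0-9]*) echo disclosed ;;
    *) echo ok ;;
  esac
}

# Live check against host $1 and port $2, sending the same HEAD request as the
# telnet session in the post. Assumes nc (netcat) is available; -w sets a 5s timeout.
check_live() {
  response="$(printf 'HEAD / HTTP/1.0\r\n\r\n' | nc -w 5 "$1" "$2")"
  banner="$(server_header "$response")"
  printf '%s:%s Server=%s -> %s\n' "$1" "$2" "${banner:-<none>}" "$(classify_banner "$banner")"
}

# Offline demonstration over the constructed samples.
for sample in "$DEFAULT_RESPONSE" "$HARDENED_RESPONSE"; do
  banner="$(server_header "$sample")"
  printf 'Server=%s -> %s\n' "${banner:-<none>}" "$(classify_banner "$banner")"
done
```

Run `check_live localhost 8080` after the server.xml change and a restart; the result should read `ok` rather than `disclosed`.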
Hope this helps others who are looking for a solution to the banner version disclosure issue.
Check out OWASP’s article on Securing Tomcat for more details.