Posts Tagged ‘apache’

How-to: Modify Apache-Coyote/1.1 Banner

If you’ve ever done a penetration test or got one done, you may have come across the following scenario:

HTTP Service running on port 8080, revealing the version information of the product in it banner.
The banner  revealed is Apache-Coyote/1.1.
This is the banner of the Apache Tomcat Web Server which runs on port 8080 by default.

Apache-Coyote/1.1 Version Disclosure

Now, as per good security practice, the banner should be removed or modified, so that it no longer reveals the version number.
This can be achieved by editing your server.xml configuration file found at the below location:

CATALINA_HOME/conf/server.xml

Original server.xml reveals version information

Modified server.xml

You may need to restart your server for the changes to reflect.
Once the Tomcat server is up, test the server to see if it shows the custom header.

 

> telnet localhost 8080
HEAD / HTTP/1.0
<CRLF>
<CRLF>

Web Server with Custom HTTP Banner

 

Hope this helps others who are looking for a solution to the banner version disclosure

Check out OWASP’s article on Securing Tomcat for more details.

Wasim

Follow

Get every new post delivered to your Inbox.

Join 299 other followers