Server leaks implementation information

[willtemperley]

Upgrade error responses provide details of the implementation and the protocol. This may be useful when debugging, but in production it's a security risk.

Java-WebSocket/src/main/java/org/java_websocket/WebSocketImpl.java

Line 463 in 30ba037

+ "\r\nContent-Type: text/html\r\nServer: TooTallNate Java-WebSocket\r\nContent-Length: "

[marci4]

Feel free to open a PR with a option to disable this

[PhilipRoman]

I don't think there is need to change anything - it is a common practice to report the server implementation and all http servers I know do it. You can pick any site, and do curl -D - -o /dev/null https://example.com | grep -i server and see the server implementation. Apache even reports details like OpenSSL version so I don't see the issue here.

[willtemperley]

@PhilipRoman The issue is that it isn't necessary to expose the implementation. and if any vulnerabilities exists it makes them easier to exploit. Using your command, I can't find an important website that discloses the server implementation.

"While exposed server information is not necessarily in itself a vulnerability, it is information that can assist attackers in exploiting other vulnerabilities that may exist."

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server

[marci4]

@PhilipRoman I would add an option to the Draft_6455 as well as the server to hide the implementation.
You're cool with it?

[PhilipRoman]

Sure, I don't see any downside