This is the second part in the analysis of the content of HTTP headers returned from Belgian websites. The first part describes what HTTP headers are and analyses the results of the network requests.
Why is this important?
Disclosing HTTP headers is not going to make your site more vulnerable, nor is suppressing them going to make your site more secure. But by leaking version information you basically give away your level of patch management, making it easier for attackers to tune their attack tools to your environment.
Limiting the number of returned HTTP headers is not security through obscurity. Merely relying on hiding a version number as a defence measure is foolish; not broadcasting that version number, because it serves no purpose for the outside world, is common sense.
Additionally, there is no real need for clients to know what version you're running. Your website will function perfectly without telling your visitors you're running webserver version X with scripting language Y.
Still not convinced? Read Shhh… don't let your response headers talk too loudly. It focuses on ASP and IIS, but the findings apply to every environment.
Summary of the HTTP headers
- Only a few sites support HTTP headers that provide extra user protection, such as X-Frame-Options or X-XSS-Protection
- Too many sites neglect information leakage via HTTP headers (mostly detailed version strings)
- The average payload length of an HTTP header is 23 characters
- Over 40% of the HTTP headers are Connection, Date, Content-Type and Server
- Roughly 17% of the returned data values are either the Connection type “Close” or an “HTML UTF-8” Content-Type
- 14% of the headers start with X-
- The longest data field returned is 1128 characters long
- The average cookie length is 84 characters
Popular HTTP headers
The requests generated 23029 HTTP headers.
Not surprisingly, the most popular HTTP headers are Connection, Date, Content-Type and Server.
These four headers account for 9334 of the 23029 headers, meaning that over 40% of the returned headers are Connection, Date, Content-Type and Server.
The Connection field allows the sender to specify options that are desired for that particular connection. The Date field is the date and time at which the message was originated. The Content-Type field indicates the media type sent to the recipient. The Server field contains information about the software used by the origin server to handle the request.
Note that for the stats below I counted the results regardless of their case. So for example SET-COOKIE, set-cookie and Set-Cookie are all counted for Set-Cookie.
The list of headers contains a couple of unusual or misspelled HTTP headers.
Out of the 23029 headers collected, 3192 (14%) have a name starting with X-.
Most popular header data
The most recurring HTTP header data values were Close and text/html; charset=utf-8. These values were returned by the header Connection (Close, the sender signals that the connection will be closed after completion of the response) and the header Content-Type (text/html; charset=UTF-8).
The Connection: Close values and the various HTML UTF-8 Content-Type values together account for 3851 of the returned data values. This means that roughly 17% of the returned values are a Connection or a Content-Type setting.
The HTTP header Expires with value Thu, 19 Nov 1981 08:52:00 GMT is in the top values returned. This is due to a PHP setting to disable caching. It is the birthday of Sascha Schumann, the developer that added the code (see ext/session/session.c) in the session handling functions of PHP.
Most recurring combination HTTP header + data
The most recurring combination of “HTTP header and data” corresponds with the most popular HTTP headers and most popular data replies.
Header data value ‘0’
An unusual value found in the returned data was the value 0. This value was returned by different HTTP headers (Age and Content-Length). Also note that there is an Age, age and X-Age header.
Header data length
The longest data field returned is 1128 characters long. This was a Set-Cookie header returned by a Microsoft-IIS/8.0 server with ASP version 4.0.30319.
SPIP 3.0.16 @ www.spip.net + spip(3.0.16),compagnon(1.4.1),dump(1.6.7), ...
Header values of length 29 were returned 4140 times: 2364 times by the header Date and 952 times by the header Expires. Values of length 5 were mostly returned by the header Connection.
The most frequent header value lengths are between 0 and 10 and between 26 and 50 characters.
The total length of all the returned header values was 528099 characters. This means that on average the payload of an HTTP header is 23 characters long.
Header content type
The charset UTF-8 is used by the majority of the websites. It is interesting to see the two notations “text/html; charset=UTF-8” and “text/html;charset=UTF-8”; notice the extra space in the first. The same difference in notation, with or without a space, can also be observed for the value “text/html;charset=ISO-8859-1”.
Some Content-Type headers include nosniff, whereas this value belongs in the header X-Content-Type-Options and not in Content-Type.
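The notation differences above matter when counting header values: “text/html; charset=UTF-8” and “text/html;charset=UTF-8” are the same content type and should land in one bucket. The following Python is an added example, not code from the original post; it normalizes Content-Type values (media type, parameter names and charset names are case-insensitive) and flags a bare nosniff token that was put into Content-Type instead of X-Content-Type-Options. The input values are constructed for the example.

```python
"""Normalize Content-Type values and flag a misplaced nosniff token.

Added example, not code from the original post. It folds the notation
differences the post observed (space or no space after the semicolon,
case differences) into one canonical spelling so counts are not split,
and reports a 'nosniff' that ended up in Content-Type.
"""
from collections import Counter


def parse_content_type(value):
    """Split e.g. 'text/html; charset=UTF-8' into (media_type, params, flags).

    Media type and parameter names are case-insensitive and are lowercased;
    charset names are case-insensitive too, so only that value is lowercased.
    Bare tokens without '=' (such as a stray 'nosniff') are not valid
    parameters and are collected separately as flags.
    """
    parts = [p.strip() for p in value.split(";")]
    media_type = parts[0].lower()
    params, flags = {}, []
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, _, val = part.partition("=")
            key = key.strip().lower()
            val = val.strip().strip('"')
            params[key] = val.lower() if key == "charset" else val
        else:
            flags.append(part.lower())
    return media_type, params, flags


def canonical_content_type(value):
    """One spelling for equivalent values: 'type/subtype; k=v; k2=v2'."""
    media_type, params, _ = parse_content_type(value)
    if not params:
        return media_type
    return media_type + "; " + "; ".join(f"{k}={v}" for k, v in sorted(params.items()))


def count_content_types(values):
    """Count Content-Type values after normalization."""
    return Counter(canonical_content_type(v) for v in values)


def misplaced_nosniff(headers):
    """True when 'nosniff' appears inside Content-Type.

    headers: dict of header name -> value, names in any case.
    """
    for name, value in headers.items():
        if name.lower() == "content-type":
            _, _, flags = parse_content_type(value)
            if "nosniff" in flags:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample values for the example.
    sample = ["text/html; charset=UTF-8", "text/html;charset=UTF-8",
              "TEXT/HTML;Charset=\"utf-8\"", "text/html;charset=ISO-8859-1"]
    print(count_content_types(sample))
    print(misplaced_nosniff({"Content-Type": "text/html; charset=UTF-8; nosniff"}))
```

Counting the canonical form rather than the raw string is what keeps the “with space” and “without space” variants from showing up as two different content types in the statistics.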
Sites supported by PHP
A lot of sites are powered by PHP (based on the returned header data). In total 790 headers returned a value starting with “PHP/”. Note that this is not foolproof evidence of PHP: servers can return any header value they like.
PHP only supports versions 5.5, 5.4 and 5.3. It is worrying that a lot of sites still rely on older, no longer supported versions of PHP, especially PHP 4.x.
X-AspNet-Version and X-AspNetMvc-Version
The HTTP headers X-AspNet-Version and X-AspNetMvc-Version exist for Visual Studio to determine which version of ASP.NET is in use. They are not necessary on production sites and can be disabled.
Most ASP sites run version 4. Only a few sites run version 2.
The returned MVC version is most often 4.0 and 3.0.
Microsoft has a blogpost describing how to remove these unwanted HTTP headers.
It comes as no surprise that most websites run an Apache webserver.
Although the list of probed sites includes some of the most popular Belgian websites, not many of them use “cloud-based” solutions: servers returning a “Cloudflare” or “Akamai” host identification are only a small part of the returned Server headers.
A protection mechanism against Clickjacking is the use of the X-Frame-Options HTTP header. It’s sad to see that only a limited number of sites use this setting.
The X-XSS-Protection HTTP header re-enables the XSS filter that is built into many web browsers. Although this filter should be enabled by default in most browsers, websites should not rely on the default setting; ideally they set this header explicitly.
The X-Content-Type-Options HTTP header prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content type. This reduces exposure to drive-by download attacks and to sites serving user-uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files. The only defined value is “nosniff”. Unfortunately this header was returned only 25 times.
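The three protection headers above and the version-disclosing headers discussed earlier (Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version, and the PHP branches the post lists as supported) can be checked per response with a few lines of code. The following Python audit is an added example, not code from the original post; the two header sets it runs on are constructed, and the 5.3 to 5.5 PHP range is the post's statement at the time of writing, not a current support table.

```python
"""Audit one response's headers for the issues discussed in the post.

Added example, not code from the original post. It reports missing
browser-protection headers (X-Frame-Options, X-XSS-Protection,
X-Content-Type-Options), version disclosure in Server, X-Powered-By,
X-AspNet-Version and X-AspNetMvc-Version, and an announced PHP branch
outside the 5.3-5.5 range the post names as supported when it was written.
"""
import re

# Allowed first token for headers whose values are constrained; None means
# any explicit value counts as "set".
PROTECTION_HEADERS = {
    "x-frame-options": {"deny", "sameorigin", "allow-from"},
    "x-xss-protection": None,
    "x-content-type-options": {"nosniff"},
}
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
SUPPORTED_PHP = {(5, 3), (5, 4), (5, 5)}  # per the post, at time of writing
VERSION_RE = re.compile(r"\d+\.\d+")       # a dotted number is treated as a version
PHP_RE = re.compile(r"PHP/(\d+)\.(\d+)", re.IGNORECASE)


def audit_headers(headers):
    """Return a list of findings for one response (dict, header names in any case)."""
    lower = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    for name, allowed in PROTECTION_HEADERS.items():
        value = lower.get(name)
        if value is None:
            findings.append(f"missing {name}")
            continue
        tokens = value.lower().split(";")[0].split()
        first = tokens[0] if tokens else ""
        if allowed is not None and first not in allowed:
            findings.append(f"{name} has unexpected value {value!r}")
        elif name == "x-xss-protection" and first == "0":
            findings.append("x-xss-protection explicitly disables the browser filter")

    for name in DISCLOSING_HEADERS:
        value = lower.get(name)
        if value and VERSION_RE.search(value):
            findings.append(f"{name} discloses a version: {value!r}")

    m = PHP_RE.search(lower.get("x-powered-by", ""))
    if m and (int(m.group(1)), int(m.group(2))) not in SUPPORTED_PHP:
        findings.append(f"unsupported PHP branch {m.group(1)}.{m.group(2)} announced")

    return findings


# Constructed examples: a typical leaky response and a hardened one.
LEAKY = {
    "Server": "Apache/2.2.22 (Debian)",
    "X-Powered-By": "PHP/4.4.9",
    "Content-Type": "text/html; charset=UTF-8",
}
HARDENED = {
    "Server": "Apache",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html; charset=UTF-8",
}

if __name__ == "__main__":
    for label, hdrs in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or ["no findings"])
```

The hardened set shows the point of the post: a bare “Apache” in Server keeps the site working and says nothing about patch level, while the three protection headers cost one line each in the server configuration.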
Cookies are set by the HTTP header Set-Cookie. One site uses SET-COOKIE whereas one other site uses set-cookie.
The average cookie length was between 26 and 100 characters. Most of these cookies were session cookies.
The total length of all the cookies was 119659 characters, meaning that the average cookie length is 84 characters. This average is inflated by a number of headers with a ridiculous cookie length (>200 characters).
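The figures quoted under “Popular HTTP headers”, “Header data length” and the cookie paragraphs above (case-insensitive header counts, the share of the four most common headers, the share of X- headers, the average value length, the longest value, and cookie lengths with the >200 character threshold) all come from the same kind of pass over captured responses. The following Python is an added example, not the post's own scanning code; the three raw response blocks it runs on are constructed for the example, and the parser assumes CRLF line endings and no obsolete line folding.

```python
"""Header statistics over a small constructed sample of HTTP responses.

Added example, not code from the original post. It reproduces the kind of
figures the post reports: header name counts regardless of case, the share of
the four most common headers, the share of X- headers, value lengths, and
Set-Cookie lengths with a flag for overly long cookies.
"""
from collections import Counter, defaultdict

# Constructed sample of raw response header blocks, as a scanner would store them.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 11 Mar 2014 10:00:00 GMT\r\n"
    "Server: Apache/2.2.22 (Debian)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Expires: Thu, 19 Nov 1981 08:52:00 GMT\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef0123456789abcdef; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Connection: close\r\n\r\n",
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 11 Mar 2014 10:00:01 GMT\r\n"
    "Server: Microsoft-IIS/8.0\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "SET-COOKIE: ASP.NET_SessionId=abcdefghijklmnopqrstuvwx; path=/; HttpOnly\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Connection: Close\r\n\r\n",
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 11 Mar 2014 10:00:02 GMT\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\n"
    "Age: 0\r\n"
    "Connection: keep-alive\r\n\r\n",
]

TOP_FOUR = ("connection", "date", "content-type", "server")
LONG_COOKIE = 200  # the post's threshold for a "ridiculous" cookie length


def parse_headers(raw):
    """Return (name, value) pairs from one raw response block.

    The status line is skipped and names are kept as sent, so spelling
    variants (Set-Cookie vs SET-COOKIE) can be reported. Obsolete line
    folding is not handled.
    """
    pairs = []
    for line in raw.split("\r\n")[1:]:
        if not line:  # the empty line ends the header block
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def header_stats(responses):
    """Raw counts behind the post's summary figures."""
    pairs = [p for raw in responses for p in parse_headers(raw)]
    counts = Counter(name.lower() for name, _ in pairs)
    spellings = defaultdict(set)
    for name, _ in pairs:
        spellings[name.lower()].add(name)
    cookies = [v for name, v in pairs if name.lower() == "set-cookie"]
    value_lengths = [len(v) for _, v in pairs]
    return {
        "total_headers": len(pairs),
        "top_four_count": sum(counts[n] for n in TOP_FOUR),
        "x_header_count": sum(c for n, c in counts.items() if n.startswith("x-")),
        "total_value_length": sum(value_lengths),
        "longest_value": max(value_lengths) if value_lengths else 0,
        "cookie_count": len(cookies),
        "total_cookie_length": sum(len(c) for c in cookies),
        "long_cookies": [c for c in cookies if len(c) > LONG_COOKIE],
        # header names seen with more than one spelling
        "spelling_variants": {n: s for n, s in spellings.items() if len(s) > 1},
    }


def summarize(stats):
    """Derive the shares and averages the post quotes from the raw counts."""
    t = stats["total_headers"]
    c = stats["cookie_count"]
    return {
        "top_four_share": stats["top_four_count"] / t if t else 0.0,
        "x_share": stats["x_header_count"] / t if t else 0.0,
        "avg_value_length": stats["total_value_length"] / t if t else 0.0,
        "avg_cookie_length": stats["total_cookie_length"] / c if c else 0.0,
    }


if __name__ == "__main__":
    s = header_stats(SAMPLE_RESPONSES)
    print(s)
    print(summarize(s))
```

On the constructed sample the four most common headers are 12 of 18 values and two of the 18 start with X-; the spelling report catches the SET-COOKIE variant the post mentions, which a case-sensitive count would have listed as a separate header.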