Forum Discussion
Vulnerabilities "Server Information Disclosure" and "Missing Secure Attribute"
Could someone suggest how to fix the below vulnerabilities?
"Server Information Disclosure" and "Missing Secure Attribute"
2 Replies
- Erik_Novak
Employee
Hello Ranbir, it sounds like those two vulnerabilities were revealed in the output from a web application vulnerability scanner. A quick way to see if they're easily resolved is to create a security policy in ASM using the "third party vulnerability scanner" output option when you start the deployment wizard. Import the XML-based vulnerability output file into ASM, and then locate those two vulnerabilities in the list. It is possible that ASM will mark them as "resolvable" and you might be able to simply select each one in the GUI and then click "resolve" or "resolve and stage." At that point, you could run the scan again, and any vulnerabilities resolved by ASM should no longer appear.
- nathe
Cirrocumulus
So, ASM will remove the Server header by default if it's enabled on the VIP.
If you haven't got ASM then iRules will be your friend here. See the following links:
SOL11324: Setting the secure attribute for HTTP cookies
This will have an example on how you can loop through headers and remove any that you want.
Hope this helps,
N
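An iRule sketch of the approach described in the reply above, added here as an example; it is not code from either poster or from the linked F5 article. The `X-Powered-By` entry and the `clientssl` check are assumptions to adapt to the virtual server in question.

```tcl
when HTTP_RESPONSE {
    # Header names to strip from every response. "Server" is the one from the
    # scanner finding; X-Powered-By is an assumed extra, edit the list to suit.
    foreach name {Server X-Powered-By} {
        # HTTP::header remove drops every instance of the named header.
        HTTP::header remove $name
    }

    # Only mark cookies Secure when the client side is TLS (a clientssl
    # profile is attached). On a plain-HTTP virtual server the browser would
    # stop sending the cookie back and sessions would break.
    if { [PROFILE::exists clientssl] } {
        foreach cookie [HTTP::cookie names] {
            HTTP::cookie secure $cookie enable
        }
    }
}
```

After attaching the iRule to the virtual server, run the scan again to confirm that both findings no longer appear.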
