
Software Component Leak

Description

The web/application server is leaking tech stack information.

Access to such information (server and framework names or versions in response headers, stack traces in error responses) helps attackers identify known vulnerabilities in the disclosed components and choose exploits for them.
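As an added illustration, not part of the original check documentation, the following Python function performs the kind of inspection this check describes: it flags response headers that name the server software and body fragments that look like framework error pages, stack traces or GraphQL debug extensions. The header list, the patterns and the three sample responses are constructed for the example and are not Escape's own detection logic.

```python
import json
import re

# Response headers that name server software or a framework (constructed list;
# extend it for your own environment).
FINGERPRINT_HEADERS = {
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
}

# Body fragments that betray a framework error page or stack trace.
STACK_TRACE_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),                        # Python
    re.compile(r"^\s+at .+\(.+:\d+:\d+\)", re.MULTILINE),                       # Node.js
    re.compile(r"^\s+at [\w.$]+\([\w.]+\.java:\d+\)", re.MULTILINE),            # Java
    re.compile(r"(Fatal error|Warning|Notice): .* in .+\.php(:| on line )\d+"),  # PHP
    re.compile(r"Whitelabel Error Page"),                                        # Spring Boot
    re.compile(r"Server Error in '.*' Application"),                             # ASP.NET
    re.compile(r"DEBUG = True"),                                                 # Django debug page
]

# Keys that GraphQL servers put into errors[].extensions when running in debug mode.
GRAPHQL_DEBUG_KEYS = ("stacktrace", "exception")


def find_component_leaks(headers, body):
    """Return a list of findings describing where a response reveals its tech stack.

    headers: mapping of header name -> value (names are matched case-insensitively)
    body:    response body as text
    """
    findings = []

    for name, value in headers.items():
        if name.lower() in FINGERPRINT_HEADERS and value.strip():
            findings.append("header %s: %s" % (name, value))

    # GraphQL responses leak through error extensions rather than headers.
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        for err in doc.get("errors") or []:
            ext = err.get("extensions") if isinstance(err, dict) else None
            if isinstance(ext, dict):
                for key in GRAPHQL_DEBUG_KEYS:
                    if key in ext:
                        findings.append("graphql error extension: %s" % key)

    for pattern in STACK_TRACE_PATTERNS:
        if pattern.search(body):
            findings.append("body matches %r" % pattern.pattern)

    return findings


# Constructed sample responses for demonstration.
SAMPLE_REST = {
    "headers": {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
                "Content-Type": "text/html"},
    "body": "Fatal error: Uncaught Exception: boom in /var/www/html/index.php:12",
}
SAMPLE_GRAPHQL = {
    "headers": {"Content-Type": "application/json"},
    "body": json.dumps({"errors": [{
        "message": "Cannot read property 'id' of undefined",
        "extensions": {"code": "INTERNAL_SERVER_ERROR",
                       "stacktrace": ["TypeError: Cannot read property 'id' of undefined",
                                      "    at resolve (/app/src/resolvers.js:12:5)"]}}]}),
}
SAMPLE_CLEAN = {
    "headers": {"Content-Type": "application/json", "Cache-Control": "no-store"},
    "body": '{"data":{"me":{"id":"1"}}}',
}

if __name__ == "__main__":
    for label, sample in (("rest", SAMPLE_REST), ("graphql", SAMPLE_GRAPHQL), ("clean", SAMPLE_CLEAN)):
        print(label, find_component_leaks(sample["headers"], sample["body"]))
```

Run it against captured responses from a staging deployment before and after applying the remediation for your framework; an empty list for error responses (deliberately triggered with a malformed query or an invalid path) is the condition this check is looking for.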

Remediation

Filter technology stack details out of the server's responses: strip headers that identify the server or framework, and replace detailed error messages and stack traces with generic ones before they reach the client.

GraphQL Specific

Apollo

Configure the Apollo server to disable the inclusion of stack trace information in error messages sent to clients. Ensure that the 'debug' option is set to 'false' in production environments to prevent leaking detailed server implementation details.

Yoga

Configure the Yoga framework server to suppress version and technology stack details in HTTP response headers and error messages to prevent information leakage that could aid attackers in exploiting known vulnerabilities.

Awsappsync

Configure AWS AppSync resolvers to prevent information leakage by ensuring error messages are generic and do not expose stack details or sensitive information. Utilize AWS AppSync settings to control and mask error responses.

Graphqlgo

Configure the GraphQLGo server to suppress detailed error messages and stack traces in production environments. Implement middleware or custom error handling that returns generic error messages to the client, thus preventing the leakage of sensitive information about the underlying technology stack.

Graphqlruby

In the GraphQLRuby framework, ensure that the server configuration is set to minimize information leakage by disabling verbose error messages and introspection in production environments. Use the debug: false option in the GraphQL schema definition and restrict access to introspection queries to authorized personnel only.

Hasura

Configure the Hasura GraphQL engine to prevent exposing server version information by setting the 'HASURA_GRAPHQL_HIDE_SERVER_HEADER' environment variable to 'true'. Additionally, review and adjust the 'HASURA_GRAPHQL_DEV_MODE' setting to ensure that detailed error messages are not sent to the client in production environments.
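The six GraphQL entries above all come down to the same step: before an error leaves the server, drop the implementation detail from it and keep only what the client needs. The following Python function is an added, framework-neutral example of that step (it is not the code of Apollo, Yoga, AppSync, graphql-go, graphql-ruby or Hasura; in Apollo Server the equivalent place to apply it is the formatError hook). The extension key names, the list of client-facing error codes and the sample debug-mode response are constructed for the example.

```python
import logging

log = logging.getLogger("graphql.errors")

# extensions keys that carry implementation detail (constructed list; the
# frameworks above use variations of these names in debug mode).
SENSITIVE_EXTENSION_KEYS = {"stacktrace", "exception", "originalError"}

# Error codes that describe the client's request rather than the server's
# internals; their messages are safe to return verbatim.
CLIENT_FACING_CODES = {
    "GRAPHQL_PARSE_FAILED", "GRAPHQL_VALIDATION_FAILED", "BAD_USER_INPUT",
    "UNAUTHENTICATED", "FORBIDDEN", "PERSISTED_QUERY_NOT_FOUND",
}
GENERIC_MESSAGE = "Internal server error"


def scrub_graphql_error(error, debug=False):
    """Return a client-safe copy of one GraphQL error object."""
    if debug:
        return error  # development only: keep the full detail
    ext = dict(error.get("extensions") or {})
    code = ext.get("code", "INTERNAL_SERVER_ERROR")

    # Keep the detail server-side, where operators can read it.
    log.error("GraphQL %s at path %s: %s (stacktrace=%s)",
              code, error.get("path"), error.get("message"), ext.get("stacktrace"))

    cleaned = {k: v for k, v in ext.items() if k not in SENSITIVE_EXTENSION_KEYS}
    cleaned.setdefault("code", code)
    safe = {
        "message": error.get("message") if code in CLIENT_FACING_CODES else GENERIC_MESSAGE,
        "extensions": cleaned,
    }
    # locations and path are part of the GraphQL spec and help the client; keep them.
    for key in ("locations", "path"):
        if key in error:
            safe[key] = error[key]
    return safe


def scrub_graphql_response(response, debug=False):
    """Apply scrub_graphql_error to every entry of a response's errors array."""
    if not response.get("errors"):
        return response
    result = dict(response)
    result["errors"] = [scrub_graphql_error(e, debug) for e in response["errors"]]
    return result


# Constructed sample of what a server in debug mode would otherwise send.
DEBUG_RESPONSE = {
    "data": None,
    "errors": [
        {
            "message": "connect ECONNREFUSED 10.0.0.5:5432",
            "path": ["me"],
            "extensions": {
                "code": "INTERNAL_SERVER_ERROR",
                "stacktrace": ["Error: connect ECONNREFUSED 10.0.0.5:5432",
                               "    at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1494:16)"],
                "exception": {"errno": -111, "syscall": "connect"},
            },
        },
        {
            "message": 'Variable "$id" of required type "ID!" was not provided.',
            "locations": [{"line": 1, "column": 8}],
            "extensions": {
                "code": "BAD_USER_INPUT",
                "stacktrace": ["    at getVariableValues (/app/node_modules/graphql/execution/values.js:78:15)"],
            },
        },
    ],
}

if __name__ == "__main__":
    print(scrub_graphql_response(DEBUG_RESPONSE))
```

The first error in the sample reveals a database host, port and a Node.js stack; after scrubbing the client sees only a generic message, the path and the error code. The second error is a client mistake (BAD_USER_INPUT), so its message and location survive, but its stack trace does not. Wiring the debug flag to the environment (on in development, off in production) is what the per-framework settings above accomplish.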

REST Specific

Asp_net

Configure the ASP.NET framework to suppress detailed error messages and headers that reveal server or framework versions. Use custom error pages and set the 'customErrors' mode to 'On' or 'RemoteOnly' in the web.config file. Additionally, ensure that the 'httpRuntime' element's 'enableVersionHeader' attribute is set to 'false' to prevent the ASP.NET version from being included in HTTP responses.

Ruby_on_rails

In the Ruby on Rails framework, configure the environment files to suppress detailed error messages and stack traces in production. Use 'config.consider_all_requests_local = false' and 'config.action_dispatch.show_exceptions = true' to prevent leaking tech stack information to users. Additionally, ensure that 'config/environments/production.rb' has 'config.log_level = :info' to limit logging verbosity.

Next_js

Configure the Next.js application to disable the 'x-powered-by' header by setting the 'poweredByHeader' option to false in the 'next.config.js' file. Additionally, ensure that error pages do not disclose stack traces or other sensitive information to the client by customizing the error handling logic.

Laravel

In the Laravel framework, ensure that the 'APP_DEBUG' setting in the '.env' file is set to 'false' in the production environment to prevent the server from leaking stack trace information. Additionally, configure the 'ExceptionHandler' to handle errors without revealing sensitive information, and use middleware to suppress or customize server headers that disclose technology stack details.

Express_js

Configure the Express.js application to suppress the 'X-Powered-By' header, which reveals the framework, by calling 'app.disable('x-powered-by');' in the application setup code.

Django

Configure the Django settings to disable the 'X-Powered-By' header and set 'DEBUG' to False in production to prevent leakage of technical stack information.

Symfony

In the Symfony framework, to prevent the web/application server from leaking tech stack information, configure the 'expose_php' and 'server_tokens' directives in the 'php.ini' and web server configuration files respectively to 'Off'. Additionally, ensure that the 'prod' environment is used for production, as it does not display error messages or stack traces to the end user. Review and adjust the 'security.yaml' configuration to restrict error output and use the 'WebProfilerBundle' only in the 'dev' environment.

Spring_boot

In the Spring Boot application, configure the application.properties or application.yml file to disable the exposure of version information. Set 'management.endpoint.info.enabled' to false and 'endpoints.info.enabled' to false if using an older version of Spring Boot. Additionally, customize error handling to prevent stack traces from being sent to clients and review the server's HTTP response headers to remove or obscure any technology stack information.

Flask

Configure the Flask application to suppress server banners and error messages that reveal stack information. Use the 'Flask-Talisman' extension to set security headers and the 'WERKZEUG_DEBUG_PIN' environment variable to 'off' to prevent debug pin exposure. Additionally, ensure that 'DEBUG' mode is set to 'False' in the production environment.

Nuxt

Configure the Nuxt.js application to suppress server version headers and error messages that reveal stack details. Utilize the 'render' configuration to remove specific headers and customize error pages to prevent information leakage.

Fastapi

Configure FastAPI to suppress server banners and error messages that reveal stack details. Use middleware to intercept responses and remove headers like 'server' and 'x-powered-by', and customize error handlers to prevent leaking stack information in error responses.
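The response-header middleware described above, as an added example written in plain ASGI so it runs without FastAPI installed (it is not FastAPI's own code). The middleware wraps any ASGI application; here it wraps a constructed stand-in, leaky_app, that sets a Server and an X-Powered-By header on a 500 response. The header list and the small request driver are also constructed for the example.

```python
import asyncio

# Headers that identify the server or framework; removed before the response
# leaves the application (constructed list).
STRIPPED_HEADERS = {b"server", b"x-powered-by"}


class HeaderScrubMiddleware:
    """ASGI middleware that drops fingerprinting headers from every HTTP response.

    Works with any ASGI app (FastAPI, Starlette, ...). With FastAPI it is
    installed with app.add_middleware(HeaderScrubMiddleware).
    """

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            # lifespan / websocket scopes pass through untouched
            await self.app(scope, receive, send)
            return

        async def scrubbed_send(message):
            if message["type"] == "http.response.start":
                message = dict(message)
                message["headers"] = [
                    (name, value)
                    for name, value in message.get("headers", [])
                    if name.lower() not in STRIPPED_HEADERS
                ]
            await send(message)

        await self.app(scope, receive, scrubbed_send)


async def leaky_app(scope, receive, send):
    """Constructed stand-in for the wrapped application: an error response that
    names the server and the framework in its headers."""
    await send({
        "type": "http.response.start",
        "status": 500,
        "headers": [
            (b"content-type", b"application/json"),
            (b"server", b"uvicorn"),
            (b"x-powered-by", b"FastAPI"),
        ],
    })
    await send({"type": "http.response.body",
                "body": b'{"detail":"Internal Server Error"}'})


def run_request(app, path="/"):
    """Drive an ASGI app with a constructed GET request and collect what it sends."""
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "method": "GET", "path": path, "headers": []}
    asyncio.run(app(scope, receive, send))
    return sent


def response_headers(app):
    """Headers of the response an app produces for the constructed request, as str."""
    start = next(m for m in run_request(app) if m["type"] == "http.response.start")
    return {name.decode(): value.decode() for name, value in start["headers"]}


if __name__ == "__main__":
    print("without middleware:", response_headers(leaky_app))
    print("with middleware:   ", response_headers(HeaderScrubMiddleware(leaky_app)))
```

One caveat a practitioner should know: the Server header that uvicorn itself adds is emitted by the protocol layer, below the ASGI application, so middleware like this cannot remove it; uvicorn has to be started with its --no-server-header option instead. Middleware of this shape does catch headers set by the application, by other middleware, and by proxies that run inside the ASGI stack.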

Configuration

Identifier: information_disclosure/software_component_leak

Examples

Ignore this check

checks:
  information_disclosure/software_component_leak:
    skip: true

Score

  • Escape Severity: LOW

Compliance

  • OWASP: API8:2023
  • pci: 6.5.3
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.18.1
  • nist: SP800-53
  • fedramp: AC-6
