Apache Tomcat Server Information Disclosure by Verbose – OWASP
Table of Contents
- 1 Apache Tomcat Server Information Disclosure by Verbose – OWASP
- 2 Tomcat Information Disabled by default in Response Header
- 3 How to check Apache Tomcat Server version details
- 4 Apache Tomcat Server Information Disclosed On The Error Page
- 5 Approach 1 -Disable Tomcat Name and Version
- 6 Approach 2 -Disable Tomcat Name and Version
- 7 References
By default, Apache Tomcat exposes server information, which creates a security issue. It is one of the OWASP findings and is rated low risk. In older Tomcat versions the server information is disclosed in two places, the response header and the error screen. In newer versions it is disclosed on the error page but not in the response header.
This article explains how to disable server information disclosure in older Tomcat versions.
In this article we are working on Tomcat 8.5.54.
There are two approaches to hiding the Apache Tomcat server information.
Tomcat Information Disabled by default in Response Header
In this version of Tomcat, server information in the response header is disabled by default, so nothing needs to be done there.
How to check Apache Tomcat Server version details
Open a command prompt in Windows and change to the Apache Tomcat lib directory with the CD command, as follows.
C:\Users\narayanatutorial>cd D:\Tools\Apache\apache-tomcat-8.5.54\lib
D:\Tools\Apache\apache-tomcat-8.5.54\lib>java -cp catalina.jar org.apache.catalina.util.ServerInfo
Output
Server version: Apache Tomcat/8.5.54
Server built: Apr 3 2020 14:06:10 UTC
Server number: 8.5.54.0
OS Name: Windows 10
OS Version: 10.0
Architecture: amd64
JVM Version: 1.8.0_231-b11
JVM Vendor: Oracle Corporation
Apache Tomcat Server Information Disclosed On The Error Page
In Tomcat 8.5.54, server information is disclosed on the error page.
To remove the Apache Tomcat server version from the error page, follow either Approach 1 or Approach 2 below.
Approach 1 -Disable Tomcat Name and Version
This approach modifies the ServerInfo.properties file that lives inside catalina.jar. We need to extract the file, modify it, and add it back to the same place. The steps below show how to modify ServerInfo.properties.
The location of ServerInfo.properties inside catalina.jar is /org/apache/catalina/util/ServerInfo.properties
Step 1: Backup Catalina.jar
Take a backup of the catalina.jar file, which exists at C:/<Apache-Tomcat-Installation-Directory>/lib/catalina.jar
Step 2: Extract and Edit serverinfo.properties file
Create a folder named catalina inside the lib folder, copy the jar into it, and then extract the properties file from the jar as follows.
C:\Users\narayanatutorial>cd D:\Tools\Apache\apache-tomcat-8.5.54\lib
D:\Tools\Apache\apache-tomcat-8.5.54\lib>mkdir catalina
D:\Tools\Apache\apache-tomcat-8.5.54\lib>cd catalina
D:\Tools\Apache\apache-tomcat-8.5.54\lib\catalina>jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
You will then find ServerInfo.properties under org\apache\catalina\util in that folder; open it in Notepad to edit. It contains the following properties.
server.info=Apache Tomcat/8.5.54
server.number=8.5.54.0
server.built=Apr 3 2020 14:06:10 UTC
Here you can change server.info=Apache Tomcat/8.5.54 to server.info=Application Server and then save the file.
Step 3: Add Serverinfo.properties into Catalina jar
After saving, add it back to the same place in catalina.jar by executing the following command.
D:\Tools\Apache\apache-tomcat-8.5.54\lib\catalina>jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
Then copy catalina.jar back to its main location C:/<Apache-Tomcat-Installation-Directory>/lib/
If it asks whether to replace the existing file, replace it, then start the Apache Tomcat server and check the result the same way as before.
D:\Tools\Apache\apache-tomcat-8.5.54\lib>java -cp catalina.jar org.apache.catalina.util.ServerInfo
Output
server.info=Apache Tomcat
server.number=6.0.0
server.built=Jul 6 2016 08:43:30 UTC
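The extract, edit and update cycle of Approach 1, as an added Python example that is not from the article: a jar is a zip archive, so the properties entry can be rewritten with zipfile while every other entry is copied through unchanged. The jar here is a constructed stand-in holding only ServerInfo.properties, and only server.info is changed, exactly as in the steps above.

```python
import io
import zipfile

# Entry path inside catalina.jar (from the article).
SERVER_INFO_ENTRY = "org/apache/catalina/util/ServerInfo.properties"


def read_server_info(jar_bytes: bytes) -> dict:
    """Parse the key=value pairs of ServerInfo.properties inside a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read(SERVER_INFO_ENTRY).decode("utf-8")
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank lines and comments carry no keys
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def patch_server_info(jar_bytes: bytes, new_info: str) -> bytes:
    """Return a copy of the jar in which only server.info is replaced (like 'jar uf')."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    if SERVER_INFO_ENTRY not in src.namelist():
        raise ValueError(SERVER_INFO_ENTRY + " not found in jar")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == SERVER_INFO_ENTRY:
                lines = data.decode("utf-8").splitlines()
                lines = ["server.info=" + new_info if ln.startswith("server.info=") else ln
                         for ln in lines]  # server.number and server.built are kept
                data = ("\n".join(lines) + "\n").encode("utf-8")
            dst.writestr(item, data)  # other entries (classes etc.) pass through
    src.close()
    return out.getvalue()


def build_sample_jar() -> bytes:
    """Constructed stand-in for catalina.jar holding only the properties entry,
    with the Tomcat 8.5.54 values the article shows (not the real jar)."""
    props = ("server.info=Apache Tomcat/8.5.54\n"
             "server.number=8.5.54.0\n"
             "server.built=Apr 3 2020 14:06:10 UTC\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(SERVER_INFO_ENTRY, props)
    return buf.getvalue()
```

To use it on a real installation, read lib/catalina.jar into bytes, write the result of patch_server_info back to the backed-up location, and restart Tomcat.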
Approach 2 -Disable Tomcat Name and Version
- Open command prompt
- Go to Tomcat lib folder
- Create folder like org/apache/catalina/util
D:\Tools\Apache\apache-tomcat-8.5.54\lib>mkdir org\apache\catalina\util
- Create an empty file named ServerInfo.properties inside org/apache/catalina/util
- Add the line server.info=Application Server
- Save it
- Restart / Start the Tomcat server
After starting the server, request a non-existent application URL or any invalid Tomcat URL; the error page then shows the output below.
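A check to run after either approach, as an added example that is not part of the article: it scans a response's Server header and body (the error page) for the Tomcat name with or without a version. The sample 404 pages are constructed, modelled on the Tomcat 8.5 default error page before and after setting server.info to Application Server.

```python
import re

# Matches "Apache Tomcat" with an optional "/x.y.z" version suffix.
TOMCAT_RE = re.compile(r"Apache Tomcat(?:/(\d+(?:\.\d+)+))?")


def find_tomcat_disclosure(headers: dict, body: str) -> list:
    """Return (location, kind, text) for every Tomcat name/version leak.

    kind is "version" when a version number is present, otherwise "name".
    Both the Server header (any case) and the response body are checked.
    """
    findings = []
    server = {k.lower(): v for k, v in headers.items()}.get("server", "")
    for location, text in (("header:Server", server), ("body", body)):
        for m in TOMCAT_RE.finditer(text):
            kind = "version" if m.group(1) else "name"
            findings.append((location, kind, m.group(0)))
    return findings


# Constructed samples modelled on the Tomcat 8.5 default 404 page,
# before and after changing server.info to "Application Server".
LEAKY_404 = (
    "<html><head><title>HTTP Status 404 - Not Found</title></head><body>"
    "<h1>HTTP Status 404 - Not Found</h1><hr class=\"line\" />"
    "<h3>Apache Tomcat/8.5.54</h3></body></html>"
)
HARDENED_404 = LEAKY_404.replace("Apache Tomcat/8.5.54", "Application Server")
HEADERS_NO_SERVER = {"Content-Type": "text/html;charset=utf-8"}
```

Feed it the headers and body returned by a request to a wrong URL on the live server; an empty list means neither the name nor the version is exposed.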
References
https://www.owasp.org/index.php/Securing_tomcat
I hope you understood how to disable the Apache Tomcat server version in the response header and error page with the different approaches to fix this security issue. Please leave a comment if you need any assistance.
Hello! I am Narayanaswamy, founder and admin of narayanatutorial.com. I have been working in the IT industry for more than 12 years. NarayanaTutorial is my web technologies blog. My specialties are Java / J2EE, Spring, Hibernate, Struts, Web services, PHP, Oracle, MySQL, SQL Server, Web Hosting, Website Development, and IAM (ForgeRock).
I am a self-learner and passionate about training and writing. I am always trying my best to share my knowledge through my blog.