Apache Tomcat Server Information Disclosure by Verbose OWASP

Apache Tomcat Server Information Disclosure by Verbose – OWASP

By default, Apache Tomcat server information exposed and leads security issues. It’s one of the OWASP vulnerabilities with low risk. Apache Tomcat server information disclosed in two places such as response header and error screen in the lower version. In the higher version of the tomcat server, the server information disclosed in the error page but in the response header.

Article created for how to disable server information in tomcat older versions.

In this article, we are working on tomcat 8.5.54 to disable Tomcat server information.

There are two approaches to hide the Apache Tomcat server information.

 

Tomcat Information Disabled by default in Response Header

In this version of tomcat, server information disables by default in the response header. so no need to do anything on this.

Tomcat Information Disabled By Default in tomcat 8.5.54

Tomcat Information Disabled By Default in tomcat 8.5.54

How to check Apache Tomcat Server version details

Open a command prompt from windows and then go to Apache Tomcat server lib location by using CD command like as follows.

C:\Users\narayanatutorial>cd D:\Tools\Apache\apache-tomcat-8.5.54\lib

D:\Tools\Apache\apache-tomcat-8.5.54\lib>java -cp catalina.jar org.apache.catalina.util.ServerInfo

 

Output

Server version: Apache Tomcat/8.5.54
Server built:   Apr 3 2020 14:06:10 UTC
Server number:  8.5.54.0
OS Name:        Windows 10
OS Version:     10.0
Architecture:   amd64
JVM Version:    1.8.0_231-b11
JVM Vendor:     Oracle Corporation

 

Apache Tomcat Server Information Disclosed On The Error Page

In tomcat 8.5.54, server information disclosed on the error page.

Tomcat Information Discloser in Error Page

Tomcat Information Discloser on the Error Page

 

To disable the above Apache Tomcat server version in the error page, we can follow either Approach 1 or Approach 2 in the below

 

Approach 2 -Disable Tomcat Name and Version

By modifying the ServerInfo.properties which exist inside catalina.jar. We need to extract the file and then modify and add it to the same place. You can find the below steps on how to modify serverinfo.properties.

ServerInfo.properties file location in catalina.jar is /org/apache/catalina/util/ServerInfo.properties

 

Step 1: Backup Catalina.jar

Take a backup of catalina.jar file which exists in this location C:/<Apache-Tomcat-Installation-Directory>/lib/catalina.jar

 

Step 2: Extract and Edit serverinfo.properties file

Create a folder inside the lib folder like Catalina and then copy the jar into it. and then extract the jar as follows.

C:\Users\narayanatutorial>cd D:\Tools\Apache\apache-tomcat-6.0.0\lib

D:\Tools\Apache\apache-tomcat-8.5.54\lib>mkdir catalina

D:\Tools\Apache\apache-tomcat-8.5.54\lib>cd catalina 

D:\Tools\Apache\apache-tomcat-8.5.54\lib\catalina>jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties

And then you can find the ServerInfo.properties file in that location and then open it in notepad to edit.

Server version: Apache Tomcat/8.5.54
Server number: 8.5.54.0
Server built: Apr 3 2020 14:06:10 UTC

Here you can modify the server.info=Apache Tomcat/6.0.0 to server.info=Application Server and then save it.

 

Step 3: Add Serverinfo.properties into Catalina jar

After saving, you have to add it to the same place into catalina.jar by executing the following command.

D:\Tools\Apache\apache-tomcat-8.5.54\lib\catalina>jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties

And then copy the catalina.jar into main location C:/<Apache-Tomcat-Installation-Directory>/lib/

If it will ask to replace then you can replace it and then start the Apache Tomcat Server and check the same way as follows.

D:\Tools\Apache\apache-tomcat-8.5.54\lib> java -cp catalina.jar org.apache.catalina.util.ServerInfo  Output server.info=Apache Tomcat server.number=6.0.0 server.built=Jul 6 2016 08:43:30 UTC

 

Approach 3 -Disable Tomcat Name and Version

  • Open command prompt
  • Go to Tomcat lib folder
  • Create folder like org/apache/catalina/util
D:\Tools\Apache\apache-tomcat-8.5.54\lib>mkdir org\apache\catalina\util

D:\Tools\Apache\apache-tomcat-8.5.54\lib>
  • Create empty file like ServerInfo.properties inside org/apache/catalina/util
  • Add the line like server.info=Application Server
  • Save it
  • Restart / Start the Tomcat server

 

After starting the server, you can give any wrong application URL or tomcat wrong URL then you can see the below output.

 

Tomcat Information Disabled in Error Page

Tomcat Information Disabled in Error Page

References

https://www.owasp.org/index.php/Securing_tomcat

 

I hope you understood how to disable the Apache Tomcat Server version in the response header and error page with different approaches to fix the security issue. Please reply to comment if any assistance required.

 

Leave a Reply