How to Disable Apache Tomcat Server version
By default, the Apache Tomcat server version is exposed, which leads to security issues. There are three approaches to hide the Apache Tomcat server version, of which the easiest is adding one attribute in server.xml.
In this article, we are working on Apache Tomcat 6.0.0.
Tomcat Information in Response Header
In the below image, the Tomcat version is highlighted. We should not expose the server information, because an attacker can use the version to select attacks and inputs that are known to affect that particular server release.
How to check Apache Tomcat Server version details
Open a command prompt in Windows and then change to the Apache Tomcat server lib directory with the CD command, as follows.
C:\Users\narayanatutorial>cd D:\Tools\Apache\apache-tomcat-6.0.0\lib
D:\Tools\Apache\apache-tomcat-6.0.0\lib>java -cp catalina.jar org.apache.catalina.util.ServerInfo
Output
Server version: Apache Tomcat/6.0.26
Server built: March 9 2010 1805
Server number: 6.0.0
OS Name: Windows 7
OS Version: 6.1
Architecture: amd64
JVM Version: 1.8.0_131-b11
JVM Vendor: Oracle Corporation
Approach 1 – Disable Tomcat info in Response Header
Add the server attribute to the Connector element in server.xml.
This approach hides the Apache Tomcat version in the response header only, not on the error page.
server.xml path : C:/<Apache-Tomcat-Installation-Directory>/conf/server.xml
Note: Take a backup of server.xml for safety.
Example
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
enableLookups="false" redirectPort="8443" server="Application Server" />
This is the easiest way to hide the Apache Tomcat server version.
Output
You can find the changes highlighted in yellow color in the below image.
The above change is reflected in the response header, but not on any error page.
You can see that the error page still shows the Apache Tomcat server version details, as follows.
To hide the Apache Tomcat server version on the error page as well, follow either Approach 2 or Approach 3 below.
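As an added example (not part of the original article), the following Python script shows the difference between Approach 1 and the jar-level fixes from a client's point of view: it parses raw HTTP responses and reports version banners in the Server header and in the error-page body separately. The three responses are constructed samples, not captures from a real server.

```python
import re

# Banners Tomcat leaks by default: the Coyote connector string in the Server
# header and the "Apache Tomcat/x.y.z" string on the default error page.
LEAK_RE = re.compile(r"Apache[\s-]*(?:Tomcat|Coyote)/[\d.]+")


def audit_response(raw):
    """Split a raw HTTP response into head and body and list version leaks in each."""
    head, _, body = raw.partition("\r\n\r\n")
    server = next((line.split(":", 1)[1].strip() for line in head.split("\r\n")
                   if line.lower().startswith("server:")), None)
    return {
        "server_header": server,
        "header_leaks": sorted(set(LEAK_RE.findall(head))),
        "body_leaks": sorted(set(LEAK_RE.findall(body))),
    }


def is_clean(raw):
    """True only when neither the header nor the error page reveals a version."""
    result = audit_response(raw)
    return not result["header_leaks"] and not result["body_leaks"]


# Constructed sample responses (not captured from a real server).
# DEFAULT: stock Tomcat 6 error page; APPROACH1: server="Application Server" set
# on the Connector; APPROACH2: ServerInfo.properties changed as well.
DEFAULT = ("HTTP/1.1 404 Not Found\r\nServer: Apache-Coyote/1.1\r\n"
           "Content-Type: text/html;charset=utf-8\r\n\r\n"
           "<html><head><title>Apache Tomcat/6.0.26 - Error report</title></head>"
           "<body><h1>HTTP Status 404 - /nosuchapp</h1><hr/>"
           "<h3>Apache Tomcat/6.0.26</h3></body></html>")
APPROACH1 = DEFAULT.replace("Server: Apache-Coyote/1.1", "Server: Application Server")
APPROACH2 = APPROACH1.replace("Apache Tomcat/6.0.26", "Application Server")

if __name__ == "__main__":
    for name, raw in (("default", DEFAULT), ("approach1", APPROACH1), ("approach2", APPROACH2)):
        print(name, audit_response(raw), "clean" if is_clean(raw) else "LEAKS")
```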
Approach 2 - Disable Tomcat Name and Version
Modify the ServerInfo.properties file that exists inside catalina.jar: extract the file, edit it, and put it back in the same place. The steps below show how to modify ServerInfo.properties.
The location of ServerInfo.properties inside catalina.jar is /org/apache/catalina/util/ServerInfo.properties
Step 1: Backup Catalina.jar
Take a backup of the catalina.jar file, which exists at C:/<Apache-Tomcat-Installation-Directory>/lib/catalina.jar
Step 2: Extract and Edit the ServerInfo.properties file
Create a folder inside the lib folder, for example catalina, copy the jar into it, and then extract the properties file from the jar as follows.
C:\Users\narayanatutorial>cd D:\Tools\Apache\apache-tomcat-6.0.0\lib
D:\Tools\Apache\apache-tomcat-6.0.0\lib>mkdir catalina
D:\Tools\Apache\apache-tomcat-6.0.0\lib>cd catalina
D:\Tools\Apache\apache-tomcat-6.0.0\lib\catalina>jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
You can then find the ServerInfo.properties file at that location (org\apache\catalina\util); open it in Notepad to edit.
server.info=Apache Tomcat/6.0.0
server.number=6.0.0
server.built=Jul 6 2016 08:43:30 UTC
Here, modify server.info=Apache Tomcat/6.0.0 to server.info=Application Server and then save it.
Step 3: Add ServerInfo.properties back into catalina.jar
After saving, add it back to the same place in catalina.jar by executing the following command.
D:\Tools\Apache\apache-tomcat-6.0.0\lib\catalina>jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
Then copy the catalina.jar into the main location C:/<Apache-Tomcat-Installation-Directory>/lib/
If it asks to replace, replace it, then start the Apache Tomcat server and check the version the same way as before.
D:\Tools\Apache\apache-tomcat-6.0.0\lib>java -cp catalina.jar org.apache.catalina.util.ServerInfo
Output
server.info=Apache Tomcat
server.number=6.0.0
server.built=Jul 6 2016 08:43:30 UTC
Approach 3 - Disable Tomcat Name and Version
- Open command prompt
- Go to Tomcat lib folder
- Create the folder org/apache/catalina/util
D:\Tools\Apache\apache-tomcat-6.0.0\lib>mkdir org\apache\catalina\util
- Create an empty file named ServerInfo.properties inside org/apache/catalina/util
- Add the line server.info=Application Server
- Save it
- Restart / Start the Tomcat server
After starting the server, request any wrong application URL or wrong Tomcat URL and you will see the output below.
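As an added example (not code from the original article), the following Python script automates the checks behind Approach 2 and Approach 3: it reads the server.info value baked into lib/catalina.jar, writes the loose org/apache/catalina/util/ServerInfo.properties override that Approach 3 relies on, and reports which value wins. The demo() function builds a constructed lib/ directory with a fake catalina.jar in a temporary folder; the lib_dir parameter and the helper names are this example's own.

```python
import os
import tempfile
import zipfile

# Path of the properties file inside catalina.jar, as given in the article.
PROPS_PATH = "org/apache/catalina/util/ServerInfo.properties"


def parse_properties(text):
    """Minimal key=value parser for ServerInfo.properties (comments and blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def read_jar_server_info(lib_dir):
    """Approach 2 check: the server.info value currently packaged in lib/catalina.jar."""
    with zipfile.ZipFile(os.path.join(lib_dir, "catalina.jar")) as jar:
        return parse_properties(jar.read(PROPS_PATH).decode("utf-8")).get("server.info")


def write_override(lib_dir, server_info="Application Server"):
    """Approach 3: create lib/org/apache/catalina/util/ServerInfo.properties."""
    target = os.path.join(lib_dir, *PROPS_PATH.split("/"))
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(f"server.info={server_info}\n")
    return target


def effective_server_info(lib_dir):
    """The loose file under lib/ takes precedence over the jar copy, as in Approach 3."""
    override = os.path.join(lib_dir, *PROPS_PATH.split("/"))
    if os.path.isfile(override):
        with open(override, encoding="utf-8") as fh:
            return parse_properties(fh.read()).get("server.info")
    return read_jar_server_info(lib_dir)


def demo():
    """Constructed lib/ with a fake catalina.jar; returns (before, after) applying Approach 3."""
    lib_dir = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(lib_dir, "catalina.jar"), "w") as jar:
        jar.writestr(PROPS_PATH, "server.info=Apache Tomcat/6.0.0\nserver.number=6.0.0\n")
    before = effective_server_info(lib_dir)
    write_override(lib_dir)
    return before, effective_server_info(lib_dir)


if __name__ == "__main__":
    print(demo())
```

Run it against a real installation by pointing effective_server_info at your Tomcat lib directory; the ServerInfo command from the article then confirms what Tomcat itself reports.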
References
https://www.owasp.org/index.php/Securing_tomcat
I hope you understood how to disable the Apache Tomcat server version in the response header and error page with the different approaches, to fix this security issue. Please reply in the comments if any assistance is required.
Hello! I am Narayanaswamy founder and admin of narayanatutorial.com. I have been working in the IT industry for more than 12 years. NarayanaTutorial is my web technologies blog. My specialties are Java / J2EE, Spring, Hibernate, Struts, Webservices, PHP, Oracle, MySQL, SQLServer, Web Hosting, Website Development, and IAM(ForgeRock) Specialist
I am a self-learner and passionate about training and writing. I am always trying my best to share my knowledge through my blog.