'AmazonS3' value of Server Header triggers 'Server Leaks Version Information via "Server" HTTP Response Header Field' alert

[Stanislava]

Hello,

I have a question about ServerHeaderInfoLeakScanRule. When I run scan against some solutions based on AWS, those which are served from an S3 will get a low severity alert Server Leaks Version Information via "Server" HTTP Response Header Field with 'AmazonS3' as evidence. 

The description is following:

"The web/application server is leaking version information via the "Server" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to."

OWASP-ZAP source code\zap-extensions\addOns\pscanrulesBeta\src\main\java\org\zaproxy\zap\extension\pscanrulesBeta\ServerHeaderInfoLeakScanRule.java rule uses a regex, that will raise an alert on any digit in the value: "Pattern.compile(".*\\d.*")"

My question is if it is an intended behavior, as in description problem is that version is leaked, but with value 'AmazonS3' no version is present.  

 

Thanks in advance

Best regards

Stanislava Y

[kingthorin+owaspzap]

Yes it's the intended behavior (you read the code). Yup it's a false positive. You have a few options:

1) Strip the header from responses, it doesn't help users anyway and saves you a few bytes transfer per response.

2) Setup a Alert Filter https://www.zaproxy.org/docs/desktop/addons/alert-filters/

3) Disable the passive scan rule if it isn't something you care about (though arguably there could be valid findings on other traffic).

4) Manually set the finding as a False Positive.

5) Submit a PR with a fix, though that seems kinda "whack a mole"ish.

[Stanislava]

Thank you for the clarification. I will remove the header, where I can and filter these alerts out for the rest. Thanks again.

Stanislava