Server Header Disclosure
Mobile applications and their backend servers communicate using an agreed message format, most commonly HTTP. Each message consists of a header section and a body: the headers carry metadata about the body and about the server that produced it. With default settings, headers such as Server, X-Powered-By and X-AspNet-Version disclose internal details of the system, for example the web server, the application framework and their exact versions. A user with malicious intent can use this information to target known weaknesses in those versions. Let us look at an example to understand the scenario better.
A server responds to a request from its client mobile application. Whenever the server throws an error, the response headers (and often the default error page in the body) mention the web server's product and version and the version of the application framework. Any user of the mobile application can route its traffic through an intercepting proxy, examine the headers and obtain this information. He then looks up published vulnerabilities for the disclosed versions and exploits one of them, gaining access to the server and destroying critical data. Note that the version string does not create the vulnerability; it shortens the attacker's reconnaissance by telling him exactly what to look for.
The solution is to customize the server's response headers instead of accepting the defaults, which fill the Server header and similar fields with product and version strings. Configure the server to omit or neutralize them (for example, ServerTokens Prod and ServerSignature Off on Apache, server_tokens off on nginx, and removing X-Powered-By and X-AspNet-Version on IIS and ASP.NET), and replace the default error pages, which often repeat the same version banner in the body. Verify the result by inspecting responses to successful requests as well as to 404 and 500 errors, since error paths are where the defaults most often survive. Hiding versions is defense in depth, not a substitute for patching: an attacker can still fingerprint the stack from its behaviour, so the software behind the hidden headers must also be kept current.
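The following is an added example, not code from the original article: a small checker that scans a raw HTTP response for version disclosures in both the headers and the body, and a scrubber that models what the server-side configuration above does to the headers. The sample 500 response, the header list and the hypothetical api.example.com host are constructed for the example; the header list is illustrative and should be extended for your own stack.

```python
import re

# Response headers that commonly carry product and version strings.
# Assumption: this list is illustrative, not exhaustive.
DISCLOSURE_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
)

# Matches "Product/1.2.3" tokens such as "Apache/2.4.41" or "PHP/7.4.3".
VERSION_TOKEN = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")

# Constructed sample: a 500 response that leaks through the Server and
# X-Powered-By headers and through Apache's default error-page footer.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><body><h1>Internal Server Error</h1>"
    b"<address>Apache/2.4.41 (Ubuntu) Server at api.example.com Port 443"
    b"</address></body></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased; headers is a list of (name, value)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_code = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_code, headers, body.decode("utf-8", "replace")


def find_disclosures(raw):
    """Return (location, product, version) for every version string found in a
    disclosure-prone header or in the body (default error pages repeat the
    banner there). A product name without a version is reported with
    version None, since even "Server: nginx" narrows an attacker's search."""
    _, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name not in DISCLOSURE_HEADERS:
            continue
        tokens = VERSION_TOKEN.findall(value)
        if tokens:
            findings.extend((name, product, version) for product, version in tokens)
        else:
            findings.append((name, value, None))
    for product, version in VERSION_TOKEN.findall(body):
        findings.append(("body", product, version))
    return findings


def scrub_headers(raw):
    """Return the response with every disclosure-prone header removed.

    This models what ServerTokens/server_tokens style settings achieve; the
    Server header is dropped entirely because HTTP does not require it.
    The body is left untouched on purpose: a version banner in a default
    error page must be fixed by replacing the page, not by header rules."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    kept = [lines[0]]
    for line in lines[1:]:
        name = line.partition(":")[0].strip().lower()
        if name not in DISCLOSURE_HEADERS:
            kept.append(line)
    return "\r\n".join(kept).encode("iso-8859-1") + sep + body


if __name__ == "__main__":
    for location, product, version in find_disclosures(SAMPLE_RESPONSE):
        print(f"before scrub: {location}: {product} {version or ''}".rstrip())
    for location, product, version in find_disclosures(scrub_headers(SAMPLE_RESPONSE)):
        print(f"after scrub:  {location}: {product} {version or ''}".rstrip())
```

Run against the sample, the checker reports Apache 2.4.41 and PHP 7.4.3 from the headers and Apache 2.4.41 again from the body; after scrubbing, only the body finding remains, which is exactly why the article's fix has to cover the default error page as well as the header format. In practice, point the checker at captured responses from a proxy for both successful and error requests.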