debian-mirror-gitlab/doc/user/application_security/dast/checks/16.5.md

---
stage: Secure
group: Dynamic Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# AspNet header exposes version information

## Description

The target website returns AspNet header(s) and version information of this website. By
exposing these values attackers may attempt to identify if the target software is vulnerable to known
vulnerabilities, or catalog known sites running particular versions to exploit in the future when a
vulnerability is identified in the particular version.

## Remediation

To remove the `X-AspNet-Version` header set `<httpRuntime enableVersionHeader="false" />` in the `<system.Web>`
section of the `Web.config` file.

## Details

| ID | Aggregated | CWE | Type | Risk |
|:---|:--------|:--------|:--------|:--------|
| 16.5 | true | 16 | Passive | Low |

## Links

- [CWE](https://cwe.mitre.org/data/definitions/16.html)
- [IIS Remove Unwanted Headers](https://techcommunity.microsoft.com/t5/iis-support-blog/remove-unwanted-http-response-headers/ba-p/369710)
New upstream version 14.5.2+ds1 2021-12-11 22:18:48 +05:30			`---`
			`stage: Secure`
			`group: Dynamic Analysis`
			`info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments`
			`---`

New upstream version 14.6.3+ds1 2022-01-26 12:08:38 +05:30			`# AspNet header exposes version information`
New upstream version 14.5.2+ds1 2021-12-11 22:18:48 +05:30
			`## Description`

			`The target website returns AspNet header(s) and version information of this website. By`
			`exposing these values attackers may attempt to identify if the target software is vulnerable to known`
			`vulnerabilities, or catalog known sites running particular versions to exploit in the future when a`
			`vulnerability is identified in the particular version.`

			`## Remediation`

			To remove the `X-AspNet-Version` header set `<httpRuntime enableVersionHeader="false" />` in the `<system.Web>`
			section of the `Web.config` file.

			`## Details`

			`\| ID \| Aggregated \| CWE \| Type \| Risk \|`
			`\|:---\|:--------\|:--------\|:--------\|:--------\|`
			`\| 16.5 \| true \| 16 \| Passive \| Low \|`

			`## Links`

New upstream version 14.6.3+ds1 2022-01-26 12:08:38 +05:30			`- [CWE](https://cwe.mitre.org/data/definitions/16.html)`
New upstream version 14.5.2+ds1 2021-12-11 22:18:48 +05:30			`- [IIS Remove Unwanted Headers](https://techcommunity.microsoft.com/t5/iis-support-blog/remove-unwanted-http-response-headers/ba-p/369710)`