Application gateway server information disclosure in HTTP response header

Azure Developer 20 Reputation points
2023-10-30T08:45:17.1333333+00:00

Hi,

We encountered a problem during pentesting: an issue was found about the server information "nginx" in the application gateway response. I created an application gateway of the WAF tier and implemented a rewrite set to remove "Server" from the response.

It works correctly for status 200, but status 403 still contains the nginx information.


Kindly suggest a way to fix it.

Thanks,

Suriyan


Accepted answer
    GitaraniSharma-MSFT 49,611 Reputation points Microsoft Employee
    2023-10-30T12:21:49.9966667+00:00

    Hello @Azure Developer ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are facing an issue with Application Gateway WAF where the server information is being disclosed in the HTTP response header of the 403 error and you are unable to implement a rewrite set for the same.

    As mentioned in the Application Gateway header rewrite limitations,

    Rewrites aren't supported for 4xx and 5xx responses generated directly from Application Gateway

    Refer: https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#limitations

    If you wish you may upvote the feedback in the below forum requesting this feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

    https://feedback.azure.com/d365community/idea/88a5fb41-8010-ee11-a81c-000d3adb7ffd

    So, maybe you can take a look at the Custom error pages supported by Application Gateway in this case.

    Application Gateway allows you to create custom error pages instead of displaying default error pages. You can use your branding and layout for errors related to different response codes.

    You can define customized error pages for different response codes returned by the Application Gateway. The response codes for which you can configure error pages are 400, 403, 405, 408, 500, 502, 503, and 504. You can use global-level or listener-specific error page configuration to set them granularly for each listener.

    To create a custom error page, you should:

    • know the response code for which a custom error page is needed.
    • know the corresponding remote location (URL) for the HTML page. This must be a publicly accessible file.
    • ensure the error page is publicly accessible and returns a 200 response.
    • ensure the error page has a *.htm or *.html extension.
    • ensure the page size is less than 1 MB.
    • You may reference internal or external images/CSS for this HTML file. For externally referenced resources, use absolute URLs that are publicly accessible. Be aware of the HTML file size when using base64-encoded inline images, JavaScript, or CSS.

    Refer:

    https://learn.microsoft.com/en-us/azure/application-gateway/configuration-listeners#custom-error-pages

    https://learn.microsoft.com/en-us/azure/application-gateway/custom-error

    Additional info:

    • The custom error pages are displayed for response codes generated by Application Gateway. If an error originates from the backend server, it is passed along unmodified to the client.
    • Rewrites aren't supported when the application gateway is configured to redirect the requests or to show a custom error page.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
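The practical lesson from this thread is that a rewrite set only scrubs responses the gateway proxies, so a check that inspects only a 200 page misses the 403 generated by the WAF itself. The script below is an added example (not part of the Q&A thread or of Azure tooling): it parses captured raw HTTP responses, reports every one still carrying a Server header, and notes whether the status is one Application Gateway can generate itself, where the documented fix is a custom error page rather than a rewrite. The sample responses and paths are constructed.

```python
"""Audit captured HTTP responses for a disclosed Server header."""
import re
from typing import Dict, List, Tuple

# Status codes for which Application Gateway can generate the response itself
# (the ones the custom error page feature covers); a header rewrite does not
# apply to such gateway-generated responses, per the documented limitation.
GATEWAY_ERROR_CODES = {400, 403, 405, 408, 500, 502, 503, 504}

# Constructed samples: a proxied 200 with the rewrite applied, and a
# WAF-generated 403 where the Server header survives.
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "/": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"Date: Mon, 30 Oct 2023 08:45:17 GMT\r\n\r\n<html>ok</html>"),
    "/blocked-by-waf": (b"HTTP/1.1 403 Forbidden\r\nServer: nginx\r\n"
                        b"Content-Type: text/html\r\n\r\n<html>403</html>"),
}

def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status_code, headers) from a raw HTTP/1.x response.

    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    match = re.match(r"HTTP/\d(?:\.\d)? (\d{3})", lines[0])
    if not match:
        raise ValueError("not an HTTP response status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers

def find_server_disclosure(responses: Dict[str, bytes]) -> List[Tuple[str, int, str, str]]:
    """List (path, status, server_value, remediation) for every response
    that still carries a Server header."""
    findings = []
    for path, raw in responses.items():
        status, headers = parse_response(raw)
        if "server" not in headers:
            continue
        fix = ("custom error page (gateway-generated response)"
               if status in GATEWAY_ERROR_CODES else "response header rewrite")
        findings.append((path, status, headers["server"], fix))
    return findings

if __name__ == "__main__":
    for path, status, server, fix in find_server_disclosure(SAMPLE_RESPONSES):
        print(f"{path}: {status} discloses 'Server: {server}' -> fix via {fix}")
```

Replace SAMPLE_RESPONSES with responses captured from your own gateway for both a normal request and a WAF-blocked one to confirm the header is gone in every case.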

