- 论坛徽章:
- 0
|
为了不让网站攻击者获取服务器OS(操作系统类型和版本号)和WEB(apache和IIS)服务信息。如何屏蔽掉403等错误,让他直接返回404错误呢?
web为APACHE和IIS
以下是扫描的结果
GET /~root/ HTTP/1.1
Cookie: JSESSIONID=96B19C59DC23F0527C33524F23999DB5
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: wwwwwwwww
2010-5-1 19:37:22 155/1413
HTTP/1.1 403 Forbidden
Content-Length: 327
Date: Thu, 29 Apr 2010 11:31:07 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /~root/
on this server.</p>
<p>Additionally, a 403 Forbidden
error was encountered while trying to use an ErrorDocument to handle the
request.</p>
</body></html>
响应中的验证:
• HTTP/1.1 403 Forbidden
推理:
测试尝试了检测服务器上的隐藏目录。403 Forbidden 响应泄露了存在此目录,即使不允
许对其进行访问。 |
|
免费注册
发表于 2010-05-07 10:27
