---
id: ff4807d4-324d-4c85-b9f5-45b7e0cce2ba
---

# Apache Server Information Leak via ETag Header
---

This incident type refers to a vulnerability in the Apache web server where sensitive information is leaked through the ETag header. The ETag header is used to help browsers cache web pages and can contain metadata about the file being served. However, if the ETag value is not properly configured, it can inadvertently expose information about the server, such as file paths or version numbers. Attackers can use this information to gain insights into a server's configuration and use it to launch further attacks.

### Parameters
```shell
export APACHE_CONFIG_FILE="PLACEHOLDER"

export SERVER_URL="PLACEHOLDER"

export PATH_TO_APACHE_CONFIG_FILE="PLACEHOLDER"
```

## Debug

### Check if Apache server is running
```shell
systemctl status apache2
```

### Check Apache server version
```shell
apache2 -v
```

### List Apache modules and check if mod_headers is enabled
```shell
apache2ctl -M | grep headers
```

### Check Apache server configuration for ETag settings
```shell
grep -i ETag ${APACHE_CONFIG_FILE}
```

### Check if ETags are being sent in server responses
```shell
curl -I -s ${SERVER_URL} | grep -i ETag
```

### Check if ETags are being sent in HTTPS responses
```shell
openssl s_client -connect ${SERVER_URL}:443 | openssl x509 -noout -text | grep ETag
```

### Check if ETags are being sent in HTTP/2 responses
```shell
nghttp -H ${SERVER_URL} | grep -i ETag
```

## Repair

### Update the Apache web server to the latest version and apply any patches that address the ETag header vulnerability.
```shell


#!/bin/bash



# Update package repository

sudo apt-get update



# Update Apache web server

sudo apt-get install apache2



# Check Apache version

sudo apache2 -v


```

### Configure the ETag header to only include a secure hash value that does not reveal any sensitive information about the server or its configuration.
```shell


#!/bin/bash



# Stop Apache web server

sudo systemctl stop apache2



# Edit Apache configuration file to remove version number from ETag header

sudo sed -i 's/^\s*#*\s*FileETag.*/FileETag MTime Size/g' ${PATH_TO_APACHE_CONFIG_FILE}



# Restart Apache web server

sudo systemctl start apache2


```

This incident type refers to a vulnerability in the Apache web server where sensitive information is leaked through the ETag header. The ETag header is used to help browsers cache web pages and can contain metadata about the file being served. However, if the ETag value is not properly configured, it can inadvertently expose information about the server, such as file paths or version numbers. Attackers can use this information to gain insights into a server's configuration and use it to launch further attacks.


This incident type refers to an unauthorized access to directories in Apache HTTPD, which is a widely used web server software. It means that someone was able to access files or directories that they were not supposed to, without having proper authorization. This type of incident can potentially lead to sensitive data being exposed or even stolen, and can compromise the security of the server and the applications running on it.


Unauthorized Directory Access in Apache HTTPD.

The Slowloris Attack is a type of Denial of Service (DoS) attack that exploits a vulnerability in the Apache web server. It works by sending HTTP requests to the server and keeping those connections open for as long as possible, thereby using up all the available resources of the server and rendering it unresponsive to legitimate requests. As a result, the server becomes slow or unresponsive, causing downtime for the affected website or service. This type of attack can be detected and mitigated by implementing specific security measures and tools.


Slowloris Attack Detected on Apache server.

This incident type refers to the detection of SQL injection attempts in Apache web server logs. SQL injection is a type of cyber attack that exploits vulnerabilities in web applications allowing attackers to execute malicious SQL statements. In this incident, attackers are attempting to inject SQL code into the URI (Uniform Resource Identifier) of an Apache web server, potentially compromising the server's security and exposing sensitive information.


Apache SQL Injection Attempts in URI Incident

This incident type refers to a security vulnerability in the SSL/TLS configuration of the Apache HTTP Server, which can leave the server and its users vulnerable to attacks. The SSL/TLS configuration is responsible for encrypting the communication between the server and its clients, and if it is not configured properly, it can be exploited by hackers to intercept or modify sensitive data. This type of incident requires immediate attention from software engineers to ensure that the SSL/TLS configuration is properly configured to prevent any potential security threats.


Inadequate SSL/TLS Configuration for Apache HTTP Server.

The High Apache Request Time to First Byte (TTFB) Incident is a type of incident related to web server performance. It occurs when there is a significant delay in the time it takes for the server to respond to a request from a client. TTFB is a metric that measures the time it takes for a web server to send the first byte of data in response to a request. When TTFB is high, it can indicate that the server is experiencing performance issues or that there is a problem with the network connection. This type of incident can impact website performance, user experience, and ultimately, customer satisfaction.


High Apache Request Time to First Byte (TTFB) Incident

```shell
export APACHE_CONFIG_FILE="PLACEHOLDER"

export SERVER_URL="PLACEHOLDER"

export PATH_TO_APACHE_CONFIG_FILE="PLACEHOLDER"
```


### Check if Apache server is running

```shell
systemctl status apache2
```

### Check Apache server version

```shell
apache2 -v
```

### List Apache modules and check if mod\_headers is enabled

```shell
apache2ctl -M | grep headers
```

### Check Apache server configuration for ETag settings

```shell
grep -i ETag ${APACHE_CONFIG_FILE}
```

### Check if ETags are being sent in server responses

```shell
curl -I -s ${SERVER_URL} | grep -i ETag
```

### Check if ETags are being sent in HTTPS responses

```shell
openssl s_client -connect ${SERVER_URL}:443 | openssl x509 -noout -text | grep ETag
```

### Check if ETags are being sent in HTTP/2 responses

```shell
nghttp -H ${SERVER_URL} | grep -i ETag
```


### Update the Apache web server to the latest version and apply any patches that address the ETag header vulnerability.

```shell


#!/bin/bash



# Update package repository

sudo apt-get update



# Update Apache web server

sudo apt-get install apache2



# Check Apache version

sudo apache2 -v


```

### Configure the ETag header to only include a secure hash value that does not reveal any sensitive information about the server or its configuration.

```shell


#!/bin/bash



# Stop Apache web server

sudo systemctl stop apache2



# Edit Apache configuration file to remove version number from ETag header

sudo sed -i 's/^\s*#*\s*FileETag.*/FileETag MTime Size/g' ${PATH_TO_APACHE_CONFIG_FILE}



# Restart Apache web server

sudo systemctl start apache2


```


Apache Server Information Leak via ETag Header

Overview

Parameters

Debug

Check if Apache server is running

Check Apache server version

List Apache modules and check if mod_headers is enabled

Check Apache server configuration for ETag settings

Check if ETags are being sent in server responses

Check if ETags are being sent in HTTPS responses

Check if ETags are being sent in HTTP/2 responses

Repair

Update the Apache web server to the latest version and apply any patches that address the ETag header vulnerability.

Configure the ETag header to only include a secure hash value that does not reveal any sensitive information about the server or its configuration.

Learn more

Related Runbooks

Unauthorized Directory Access in Apache HTTPD.

Slowloris Attack Detected on Apache server.

Apache SQL Injection Attempts in URI Incident

Inadequate SSL/TLS Configuration for Apache HTTP Server.

Support