Java Server Information Exposure
Description
This vulnerability detector identifies Java code that exposes server information through HTTP responses. It flags calls to ResponseEntity.ok() whose response body carries details about the servlet container or runtime (for example, the container name and version obtainable from the ServletContext). Such details let an attacker fingerprint the stack during reconnaissance and select version-specific exploits, so they should never be returned to a client.
Detection Strategy
• The code imports a servlet API package (javax.servlet.ServletContext, javax.servlet.*, jakarta.servlet.ServletContext, or jakarta.servlet.*)
• A call to ok() is found on a ResponseEntity object, i.e. ResponseEntity.ok(...)
• The first argument passed to ResponseEntity.ok() is analyzed and found to carry server information (such as the container name and version taken from the ServletContext) that should not leave the server
• When the argument analysis concludes that such sensitive server details are being returned in the HTTP response body, the call is reported
Vulnerable code example
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServlet;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class ServerInfoController extends HttpServlet {
...
Secure code example
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServlet;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class ServerInfoController extends HttpServlet {
...
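The two examples on this page are truncated, so the following complete controller is added here as an illustration; it is not Fluid Attacks' code and not the page's own example. It assumes a Spring Boot web application that injects the ServletContext through the constructor (instead of the HttpServlet subclass used above), and uses the javax.servlet package as the page's snippets do. The endpoint paths and response keys are invented for the example. It shows two endpoints that satisfy every condition of the detection strategy (servlet import, ResponseEntity.ok(), server details in the first argument) next to two that keep the same import and injection but pass only application-level data to ok().

```java
import java.util.Map;

import javax.servlet.ServletContext;

import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example, not code from the original page. Spring injects the
// container's ServletContext into this controller at startup (assumption:
// the class runs inside a Spring Boot web application).
@RestController
public class ServerInfoController {

    private final ServletContext servletContext;

    public ServerInfoController(ServletContext servletContext) {
        this.servletContext = servletContext;
    }

    // VULNERABLE: the body handed to ResponseEntity.ok() is the result of
    // ServletContext.getServerInfo(), which returns the container name and
    // version (for example "Apache Tomcat/9.0.65"). Any client can read it
    // and look for exploits matching that exact version.
    @GetMapping("/server-info")
    public ResponseEntity<String> serverInfo() {
        return ResponseEntity.ok(servletContext.getServerInfo());
    }

    // VULNERABLE: the same information, wrapped in a map together with the
    // servlet specification version. Wrapping the value does not change what
    // the response discloses.
    @GetMapping("/runtime")
    public ResponseEntity<Map<String, String>> runtime() {
        return ResponseEntity.ok(Map.of(
                "server", servletContext.getServerInfo(),
                "servletSpec", servletContext.getMajorVersion()
                        + "." + servletContext.getMinorVersion()));
    }

    // SAFE: the response carries only an application-level status. The
    // servlet import and the injected ServletContext are still present; what
    // changes is the argument passed to ok().
    @GetMapping("/health")
    public ResponseEntity<Map<String, String>> health() {
        return ResponseEntity.ok(Map.of("status", "UP"));
    }

    // SAFE: when the container details are needed for operations, keep them
    // server-side (here written to the container log) and never put them in
    // the response body.
    @GetMapping("/health/detailed")
    public ResponseEntity<Map<String, String>> detailedHealth() {
        servletContext.log("health check served by " + servletContext.getServerInfo());
        return ResponseEntity.ok(Map.of("status", "UP", "checks", "db,cache"));
    }
}
```

With Spring Boot 3 and later the servlet API moves to the jakarta.servlet package, which is why the detection strategy lists both javax.servlet and jakarta.servlet imports; the controller above needs only its import line changed. If an operator really must see the container version, expose it on an authenticated management endpoint rather than on a public route, and prefer to strip the Server response header at the reverse proxy as well, since the container may add it independently of application code.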