After the security scan, I got to know that the server leaks inodes via Etags. What should I do?

After automated scanning on my web application I have the result that "Server leaks inodes via ETags, header found with file /icons/README, fields: 0x16a4 0x438c0000000". I've read about ETags but I don't see any security risk related to this. INode defined as "The file's i-node number will be included in the calculation" is one of the standard configurations."


Answered by Abhinav Pillai

First of all, this is a false positive. Nikto reports this issue "Server leaks inodes via ETags" if there is a dash in the ETag header, which is by itself not an indication of anything. An inode is a data structure used by the Linux file system. Every file and directory has an inode which stores its name, size and other data. Every inode has a number which uniquely identifies it. Apache HTTPD used this in the ETag for a while. The ETag is an identifier which should uniquely identify a file on the web server, and the inode number is a number which uniquely identifies a file on the filesystem, so it seemed to make sense to use one for the other. The inode number is technical information from the file system. If exposed, it cannot be used to exploit anything useful. Furthermore, it is only exposed on files that you can already download. It doesn't seem to be a real security risk to me if a server exposes inodes.



Your Answer

Interviews

Parent Categories