Testing web application security
There are many common web security issues, of varying severity, that you should protect yourself against. If you run a bug bounty program while any of these are present, they are likely to be the first reports you receive, and you will receive many duplicate reports of the same basic issues. Fix these first, so that researchers are encouraged to explore more deeply.
Some tools step through these kinds of attacks automatically, but here we describe how the attacks work and why.
Information leakage
An attacker looking for vulnerabilities to exploit needs to know what system they are attacking: what kind of web server is this, and which version is it running? Web servers generally advertise this in response headers such as Server and X-Powered-By, on the theory that it helps client browsers with compatibility, but clients rarely need it. What it does do is tell attackers which known exploits are likely to work, so it is best to disable it. There are settings to implement that...
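As an added example (not code from the original page), the following Python checks a captured HTTP response for the kind of software-identifying headers described above. The two responses are constructed for illustration, not captured from any real host, and the list of headers it inspects is an assumption chosen for the example rather than an exhaustive catalogue. It separates headers that reveal only a product name from those that also carry a version number, since the version is what lets an attacker pick an exploit.

```python
import re

# Response headers that commonly identify the server software or framework.
# This list is an assumption for the example, not an exhaustive catalogue.
DISCLOSING_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
)

# A dotted version number such as 2.4.41 or 7.4.3.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.x response.

    Returns a dict keyed by lowercased header name. Repeated headers are
    joined with ", " as RFC 9110 permits for list-valued fields.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line, e.g. "HTTP/1.1 200 OK"
        if ":" not in line:
            continue  # tolerate a malformed line rather than abort the whole parse
        name, value = line.split(":", 1)
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def find_leaks(headers: dict) -> list:
    """Return (header, value, reveals_version) for each disclosing header present."""
    leaks = []
    for name in DISCLOSING_HEADERS:
        if name in headers:
            value = headers[name]
            leaks.append((name, value, VERSION_RE.search(value) is not None))
    return leaks


# Constructed sample responses for illustration; not captured from a real host.
VERBOSE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"<html></html>"
)

HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"<html></html>"
)


if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        leaks = find_leaks(parse_headers(raw))
        print(f"{label}:")
        for name, value, versioned in leaks:
            flag = "VERSION DISCLOSED" if versioned else "product name only"
            print(f"  {name}: {value}  [{flag}]")
        if not leaks:
            print("  no identifying headers")
```

To check a live host, feed the same parser the bytes of a raw response (for example, the output of `curl -si` against the site). The product-only case is kept distinct because some servers cannot drop the header entirely through configuration alone: nginx with `server_tokens off` still sends `Server: nginx`, and Apache with `ServerTokens Prod` still sends `Server: Apache`, which tells an attacker the product but not which version's exploits to try.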