
Funny and malicious server banners

Netcraft’s most recent Web Server Survey includes nearly 1.2 billion websites. Most of these sites return a server banner that shows which web server software they use, thus allowing us to determine the market shares of each server vendor since 1995.

Many of these server banners are simply short strings like “Apache”, while others may include additional details that reveal which other software – and which versions – are installed on the server. One such example is “Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.2k-fips DAV/2 PHP/5.5.38”.

Chrome’s Network Inspector showing the HTTP response headers for wordpress.com, which uses the nginx web server. It does not reveal a version number.

A web server reveals its server banner via the Server HTTP response header. This string is not ordinarily exposed to users, but most browsers allow it to be viewed in the Network Inspector panel.
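As an added illustration (this code is not from the Netcraft article), the following Python snippet does what a survey crawler has to do with a response like the one shown above: pull the Server header out of a raw HTTP response and split it into the product/version tokens and parenthesised comments that the HTTP grammar allows. The response bytes are constructed for the example; the banner string inside it is the verbose Apache banner quoted earlier on this page. The `disclosed_versions` helper makes the information-leakage point concrete: a bare “Apache” yields nothing, while the verbose banner gives away five component versions.

```python
import re
from typing import Dict, List, Optional, Tuple

# A constructed raw HTTP/1.1 response, not a capture from a real site. The
# Server value is the verbose banner quoted earlier in the article.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.2k-fips DAV/2 PHP/5.5.38\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)

# product = token ["/" product-version]; a product token never contains
# whitespace, "/" or parentheses (RFC 9110, section 10.2.4).
_PRODUCT = re.compile(r"([^\s/()]+)(?:/([^\s()]+))?")


def server_header(raw: bytes) -> Optional[str]:
    """Return the first Server header value in a raw HTTP response, or None."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            # Field values are bytes; latin-1 maps every byte to a character,
            # so nothing an odd banner sends can make decoding fail.
            return value.strip().decode("latin-1")
    return None


def parse_banner(banner: str) -> List[Dict[str, Optional[str]]]:
    """Split a Server value into product/version entries and comments.

    Comments are parenthesised and may nest, e.g. "(Unix)" above.
    """
    parts: List[Dict[str, Optional[str]]] = []
    i, n = 0, len(banner)
    while i < n:
        ch = banner[i]
        if ch.isspace():
            i += 1
        elif ch == "(":
            depth, j = 0, i
            while j < n:
                if banner[j] == "(":
                    depth += 1
                elif banner[j] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            parts.append({"comment": banner[i + 1:j]})
            i = j + 1
        else:
            m = _PRODUCT.match(banner, i)
            if m is None:                        # stray ")" or "/"; skip it
                i += 1
                continue
            parts.append({"product": m.group(1), "version": m.group(2)})
            i = m.end()
    return parts


def disclosed_versions(banner: str) -> List[Tuple[str, str]]:
    """Every (product, version) pair the banner gives away; "Apache" alone yields []."""
    return [
        (p["product"], p["version"])
        for p in parse_banner(banner)
        if "product" in p and p["version"] is not None
    ]


if __name__ == "__main__":
    banner = server_header(SAMPLE_RESPONSE)
    print(banner)
    for product, version in disclosed_versions(banner or ""):
        print(f"  {product:<10} {version}")
```

Note that the parser deliberately tolerates malformed input (unbalanced parentheses, stray slashes): as the rest of this article shows, the Server header is attacker-controlled text, and a crawler that throws on the first odd banner is easy to break.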

Custom banners

Web server software usually allows its server banner to be modified: Apache’s ServerTokens directive and nginx’s server_tokens setting trim the banner to the bare product name, and add-on modules (ModSecurity’s SecServerSignature for Apache, the headers-more module for nginx) allow it to be replaced with an arbitrary string. A common reason for changing the default value is to reduce the amount of information revealed to an attacker.

For example, if a web server advertises itself as running a vulnerable version of Apache, such as “Apache/2.4.49” (the release affected by the 2021 path traversal flaw, CVE-2021-41773), it could be more likely to come under attack than a server that reveals only “Apache”.

Our Web Server Survey includes a few websites that return the following Server header, which takes a deliberate swipe at the effectiveness of hiding this sort of information:

Of course, with this amount of flexibility, a cheeky or malicious administrator can configure a web server to pretend to be anything they want. Sometimes this is done in a deliberate attempt to cloak the truth or to mislead; in other cases it is simply a joke waiting to be found by anyone curious enough to look at the banner.

Unlikely server banners

Amongst the 1.2 billion websites, there are plenty of examples of unlikely server banners.

There are hundreds of web servers that claim to be running on a Commodore 64, but almost certainly are not.

And whilst it is not impossible for a web server to be powered by a potato, one of the most well known examples that hit the news 22 years ago ultimately turned out to be a joke. Today, possibly in homage to this prank, there are several hundred websites that return a “Server: Potato” response header.

Perhaps to avoid any ambiguities with a Debian distribution from the same era named Potato, there are also dozens of websites that claim to be running on “A literal potato with wires sticking out of it”. A couple of servers also claim to be running “GLaDoS PoTaTo”, which is a reference to the potato battery that powers the antagonist in the computer game Portal 2. All of the purportedly potato powered web servers insinuate that there is only one potato involved in the generation of electricity (other examples include “A Single Potato” and “a potato”), with the only exception being a small number of servers that have adopted a higher tech approach with “somme potatoes linked together” [sic].

Not a web server: A fictional potato-powered computer in the game Portal 2.

A handful of sites return the following server header, which includes an inordinate number of software names and versions which are unlikely in practice:

This sort of honeypot banner is a red herring for automated attack software that is looking for vulnerable websites to exploit.

We also see server banners being used to ask the most profound questions, such as:

Other peculiar server banners are used to convey messages or stories. One such example is the website of a self-confessed computer nerd that returns the following lengthy server banner, which regales the story of Darth Plagueis, a fictional character from the Star Wars franchise:

Indeed.

Recruitment

There are many examples of websites hiding recruitment pitches in HTTP response headers, HTML comments, JavaScript, and other places that are only likely to be noticed by the inquisitive. These techniques are typically used to advertise tech job vacancies, where the method of discovery increases the chance of applicants having at least some of the skills or qualities required to do the job well.

Some websites therefore use the server banner to present these messages, as it is an easy-to-configure place to put the message whilst still making it practically invisible to the majority of visitors.

Some examples of server banners being used for recruitment purposes include:

Malicious server banners

Amidst the plentiful examples of jokey server banners, there are some that delve into murkier territories. Numerous websites return specially crafted server banners that attempt to exploit security vulnerabilities in the clients that visit the sites, in back-end systems that subsequently process the strings, or on webpages where the server banner is redisplayed.

Some of these server banners are designed only to detect or demonstrate the presence of vulnerabilities in a benign fashion, whereas some are overtly malicious.

Log4shell exploits

A small number of websites in our latest Web Server Survey attempt to exploit the recent Log4shell vulnerability in Log4j by setting server banners similar to the following:

If one of the LDAP URLs in these server banners receives any requests, the “attacker” will know that the site presenting the banner has been visited by a bot or other client whose back end logs the string using a vulnerable version of Log4j, which resolves the JNDI lookup and connects to the attacker’s server.

While these instances are currently benign and could well be done purely out of curiosity or in a legitimate attempt to claim bug bounties, they are nonetheless capable of detecting vulnerable clients or back-ends and the payloads could be turned malicious at any time.

Cross-site scripting

There are hundreds of websites with server banners that include cross-site scripting (XSS) payloads, some of which are specially crafted in an attempt to bypass filters. Here are several examples:

These server banners are intended to exploit stored XSS vulnerabilities, i.e. where the scripts are stored and subsequently redisplayed on a different website with insufficient encoding to prevent them being executed in a visitor’s web browser. Again, while some of these payloads are clearly benign, those that reference external scripts could be weaponised at any moment by changing the content of the remote script.

Raw HTTP response headers, showing a benign cross-site scripting payload in a web server banner.

Any service that fetches websites and displays the server name on a web page (or in any kind of HTML-based client) without proper encoding would be vulnerable to this type of attack, and the attacker may be able to identify where the script is ultimately executed by visitors via the Referer HTTP request header.

One of the above payloads executes a remote script hosted at https://1y.lc/m. This script is presumably the work of a bug bounty hunter, as amongst other things it uses the XSS vulnerability to see whether the site has a security policy hosted at /.well-known/security.txt. If present, these policy files typically instruct researchers how to report security bugs and may also indicate whether any monetary rewards are available.

The much larger script at http://xn--rda.pw, which is loaded by the long obfuscated payload, includes a header comment that says “This is a payload to test for Cross-site Scripting (XSS). It is meant to be used by security professionals and bug bounty hunters.” However, there is nothing to prevent it being used for malicious purposes such as taking screenshots of sensitive data and transmitting them to an attacker.

SQL injection

Possibly inspired by a classic xkcd comic, hundreds of websites return server banners similar to the following:

Whilst seemingly jokey at first, these payloads are overtly malicious and have a clear intent: To delete data by exploiting an SQL injection vulnerability.

If these sites are visited by a web crawler that logs server banners in a database by executing an unsafely constructed SQL statement, the malicious server banners could result in entire database tables being unexpectedly deleted.
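To make that failure mode concrete, here is an added Python example (not code from the article or from Netcraft’s crawler) that stores banners in SQLite two ways: once by splicing the header value into the SQL text, once with a bound parameter. The banner value is constructed in the spirit of the xkcd comic; the article’s real examples are only shown as screenshots.

```python
import sqlite3
from typing import Callable, List, Tuple

# Constructed banner in the spirit of xkcd's "Bobby Tables"; the closing quote
# and parenthesis break out of the string literal a naive INSERT wraps around
# the value, and "--" comments out whatever SQL follows.
BOBBY_BANNER = "nginx'); DROP TABLE banners; --"

Recorder = Callable[[sqlite3.Connection, str, str], None]


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE banners (host TEXT, server TEXT)")
    return conn


def record_unsafe(conn: sqlite3.Connection, host: str, server: str) -> None:
    """The vulnerable pattern: the header value is spliced into the SQL text.

    executescript() stands in for a crawler that batches inserts; it runs every
    statement it is handed, including the attacker's DROP. Python's execute()
    refuses a second statement, which would turn this particular payload into
    an error instead, but that is not a defence: a payload that stays within one
    statement is still interpreted as SQL rather than stored as data.
    """
    sql = f"INSERT INTO banners (host, server) VALUES ('{host}', '{server}');"
    conn.executescript(sql)


def record_safe(conn: sqlite3.Connection, host: str, server: str) -> None:
    """Parameterised statement: the banner is bound as data, never parsed as SQL."""
    conn.execute("INSERT INTO banners (host, server) VALUES (?, ?)", (host, server))


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'banners'"
    ).fetchone()
    return row is not None


def crawl(record: Recorder) -> Tuple[bool, List[Tuple[str, str]]]:
    """Store two banners with the given recorder; report (table survived?, rows)."""
    conn = new_db()
    record(conn, "a.example", "Apache")
    try:
        record(conn, "b.example", BOBBY_BANNER)
    except sqlite3.Error:
        pass                     # a failed insert is not the interesting outcome
    if not table_exists(conn):
        return False, []
    rows = conn.execute("SELECT host, server FROM banners ORDER BY host").fetchall()
    return True, rows


if __name__ == "__main__":
    print("unsafe:", crawl(record_unsafe))
    print("safe:  ", crawl(record_safe))
```

With `record_unsafe` the table is gone after the second banner; with `record_safe` both rows are present and the payload sits harmlessly in the `server` column, quotes and all. The lesson generalises to every sink on this page: the banner is untrusted input, and the boundary that matters is the one between data and code in whatever system consumes it.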

EICAR traps

Dozens of websites include the contents of the EICAR test file in their server banner. This is a benign file that was originally created to test the response of anti-virus software without having to place real malware on a system.

These are other examples of custom server banners that may have been intended as a joke but that could have harmful consequences, such as causing loss of data or a denial of service. When these server headers are written to a log file or database, there’s a slight possibility that anti-virus software might delete or quarantine the server-side data.

YouTube in iframes

Several sites return the following server banner, which embeds a YouTube video in an iframe. It will attempt to autoplay the video on any webpage that shows this server name without encoding it appropriately.

There are no prizes for guessing what the video is, and while you could argue there is no harmful intent behind tricking other websites into unexpectedly playing excellent 80s pop music videos at their visitors, doing so would indicate the presence of an HTML injection vulnerability. Sites that play the video would likely also be vulnerable to stored cross-site scripting attacks.

More than a hundred server banners contain hyperlinks. As these links would never be displayed in the visitor’s browser, this suggests expectations of them eventually ending up being displayed on other websites that do display the banner.

This may not seem a particularly sinister practice at first glance, but being able to plant links on multiple vulnerable sites could have useful applications for black hat search engine optimisation.

Additionally, when a link is clicked on by a visitor, the browser may transmit a Referer header that will reveal the location of the page that contains the hyperlink. As the page bearing the hyperlink is demonstrably vulnerable to HTML injection via a server banner, it is likely to also be vulnerable to cross-site scripting which could give an attacker more powerful opportunities to attack the site’s visitors.
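The XSS payloads, the YouTube iframe and the planted hyperlinks above all rely on the same consuming-side bug: a page that renders the Server header as HTML without encoding it. As an added example, not code from the article, the following Python snippet renders a survey table row both ways and uses the standard library’s HTML parser to show which tags the banner smuggles in. The banner values and URLs are constructed stand-ins for the screenshots the article shows.

```python
import html
from html.parser import HTMLParser
from typing import Dict, List

# Constructed banner values in the shape of the payloads the article describes;
# the URLs are placeholders, not the ones seen in the survey.
SAMPLE_BANNERS = [
    "nginx",
    "Apache/2.4.49",
    '<script src="https://xss.example/m"></script>',
    '<iframe src="https://video.example/embed?autoplay=1"></iframe>',
    '<a href="https://seo.example/">cheap things</a>',
    '"><img src=x onerror=alert(1)>',
]

# The survey page's row template. Any start tag parsed beyond these three came
# from the banner, i.e. is injected markup.
TEMPLATE_TAGS = ["tr", "td", "td"]


def render_row_unsafe(site: str, banner: str) -> str:
    """The vulnerable pattern: the header value is pasted straight into HTML."""
    return f"<tr><td>{site}</td><td>{banner}</td></tr>"


def render_row_safe(site: str, banner: str) -> str:
    """Encode for an HTML text node before interpolating.

    html.escape() with quote=True is correct for text and quoted-attribute
    contexts. It is not sufficient for URL, script or CSS contexts, so a banner
    must never be placed in an href, an event handler or an inline script.
    """
    return (
        f"<tr><td>{html.escape(site, quote=True)}</td>"
        f"<td>{html.escape(banner, quote=True)}</td></tr>"
    )


class _StartTags(HTMLParser):
    """Collects start tags, standing in for the elements a browser would create."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def injected_tags(rendered_row: str) -> List[str]:
    """Start tags in a rendered row that the template did not put there."""
    parser = _StartTags()
    parser.feed(rendered_row)
    parser.close()
    return parser.tags[len(TEMPLATE_TAGS):]


def audit(banners: List[str]) -> Dict[str, List[str]]:
    """For each banner, the tags it smuggles into an unencoded row ([] means none)."""
    return {b: injected_tags(render_row_unsafe("survey.example", b)) for b in banners}


if __name__ == "__main__":
    for banner, tags in audit(SAMPLE_BANNERS).items():
        print(f"{', '.join(tags) or 'clean':<12} {banner}")
    # The encoded rendering never yields an element beyond the template's own.
    assert all(injected_tags(render_row_safe("survey.example", b)) == [] for b in SAMPLE_BANNERS)
```

The audit reports `script`, `iframe`, `a` and `img` for the four hostile banners and nothing for the two ordinary ones, while every encoded row parses back to exactly the template’s three elements. A Content-Security-Policy that disallows inline scripts and third-party frames would blunt the script and iframe payloads as defence in depth, but it does not remove the planted hyperlink, which is why output encoding at the point of display remains the primary fix.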

Fortunately, the significant majority of server banners are neither malicious nor misleading. Market shares of the major server vendors are published monthly in our Web Server Survey, which has been tracking the growth of the web since 1995.
