Search code examples
activemq-classicstompowasp

How to hide ActiveMQ broker version in STOMP CONNECTED server header?

I want to fulfill OWASP ASVS 14.3.3 requirement, which stands:

14.3.3 Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of system components.

For ActiveMQ broker. I have a problem with STOMP protocol CONNECTED message which looks like this:

CONNECTED
server:ActiveMQ/5.15.9
heart-beat:0,10000
session:ID:localhost.local-36323-1578488170638-3:15
version:1.2
user-name:user@example.com

And reveal(to hypothetical evil one) my ActiveMQ broker version So my question is how to hide whole server header or if it is not possible maybe its version part.

Solution

  • This can be done by little hacking

    1. As header server is set by constant BROKER_VERSION in code here
    2. And the value of constant BROKER_VERSION is read here from classpath location /org/apache/activemq/version.txt
    3. We have to override the content of /org/apache/activemq/version.txt which surprisingly reside in activemq-client