Author: Security Research Division Date: March 2025 Classification: Technical White Paper Abstract The X-AspNet-Version HTTP response header is emitted by default in many Microsoft ASP.NET deployments, including those running version 4.0.30319 (commonly referred to as ASP.NET 4.x). While not a direct vulnerability, exposure of this header provides attackers with fingerprinting capabilities that accelerate reconnaissance and increase the likelihood of targeted exploitation. This paper details the specific vulnerabilities associated with ASP.NET 4.0.30319 when the header is present, including view state tampering, padding oracle attacks, and information disclosure via stack traces. Mitigation strategies and configuration hardening steps are provided. 1. Introduction ASP.NET 4.0.30319 is a widely used runtime version for web applications on Windows Server infrastructures. By default, IIS adds the X-AspNet-Version header to every HTTP response. For example:
Response.Headers.Remove("X-AspNet-Version"); x-aspnet-version 4.0.3 vulnerabilities
[X-AspNet-Version: 4.0.30319] Stack Trace: [NullReferenceException: Object reference not set to an instance of an object.] MyApp.DataLayer.GetUser(String id) in C:\Projects\MyApp\DataLayer.cs:line 42 A realistic attack scenario using the exposed header: By default, IIS adds the X-AspNet-Version header to
<system.web> <httpRuntime enableVersionHeader="false" /> </system.web> : httpRuntime enableVersionHeader="false" />
POST /default.aspx HTTP/1.1 X-AspNet-Version: 4.0.30319 Content-Type: application/x-www-form-urlencoded __VIEWSTATE=/wEPDwUKLT... (malicious Base64 blob)
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)