You will probably find this issue during the manual browsing and spidering phase of your assessment, and when performing the Fingerprint Web Server (Passive) and Fingerprint Web Server (Active) tests.
Burp Suite Example
Nikto Example
Server: Microsoft-IIS/8.5
Retrieved x-aspnet-version header: 2.0.50727
Description
By default, excessive information about the server and frameworks used by the website or web application is returned in the response headers.
These headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers.
Solution
Configuring the application not to return unnecessary headers keeps this information hidden and makes it significantly more difficult to identify the underlying frameworks.
- Remove the X-Aspnet-Version HTTP header
- Remove the X-Powered-By HTTP header
- Remove the X-AspNetMvc-Version HTTP header
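
The first two removals expressed as a web.config fragment for an ASP.NET application hosted on IIS. This is an added example, not configuration from the original page, and it assumes the site has a standard web.config and that these sections are not locked at server level.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Default is enableVersionHeader="true", which makes ASP.NET emit
         X-AspNet-Version (for example the 2.0.50727 value Nikto retrieved). -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- IIS adds "X-Powered-By: ASP.NET" as a server-level custom header;
             <remove> strips the inherited entry for this site. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

X-AspNetMvc-Version has no web.config switch; it is turned off in code by setting `MvcHandler.DisableMvcResponseHeader = true` in `Application_Start`. After deploying, request a page again and confirm that none of the three headers appears in the response.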