Prevent Web Application Framework Information Leakage

Obtaining information about the used web application frameworks is a crucial task for any attacker. There may be vulnerabilities in certain frameworks that give an attacker the needed attack vector.

Security Assessment


CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Vulnerability Information

Because a vulnerability in a specific framework version can give an attacker the attack vector they need, the web application should not reveal which frameworks it uses, and especially not their versions. This makes the information gathering process harder for attackers.

For the sake of simplicity, we do not differentiate at this point between languages such as PHP, content management systems such as WordPress, and frameworks such as jQuery.

This scanner addresses the OWASP Top 10 vulnerability of "Using components with known vulnerabilities". While it is crucial to make sure you use the latest version of your web application frameworks, it is an added layer of security if you can prevent attackers from knowing which web application framework - and which version - you are running.

Guides

Use the following guides to check possible sources of web application framework information leakage and remove the information from the delivered websites:

  • PHP
  • WordPress - powered by
  • WordPress - Meta Generator
  • General Hints

PHP

PHP advertises its version based on a setting in its config file. To disable this behavior, set the following entry in the config file, usually located at /etc/php.ini:

expose_php = Off

WordPress

WordPress advertises its presence by several means. You should check each of them.

Powered By

WordPress themes usually add a footer which shows something like "Proudly powered by WordPress".

To remove this notice, first check whether your theme has settings for the footer. If so, you will find them in the menu under "Appearance → Themes → Customize". You may see a "Footer Area" or "Copyright Area" option there, where you can simply remove the corresponding code.

If your theme does not come with such settings, you need to edit the theme yourself. Go to "Appearance → Editor → Theme Footer (footer.php)". The code will look something like this:

<?php
/**
* The template for displaying the footer
*
* Contains the closing of the "site-content" div and all content after.
*
* @package WordPress
* @subpackage Twenty_Fifteen
* @since Twenty Fifteen 1.0
*/
?>

</div><!-- .site-content -->

<footer id="colophon" class="site-footer" role="contentinfo">
    <div class="site-info">
        <?php
            /**
             * Fires before the Twenty Fifteen footer text for footer customization.
             *
             * @since Twenty Fifteen 1.0
             */
            do_action( 'twentyfifteen_credits' );
        ?>
        <a href="<?php echo esc_url( __( 'https://wordpress.org/', 'twentyfifteen' ) ); ?>"><?php printf( __( 'Proudly powered by %s', 'twentyfifteen' ), 'WordPress' ); ?></a>
    </div><!-- .site-info -->
</footer><!-- .site-footer -->

</div><!-- .site -->

<?php wp_footer(); ?>

</body>
</html>

Remove everything there that reveals which system you are using. A sanitized version might look something like this:

<?php
/**
* The template for displaying the footer
*
* Contains the closing of the "site-content" div and all content after.
*
* @package WordPress
* @subpackage Twenty_Fifteen
* @since Twenty Fifteen 1.0
*/
?>

</div><!-- .site-content -->

<footer id="colophon" class="site-footer" role="contentinfo">
    <div class="site-info">
        Your footer Notice
    </div><!-- .site-info -->
</footer><!-- .site-footer -->

</div><!-- .site -->

<?php wp_footer(); ?>

</body>
</html>

Meta Generator

WordPress inserts a meta generator tag into your website code. It shows up in the HTML source code as:

<meta name="generator" content="WordPress 4.7.4" />

You need to disable the meta generator by adding a function to your theme settings. Open "Appearance → Editor → Theme Functions (functions.php)" and add the following:

/**
* Remove meta generator link
*/
remove_action('wp_head', 'wp_generator');

General Hints

Search in your web application for the following keywords:

  • X-Powered-By
  • PoweredBy
  • MetaGenerator
  • Version

Leaked version information will often be near those keywords. Once you have isolated which framework leaks its version, you can look for a specific solution.
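
To verify the result of the guides above, the following added example (not part of the original guide or of the scanner it describes) checks one HTTP response for the leak sources named on this page: the X-Powered-By header, the meta generator tag and "powered by" footer text. The two sample responses are constructed, and the X-Generator header entry and all function names are assumptions of this example.

```python
"""Check one HTTP response for framework/version leaks (constructed samples)."""
import re
from html.parser import HTMLParser

# X-Powered-By is the page's keyword; X-Generator is an assumption of this example.
LEAKY_HEADERS = {"x-powered-by", "x-generator"}
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")            # e.g. 4.7.4
POWERED_RE = re.compile(r"powered\s*by\s+[\w.\- ]{1,40}", re.IGNORECASE)

class BodyScanner(HTMLParser):
    """Collects <meta name="generator"> values and visible "powered by" text."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):           # also called for <meta ... />
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.findings.append(("meta generator", a.get("content") or ""))

    def handle_data(self, data):
        m = POWERED_RE.search(data)
        if m:
            self.findings.append(("powered-by text", m.group(0).strip()))

def find_leaks(headers, body):
    """Return (source, value, version_disclosed) for every leak in one response."""
    found = [(f"header {k}", v) for k, v in headers.items() if k.lower() in LEAKY_HEADERS]
    scanner = BodyScanner()
    scanner.feed(body)
    scanner.close()
    return [(s, v, bool(VERSION_RE.search(v))) for s, v in found + scanner.findings]

# Constructed responses: before and after applying the guides on this page.
BEFORE_HEADERS = {"Content-Type": "text/html", "X-Powered-By": "PHP/5.6.30"}
BEFORE_BODY = """<html><head><meta name="generator" content="WordPress 4.7.4" /></head>
<body><div class="site-info"><a href="https://wordpress.org/">Proudly powered by WordPress</a>
</div></body></html>"""
AFTER_HEADERS = {"Content-Type": "text/html"}
AFTER_BODY = """<html><head></head>
<body><div class="site-info">Your footer Notice</div></body></html>"""

if __name__ == "__main__":
    for label, h, b in (("before", BEFORE_HEADERS, BEFORE_BODY), ("after", AFTER_HEADERS, AFTER_BODY)):
        leaks = find_leaks(h, b)
        print(label, "-", "no leaks found" if not leaks else "")
        for source, value, versioned in leaks:
            print(f"  {source}: {value!r}" + ("  (version disclosed)" if versioned else ""))
```

Feed it the headers and body of your own pages after each change; an empty result for the "after" response means none of the checked sources is still present.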

For more information about Crashtest Security visit crashtest-security.com/