Prevent Web Application Framework Information Leakage

Obtaining information about the used web application frameworks is a crucial task for any attacker. There may be vulnerabilities in certain frameworks that give an attacker the needed attack vector.

Security Assessment


CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Vulnerability Information

Known vulnerabilities in a particular framework version give an attacker a ready-made attack vector. To make the attacker's information gathering harder, the web application should not reveal which frameworks it uses, and especially not their versions.

For simplicity, this page does not distinguish between programming languages such as PHP, content management systems such as Wordpress, and frameworks such as jQuery.

This scanner addresses the OWASP Top 10 vulnerability of "Using components with known vulnerabilities". While it is crucial to make sure you use the latest version of your web application frameworks, it is an added layer of security if you can prevent attackers from knowing which web application framework - and which version - you are running.

Guides

Use the following guides to check possible sources of web application framework information leakage and remove the information from the delivered websites:

  • PHP
  • Wordpress - powered by
  • Wordpress - Meta Generator
  • General Hints

PHP

PHP advertises its version because of a setting in its configuration file. To disable this behaviour, make the following entry in the configuration file, which is usually located at /etc/php.ini:

Configuration snippet (shown as an image on the original page): https://github.com/crashtest-security/gist/blob/master/fingerprinting/php

Wordpress

Wordpress advertises its presence by several means. You should check each of them.

Powered By

Wordpress themes usually add a footer which shows something like "Proudly powered by Wordpress".

To remove this notice, first check whether your theme has settings for the footer. If so, you will find them in the menu under "Appearances → Themes → Customize". There may be a "Footer Area" or "Copyright Area" option where you can simply remove the corresponding text.

If your theme does not come with such settings, you need to edit the theme yourself. Go to "Appearances → Editor → Theme Footer (footer.php)". The code will look something like this:

Original footer code (shown as an image on the original page): https://github.com/crashtest-security/gist/blob/master/fingerprinting/wp_powered_by_orig

Remove everything there that reveals which system you use. A sanitized version might look like this:

Sanitized footer code (shown as an image on the original page): https://github.com/crashtest-security/gist/blob/master/fingerprinting/wp_powered_by_sanitized

Meta Generator

Wordpress inserts a meta generator tag into your pages. It shows up in the HTML source code as:

Meta generator tag (shown as an image on the original page): https://github.com/crashtest-security/gist/blob/master/fingerprinting/wp_meta

Disable the meta generator by adding a function call to your theme's functions file. Open "Appearances → Editor → Theme Functions (functions.php)" and add:

Code to remove the meta generator (shown as an image on the original page): https://github.com/crashtest-security/gist/blob/master/fingerprinting/wp_remove_meta
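The following is an added example, not the contents of the gist linked above and not code from Crashtest Security or the WordPress project. It uses standard WordPress hooks that exist in core (`remove_action`, `add_filter`, `remove_query_arg`, the `wp_head`, `the_generator`, `script_loader_src` and `style_loader_src` hooks); the function name `example_strip_asset_version` is my own. The third step goes beyond the page's meta-generator advice: it also strips the `?ver=` query string WordPress appends to enqueued scripts and stylesheets, which by default carries the WordPress core version and would show up under the "Version" keyword in the General Hints below.

```php
<?php
// Added example for the active theme's functions.php (or a must-use plugin).
// Not taken from the Crashtest Security gist; it relies on standard WordPress hooks.

// 1. Stop wp_head from printing <meta name="generator" content="WordPress x.y" />.
//    wp_generator is hooked to wp_head by WordPress core at the default priority.
remove_action('wp_head', 'wp_generator');

// 2. Also blank the generator string in RSS/Atom feeds, which goes through the
//    'the_generator' filter rather than through wp_head.
add_filter('the_generator', '__return_empty_string');

// 3. Strip the ?ver=<version> query string from enqueued asset URLs.
//    Assumption: no plugin depends on reading that query string back.
function example_strip_asset_version($src)
{
    if (is_string($src) && strpos($src, 'ver=') !== false) {
        return remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'example_strip_asset_version', 15);
add_filter('style_loader_src', 'example_strip_asset_version', 15);
```

Stripping `?ver=` also removes the cache-busting token WordPress uses, so browsers and CDNs may keep serving stale assets after a core or plugin update until their caches expire; if that matters for your site, substitute a hash of the file contents for the version rather than dropping the parameter entirely.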

General Hints

Search in your web application for the following keywords:

  • X-Powered-By
  • PoweredBy
  • MetaGenerator
  • Version

Leaked version information is usually found near those keywords. Once you have isolated which framework leaks its version, you can look for a framework-specific fix.
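As an added example of the search the General Hints describe (my own code, not a Crashtest Security tool), the PHP script below inspects a response's headers and HTML for the keywords listed above plus two related patterns: `<meta name="generator">` tags and `?ver=` query strings on asset URLs. The response it inspects is constructed inline so the script runs offline; to check a live site, pass it the headers and body captured by your own HTTP client. The `X-Powered-By: PHP/...` header in the sample is the one that the `expose_php` directive in php.ini controls (`expose_php = Off` suppresses it).

```php
<?php
// Added example (not from the Crashtest Security page or its gists): report
// framework fingerprints in an HTTP response. The sample response is constructed.

declare(strict_types=1);

/**
 * Return a list of [location, evidence] pairs for every framework leak found
 * in the given response headers (name => value) and HTML body.
 */
function find_framework_leaks(array $headers, string $html): array
{
    $findings = [];

    // 1. X-Powered-By header: PHP emits "PHP/<version>" here when expose_php=On.
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'X-Powered-By') === 0) {
            $findings[] = ['header X-Powered-By', $value];
        }
    }

    // 2. <meta name="generator" ...> tags (WordPress prints one by default).
    if (preg_match_all('/<meta[^>]+name=["\']generator["\'][^>]*>/i', $html, $m)) {
        foreach ($m[0] as $tag) {
            $findings[] = ['meta generator', $tag];
        }
    }

    // 3. "Powered by" / "PoweredBy" / "powered-by" notices in the markup.
    if (preg_match_all('/powered[ -]?by[^<]{0,80}/i', $html, $m)) {
        foreach ($m[0] as $text) {
            $findings[] = ['powered-by notice', trim($text)];
        }
    }

    // 4. Version query strings (?ver=...) on script and stylesheet URLs.
    if (preg_match_all('/(?:src|href)=["\']([^"\']*[?&]ver=[^"\'&]+)["\']/i', $html, $m)) {
        foreach ($m[1] as $url) {
            $findings[] = ['asset version string', $url];
        }
    }

    return $findings;
}

// Constructed sample response; the version numbers are made up for the example.
$sampleHeaders = [
    'Content-Type' => 'text/html; charset=UTF-8',
    'X-Powered-By' => 'PHP/7.4.3',
];
$sampleHtml = <<<'HTML'
<html><head>
<meta name="generator" content="WordPress 5.4" />
<link rel="stylesheet" href="/wp-content/themes/example/style.css?ver=5.4" />
</head><body>
<footer>Proudly powered by WordPress</footer>
</body></html>
HTML;

foreach (find_framework_leaks($sampleHeaders, $sampleHtml) as [$where, $evidence]) {
    printf("%-22s %s\n", $where . ':', $evidence);
}
```

Run it with `php leakcheck.php` (any file name works). On the constructed sample it reports four findings: the X-Powered-By header, the meta generator tag, the "powered by WordPress" footer text, and the `?ver=5.4` stylesheet URL. After the fixes described on this page, a hardened site's response should produce no output at all.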

For more information about Crashtest Security visit crashtest-security.com/