CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Obtaining information about the web application frameworks in use is a crucial task for any attacker. There may be vulnerabilities in certain frameworks that give an attacker the needed attack vector. To complicate the information gathering process for attackers, the web application should not provide information about the frameworks it uses, especially their versions.
For the sake of simplicity, we do not differentiate at this point between languages such as PHP, content management systems such as WordPress, or frameworks such as jQuery.
This scanner addresses the OWASP Top 10 vulnerability of "Using components with known vulnerabilities". While it is crucial to make sure you use the latest version of your web application frameworks, it is an added layer of security if you can prevent attackers from knowing which web application framework - and which version - you are running.
Use the following guides to check possible sources of web application framework information leakage and remove the information from the delivered websites:
PHP advertises its version based on a setting in its config file. To disable this function, make the following entry in the config file usually located at
WordPress advertises its presence by several means. You should check each of them.
WordPress themes usually add a footer which shows something like "Proudly powered by WordPress".
To remove this notice, first check whether your theme has settings for the footer. If so, you will find them in the menu under "Appearance → Themes → Customize". You may see a "Footer Area" or "Copyright Area" option there where you can simply remove the corresponding code.
If your theme does not come with such settings, you need to edit the theme yourself. Go to "Appearance → Editor → Theme Footer (footer.php)". The code will look something like this:
Remove all information there that reveals which system you use. A sanitized version might look something like:
WordPress inserts a meta generator tag into your website code. It shows up in the HTML source code as:
You need to disable the meta generator by adding a function to your theme settings. Open "Appearance → Editor → Theme Functions (functions.php)". There add:
Search in your web application for the following keywords:
Leaked version information will often be near those keywords. Once you have isolated which framework leaks its version, you can look for a specific solution.
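One way to verify the fixes above against a response from your own site, as an added example that is not part of the original guide: it checks the response headers, the meta generator tag and the "powered by" footer for framework banners. The function name `find_leaks`, the header list and the sample responses are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Response headers that commonly carry framework banners (assumed list).
BANNER_HEADERS = ("x-powered-by", "x-generator")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")
# "powered by", optionally followed by tags such as a link, then a product name.
FOOTER_RE = re.compile(r"powered by\s+(?:<[^>]+>\s*)*([A-Za-z][\w.-]*)", re.I)

class _GeneratorFinder(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""
    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))

def find_leaks(headers, body):
    """Return (source, value, has_version) for each banner found."""
    findings = []
    for name, value in headers.items():
        if name.lower() in BANNER_HEADERS:
            findings.append((f"header:{name}", value, bool(VERSION_RE.search(value))))
    finder = _GeneratorFinder()
    finder.feed(body)
    for content in finder.generators:
        findings.append(("meta:generator", content, bool(VERSION_RE.search(content))))
    for match in FOOTER_RE.finditer(body):
        findings.append(("footer", match.group(1), False))
    return findings

# Constructed sample responses, not captured from a real site.
LEAKY_HEADERS = {"Content-Type": "text/html", "X-Powered-By": "PHP/7.4.3"}
LEAKY_BODY = """<html><head><meta name="generator" content="WordPress 5.8.1" />
</head><body><footer>Proudly powered by <a href="#">WordPress</a></footer></body></html>"""
CLEAN_HEADERS = {"Content-Type": "text/html"}
CLEAN_BODY = "<html><head><title>Blog</title></head><body><footer>Example</footer></body></html>"

if __name__ == "__main__":
    for source, value, versioned in find_leaks(LEAKY_HEADERS, LEAKY_BODY):
        print(f"{source:22} {value!r} version={versioned}")
```

An empty result for a page after the changes means none of these three sources still advertises the framework; other sources, such as script file names, are not covered.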