Obtaining information about the web application frameworks in use is crucial for any attacker. In addition, some vulnerabilities in specific frameworks may give an attacker the needed attack vector.
Security Assessment
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vulnerability Information
Obtaining information about the web application frameworks in use is crucial for any attacker, and some vulnerabilities in specific frameworks may give an attacker the needed attack vector. To complicate the information gathering process for attackers, the web application should not reveal which frameworks it uses, and especially not their versions.
For simplicity, we do not differentiate between framework languages such as PHP, content management systems such as WordPress, and frameworks such as jQuery.
This scanner addresses the OWASP Top 10 vulnerability of "Using components with known vulnerabilities." While it is crucial to make sure you use the latest version of your web application frameworks, it is an added layer of security if you can prevent attackers from knowing which web application framework and version you are running.
Prevention Guides
Use the following guides to check possible sources of web application framework information leakage and remove the information from the delivered websites:
- PHP
- WordPress - powered by
- WordPress - Meta Generator
- General Hints
PHP
PHP advertises its version in an X-Powered-By response header, controlled by a setting in its config file. To disable this, make the following entry in the config file, usually located at /etc/php.ini, and restart the web server or PHP-FPM so the change takes effect:
expose_php = Off
WordPress
WordPress advertises its presence by several means. You should check each of them.
Powered By
WordPress themes usually add a footer that shows something like "Proudly powered by WordPress."
First, check whether your theme has settings for the footer to remove this notice. If so, you will find them in the menu under "Appearances → Themes → Customize." You may see a "Footer Area" or "Copyright Area" option there where you can remove the corresponding code.
If your theme does not come with such settings, you need to edit the theme yourself. Go to "Appearances → Editor → Theme Footer (footer.php)." The code will look something like this:
<?php
/**
 * The template for displaying the footer
 *
 * Contains the closing of the "site-content" div and all content after.
 *
 * @package WordPress
 * @subpackage Twenty_Fifteen
 * @since Twenty Fifteen 1.0
 */
?>
    </div><!-- .site-content -->

    <footer id="colophon" class="site-footer" role="contentinfo">
        <div class="site-info">
            <?php
            /**
             * Fires before the Twenty Fifteen footer text for footer customization.
             *
             * @since Twenty Fifteen 1.0
             */
            do_action( 'twentyfifteen_credits' );
            ?>
            <a href="<?php echo esc_url( __( 'https://wordpress.org/', 'twentyfifteen' ) ); ?>"><?php printf( __( 'Proudly powered by %s', 'twentyfifteen' ), 'WordPress' ); ?></a>
        </div><!-- .site-info -->
    </footer><!-- .site-footer -->
</div><!-- .site -->
<?php wp_footer(); ?>
</body>
</html>
Remove everything in it that reveals the system you use. A sanitized version might look like this:
<?php
/**
 * The template for displaying the footer
 *
 * Contains the closing of the "site-content" div and all content after.
 *
 * @package WordPress
 * @subpackage Twenty_Fifteen
 * @since Twenty Fifteen 1.0
 */
?>
    </div><!-- .site-content -->

    <footer id="colophon" class="site-footer" role="contentinfo">
        <div class="site-info">
            Your footer notice
        </div><!-- .site-info -->
    </footer><!-- .site-footer -->
</div><!-- .site -->
<?php wp_footer(); ?>
</body>
</html>
Meta Generator
WordPress inserts a meta generator tag into your website code. It shows up in the HTML source code as:
<meta name="generator" content="WordPress 4.7.4" />
Disable the meta generator by adding a line to your theme's functions file. Open "Appearances → Editor → Theme Functions (functions.php)" and add:
/**
 * Remove the WordPress meta generator tag from the <head> section.
 */
remove_action( 'wp_head', 'wp_generator' );
General Hints
Search in your web application for the following keywords:
- X-Powered-By
- PoweredBy
- MetaGenerator
- Version
Leaked version information is often found near those keywords. Once you have isolated which framework leaks its version, look for a solution specific to that framework.
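The following added example (not part of the original guide) turns the PHP, WordPress and General Hints checks above into a single offline verification you can run against a saved response: it reports the X-Powered-By header, the WordPress meta generator tag and any "powered by" text in the rendered page, and goes one step beyond the page by also flagging a Server header that carries a version number. The two responses are constructed samples, one before and one after applying the fixes described above.

```python
import re
from html.parser import HTMLParser

# Constructed sample responses (not captured from any real site).
LEAKY_RESPONSE = {
    "headers": {"Content-Type": "text/html; charset=UTF-8",
                "X-Powered-By": "PHP/7.4.3",   # added by PHP while expose_php = On
                "Server": "nginx"},            # no version number: not reported
    "body": '<html><head><meta name="generator" content="WordPress 4.7.4" />'
            '</head><body><footer><div class="site-info">'
            '<a href="https://wordpress.org/">Proudly powered by WordPress</a>'
            '</div></footer></body></html>',
}
HARDENED_RESPONSE = {   # expose_php = Off, wp_generator removed, footer text replaced
    "headers": {"Content-Type": "text/html; charset=UTF-8", "Server": "nginx"},
    "body": '<html><head></head><body><footer><div class="site-info">'
            'Your footer notice</div></footer></body></html>',
}

POWERED_BY_RE = re.compile(r"powered\s+by\s+([A-Za-z][\w.-]*)", re.IGNORECASE)
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")
TAG_RE = re.compile(r"<[^>]+>")


class GeneratorTagParser(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator" and a.get("content"):
            self.generators.append(a["content"])


def find_framework_leaks(headers, body):
    """Return (source, value) pairs for each framework or version leak found."""
    findings = []
    for name, value in headers.items():    # X-Powered-By always; Server only with a version
        lname = name.lower()
        if lname == "x-powered-by" or (lname == "server" and VERSION_RE.search(value)):
            findings.append((f"header:{name}", value))
    parser = GeneratorTagParser()          # meta generator tag
    parser.feed(body)
    findings.extend(("meta-generator", g) for g in parser.generators)
    text = TAG_RE.sub(" ", body)           # "powered by" text, with markup stripped
    findings.extend(("powered-by-text", m.group(1)) for m in POWERED_BY_RE.finditer(text))
    return findings
```

An empty result for a response means none of the three leak sources described on this page is present; a non-empty one names the source so you can pick the matching fix above.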