12

Many automatic security scanners have built-in rules that alert on the presence of a software version, and in many security lists version exposure to an arbitrary person accessing the system is mentioned as one of the security problems.

So my question is: is it a real problem, and does hiding the version add anything real to the security?

The arguments for it say that hiding the version makes it harder to use targeted exploits; however, most attackers now have automated exploit kits which take no time to run hundreds of exploit attempts against the target, so the difference is next to zero for an informed attacker. And one that is not informed will not know how to use the version information. Hiding versions also makes it harder to self-scan for left-behind vulnerable installations.

I also see that this practice is widely ignored - for example, the very OWASP page that describes this as a security technique openly displays the versions of the server software (OS, Apache, PHP) and the wiki software. But even if you try to hide it, most web applications - especially complex ones - are easily versioned by fingerprinting the various content they generate.

So is it worth hiding the version for a web application? Or for any application/OS/platform at all?

StasM

5 Answers

11

The problem with security by obscurity is when you depend on obscurity to get security. If that's your only or main form of defense, you have a problem.

With that said, obscurity can add security to a system already using better strategies for security. There is no reason to expose that information, so you should not. It's useful information for an attacker, so you should certainly hide it whenever possible. The problem is when you start thinking along the lines of "well I hide this information, so no attacker can find out and use it to attack my system, so I'm safe."

Your system should be secure regardless of whether that information stays secret or not, but you shouldn't do the attackers any favors by releasing it.

Oleksi
  • As I said, one of the reasons to expose it may be so you could have automated tools to inventory your systems and alert you about old versions being left behind. So there are reasons :) What I'm asking is why everybody places this on the vulnerabilities lists together with real issues (like XSS, XSRF, etc.) as if it by itself could have any influence on your security. – StasM May 08 '12 at 03:36
  • I think it's because knowing the version of the software often leads to many other attacks. Many (many many) attacks are executed because systems aren't using up to date software, and knowing what version a system is running gives the attacker this information. Gives them a solid place to start launching attacks. – Oleksi May 08 '12 at 06:19
  • But if you have a set of exploits, why wouldn't you just launch all of them? It'll take you probably 5-10 seconds for all (99% of exploits take one request to execute), so why rely on the version and limit your potential list? Are there any data that point to attackers really relying on versions in the field? I regularly have ancient exploits tried on my servers, but this of course is anecdotal. – StasM May 09 '12 at 06:28
  • @StasM - I don't think anyone is arguing against *you* having access to knowing the version information of all parts of your application. But that doesn't mean you should generally be broadcasting it to the world at large. – dr jimbob May 09 '12 at 15:46
5

Security by obscurity is good for defense in depth; it is not good as the sole/primary mode of defense or when the obscurity interferes with normal operations.

If a 0-day vulnerability comes out for your application and you advertise your application/version number everywhere (e.g., in google searches, in HTTP response header 'Server: nginx 0.7.1'), you make it trivial for attackers aware of the new vulnerability to find your site and attempt to exploit it, before you have had time to apply a security patch. If you don't give this information (or other error messages), they will have to either guess your application's identity/version by features (and obscure feature checks in principle could tip off programs like fail2ban to an on-going attack) or try every known exploit for every possible application/version combination. This is much more cumbersome for the attacker.

Yes, it's best to keep your application software up to date with all security patches; but in the real world this often lags. Don't give out unnecessary debugging information once an application goes live (though while debugging it's probably helpful to leave the information available to you).

dr jimbob
  • 0days by definition mean it doesn't matter if you're on the latest version or not. – jldugger May 19 '12 at 03:12
  • @jldugger - agree; my language was sloppy/confusing. Basically meant that a 0-day comes out, some people start trying to patch it and some people start trying to exploit it. Even if a workaround (disable the vulnerable feature; migrate to an older version) or security patch comes out for the vulnerability (and it stops being a 0-day) you may not have time to roll out the fix, and it's in your best interest not to advertise you are still vulnerable. – dr jimbob May 19 '12 at 04:19
1

When a useful vulnerability comes out in a popular web application, an attacker is going to use Google Hacking (sometimes called a Google dork) to obtain a list of everyone running that software. Although this Google hack could contain the version number, something as simple as "Powered By Wordpress" is usually enough. Why check the version number, when you could just fire off the exploit and see if it succeeds?

So obscuring the version number isn't as important as obscuring the application itself.

rook
  • You can easily recognize an app powered by Wordpress without needing any "powered by" - Wordpress has a very specific structure of URLs, probably indexed by Google: wp-content, wp-includes, wp-login, etc. – StasM May 08 '12 at 03:35
  • @StasM Oh, you're totally correct, and that can be fixed with mod_rewrite. – rook May 08 '12 at 17:53
  • You can; I never saw that done in practice though. – StasM May 09 '12 at 06:29
1

This is (not very much) security by obscurity.

Script kiddies / worms won't bother checking banners before launching attacks. IME, it's also relatively simple to identify different vendors and releases of server software which do not return banner information (by mapping out responses to less common features and error conditions). About the only threat model it does provide any protection from is where the attacker is using a third-party search engine to identify targets - however, most search engines don't index banner info, and there's often a lot of information just in the URLs.

symcbean
1

Let's look at 2 scenarios. In both of them the version is vulnerable to an exploit (0-day or not patched).

Attacker knows the version. The attacker goes to your site and after a simple check (looking at HTTP headers, googling, looking at error messages...) finds out that you run this version. Then he finds an exploit for it and runs only this one exploit. As a result your system is compromised. Only one exploit has been run and therefore the chance that an IDS will detect the attack isn't large. It will also be harder to find the attacker by looking at logs, as there was not so much malicious activity to be detected.

Attacker doesn't know the version. The attacker goes to the site and can't find out the version. So he can't run only one exploit. He has to run plenty of them. This activity is likely to be detected and logged, and his IP will likely be blocked by the IDS. Your system won't be compromised because you forced the attacker to run plenty of exploits instead of only one.

Andrei Botalov
  • The way you described it - all the thinking, checking and doing by the attacker - seems a lot more work than simply running all the automated exploits against the server to see if any work. Do you really expect attackers to try and match exploits to software versions? Seems unlikely, to me. – HappyDog Jun 15 '21 at 15:43
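Andrei's second scenario, and dr jimbob's remark that a spray of attempts can tip off a tool like fail2ban, as an added example that is not from this thread: a Python detector over a constructed access log (addresses and paths are made up) that flags a client requesting many distinct non-existent or forbidden paths inside a short window, which is the log footprint of "running plenty of exploits" rather than one targeted request. The window and threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format access log (addresses and paths are made up):
# 203.0.113.7 sprays requests for several applications it has not identified,
# 198.51.100.20 is an ordinary visitor who follows one stale link.
SAMPLE_LOG = """\
203.0.113.7 - - [09/May/2012:06:28:01 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.7 - - [09/May/2012:06:28:02 +0000] "GET /wp-login.php HTTP/1.1" 404 210
203.0.113.7 - - [09/May/2012:06:28:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
203.0.113.7 - - [09/May/2012:06:28:03 +0000] "GET /admin/config.php HTTP/1.1" 404 210
203.0.113.7 - - [09/May/2012:06:28:03 +0000] "POST /cgi-bin/test.cgi HTTP/1.1" 404 210
203.0.113.7 - - [09/May/2012:06:28:04 +0000] "GET /xmlrpc.php HTTP/1.1" 404 210
198.51.100.20 - - [09/May/2012:06:30:10 +0000] "GET /index.php HTTP/1.1" 200 5123
198.51.100.20 - - [09/May/2012:06:30:12 +0000] "GET /old-link HTTP/1.1" 404 210
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+')
MISS_STATUSES = (403, 404)  # what a guessed URL typically gets back


def parse_line(line):
    """Return (ip, timestamp, path, status), or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def find_probing_ips(log_text, window=timedelta(seconds=60), min_distinct_misses=4):
    """Return {ip: sorted paths} for clients that requested at least
    min_distinct_misses distinct paths answered with MISS_STATUSES within one
    sliding window of length `window` (both thresholds are assumed values)."""
    misses = defaultdict(list)  # ip -> [(timestamp, path)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] in MISS_STATUSES:
            misses[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            paths = {path for ts, path in events[i:] if ts - start <= window}
            if len(paths) >= min_distinct_misses:
                flagged[ip] = sorted(paths)
                break
    return flagged
```

A single well-aimed request in Andrei's first scenario never crosses this threshold, which is exactly the detection gap he describes; the spray in the second scenario does.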