
Is it dangerous from a security perspective to put a line at the bottom of a website saying "Powered by Wordpress/Drupal/Django/WHATEVER"? I know that certain platforms/applications have different security vulnerabilities that are more common/easily exploited. Knowing the ins and outs of a platform would definitely direct any searches for a vulnerability.

I'm not sure if this falls under "security by obscurity", but I also think not having that tag may increase the level of effort for a potential attacker.

From a security perspective what would you advise a webapp programmer?

AviD
KDEx

1 Answer


In some circumstances, hiding software identifying information can be considered beneficial to the overall system's security, by not exposing it to the risk of being targeted by 0-day exploits, or by not making it generally easier for the attacker to find possible exploits without doing much research on what software he should target, and increasing his chances of being exposed in the process.

Scanning for banners (as these signatures are sometimes called by attackers) can be difficult to detect if the software itself doesn't make it trivial for the attacker to collect them, so removing any such signatures or changing them to arbitrary non-identifying values is often recommended, for example on web server software (Apache, IIS, ...) that might by default publish even what operating system it's running on.

In your case however, discovering what web framework some website is based on (especially the most common ones, like the ones you mention) is fairly trivial by simply inspecting the response HTML / CSS / JS for signs of the common building blocks these frameworks rely on (and sometimes even by what domain or web hosting server they're published on), so I wouldn't really say you'd be hiding essential information that is otherwise impossible to determine by other means. Adding or removing a "Powered by..." line in / from your response footer (or anywhere else) in my opinion doesn't change a thing for the high-level software stack (but you might want to omit what OS it's running on, etc.).

Most websites built on such frameworks will be far more at risk of being targeted by automated web bots looking to inject malicious code through commonly known exploits, regardless of whether your website is built on this or that framework / CMS / whatsitcalled, not even bothering to look at your signature information. And more targeted attacks really won't have a hard time figuring out what underlying framework it's built on. You would be by far better off "obfuscating" paths to your CMS, and focusing your attention on hardening web application security by running vulnerability scanners on it yourself and eliminating any potential vulnerabilities they come up with, for example.

TildalWave
  • But be careful with a version number in the banner: "Powered by Wordpress version v1.2" is much more revealing than simply the framework used. That way an attacker can easily find out if you applied the latest security patches. – Jeff Jul 06 '13 at 09:13
  • @Jeff - Cheers! I forgot to mention that, and it is true: you don't want anyone to know you're not using the latest versions and make it as easy for them to find exploits as browsing through the published changes and reasons for them in security updates. It's not the best way to advertise your platform's capabilities either, if it's not updated regularly, so it would probably be best to simply leave that information out. :) – TildalWave Jul 06 '13 at 14:29
  • @TildalWave, However, isn't this sort of like the frowned-upon "security by obscurity"? – Pacerier May 05 '15 at 04:56
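The answer's point that a framework is identified by its default artifacts rather than by a footer line, and the comments' point about version disclosure, can both be shown with a small fingerprinting script. The example below is added here and is not part of the original question, answer or comments; the HTTP responses it inspects are constructed samples, not captures from any real site, and the `powered` class name on the footer paragraph is an assumption made so the footer can be stripped. The paths, cookie names and headers it matches on are defaults that WordPress, Drupal and Django ship with.

```python
import re

# Constructed sample responses (not captured from any real site). The
# WordPress one carries the "Powered by" footer the question asks about,
# in a <p class="powered"> element (an assumption made for this example).
SAMPLE_WORDPRESS = {
    "headers": {
        "Server": "Apache/2.4.29 (Ubuntu)",
        "X-Powered-By": "PHP/7.2.24",
        "Link": '<https://example.test/wp-json/>; rel="https://api.w.org/"',
    },
    "body": """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 4.9.8" />
<link rel="stylesheet" href="/wp-content/themes/twentyseventeen/style.css?ver=4.9.8" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body><p>Hello</p>
<p class="powered">Powered by WordPress</p>
</body></html>""",
}

SAMPLE_DJANGO = {
    "headers": {"Server": "nginx", "Set-Cookie": "csrftoken=abc123; Path=/"},
    "body": """<form method="post" action="/login/">
<input type="hidden" name="csrfmiddlewaretoken" value="xyz" />
<link rel="stylesheet" href="/static/admin/css/base.css" />
</form>""",
}

SAMPLE_DRUPAL = {
    "headers": {"Server": "Apache", "X-Generator": "Drupal 7 (http://drupal.org)"},
    "body": """<script src="/sites/default/files/js/js_abc.js"></script>
<script src="/misc/drupal.js"></script>""",
}

# Framework signatures: (framework, where to look, regex). These are default
# paths, markup and cookie names; none of them depend on any footer text.
SIGNATURES = [
    ("WordPress", "body", re.compile(r"/wp-(content|includes)/")),
    ("WordPress", "body", re.compile(r'<meta name="generator" content="WordPress')),
    ("WordPress", "header:Link", re.compile(r"/wp-json/")),
    ("Drupal", "body", re.compile(r"/sites/(default|all)/|/misc/drupal\.js")),
    ("Drupal", "header:X-Generator", re.compile(r"Drupal")),
    ("Django", "body", re.compile(r'name="csrfmiddlewaretoken"')),
    ("Django", "header:Set-Cookie", re.compile(r"\bcsrftoken=")),
]

# Version disclosures: the part the comments warn about. A framework name is
# cheap to learn; an exact version tells the attacker which patches you lack.
VERSION_PATTERNS = [
    ("generator meta", "body", re.compile(r'content="(WordPress|Drupal) [\d.]+"')),
    ("asset ?ver=", "body", re.compile(r"[?&]ver=[\d.]+")),
    ("Server header", "header:Server", re.compile(r"[A-Za-z-]+/[\d.]+")),
    ("X-Powered-By", "header:X-Powered-By", re.compile(r"[A-Za-z-]+/[\d.]+")),
    ("X-Generator header", "header:X-Generator", re.compile(r"Drupal [\d.]+")),
]


def _field(resp, where):
    """Select the response body or a named header ("header:Name") to scan."""
    if where == "body":
        return resp["body"]
    return resp["headers"].get(where.split(":", 1)[1], "")


def fingerprint(resp):
    """Return the set of frameworks whose default artifacts appear in the response."""
    return {name for name, where, rx in SIGNATURES if rx.search(_field(resp, where))}


def version_leaks(resp):
    """Return (source, leaked string) for every version disclosure found."""
    return [
        (source, m.group(0))
        for source, where, rx in VERSION_PATTERNS
        for m in rx.finditer(_field(resp, where))
    ]


def without_powered_by(resp):
    """The same response with the 'Powered by ...' footer removed, as the question proposes."""
    body = re.sub(r'<p class="powered">Powered by [^<]*</p>\n?', "", resp["body"])
    return {"headers": resp["headers"], "body": body}


if __name__ == "__main__":
    for label, resp in [("WordPress", SAMPLE_WORDPRESS), ("Django", SAMPLE_DJANGO),
                        ("Drupal", SAMPLE_DRUPAL)]:
        print(label, "->", sorted(fingerprint(resp)), version_leaks(resp))
    # Removing the footer changes nothing for the fingerprint.
    print("WordPress without footer ->", sorted(fingerprint(without_powered_by(SAMPLE_WORDPRESS))))
```

Run against the WordPress sample, the framework is identified three times over (asset paths, generator meta tag, `wp-json` Link header) whether or not the footer is present, while the `?ver=`, `Server` and `X-Powered-By` values give away exact versions of the CMS, PHP and Apache. That second list is where effort pays off: `ServerTokens Prod` and `ServerSignature Off` in Apache, `server_tokens off;` in nginx, `expose_php = Off` in php.ini, and dropping the generator meta tag, none of which has anything to do with the footer line.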