“I often regret that I have spoken; never
that I have been silent.” - Publilius Syrus
The first step in a planned attack on your website
is the gathering of information about the site, in order to
formulate a plan of attack. Obviously, one of the most effective
ways to protect your website is to reveal as little information
about your website as possible.
Here are some tips to minimise the amount
of information your website reveals about itself.
1. Deny directory listings.
Unless you are running a ftp site, your users
do not need to view the contents of a directory on your website.
Exposing the directory structure and list of files to Internet
users is unnecessary and can give a hacker valuable information
about your website.
What you need to do: With the appropriate
entry in your Web Server configuration file, you should be
able to disable directory listings. Consult your Web Server
documentation for the syntax.
2. Avoid revealing file names and directory
structure in HTML comments.
Too often, HTML comments hanging around from
the development days reveal enough information for a malicious
user to piece together the directory structure and list of
files in the directories.
What you need to do: Remove all comments
that reveal unnecessary information like file names, directory
structure or other sensitive information. You may be able
to suppress comments by an application-level configuration
setting, if the application you are running supports it.
3. Minimise the information sent out in
A simple tool to view what information your
server HTTP headers reveal is Lynx. Run “lynx –head
http://your-server” to see what your HTTP headers contains.
Do they reveal the server build number or the SSL version?
Once a hacker has this information, it is fairly trivial to
identify the vulnerabilities in the product. For example,
Apache 2.0.52 is vulnerable to DOS attacks via a HTTP GET
request with a MIME header containing multiple lines with
a large number of space characters. If your HTTP header announces
that you are running “Apache/2.0.52”, you are
practically telling a malicious user how to launch a DOS attack
on your website.
What you need to do: Minimise the verbosity
of HTTP headers by an appropriate setting in your Server configuration
file. Consult your Web Server documentation for the syntax.
In Apache, set the ServerTokens parameter in httpd.conf to
4. Customise your error responses.
In case of an error, redirect the user to
a pre-defined error page. Not only is this an elegant way
to handle errors, it may avoid the display of an error message
that reveals sensitive information. For example, if a jsp
page being invoked encounters an Exception, it outputs a stack
trace that may reveal file names and locations. Setting up
an error response to serve up an error page instead, will
prevent this information from being visible to the user.
What you need to do: Customise error
responses by making an appropriate entry in your Web Server
configuration file. Consult your Web Server documentation
for the syntax
5. Minimise published site information.
If your website has a “Site Information”
or “About This Site” page, keep the technical
details on this page to the minimum. Does the user really
need to know the version of Web Server you are using, or the
platform your website runs on? Are you revealing information
that may help a hacker plan an attack on your website?
What you need to do: Avoid mentioning
product names and versions, operating system information,
etc on your website. Instead, provide an email address where
users can contact the administrator for details, which may
be revealed on a need-to-know basis.
Remember, knowledge is power, and more so
in the hands of a malicious user. Every superfluous piece
of information your website reveals about itself makes it
more vulnerable to attack.
DISCLAIMER: This article
does not suggest that minimising the verbosity of a website
is an alternative to the usual security measures employed
(firewalls, intrusion detection, logfile analysis, etc.)
About the Author:
Deepak Extross is a software developer at ISM Consulting
Asia Pacific Pty. Ltd, based in Canberra, Australia. He is
a Sun Certified Java Programmer and is currently acquiring
a Graduate Diploma in Information Security and Intelligence.
Deepak can be contacted at firstname.lastname@example.org