The first step in a planned attack on your website is gathering information about the site in order to formulate the plan of attack. It follows that one of the most effective ways to protect your website is to reveal as little information about it as possible.
Here are some tips to minimise the amount of information your website reveals about itself.
1. Deny directory listings.
Unless you are running an FTP site, your users do not need to view the contents of a directory on your website. Exposing the directory structure and list of files to Internet users is unnecessary and can give a hacker valuable information about your website.
What you need to do: With the appropriate entry in your Web Server configuration file, you should be able to disable directory listings. Consult your Web Server documentation for the syntax.
2. Avoid revealing file names and directory structure in HTML comments.
Too often, HTML comments left over from the development days reveal enough information for a malicious user to piece together the directory structure and the list of files in those directories.
What you need to do: Remove all comments that reveal unnecessary information like file names, directory structure or other sensitive information. You may be able to suppress comments by an application-level configuration setting, if the application you are running supports it.
3. Minimise the information sent out in HTTP headers.
A simple tool to view what information your server's HTTP headers reveal is Lynx. Run "lynx -head http://your-server" to see what your HTTP headers contain. Do they reveal the server build number or the SSL version? Once a hacker has this information, it is fairly trivial to identify the vulnerabilities in the product. For example, Apache 2.0.52 is vulnerable to DoS attacks via an HTTP GET request with a MIME header containing multiple lines with a large number of space characters. If your HTTP header announces that you are running "Apache/2.0.52", you are practically telling a malicious user how to launch a DoS attack on your website.
What you need to do: Minimise the verbosity of HTTP headers by an appropriate setting in your Server configuration file. Consult your Web Server documentation for the syntax.
In Apache, set the ServerTokens directive in httpd.conf to "Prod".
4. Customise your error responses.
In case of an error, redirect the user to a pre-defined error page. Not only is this an elegant way to handle errors, it may avoid the display of an error message that reveals sensitive information. For example, if a JSP page being invoked encounters an Exception, it outputs a stack trace that may reveal file names and locations. Setting up an error response to serve up an error page instead will prevent this information from being visible to the user.
What you need to do: Customise error responses by making an appropriate entry in your Web Server configuration file. Consult your Web Server documentation for the syntax.
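A way to check your own site for the disclosures tips 1 to 4 describe, as an added example written for this post rather than taken from it: the function audits one raw HTTP response for a version-bearing Server header, platform headers, a directory listing, HTML comments that name paths or files, and stack traces. Both responses are constructed samples, not captures from a real server, and the regular expressions are heuristics, so treat a finding as something to look at rather than proof of a leak.

```python
import re

# Constructed sample responses (not captured from any real server). The first shows the
# disclosures tips 1 to 4 warn about: verbose Server header, directory listing, comment, trace.
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.0.52 (Unix) mod_ssl/2.0.52 OpenSSL/0.9.7\r\n"
    "X-Powered-By: PHP/5.2.1\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>Index of /backup</title></head>\n"
    "<!-- TODO: remove old admin scripts in /cgi-bin/admin/ -->\n"
    "<body>java.lang.NullPointerException\n"
    "\tat com.example.Page._jspService(Page.jsp:42)</body></html>"
)
# The same server after ServerTokens Prod, no listings and a custom error page.
HARDENED_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body>Something went wrong. Contact webmaster@example.com.</body></html>"
)
VERSION = re.compile(r"[A-Za-z_-]+/\d+(\.\d+)*")              # e.g. Apache/2.0.52
PATH_OR_FILE = re.compile(r"(/[\w.-]+)+|\b\w+\.(php|jsp|asp|cgi|bak)\b")
STACK_FRAME = re.compile(r"\bat [\w.$]+\([\w.]+:\d+\)")      # Java/JSP stack frame

def split_response(raw):
    # Split a raw HTTP response into {lower-cased header: value} and the body.
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:                      # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def audit_response(raw):
    # Return one finding string per disclosure spotted in the response.
    headers, body = split_response(raw)
    findings = []
    server = headers.get("server", "")
    if VERSION.search(server):
        findings.append("Server header reveals versions: " + server)
    if "x-powered-by" in headers:
        findings.append("X-Powered-By reveals the platform: " + headers["x-powered-by"])
    if re.search(r"<title>\s*Index of /", body, re.I):
        findings.append("body is a directory listing")
    for comment in re.findall(r"<!--(.*?)-->", body, re.S):
        if PATH_OR_FILE.search(comment):
            findings.append("HTML comment names a path or file:" + comment.rstrip())
    if STACK_FRAME.search(body):
        findings.append("body contains a stack trace")
    return findings
```

Feed it the output of a HEAD or GET request against your own server; an empty list for the hardened sample is the target for every page you check.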
5. Minimise published site information.
If your website has a “Site Information” or “About This Site” page, keep the technical details on this page to the minimum. Does the user really need to know the version of Web Server you are using, or the platform your website runs on? Are you revealing information that may help a hacker plan an attack on your website?
What you need to do: Avoid mentioning product names and versions, operating system information, etc. on your website. Instead, provide an email address where users can contact the administrator for details, which may be revealed on a need-to-know basis.
Remember, knowledge is power, and more so in the hands of a malicious user. Every superfluous piece of information your website reveals about itself makes it more vulnerable to attack.