1

I know an ecommerce company which has a public facing website at, say www.app.com which has a page www.app.com/version.jsp which is also publicly accessible. The page has the following information.

Build Info
Path:   /root/version/app/v5.6/b10
Server:     appUSA-prod-srv1
Date:   09/10/2017 6:21 AM
Source:     svn@svn
CI: Link (this leads to an internal link which is inaccessible to public)
Gradle is used in newer apps.

Its nice for developers/QA to know the exact version and build in production by simply checking the page. But, is it safe or advisable to make such a page publicly accessible ?

MasterJoe
  • 111
  • 4
  • 1
    It is advised that you should not announce your web application information that is helpful in the development phase; like version and name of the language, server info ex. In fact, I know some people who add fake data about those on their web application for security reasons. – JackSparrow Sep 29 '17 at 06:27
  • 1
    https://security.stackexchange.com/questions/14709/hiding-version-valuable-or-just-security-by-obscurity/ – symcbean Sep 29 '17 at 13:41
  • Security by obscurity is false. It might make you feel better, but it does absolutely nothing to prevent any vulnerabilities from being acted upon. If someone can take you down, they can figure out what version you're running. – dandavis Sep 29 '17 at 21:04
  • @dandavis You can not say it is false at all. If your defense mechanism has only obscurity, it is true (you can not accomplish much) but with the help of good organized security system, obscurity adds another security layer. – JackSparrow Sep 30 '17 at 09:55
  • FYI - The company does not make any security products or software that is used to build other software. Its just a mass consumer app. So, I am not sure if showing version numbers could potentially lead to hacking. – MasterJoe Oct 04 '17 at 17:14

2 Answers2

2

When in a production environment, the less non-critical information that is handed out the better your security surface will be.

Version information and a product's name can be used to narrow the scope down of attacks that can be used against an application.

Without knowing the in's and out's of the application, it's hard to know if it is in fact deployed as a "production level" application.

I will add that with SVN controlled applications, version information becomes useless to an attacker because the application likely to be rapidly updated.

EDIT: For further clarification, I will also mention that many protocols and pieces of software will pass a version parameter. This is to ensure that the program is talking to a valid version. Imagine an older version of the app talking to a new instance of server software. Things could either go very bad, or just not work at all.

dark_st3alth
  • 3,062
  • 9
  • 23
0

If this is a custom/bespoke application, then adding version number likely is not going to be an issue because version numbers would not help them find vulnerabilities from an existing vulnerability database.

But if this is an off-the-shelf application, especially widely used one, then the version number can be used by an attacker to narrow down the attacks the attacker need to do to likely be successful. Knowing the version number may allow the attacker to maintain a lower profile against any defense alerting mechanisms you might have. For example, if you have an intrusion detection system or when you have a web application firewall configured to detect and alert requests that looks like attack attempts of a vulnerability already fixed in your deployed version, they may not be triggered if the attacker used the version information to skip those already patched exploits.

Lie Ryan
  • 31,279
  • 6
  • 69
  • 93