What is system information?
System information can be roughly understood as information about the structure and operation of that system.
You’re probably wondering: Well if my system doesn’t do anything shady, why should I hide it? Yes! Imagine your home is a gold store with lots of money and gold. Do you have a signboard “There is a hole in the bottom corner of the fence, my house’s safe is on the 2nd floor, a 4-digit password”?
Of course, you should never let your home information open to a thief. This is like inviting a thief into the house. However, most of us leave system information to the hacker. Is that any different from inviting a hacker to attack !!
How do we expose system information?
We often expose system information very indiscriminately, not inferior to how Kim Kardashian shows off her body in clothes. Here are some common types of disclosure:
All of this information is easily accessible using buildwith. This page works on the principle of reading headers returned from the server, see what libraries the HTML includes.
These “harmless” information also inadvertently “helps” hackers attack your system more easily by the following ways:
- Knowing the version of the library/framework used, the server version, the database version, … hackers can find the security hole (CVE) of the system.
- Searching is easy; go to nvd.nist.gov. Based on the framework/server/database version, hackers can see these versions' security flaws. From these vulnerabilities, hackers can try to attack the system.
- Besides, when knowing the framework is in use, the hacker can find the path to the admin page (For WordPress is / wp-admin, with Joomla as / administrator, with PHPMyAdmin being / PHPMyAdmin). Next, the hacker can try to enter the default admin username/password to log into the system. Scary yet ??
- With mobile app or software, a hacker can decompile to steal API or security key. Not hiding anything from you, I also decompile Simsimi API files to get the Key and free API attached to that Facebook chatbot …
How to hide?
The highest skill of hiding is that hackers cannot know what language/framework your system is written, what database to use, where to deploy. This makes the job of a hacker much more difficult.
Actually, hiding system information is not too difficult or time-consuming. Just be careful and watchful. Some of the popular methods of “hiding information” are:
- Config server or writing code to remove redundant HTTP headers.
- When deploying, we obfuscate or uglify the code to make the code difficult to read. To avoid hackers knowing which JS libraries use, we can bundle the entire library and code into one file.
- When the system is down, display custom Error Page, errors in this page should be clearly explained to the user. But absolutely do not show the error/exception directly to avoid hacker attack.
Regularly update/upgrade the framework to the latest version to fix the vulnerabilities and avoid hackers taking advantage of the old version's vulnerabilities.
If you have experience hiding system information or have attacked the system based on its information, please comment.