So, if you were writing a website using Java and JSPs and didn't want users to know what language you had written it in, what techniques would you use?

+2  A: 

The only thing I would do is somehow pass in the requests to pages without the extensions (jsp, aspx, asp, etc). This can be done by manually parsing the request URL. Also, reconfigure your server to hide details about what it is.

Daniel A. White
Could you use mod_rewrite to help with this?
Sam Hoice
+5  A: 

If you are using some sort of framework, like Struts2, you'll have an extension (*.action, or whatever you choose) mapped to the dispatcher servlet. The dispatcher "forwards" the request to the JSP, which is in the WEB-INF directory. Users only see the URL that was directed to the servlet, and get back HTML. They can't tell what the template language was. Since you can choose whatever you like for the servlet mapping, you could make something up, or even misdirect them with something like ".php" or ".asp".

Of course, you might have some JSPs right in the web app directory, rather than in WEB-INF. You can give these a different extension, and tell the container to process them as JSPs by creating a <jsp-property-group> with a url-pattern element that specifies the fake extension in web.xml.

You'll also need to examine your container's documentation to determine how to hide any server version information that might be sent. Another thing to explore is how to change the session cookie name to something other than "jsessionid". That's a bit of a giveaway, but it's part of the Servlet specification, and some containers don't support changing it.

erickson
+1. With Spring MVC, usually controllers are mapped to ".htm" - so no implementation-specific extensions
matt b
Also make sure your error pages (404/500/etc.) don't give it away for you.
runako
Do not use a standard extension like ".do" or ".action"; these easily let one conclude which framework is in use.
ordnungswidrig
+4  A: 

Along with other answers here, you'll want to make sure you're handling your application errors correctly. If you let an Exception out and the web container handles it, it'll be pretty obvious what you're using.

Rob Hruska
+1  A: 

1) Make up your own file extension and configure your server to map that to your handler of choice. e.g. Remap .whee to invoke the ASP.NET handler or PHP handler.

2) Make sure that whatever handler you are using doesn't put headers in to indicate what it is, like most do. If it does, configure it not to, or else put something in front of it in the stack to remove those headers before transmitting.

Darren Clark
+1  A: 

You'll also want to inspect the HTTP response headers that your app sends back. Oftentimes it's trivial to find the technology powering an app in the response headers.

squillman
A: 

In the Apache configuration files, the following line causes it to recognize .php as a PHP script and execute it as such:

AddHandler php5-script .php

Change it to .asp and Apache will recognize .asp files as PHP scripts. Change it to, say, .blarg, and Apache will recognize .blarg files as PHP scripts.

Barry Brown
Do be wary of this and place your scripts outside of the webroot, linking to them, in the unlikely event your apache.conf is overwritten and your scripts are displayed as plain text to the world.
Frank Crook
How would that be any different for .php files? If the conf file is overwritten and the AddHandler line shown above is removed, the source of any .php file can be seen.
Barry Brown
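
The giveaways the answers above list (URL extensions, response headers, the session cookie name, error pages), combined into one check you can run against your own site's responses. This is an added example, not code from any of the posters; the function name `audit_response`, the marker lists and the two sample responses are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Giveaways named in the answers; illustrative lists, not exhaustive.
TELLTALE_EXTENSIONS = {".jsp", ".do", ".action", ".php", ".asp", ".aspx"}
TELLTALE_COOKIES = {"jsessionid", "phpsessid", "asp.net_sessionid"}
VERSION = re.compile(r"\d+\.\d+")
# One frame of a Java stack trace, e.g. "at com.example.Foo.bar(Foo.java:42)"
JAVA_FRAME = re.compile(r"\bat [\w.$]+\([\w$]+\.java:\d+\)")


def audit_response(url, headers, body):
    """Return (category, detail) findings; headers is a list of (name, value) pairs."""
    findings = []
    # Servlet containers may append ";jsessionid=..." to the path (URL rewriting).
    path, _, params = urlsplit(url).path.partition(";")
    ext = posixpath.splitext(path)[1].lower()
    if ext in TELLTALE_EXTENSIONS:
        findings.append(("extension", ext))
    if params.lower().startswith("jsessionid="):
        findings.append(("url-session", "jsessionid"))
    for name, value in headers:
        name = name.lower()
        if name == "x-powered-by":
            findings.append(("header", f"X-Powered-By: {value}"))
        elif name == "server" and VERSION.search(value):
            # A bare product token is less telling than one with a version.
            findings.append(("header", f"Server: {value}"))
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if cookie.lower() in TELLTALE_COOKIES:
                findings.append(("cookie", cookie))
    if JAVA_FRAME.search(body):
        findings.append(("error-page", "Java stack trace in body"))
    return findings


# Constructed sample responses (not captured from a real site).
LEAKY = ("http://shop.example/cart.jsp;jsessionid=0A1B2C",
         [("Server", "Apache-Coyote/1.1"), ("X-Powered-By", "Servlet/3.0"),
          ("Set-Cookie", "JSESSIONID=0A1B2C; Path=/; HttpOnly")],
         "<pre>java.lang.NullPointerException\n"
         "\tat com.example.Cart.total(Cart.java:42)</pre>")
QUIET = ("http://shop.example/cart",
         [("Server", "web"), ("Set-Cookie", "sid=0A1B2C; Path=/")],
         "<h1>Something went wrong</h1>")
```

`audit_response(*LEAKY)` reports six findings, one per giveaway; `audit_response(*QUIET)` returns an empty list.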