Disclosure of Software Version


Although at first glance information about a software version seems to have nothing to do with sensitive data, its usefulness to attackers shouldn’t be underestimated. If an attacker knows the software version, he or she can look up the vulnerabilities of that particular software and mount attacks to damage your website or access sensitive data.

Example:

First, right-click in the browser and select “inspect elements” (in Mozilla you can simply press “q”). There you will find a Network tab, which displays all the requests you make. Now type http://hack-yourself-first.com (a special website for web penetration testing purposes) or any website address you want into the address bar of your browser. The Network tab will display all the requests you made.

Open the first request:


Here, as you can see, the response headers contain the software version:

Server: Microsoft-IIS/10.0

Vary: Accept-Encoding

X-AspNet-Version: 4.0.30319

X-AspNetMvc-Version: 5.1

X-Powered-By: ASP.NET

If an attacker identifies the software version, he will be able to use special databases that store information about software vulnerabilities. One of them is www.exploit-db.com, a database with a lot of exploits. The attacker then searches for the particular software version and checks whether it is exploitable. As you can see, software information can be very useful in an attacker’s hands.
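
To check your own site's responses for the headers shown above, the following is an added example (not part of the original article) that parses a raw HTTP response and reports each header that advertises the software stack, separating exact versions from bare product names. The header list, the function names and the sample response (the article's headers plus a constructed status line, Content-Type and body) are assumptions made for illustration.

```python
import re

# Headers whose only purpose is to advertise the software stack (assumed list,
# taken from the response shown in the article).
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")  # dotted version such as 10.0 or 4.0.30319

# Constructed sample: the article's headers as they would appear on the wire.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Vary: Accept-Encoding\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-AspNetMvc-Version: 5.1\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
    "<html>body is ignored</html>"
)

def parse_headers(raw):
    """Return (name, value) pairs from the head of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def audit(raw):
    """Return (header, value, severity) for every disclosing header found."""
    findings = []
    for name, value in parse_headers(raw):
        if name.lower() not in DISCLOSURE_HEADERS:
            continue
        # An exact version number narrows a vulnerability lookup far more
        # than a bare product name, so it is reported separately.
        severity = "version" if VERSION_RE.search(value) else "product"
        findings.append((name, value, severity))
    return findings

if __name__ == "__main__":
    for name, value, severity in audit(SAMPLE_RESPONSE):
        print(f"{severity:8} {name}: {value}")
```

Run against a response captured from your own server, an empty result means none of the listed headers is being sent.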