Welcome to @!$h@s Free CodeWorld
  free books Search
  free books Source Code
  free books FAQs
  free books Articles
  free books Resources
   Windows Tips & Tricks
   Dot Net Section
   About Myself

I am a B.E in Information Technology form Lingaya's Institute of Management and Technology Faridabad, India.

I have worked on VC++, MFC, ASP, ASP.NET ,Sql Server. Currently I am working on Visual C++ and MFC.

I made a free open source firewall for windows which can be find in MYProjects section.

I am currently working in GloalLogic, Noida.

For any comments and suggestions Contact Me at :

MySpace profile: Here

  Tips and Tricks about Google Is your website too verbose?

Is your website too verbose?

“I often regret that I have spoken; never that I have been silent.” - Publilius Syrus

The first step in a planned attack on your website is the gathering of information about the site, in order to formulate a plan of attack. Obviously, one of the most effective ways to protect your website is to reveal as little information about your website as possible.

Here are some tips to minimise the amount of information your website reveals about itself.

1. Deny directory listings.

Unless you are running a ftp site, your users do not need to view the contents of a directory on your website. Exposing the directory structure and list of files to Internet users is unnecessary and can give a hacker valuable information about your website.

What you need to do: With the appropriate entry in your Web Server configuration file, you should be able to disable directory listings. Consult your Web Server documentation for the syntax.

2. Avoid revealing file names and directory structure in HTML comments.

Too often, HTML comments hanging around from the development days reveal enough information for a malicious user to piece together the directory structure and list of files in the directories.

What you need to do: Remove all comments that reveal unnecessary information like file names, directory structure or other sensitive information. You may be able to suppress comments by an application-level configuration setting, if the application you are running supports it.

3. Minimise the information sent out in HTTP headers.

A simple tool to view what information your server HTTP headers reveal is Lynx. Run “lynx –head http://your-server” to see what your HTTP headers contains. Do they reveal the server build number or the SSL version? Once a hacker has this information, it is fairly trivial to identify the vulnerabilities in the product. For example, Apache 2.0.52 is vulnerable to DOS attacks via a HTTP GET request with a MIME header containing multiple lines with a large number of space characters. If your HTTP header announces that you are running “Apache/2.0.52”, you are practically telling a malicious user how to launch a DOS attack on your website.

What you need to do: Minimise the verbosity of HTTP headers by an appropriate setting in your Server configuration file. Consult your Web Server documentation for the syntax.
In Apache, set the ServerTokens parameter in httpd.conf to “Prod”.

4. Customise your error responses.

In case of an error, redirect the user to a pre-defined error page. Not only is this an elegant way to handle errors, it may avoid the display of an error message that reveals sensitive information. For example, if a jsp page being invoked encounters an Exception, it outputs a stack trace that may reveal file names and locations. Setting up an error response to serve up an error page instead, will prevent this information from being visible to the user.

What you need to do: Customise error responses by making an appropriate entry in your Web Server configuration file. Consult your Web Server documentation for the syntax

5. Minimise published site information.

If your website has a “Site Information” or “About This Site” page, keep the technical details on this page to the minimum. Does the user really need to know the version of Web Server you are using, or the platform your website runs on? Are you revealing information that may help a hacker plan an attack on your website?

What you need to do: Avoid mentioning product names and versions, operating system information, etc on your website. Instead, provide an email address where users can contact the administrator for details, which may be revealed on a need-to-know basis.

Remember, knowledge is power, and more so in the hands of a malicious user. Every superfluous piece of information your website reveals about itself makes it more vulnerable to attack.

DISCLAIMER: This article does not suggest that minimising the verbosity of a website is an alternative to the usual security measures employed (firewalls, intrusion detection, logfile analysis, etc.)

About the Author:

Deepak Extross is a software developer at ISM Consulting Asia Pacific Pty. Ltd, based in Canberra, Australia. He is a Sun Certified Java Programmer and is currently acquiring a Graduate Diploma in Information Security and Intelligence.
Deepak can be contacted at dextross@optusnet.com.au

Other articles :

  1. introduction to ASP.NET
  2. Install Apache , PHP , MySQL , Perl on Windows
  3. Introduction to Orkut (Tips)
  4. Tips and Tricks about GMail
  5. Basics of a firewall

Copyright 2012, ProgrammerWorld.NET

Comments | Suggest a Site | Contact us for Advertisement | Submit Article | Submit Source Code |
For any queries regarding this web site or to contribute to this site mail me at Admin@ProgrammerWorld.NET

Advertiser can contact us on above mentioned email address. This site get more than 60000 unique Ip hits per month.

Like this site ? Keep this site available and free by donating