What’s in a version number?

You’re assessing a website. You get an HTTP response that looks like this:

HTTP/2.0 200 OK
content-type: text/html; charset=utf-8
expires: Sat, 01 Jan 2000 00:00:00 GMT
x-frame-options: DENY
x-powered-by: PHP/5.1.5
pragma: no-cache
strict-transport-security: max-age=15552000; preload
cache-control: private, no-cache, no-store, must-revalidate
date: Tue, 18 Jun 2019 04:28:37 GMT
X-Firefox-Spdy: h2

What do you report? If you’ve spent any time in Information Security, you’re probably eyeing that X-Powered-By header. You’d probably report that, right? But why? Why would you report it? Because of its presence in the response?

There’s a mixed bag here. I used to be one of those people that would say “oh no, hide the version number!” But what does that solve?

Put another way, you’d probably take that version number and look up known exploits for it, right? So why hide it? It doesn’t fix the problem. It just hides the problem, obscures it. The mantra “security by obscurity” still holds here. By recommending that people hide the version number, we are encouraging security by obscurity while still beating the drum that it doesn’t work for everything else. So where did this come from?

I remember years ago PHP Group released a guide for hiding the version number, and even at one point openly stated that it was useless. This guide was released some 17 years ago. This was the earliest that I remember seeing something written about hiding and the value of hiding it. I do remember hearing the advice passed around (or rather seeing) on bulletin boards and probably even some books I had read. But nobody was talking about the value.

Let’s talk value.

Reveals less about the environment, slowing down attackersAttackers are still going to keep probing and looking
Harder for IT/security/SEs to identify out-of-date software through scanning, such as Qualys, Nessus, and other tools in their environment
Doesn’t actually fix what is being reported – out of date software

To me, this is a clear win. Yes, I’m a little biased, having spent some time now in the enterprise and seeing things differently. However, the main reason why I used, and many others, would recommend hiding the version number of ASP.NET, PHP, and others, is to reveal less about the environment and slow down attackers. There aren’t many other benefits that I can see, even if I try to sit here and think about them.

I think we all would rather people patch and keep updated on the stack they are using rather than hide the fact that they don’t have good patch maintenance.

What’s the version number actually telling you? “Hey, I’m here!” or “Hey, I’m here and I need patches.” We can exploit lack of patches. Simply being there not so much. If we can exploit lack of patches, we can patch it.