Forum Discussion
Stop Wappalyzer from detecting my back end server technologies
We know that F5 removes the Server and X-Powered-By headers to keep information about the back-end server from end users, but there is an extension, "Wappalyzer", for the Mozilla Firefox browser which indicates all back-end server technologies.
I tried to inspect/check all security event logs and botnet logs, but in vain: there is no request generated from this extension, yet it can detect all my server technologies.
Here is my question: is there any way to prevent "Wappalyzer" from detecting my server technology with F5 ASM?
The short answer is - not really..
Wappalyzer (at least as a browser plug-in) doesn't make any requests of its own to your server; rather, it looks at the responses your website sends to try and determine what technologies you use, and it does a huge number of regex-based checks against things like filenames, HTTP headers, DOM content and likely more.
When run as a stand-alone client (which browses the website headlessly) I believe it sends a User-Agent string of Wappalyzer, which you could of course block, but as a browser extension it is just querying what the browser is already seeing.
The analysis engine is actually open source, so you could look for what Wappalyzer is detecting and then try to adjust your website so that it no longer triggers the detections: https://github.com/wappalyzer/wappalyzer/tree/master/src/technologies
There's no simple fix with a device in front of your website, in other words; you're going to have to obfuscate and change every imported JavaScript library, back-end technology, etc. that Wappalyzer can detect so that it no longer matches whatever signature the engine is looking for.
IMHO there is very little value in spending a huge amount of time 'stealthing' the technologies you use beyond ensuring an attacker can't trivially detect major versions of things like your webserver, and you're much better off spending time and resources ensuring that libraries are kept up-to-date and that any known vulnerabilities are patched in a timely manner.
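The passive, regex-based matching described in the answer above can be reproduced as a self-audit of your own responses. This is an added example, not code from the original posts or from the Wappalyzer project: the fingerprint table, the sample response and the function names `extractSignals` and `auditResponse` are constructed for illustration.

```javascript
// Constructed, simplified fingerprints for illustration; NOT copied from the Wappalyzer repo.
const FINGERPRINTS = {
  'PHP':       { headers: { 'x-powered-by': /php\/?([\d.]+)?/i }, cookies: { phpsessid: /.*/ } },
  'ASP.NET':   { headers: { 'x-aspnet-version': /([\d.]+)/ }, html: /<input[^>]+name="__VIEWSTATE"/i },
  'jQuery':    { scriptSrc: /jquery[.-]([\d.]+)(?:\.min)?\.js/i },
  'WordPress': { meta: { generator: /WordPress ?([\d.]+)?/i }, html: /<link[^>]+\/wp-content\//i },
};

// Constructed sample: a response after the proxy has stripped Server and X-Powered-By.
const SAMPLE_HEADERS = { 'Content-Type': 'text/html', 'Set-Cookie': 'PHPSESSID=abc123; path=/; HttpOnly' };
const SAMPLE_HTML = `<html><head><meta name="generator" content="WordPress 6.4">
<link rel="stylesheet" href="/wp-content/themes/x/style.css">
<script src="/js/jquery-3.6.0.min.js"></script></head><body></body></html>`;

// Collect the parts of a response that a passive analyser in the browser can see.
function extractSignals(headers, html) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const cookies = {};
  // Split a folded Set-Cookie value on commas that start a new name=value pair.
  for (const part of (lower['set-cookie'] || '').split(/,(?=[^;]+=)/)) {
    const m = part.trim().match(/^([^=;\s]+)=([^;]*)/);
    if (m) cookies[m[1].toLowerCase()] = m[2];
  }
  const scripts = [...html.matchAll(/<script[^>]+src=["']([^"']+)["']/gi)].map(m => m[1]);
  const meta = {};
  for (const m of html.matchAll(/<meta[^>]+name=["']([^"']+)["'][^>]+content=["']([^"']*)["']/gi))
    meta[m[1].toLowerCase()] = m[2];
  return { headers: lower, cookies, scripts, meta, html };
}

const match = (value, re) => (value === undefined ? null : value.match(re));

// Return [{ tech, via, version }] for every fingerprint the response still matches.
function auditResponse(headers, html) {
  const s = extractSignals(headers, html);
  const hits = [];
  const add = (tech, via, m) => { if (m) hits.push({ tech, via, version: m[1] || null }); };
  for (const [tech, fp] of Object.entries(FINGERPRINTS)) {
    for (const [h, re] of Object.entries(fp.headers || {})) add(tech, `header:${h}`, match(s.headers[h], re));
    for (const [c, re] of Object.entries(fp.cookies || {})) add(tech, `cookie:${c}`, match(s.cookies[c], re));
    for (const [n, re] of Object.entries(fp.meta || {})) add(tech, `meta:${n}`, match(s.meta[n], re));
    if (fp.scriptSrc) for (const src of s.scripts) add(tech, `script:${src}`, src.match(fp.scriptSrc));
    if (fp.html) add(tech, 'html', s.html.match(fp.html));
  }
  return hits;
}

console.log(auditResponse(SAMPLE_HEADERS, SAMPLE_HTML));
```

Even with the Server and X-Powered-By headers removed, the sample still matches on the session cookie name, a versioned script filename, the generator meta tag and an asset path, which is why header stripping at the proxy alone does not change the result.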
Mostafa_Elsayed - If your post was solved it would be helpful to the community if you selected *Accept As Solution*. This helps future readers find answers more quickly and confirms the efforts of those who helped.
Thanks for being part of our community.
Lief