Forum Discussion
Mostafa_Elsayed
Cirrus
CirrusStop Wappalyzer from detecting my back end server technologies
we know that F5 removes Server , X-powered-by headers to keep information about back end server from end users, but there is extension "Wappalyzer" on mozille firefox browser which indicates all back...
The short answer is - not really..
Wappalyzer (at least as a browser plug-in) doesn't make any requests of it's own to your server, rather it looks at the responses your website sends to try and determine what technolgies you use, and it does a huge number of regex based checks against things like: filenames, HTTP headers, DOM content and likely more.
When run as a stand-alone client (which browses the website headlessly) I believe it sends a User-Agent string of Wappalyzer, which you could of course block, but as a browser extension it is just querying what the browser is already seeing.
The analysis engine is actually opensource so you could look for what Wappalyzer is detecting and then try to adjust your website so that it no longer triggers the detections: https://github.com/wappalyzer/wappalyzer/tree/master/src/technologies
There's no simple fix with a device in front of your website, in other words; you're going to have to obfuscate and change every imported JavaScript library, back-end technology etc that Wappalyzer can detect so that it no longer matches whatever signature the engine is looking for.
IMHO there is very little value in spending a huge amount of time 'stealthing' the technologies you use beyond ensuring an attacker can't trivially detect major versions of things like your webserver, and you're much better off spending time and resources ensuring that libraries are kept up-to-date and that any known vulnerabilities are patched in a timely manner.
AaronJB
SIRT
SIRTThe short answer is - not really..
Wappalyzer (at least as a browser plug-in) doesn't make any requests of it's own to your server, rather it looks at the responses your website sends to try and determine what technolgies you use, and it does a huge number of regex based checks against things like: filenames, HTTP headers, DOM content and likely more.
When run as a stand-alone client (which browses the website headlessly) I believe it sends a User-Agent string of Wappalyzer, which you could of course block, but as a browser extension it is just querying what the browser is already seeing.
The analysis engine is actually opensource so you could look for what Wappalyzer is detecting and then try to adjust your website so that it no longer triggers the detections: https://github.com/wappalyzer/wappalyzer/tree/master/src/technologies
There's no simple fix with a device in front of your website, in other words; you're going to have to obfuscate and change every imported JavaScript library, back-end technology etc that Wappalyzer can detect so that it no longer matches whatever signature the engine is looking for.
IMHO there is very little value in spending a huge amount of time 'stealthing' the technologies you use beyond ensuring an attacker can't trivially detect major versions of things like your webserver, and you're much better off spending time and resources ensuring that libraries are kept up-to-date and that any known vulnerabilities are patched in a timely manner.