cancel
Showing results for 
Search instead for 
Did you mean: 

Stop Wappalyzer from detecting my back end server technologies

we know that F5 removes Server , X-powered-by headers to keep information about back end server from end users, but there is extension "Wappalyzer" on mozille firefox browser which indicates all back end server technologies.

i tried to inspect/check all security event logs and botnet logs but in vain, there is no request generated from this extension but can detect all my technologies server.

here is my question, is there any way to prevent "Wappalyzer" from detecting my server technology by F5 ASM.

1 ACCEPTED SOLUTION

AaronJB
F5 SIRT
F5 SIRT

The short answer is - not really..

Wappalyzer (at least as a browser plug-in) doesn't make any requests of it's own to your server, rather it looks at the responses your website sends to try and determine what technolgies you use, and it does a huge number of regex based checks against things like: filenames, HTTP headers, DOM content and likely more.

 

When run as a stand-alone client (which browses the website headlessly) I believe it sends a User-Agent string of Wappalyzer, which you could of course block, but as a browser extension it is just querying what the browser is already seeing.

The analysis engine is actually opensource so you could look for what Wappalyzer is detecting and then try to adjust your website so that it no longer triggers the detections: https://github.com/wappalyzer/wappalyzer/tree/master/src/technologies

 

There's no simple fix with a device in front of your website, in other words; you're going to have to obfuscate and change every imported JavaScript library, back-end technology etc that Wappalyzer can detect so that it no longer matches whatever signature the engine is looking for.

 

IMHO there is very little value in spending a huge amount of time 'stealthing' the technologies you use beyond ensuring an attacker can't trivially detect major versions of things like your webserver, and you're much better off spending time and resources ensuring that libraries are kept up-to-date and that any known vulnerabilities are patched in a timely manner.

View solution in original post

2 REPLIES 2

AaronJB
F5 SIRT
F5 SIRT

The short answer is - not really..

Wappalyzer (at least as a browser plug-in) doesn't make any requests of it's own to your server, rather it looks at the responses your website sends to try and determine what technolgies you use, and it does a huge number of regex based checks against things like: filenames, HTTP headers, DOM content and likely more.

 

When run as a stand-alone client (which browses the website headlessly) I believe it sends a User-Agent string of Wappalyzer, which you could of course block, but as a browser extension it is just querying what the browser is already seeing.

The analysis engine is actually opensource so you could look for what Wappalyzer is detecting and then try to adjust your website so that it no longer triggers the detections: https://github.com/wappalyzer/wappalyzer/tree/master/src/technologies

 

There's no simple fix with a device in front of your website, in other words; you're going to have to obfuscate and change every imported JavaScript library, back-end technology etc that Wappalyzer can detect so that it no longer matches whatever signature the engine is looking for.

 

IMHO there is very little value in spending a huge amount of time 'stealthing' the technologies you use beyond ensuring an attacker can't trivially detect major versions of things like your webserver, and you're much better off spending time and resources ensuring that libraries are kept up-to-date and that any known vulnerabilities are patched in a timely manner.

LiefZimmerman
Community Manager
Community Manager

@Mostafa_Elsayed - If your post was solved it would be helpful to the community if you selected *Accept As Solution*. This helps future readers find answers more quickly and confirms the efforts of those who helped.

Thanks for being part of our community.
Lief

------
Lief ZimmermanLiefZimmerman | @LiefZF5 | DevCentral Community Manager