Question

I am planning on deploying an EAR application on JBoss 6 on Amazon available on the public web. I will need more than one instance but I do not need clustering and the ELB can do its job in my case. The OWASP security guidelines have been considered during development of the application. However, I have an issue with one OWASP principle: security by obscurity.

How can I conceal the fact that I am using JBoss? I have custom error pages and the ELB allows access only to the context path of my application; however, I am worried that JBoss reveals headers that are JBoss specific. Is it any safer to have Apache in front of JBoss on each instance, using mod_jk or mod_proxy_ajp just to forward the requests (this is something I want to avoid if unnecessary)?

Regards


Solution 2

I found the solution.

This link explains how to remove the JBoss specific header.

Tomcat specific headers can also be removed as explained here and here.

Regards

OTHER TIPS

The principle of security by obscurity doesn't mean that you should try to hide things. Actually, it means just the opposite. Please don't rely on hiding sensitive information, as it doesn't really slow down attackers very much and it creates a false sense of security.

The huge attack surface of a typical JBoss installation means that an attacker is very likely to figure out what you're running. There have been a number of "products" over the years that purport to hide the identity of the technologies you are using, using techniques like hiding headers. Yet all an attacker typically has to do is delete a few parameters on the URL to get a full stack trace that provides enough details to determine products, libraries, versions, etc.

You might throw off a few of the weaker automated scanners with this technique, but not anyone who really targets you. Principles are nice, but they're extremely open to interpretation and often conflicting. Better to focus on verifying your application against the OWASP Application Security Verification Standard (ASVS).

How can I conceal the fact that I am using JBoss?

Assuming that JBoss sends a response header something like Server: JBoss v1.2.3.4, you could write a Filter that you map to all requests which overwrites this value with some arbitrary text of your choosing, for example:

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class StripHeaderFilter implements Filter {
    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Set the header before delegating to the chain: headers added after the
        // response has been committed are silently dropped by the container.
        if (response instanceof HttpServletResponse) {
            ((HttpServletResponse) response).setHeader("Server", "It's a secret");
        }
        chain.doFilter(request, response);
    }
}
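Whether the filter above actually changes what leaves the box, and whether the stack-trace leak the first answer describes is still there, is something to verify rather than assume. The script below is an added example written for this page; it is not code from either answer, from JBoss, or from OWASP. It reads one raw HTTP response (as produced by `curl -sS -i http://host/app/some/path`) and reports header values and body fragments that fingerprint the container. The header and body regexes are an assumed starting list, and the two sample responses at the bottom are constructed for offline testing, not captures from a real server.

```shell
#!/bin/sh
# Added example: scan a saved HTTP response for container fingerprints that
# survive header stripping. Usage:  curl -sS -i http://host/app/path | sh fingerprint.sh
# (when run without input it scans the two constructed samples defined below).

# Assumed starting patterns; extend with the names of your own libraries.
HEADER_PATTERNS='^(Server|X-Powered-By):.*(JBoss|Tomcat|Coyote|Servlet|JSP|Apache)'
BODY_PATTERNS='(org\.jboss|org\.apache\.catalina|javax\.servlet|java\.lang\.[A-Za-z]*Exception|\.java:[0-9]+\))'

# _scan: reads one raw HTTP response (status line, headers, blank line, body)
# from stdin, prints each leaking line prefixed with "header:" or "body:", and
# returns 1 if anything leaked, 0 if the response is clean.
_scan() {
    _found=0
    _in_body=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        if [ "$_in_body" -eq 0 ]; then
            # The first empty line ends the header block.
            if [ -z "$_line" ]; then
                _in_body=1
                continue
            fi
            if printf '%s\n' "$_line" | grep -Eiq "$HEADER_PATTERNS"; then
                printf 'header: %s\n' "$_line"
                _found=1
            fi
        elif printf '%s\n' "$_line" | grep -Eq "$BODY_PATTERNS"; then
            printf 'body: %s\n' "$_line"
            _found=1
        fi
    done
    return "$_found"
}

# fingerprint_response: strips the CR of HTTP line endings, then scans.
# The function's exit status is that of _scan, the last command in the pipe.
fingerprint_response() {
    tr -d '\r' | _scan
}

# Constructed sample (not a capture): a stock JBoss Web error page of the kind
# you get by removing a request parameter so the servlet throws.
LEAKY_RESPONSE='HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.5; JBossWeb-2.1
Content-Type: text/html

<html><body><h1>HTTP Status 500 - </h1>
<pre>java.lang.NullPointerException
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
</pre></body></html>'

# Constructed sample: the same failure behind the Server-header filter and a
# custom error page that carries no stack trace.
CLEAN_RESPONSE="HTTP/1.1 500 Internal Server Error
Server: It's a secret
Content-Type: text/html

<html><body><h1>Something went wrong</h1><p>Please try again later.</p></body></html>"

# Demo run over the constructed samples (4 findings, then none).
printf '%s\n' "$LEAKY_RESPONSE" | fingerprint_response || echo "leaky sample: fingerprints found (expected)"
printf '%s\n' "$CLEAN_RESPONSE" | fingerprint_response && echo "clean sample: nothing found (expected)"
```

Run it against every path the ELB exposes, including requests with parameters deliberately removed or malformed, since the body check is what catches the stack trace the first answer warns about; a clean `Server` header on the happy path says nothing about the error path.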
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow