Is it really Security Misconfiguration to show a version number?


14















Our web application uses an HTML file with jQuery embedded inside.
According to the jQuery license (https://jquery.org/license/), we have to leave the license header intact, including the version number.



Our client reported exposure of the product and version combination as a security risk. Strangely, the Bootstrap version in the same file is not reported as a security risk.



Many applications use libraries with version numbers inside. It's even possible to get version numbers by running some code in Firebug or Chrome's Developer Console.



In what circumstances does this "security misconfiguration" (https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration) apply to displaying product and version number? And how can we resolve this issue without violating the jQuery license?










license-enforcement owasp-top-ten jquery






edited 27 mins ago









atk

asked yesterday









stormtrooper

  • 5
    I think you have a logic error in that information disclosure is being equated with a security misconfiguration. They are in no way the same or related.
    – schroeder
    yesterday

  • 3
    "Strangely, bootstrap version in the same file is not reported as a security risk." They might have randomly spotted the jQuery version number and reported that. Or they might think that it's redundant to nitpick over every version number they found. Or their automated tool just spotted the jQuery one. Just like software is never bug-free because the programmer doesn't think of every edge case or know every quirk (or perhaps doesn't get enough time to do so), pentesting is also an inexact business.
    – Luc
    yesterday

  • 2
    Removing the version number from the license file would not help you anyway, because an attacker can just check manually what version you are using.
    – MechMK1
    yesterday












4 Answers






32














The security impact of exposing the version number is that an attacker can instantly see whether your version is vulnerable to a known vulnerability. For example, jQuery before 3.4.0 is vulnerable to CVE-2019-11358, so it is useful information for an attacker to know whether your jQuery is 3.3.9 or 3.4.1.



However, with JavaScript that runs in the browser the complete source code is accessible by the attacker, so it is impossible to hide whether your jQuery is vulnerable. Even if you hide the version, the attacker can compare the code, or just try an exploit, to determine whether you are vulnerable. Hiding the version number may make it slightly more work, but realistically it accomplishes little.



Furthermore, there are other ways to mitigate this:



  • Keep in the loop about security problems in the libraries you use. Subscribe to a mailing list or another publishing method for security problems.

  • Update the client libraries whenever a security problem is identified.

If you always have a non-vulnerable version because you update regularly, it is no problem that the version is disclosed. And you can tell your client that this is the way you mitigate the information disclosure.
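As an added example (not part of Sjoerd's answer and not code from the jQuery project), here is a build-time check that takes the "always ship a non-vulnerable version" advice literally: it reads the version from the license header that the jQuery license requires you to keep, and flags the bundle if that version predates the fix named in the answer (CVE-2019-11358, fixed in 3.4.0). The header regex, the advisory table, the sample bundle and the function names (`extractJQueryVersion`, `compareVersions`, `auditBundle`) are all constructed for this example.

```javascript
// Added example: audit an HTML bundle for the embedded jQuery version.
// The license header stays intact (as the license requires); what the
// check guarantees is that the version it reveals is never a vulnerable one.

// Only the advisory named in the answer is listed here; in practice this
// table is fed from the mailing list / advisory feed you subscribe to.
const ADVISORIES = [
  { id: 'CVE-2019-11358', fixedIn: '3.4.0' },
];

// Matches both the minified header  "/*! jQuery v3.3.1 | ..."  and the
// unminified header  " * jQuery JavaScript Library v3.3.1".
const HEADER_RE = /jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)/;

// Returns the MAJOR.MINOR.PATCH string from the license header, or null
// when no jQuery header is present in the source.
function extractJQueryVersion(source) {
  const m = HEADER_RE.exec(source);
  return m ? m[1] : null;
}

// Numeric comparison of MAJOR.MINOR.PATCH (so 3.10.0 > 3.9.0, unlike a
// plain string compare). Returns <0, 0 or >0 like strcmp().
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Audit one bundle. `vulnerable` is null when no jQuery was found at all,
// so a missing header is reported separately from a clean version.
function auditBundle(source) {
  const version = extractJQueryVersion(source);
  if (version === null) {
    return { version: null, vulnerable: null, advisories: [] };
  }
  const advisories = ADVISORIES
    .filter((adv) => compareVersions(version, adv.fixedIn) < 0)
    .map((adv) => adv.id);
  return { version, vulnerable: advisories.length > 0, advisories };
}

// Constructed sample: an HTML file with a (truncated) jQuery embedded
// inline, as described in the question. The version is deliberately old.
const SAMPLE_BUNDLE = `<!DOCTYPE html>
<html><head>
<script>/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */
!function(e,t){"use strict";/* ... library body elided in this sample ... */}(window);</script>
</head><body></body></html>`;

// Usage: in CI, fail the build when `vulnerable` is true.
console.log(JSON.stringify(auditBundle(SAMPLE_BUNDLE)));
```

The runtime counterpart, as the comments below note, is reading `$.fn.jquery` in the browser console; the build-time check above lets you catch the same fact before the bundle ships rather than after.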






  • Agreed, just a small note: "Hiding the version number may make it slightly more work" I'd argue it's a bit more than "slightly": in order to map code back to a version number (in order to plug that version number into a CVE search), you have to have an index of all variants (minified, maybe with different packers) of all versions of all relevant libraries. A dedicated attacker might do this if they suspect there will be an exploitable vulnerability, but most of the time, the vulns of client-side libraries are not reachable or have a limited impact. I think few attackers would bother.
    – Luc
    yesterday

  • 4
    @Luc I would argue that it's simply useless: you can access this through $.fn.jquery, which is way easier than scraping the comments, which may anyway be unreadable in most sources because of SOP.
    – Kaiido
    yesterday

  • @Kaiido Nice, I didn't know of $.fn.jquery. I'm not sure if this is a lucky coincidence or if it's common for other libraries to have this as well though. Looking up the library I see second-most commonly, Bootstrap, it doesn't seem like there is such a function for that.
    – Luc
    20 hours ago

  • 2
    @Luc if you are talking about the CSS, then no, there isn't something available from JS (apart from comments). But each Bootstrap plugin has its own VERSION accessible from the constructor: stackoverflow.com/questions/43233588/…
    – Kaiido
    20 hours ago

  • @Sjoerd What mailing lists would you recommend for a web-based system (Apache, nginx, jQuery, SSH, FTP, server packages in general)?
    – Echo
    18 hours ago


















21














Knowing the version number is not a security misconfiguration. The risk of exposing version numbers is an "information disclosure". This can create a hazard if knowing this information equips an attacker to craft an exploit for a vulnerability in that specific version.



Even if the library ends up containing a vulnerability, it is still not a security misconfiguration issue. That would be "A9-Using Components with Known Vulnerabilities".



So, it appears that the client has an incorrect and rigid understanding of the risks and the situation.






    4














It is a very, very old pattern of thought in cybersecurity that exposing the version number of something is a security hazard.

Allegedly, it makes the work easier for attackers, because if they know the version of whatever it is you are running, they can look up the vulnerabilities that apply to that version.

Actually, that is what security scanners are doing. Nessus et al. have a built-in database of vulnerabilities by version number. So unless you never scan yourself, hiding that information is shooting yourself in the foot.

Except that both scanners and attackers (who use scanners, you know?) have other means than a simple strcmp() to determine the version number of something. It's a bit more effort, and can't always pinpoint an exact number, but no attacker worth anything will confuse jQuery 3.3.0 with jQuery 2.2.1.

Non-script-kiddie level attackers also have several other methods to figure out what you're running, from fingerprinting to simply testing a few hundred exploits automatically and checking which work.

Hiding the version number gives you a very small amount of additional security. If you have nothing else left to do, you can do it or not. As long as you have any real security issues to fix, spend your time on those.

Lastly, exposing the version number is not a case of Security Misconfiguration. If your tool reports it as such, report that bug upstream so your tool can get fixed.






    • "unless you never scan yourself, hiding [version numbers] is shooting yourself in the foot." Except there exists a development team that made the software. They know what version they used and can check it for vulnerabilities. Doing that is as uncommon as running vulnerability scans on yourself (almost nobody does either), but if you have to pick one, I would rather check the version numbers myself than expose them for everyone to see. Yes, targeted attackers will use other means to get the info, but that doesn't mean you want to make it easy for either them or the script kiddies.
      – Luc
      20 hours ago

    • 1
      If you are an easy target for script kiddies, then exposed version numbers are the least of your problems. I agree the dev team should check for vulns, but you know what? They aren't security experts and you are. There is some sense in running scans instead of trusting the dev team on this. Ideally, you'd do both.
      – Tom
      16 hours ago


















    0














I'm not 100% sure whether or not this is a duplicate question. If it should be marked as such, please do so mods, but I think that the advice in this particular post "Is there a base version of jQuery which has no XSS Vulnerability" would be useful in solving the problem for your clients.

One of the main factors you'll have to evaluate in addressing the general question is whether the proposed security solution is a good ROI for your client. Is it worth writing an exception into the security policy, or perhaps implementing code to strip out the version numbers returned (or as the commenter notes potentially ditching jQuery) to mitigate the risk of exposing the version number? In many cases it won't be, but in others it will, and it will all depend on the individual situation. However, you should definitely verify the versions that you are using aren't already compromised by using something like cvedetails or the NIST National Vulnerability Database.

As to why Bootstrap is not reported, that is likely down to the scanner (which you didn't mention) and tests you're using for evaluation. According to the logic of the OWASP Security Misconfiguration it could be seen as a vulnerability as well and should/should not be addressed for the same reason. Regardless, exposing that information does give any potential attacker another data point from which to conduct research and potentially identify vulnerabilities.






      answered yesterday









      Sjoerd




      • Agreed, just a small note: "Hiding the version number may make it slightly more work" I'd argue it's a bit more than "slightly": in order to map code back to a version number (in order to plug that version number into a CVE search), you have to have an index of all variants (minified, maybe with different packers) of all versions of all relevant libraries. A dedicated attacker might do this if they suspect there will be an exploitable vulnerability, but most of the time, the vulns of client-side libraries are not reachable or have a limited impact. I think few attackers would bother.

        – Luc
        yesterday











        @Luc I would argue that it's simply useless, you can access this through $.fn.jquery, way easier than scraping the comments which may anyway be unreadable in most sources because of SOP.

        – Kaiido
        yesterday











      • @Kaiido Nice, I didn't know of $.fn.jquery. I'm not sure if this is a lucky coincidence or if it's common for other libraries to have this as well though. Looking up the library I see second-most commonly, Bootstrap, it doesn't seem like there is such a function for that.

        – Luc
        20 hours ago












        @Luc if you are talking about the CSS, then no, there isn't something available from JS (apart from comments). But each Bootstrap plugin has its own VERSION accessible from the constructor: stackoverflow.com/questions/43233588/…

        – Kaiido
        20 hours ago












      • @Sjoerd What mailing lists would you recommend for a web-based system (Apache, nginx, jQuery, SSH, FTP, server packages in general)?

        – Echo
        18 hours ago
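The check Sjoerd's answer describes (jQuery before 3.4.0 is affected by CVE-2019-11358), read from the $.fn.jquery property Kaiido mentions, as an added defender-side example that is not part of the original answer or comments. The advisory list layout, the helper names and the stub jQuery object are constructed for this example; only the CVE id and its 3.4.0 threshold come from the thread.

```javascript
// Added example (not from the original post): an audit helper a dev team can
// run against the jQuery build actually loaded in a page, comparing the
// version reported by $.fn.jquery against known advisories. Only
// CVE-2019-11358 (fixed in jQuery 3.4.0) is taken from the thread; the
// advisory list shape and the stub jQuery object below are constructed.
const ADVISORIES = [
  // "jQuery before 3.4.0 is vulnerable to CVE-2019-11358" (from the answer above)
  { id: "CVE-2019-11358", fixedIn: "3.4.0" },
];

// Parse "3.3.9", "3.4" or "3.4.0-rc1" into numeric segments. A pre-release
// suffix is split off and kept so it can sort below the final release.
function parseVersion(v) {
  const m = /^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$/.exec(String(v).trim());
  if (!m) throw new TypeError(`unparseable version: ${v}`);
  return { parts: m[1].split(".").map(Number), pre: m[2] || null };
}

// Three-way compare: negative if a < b, 0 if equal, positive if a > b.
// Missing segments count as 0, so "3.4" equals "3.4.0"; a pre-release of X
// sorts below X itself.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.parts.length, pb.parts.length);
  for (let i = 0; i < n; i++) {
    const d = (pa.parts[i] || 0) - (pb.parts[i] || 0);
    if (d !== 0) return d;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Return the ids of the advisories whose fix is newer than the given version.
function applicableAdvisories(version, advisories = ADVISORIES) {
  return advisories
    .filter((adv) => compareVersions(version, adv.fixedIn) < 0)
    .map((adv) => adv.id);
}

// Read the version the way a page script would (window.jQuery.fn.jquery).
// The jQuery object is passed in explicitly so the check also runs outside
// a browser, e.g. in a CI test.
function auditJquery(jq, advisories = ADVISORIES) {
  const version =
    jq && jq.fn && typeof jq.fn.jquery === "string" ? jq.fn.jquery : null;
  if (version === null) {
    return { version: null, advisories: [], note: "jQuery not found" };
  }
  return { version, advisories: applicableAdvisories(version, advisories) };
}

// Constructed stand-in for a page that loaded jQuery 3.3.9 (no real jQuery needed).
const fakeJquery = { fn: { jquery: "3.3.9" } };
console.log(auditJquery(fakeJquery)); // { version: "3.3.9", advisories: ["CVE-2019-11358"] }
```

In a real page, call auditJquery(window.jQuery) from the browser console or from an automated test to confirm the deployed build is at or above the fixed version.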

      Knowing the version number is not a security misconfiguration. The risk of exposing version numbers is an "information disclosure". This can create a hazard if knowing this information equips an attacker to craft an exploit for a vulnerability in that specific version.



      Even if the library ends up containing a vulnerability, it is still not a security misconfiguration issue. That would be "A9-Using Components with Known Vulnerabilities".



      So, it appears that the client has an incorrect and rigid understanding of the risks and the situation.






          answered yesterday









          schroeder

              It is a very, very old pattern of thought in cybersecurity that exposing the version number of something is a security hazard.



              Allegedly, it makes the work easier for attackers, because if they know the version of whatever it is you are running, they can look up the vulnerabilities that apply to that version.



              Actually, that is what security scanners are doing. Nessus et al have a built-in database of vulnerabilities by version number. So unless you never scan yourself, hiding that information is shooting yourself in the foot.



              Except that both scanners and attackers (who use scanners, you know?) have other means than a simple strcmp() to determine the version number of something. It's a bit more effort, and can't always pinpoint an exact number, but no attacker worth anything will confuse jQuery 3.3.0 with jQuery 2.2.1.



              Non-script-kiddie level attackers also have several other methods to figure out what you're running, from fingerprinting to simply testing automatically a few hundred exploits and checking which work.



              Hiding the version number gives you a very small amount of additional security. If you have nothing else left to do, you can do it or not. As long as you have any real security issues to fix, spend your time on those.



              Lastly, exposing the version number is not a case of a Security Misconfiguration. If your tool reports it as such, report that bug upstream so your tool can get fixed.
              answered 23 hours ago









              Tom

              • "unless you never scan yourself, hiding [version numbers] is shooting yourself in the foot." Except there exists a development team that made the software. They know what version they used and can check it for vulnerabilities. Doing that is as uncommon as running vulnerability scans on yourself (almost nobody does either), but if you have to pick one, I would rather check the version numbers myself than expose them for everyone to see. Yes, targeted attackers will use other means to get the info, but that doesn't mean you want to make it easy for either them or the script kiddies.

                – Luc
                20 hours ago












                If you are an easy target for script kiddies, then exposed version numbers are the least of your problems. I agree the dev team should check for vulns, but you know what? They aren't security experts and you are. There is some sense in running scans instead of trusting the dev team on this. Ideally, you'd do both.

                – Tom
                16 hours ago
              I'm not 100% sure whether or not this is a duplicate question. If it should be marked as such, please do so mods, but I think that the advice in this particular post "Is there a base version of jQuery which has no XSS Vulnerability" would be useful in solving the problem for your clients.



              One of the main factors you'll have to evaluate in addressing the general question is whether the proposed security solution is a good ROI for your client. Is it worth writing an exception into the security policy, or perhaps implementing code to strip out the version numbers returned (or as the commenter notes potentially ditching jQuery) to mitigate the risk of exposing the version number? In many cases it won't be, but in others it will, and it will all depend on the individual situation. However, you should definitely verify the versions that you are using aren't already compromised by using something like cvedetails or the NIST National Vulnerability Database.



              As to why Bootstrap is not reported, that is likely down to the scanner (which you didn't mention) and the tests you're using for evaluation. According to the logic of the OWASP Security Misconfiguration it could be seen as a vulnerability as well and should/should not be addressed for the same reason. Regardless, exposing that information does give any potential attacker another data point from which to conduct research and potentially identify vulnerabilities.
                  edited 3 hours ago









                  Lightness Races in Orbit
                  answered yesterday









                  jfran3
