Problem description

I'm trying to hide the framework name Yii from the Wappalyzer plugin in Chrome/Firefox. I need to hide the framework name as part of a security audit.

I've turned off server signatures in the Apache config, but the framework name Yii is still showing.

Recommended answer

You can find how the Wappalyzer is detecting Yii here.

HTML code

You would need to make sure that your HTML doesn't contain the code mentioned in the HTML part.

  1. The Powered by... text is generated by Yii::powered(), so make sure you are not calling that in your layout file.
  2. You will change the name of the CSRF token input, so the second line is not a problem.
  3. These blocks are replaced when you call the endPage() method of yii\web\View, so make sure that you have a $this->endPage(); call at the end of your layout.

Cookies

To avoid this detection you will need to change the CSRF token name. You can find how to change it here: how to change csrf field id from YII_CSRF_TOKEN to any other

JS files

This is probably the most annoying detection. The detection pattern in Wappalyzer is assuming that assets folders are 8 character long strings. Fortunately there is a hashCallback property in yii\web\AssetManager (see documentation). You can use it to change how the folder names for assets are generated.

This will help you avoid Wappalyzer detection but someone who will take a look at what scripts are loaded would still be able to see that yii.js, yii.validation.js and yii.activeForm.js scripts are loaded. You can copy them to some of your folders, rename them and then customize asset bundles to change the loaded scripts.

You will want to customize the following assets:

  • yii\web\YiiAsset for yii.js script.
  • yii\validators\ValidationAsset for yii.validation.js script.
  • yii\widgets\ActiveFormAsset for yii.activeForm.js script.
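The steps in the answer above, combined into one Yii 2 application config fragment. This is an added example, not code from the original answer; the token name `_form_token`, the directory `@app/assets/js` and the renamed file names are assumptions, and the fragment is meant to be merged into an existing `config/web.php`.

```php
<?php
// config/web.php (fragment): merge into the existing 'components' array.
// Assumption: yii.js, yii.validation.js and yii.activeForm.js have been copied
// from @yii/assets into @app/assets/js under the constructed names used below.

return [
    'components' => [
        'request' => [
            // Renames both the hidden form field and the CSRF cookie,
            // since the cookie takes its name from csrfParam.
            'csrfParam' => '_form_token', // constructed name
        ],
        'assetManager' => [
            // Controls the name of each published asset folder.
            // Mirrors the default logic (directory + mtime) but yields a
            // 12-character name instead of the default short hex string.
            'hashCallback' => function ($path) {
                $dir = is_file($path) ? dirname($path) : $path;
                return substr(hash('sha256', $dir . filemtime($path)), 0, 12);
            },
            // Point the three core bundles at the renamed copies.
            // Only the listed properties are overridden; each bundle keeps
            // its own 'depends' definition.
            'bundles' => [
                'yii\web\YiiAsset' => [
                    'sourcePath' => '@app/assets/js',
                    'js' => ['core.js'],
                ],
                'yii\validators\ValidationAsset' => [
                    'sourcePath' => '@app/assets/js',
                    'js' => ['validation.js'],
                ],
                'yii\widgets\ActiveFormAsset' => [
                    'sourcePath' => '@app/assets/js',
                    'js' => ['forms.js'],
                ],
            ],
        ],
    ],
];
```

After deploying, clear the published assets directory so the folders are regenerated under the new naming scheme.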
