Imagine a new zero-day web exploit is announced to the world. Some web administrators will immediately update their sites with the corrective code, however others may not be so quick to react. Some may be asking, what's the big deal? How would anyone find my little site? Security through obscurity, right?
Well it turns out that one of the best tools for locating vulnerable sites is you friendly local search engine. How's that you ask? Well a search engine like Google can provide an easy way to search for something common across all vulnerable systems. Take for example the recent vulnerability that was discovered in BlogEngine.Net. No matter what the size of your blog, chances are that your site would be discovered with a simple query like http://www.google.com/search?q=%22BlogEngine.NET+1.3.0.0%22.
What's interesting to me is that the information being used is something that many administrators have either added or left on their Blog theme. So I started wondering if simply removing the Powered by BlogEngine.Net tag would be enough to shield a website from being exploited. I believe the obvious answer is, while not completely shielding your site, it would definitely add a layer of insulation from some people wanting to attack your site.
<rant>
Some people may disagree with this statement. I hear it all the time: "Security through obscurity is not security at all". I strongly disagree with that statement, believing that obscurity keeps some of the people away from your site. I liken it to locks on your doors. Some people know how to pick locks but most people don't know how to pick the locks.
</rant>
So all this got me thinking, what would happen if the search engines couldn't see the "Powered by BlogEngine.Net" string. Would this exclude your site from the results of the search string shown above? Perhaps. Interesting idea but I do want this information displayed on my blog. So how can I display the string to actual users but not to search engines?
One site suggested that search engines can't accept cookies. The idea being that when a search engine hits your site they are scraping the raw source from your site and won't accept cookies. Can anyone confirm that suggestion? In any case I decided to see how hard it would be to write some JavaScript that would display the "Powered by BlogEngine.Net" if the client accepts cookies.
Not too difficult really. Just start with sending a cookie to the client:
function SetCookie(name,value,expires,path,domain,secure)
{
var strDNS = GetDNS();
document.cookie = name + "=" +escape(value) +
( (expires) ? ";expires=" + expires.toGMTString() + 1000*60*20 : "") +
( (path) ? ";path=" + path : "") +
( (domain) ? ";domain=" + strDNS : "") +
( (secure) ? ";secure" : "");
return true
}
Next try and retrieve the cookie:
function GetCookie() {
var strName = "varCook";
if (document.cookie.indexOf(strName) == -1)
{
return false;
}
else
{
cookieStart = document.cookie.indexOf(strName);
cookieValStart = (document.cookie.indexOf("=", cookieStart) + 1);
cookieValEnd = document.cookie.indexOf(";", cookieStart);
if (cookieValEnd == -1)
{ cookieValEnd = document.cookie.length; }
cookieValue = document.cookie.substring(cookieValStart, cookieValEnd);
}
if (cookieValue = "True")
{ return ("True"); }
}
If the cookie is found then the string is displayed to the user, if not then nothing is displayed.
function showPoweredByBlogEngine()
{
if (CheckCookiesEnabled() == true)
{
document.write("Powered by <a href='http://www.dotnetblogengine.net/' target='_blank'>BlogEngine.NET</a>");
}
}
All that's left is to add the script tag where I want the string to be displayed:
<script language="javascript" type="text/javascript">showPoweredByBlogEngine();</script>
For the complete JavaScript code simply download the one I am using. I would be interested in what everyone thinks about this idea. Will this make a difference in being able to find my blog using a search engine?
CSS-Tricks
Janko at Warp Speed
Kim Cameron's Identity Weblog
Pluralsight Blogs
Thu, May 22, 2008
Technology