Identifying Web Application Technologies - Michael Sutton's Blog
Jeff Forristal has an interesting initiative and for those able to help out, there are cash and prizes to be had! Well ok, no cash, but you could walk away with some stylish SPI clothing or a few drinks on us. Jeff is looking for assistance in identifying the devices (web servers and proxies) that are responsible for some odd but consistent response headers. To see if you can help out, take a look at the three response challenges that he's identified.

When auditing a web application, testing it efficiently requires quickly determining the underlying technology being tested. Sure, you could throw every single known attack at a web app, but that would be extremely inefficient. There's no reason to send a known ColdFusion information leakage issue at a Java app, nor would you include stacked SQL queries when attacking a PHP/MySQL app. When auditing complex applications, efficiency is important in order to ensure that the audit can be completed within the timeframe provided and that it can be repeated regularly.

Assuming that a true black box test is being performed, knowledge of the underlying web application technologies will not be available. It is therefore necessary to monitor the behavior of the application in order to identify clues that will aid in identifying the technologies that have been used. Below is a list of typical clues to look for.

Server Response Header

The Server response header can be a goldmine of information as it "identif[ies] the server and any significant subproducts". RFC 2616 (Hypertext Transfer Protocol - HTTP/1.1) actually warns of the dangers of an overly verbose Server header, stating that "revealing the specific software version of the server might allow the server machine to become more vulnerable to attacks against software that is known to contain security holes". Don't be fooled, however: this header can easily be omitted, spoofed or altered by an intermediate device such as a proxy, even though RFC 2616 prohibits proxies from modifying it.

Response Header Format/Order

Different web servers produce response headers that adhere to the protocol specification yet are still unique to that server. Depending upon the structure of the request received, servers may respond with headers listed in a different order or with additional or omitted headers. Entire whitepapers have been written on this topic, and this behavior has led to the creation of various web server fingerprinting tools such as httprint and HMAP.

Verbose Error Messages

When verbose error messages are not suppressed, they can reveal not only the web/application servers being used but also complementary technologies such as the database server employed or the programming language used. For example, take a look at the following Google queries, which identify revealing verbose error messages:

Known Pages/Directories/Functionality

By default, most servers and applications arrive out of the box with a number of sample apps, help files and common directory structures. Identifying such items on a site can once again reveal important details about the technologies used. Consider the following Google queries:

  • Oracle - iSQL*Plus is a web-based SQL query tool that is included by default in Oracle HTTP Server, which is part of Oracle Application Server and Oracle Database Server

Page Extensions

This one is a bit of a no-brainer, but even this can be misleading at times, as extensions can be changed, hidden, or be generic extensions shared by multiple technologies (e.g. .htm or .html). Below is a sample of common page extensions and their underlying technologies:

  • ColdFusion
    • .cfm - ColdFusion Markup File
  • Microsoft
    • .asa - ASP Configuration File
    • .ascx - Active Server Custom Control
    • .asmx - Active Server Method File
    • .asp - Active Server Page
    • .aspx - Active Server Page Extended
    • .chm - Compiled HTML Help File
  • Java
    • .jhtml - Java within Hypertext Markup Language
    • .jnlp - Java Web Start File
    • .jsp - Java Server Page
    • .jspx - XML Java Server Page
  • PHP
    • .php - Hypertext Preprocessor File
    • .php3 - PHP 3 Script
    • .php4 - PHP 4 Script
    • .php5 - PHP 5 Script
    • .phtm - PHP Web Page
    • .phtml - PHP Web Page
  • Ruby
    • .rhtml - Ruby HTML Web Page
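To show how these clues combine in practice, here is an added example (not code from the original post) that parses a single raw HTTP response and its URL and reports the technology hints it finds, together with the information leaks a defender would want to suppress: a Server header carrying a version number and verbose error text in the body. The extension table comes from the list above; the error-message markers and the sample response are constructed for illustration, and the header-order string is only a signature to compare against a baseline, not a vendor database.

```python
import re
import posixpath
from urllib.parse import urlsplit

# Extension-to-technology table, taken from the post's list above.
EXTENSIONS = {".cfm": "ColdFusion", ".asa": "Microsoft", ".ascx": "Microsoft",
              ".asmx": "Microsoft", ".asp": "Microsoft", ".aspx": "Microsoft",
              ".chm": "Microsoft", ".jhtml": "Java", ".jnlp": "Java",
              ".jsp": "Java", ".jspx": "Java", ".php": "PHP", ".php3": "PHP",
              ".php4": "PHP", ".php5": "PHP", ".phtm": "PHP", ".phtml": "PHP",
              ".rhtml": "Ruby"}
# Illustrative verbose-error markers (assumed here, not from the post).
ERROR_MARKERS = {"mysql_fetch": "PHP/MySQL", "java.lang.": "Java",
                 "ColdFusion": "ColdFusion", "Microsoft OLE DB": "Microsoft"}
VERSION = re.compile(r"\d+\.\d+")  # e.g. "Apache/1.3.37" leaks a version

def parse_response(raw):
    # Split a raw HTTP response into (status line, ordered headers, body).
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (l.partition(":") for l in lines)]
    return status, headers, body

def fingerprint(url, raw):
    # Collect technology clues and information leaks from one response.
    _status, headers, body = parse_response(raw)
    techs, leaks = set(), []
    # 1. Server header: a clue for the auditor, a leak if it carries a version.
    for name, value in headers:
        if name.lower() == "server":
            techs.add(value)
            if VERSION.search(value):
                leaks.append("Server header reveals version: " + value)
    # 2. Header order: a signature to compare against a known-server baseline.
    order = ">".join(name for name, _ in headers)
    # 3. Verbose error messages in the body reveal complementary technologies.
    for marker, tech in ERROR_MARKERS.items():
        if marker in body:
            techs.add(tech)
            leaks.append("verbose error mentions %r (%s)" % (marker, tech))
    # 4. Page extension from the URL path; generic .htm/.html carry no signal.
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    if ext in EXTENSIONS:
        techs.add(EXTENSIONS[ext])
    return {"technologies": sorted(techs), "order": order, "leaks": leaks}

# Constructed sample response (not captured from any real host).
SAMPLE = ("HTTP/1.1 500 Internal Server Error\r\nDate: Fri, 08 Jun 2007 18:13:00 GMT\r\n"
          "Server: Apache/1.3.37 (Unix) PHP/4.4.7\r\nContent-Type: text/html\r\n\r\n"
          "<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid result")
```

Running `fingerprint("http://example.test/index.php", SAMPLE)` reports PHP from the extension, PHP/MySQL from the error text, and two leaks that the server owner should fix by trimming the Server header and disabling verbose errors.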

What is the 'correct' way to identify underlying web application technologies? As with just about everything in security, there is no silver bullet. A combination of all of the aforementioned approaches is your best bet, but in the end everything can be obfuscated, either intentionally or otherwise. Nothing short of a chat with the developers and/or system administrators will reveal the true answer, but with a little detective work you should be able to quickly identify the technologies with a reasonable level of confidence.


Posted 06-08-2007 6:13 PM by erik.peterson