Web Application Penetration Testing

Response from Netscape Enterprise 4.1
$ nc netscape.example.com 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: Mon, 16 Jun 2003 06:01:40 GMT
Content-type: text/HTML
Last-modified: Wed, 31 Jul 2002 15:37:56 GMT
Content-length: 57
Accept-ranges: bytes
Connection: close

Response from a SunONE 6.1
$ nc sunone.example.com 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 16 Jan 2007 15:23:37 GMT
Content-length: 0
Content-type: text/html
Date: Tue, 16 Jan 2007 15:20:26 GMT
Last-Modified: Wed, 10 Jan 2007 09:58:26 GMT
Connection: close

We can notice that the ordering of the Date field and the Server field differs between Apache, Netscape Enterprise, and IIS.

Malformed requests test
Another useful test to execute involves sending malformed requests or requests for nonexistent pages to the server. Consider the following HTTP responses.

Response from Apache 1.3.23
$ nc apache.example.com 80
GET / HTTP/3.0

HTTP/1.1 400 Bad Request
Date: Sun, 15 Jun 2003 17:12:37 GMT
Server: Apache/1.3.23
Connection: close
Transfer: chunked
Content-Type: text/HTML; charset=iso-8859-1

Response from IIS 5.0
$ nc iis.example.com 80
GET / HTTP/3.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://iis.example.com/Default.htm
Date: Fri, 01 Jan 1999 20:14:02 GMT
Content-Type: text/HTML
Accept-Ranges: bytes
Last-Modified: Fri, 01 Jan 1999 20:14:02 GMT
ETag: W/e0d362a4c335be1:ae1
Content-Length: 133

Response from Netscape Enterprise 4.1
$ nc netscape.example.com 80
GET / HTTP/3.0

HTTP/1.1 505 HTTP Version Not Supported
Server: Netscape-Enterprise/4.1
Date: Mon, 16 Jun 2003 06:04:04 GMT
Content-length: 140
Content-type: text/HTML
Connection: close

Response from a SunONE 6.1
$ nc sunone.example.com 80
GET / HTTP/3.0

HTTP/1.1 400 Bad request
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 16 Jan 2007 15:25:00 GMT
Content-length: 0
Content-type: text/html
Connection: close

We notice that every server answers in a different way. The response also differs between versions of the same server. Similar observations can be made when we create requests with a non-existent HTTP method/verb. Consider the following responses:

Response from Apache 1.3.23
$ nc apache.example.com 80
GET / JUNK/1.0

HTTP/1.1 200 OK
Date: Sun, 15 Jun 2003 17:17:47 GMT
Server: Apache/1.3.23
Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
ETag: 32417-c4-3e5d8a83
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/HTML

Response from IIS 5.0
$ nc iis.example.com 80
GET / JUNK/1.0

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Fri, 01 Jan 1999 20:14:34 GMT
Content-Type: text/HTML
Content-Length: 87

Response from Netscape Enterprise 4.1
$ nc netscape.example.com 80
GET / JUNK/1.0

Bad request
Bad request
Your browser sent to query this server could not understand.

Automated Testing
Rather than rely on manual banner grabbing and analysis of the web server headers, a tester can use automated tools to achieve the same results. There are many tests to carry out in order to accurately fingerprint a web server. Luckily, there are tools that automate these tests. httprint is one such tool: it uses a signature dictionary that allows it to recognize the type and the version of the web server in use.
An example of running httprint is shown below:

Online Testing
Online tools can be used if the tester wishes to test more stealthily and doesn't wish to directly connect to the target website. An example of an online tool that often delivers a lot of information about target web servers is Netcraft. With this tool we can retrieve information about the operating system, the web server used, server uptime, netblock owner, and the history of changes to the web server and OS.
An example is shown below:

OWASP Unmaskme Project is expected to become another online tool to do fingerprinting of any website, with an overall interpretation of all the web metadata extracted. The idea behind this project is that anyone in charge of a website could test the metadata the site is showing to the world and assess it from a security point of view.
While this project is still being developed, you can test a Spanish Proof of Concept of this idea.

Tools
• httprint - http://net-square.com/httprint.html
• httprecon - http://www.computec.ch/projekte/httprecon/
• Netcraft - http://www.netcraft.com
• Desenmascarame - http://desenmascara.me
References
Whitepapers
• Saumil Shah: "An Introduction to HTTP fingerprinting" - http://www.net-square.com/httprint_paper.html
• Anant Shrivastava: "Web Application Finger Printing" - http://anantshri.info/articles/web_app_finger_printing.html

Remediation
Protect the presentation layer web server behind a hardened reverse proxy.
Obfuscate the presentation layer web server headers.
• Apache
• IIS
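The signals the malformed-request tests compare across servers (status code, Server banner, and whether Server precedes Date) and the header-obfuscation remediation above can both be checked with a small response parser. This is an added example, not code from the OWASP guide: the raw responses are constructed from the guide's example.com sessions, and the "hardened" reply with the generic banner "webserver" is an assumed illustration of what a reverse proxy that strips the version would return.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples: the guide's example.com captures re-typed as raw HTTP,
# plus a hypothetical reply from a reverse proxy that sends a generic banner.
APACHE_HTTP30 = ("HTTP/1.1 400 Bad Request\r\n"
                 "Date: Sun, 15 Jun 2003 17:12:37 GMT\r\n"
                 "Server: Apache/1.3.23\r\n\r\n")
NETSCAPE_HTTP30 = ("HTTP/1.1 505 HTTP Version Not Supported\r\n"
                   "Server: Netscape-Enterprise/4.1\r\n"
                   "Date: Mon, 16 Jun 2003 06:04:04 GMT\r\n\r\n")
# Netscape's answer to "GET / JUNK/1.0": an error page with no status line.
NETSCAPE_JUNK = ("Bad request\r\n"
                 "Your browser sent to query this server could not understand.\r\n")
HARDENED_HTTP30 = ("HTTP/1.1 400 Bad Request\r\n"
                   "Server: webserver\r\n"
                   "Date: Mon, 16 Jun 2003 06:04:04 GMT\r\n\r\n")


def parse_response(raw: str) -> Tuple[Optional[int], List[Tuple[str, str]]]:
    """Return (status code or None, headers in wire order). A reply without a
    status line, like NETSCAPE_JUNK above, yields (None, [])."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    if not status_line.startswith("HTTP/"):
        return None, []
    code = int(status_line.split()[1])
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return code, headers


def banner_leaks_version(server: Optional[str]) -> bool:
    """True when the banner still carries a product version ('Apache/1.3.23'),
    i.e. the header-obfuscation remediation has not been applied."""
    return bool(server) and re.search(r"/\d", server) is not None


def fingerprint(raw: str) -> Dict[str, object]:
    """Collect the signals the guide compares across servers: status code for
    the malformed request, Server banner, and whether Server precedes Date."""
    code, headers = parse_response(raw)
    names = [n.lower() for n, _ in headers]
    server = next((v for n, v in headers if n.lower() == "server"), None)
    order = None
    if "server" in names and "date" in names:
        order = "server-first" if names.index("server") < names.index("date") else "date-first"
    return {"status": code, "server": server, "header_order": order,
            "leaks_version": banner_leaks_version(server)}
```

Feed `fingerprint` the raw reply captured from your own server for each of the guide's probes; a result with `leaks_version` False and a consistent status for each probe is what the remediation is meant to produce.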
Review Webserver Metafiles for Information Leakage (OTG-INFO-003)

Summary
This section describes how to test the robots.txt file for information leakage of the web application's directory or folder path(s). Furthermore, the list of directories that are to be avoided by Spiders, Robots, or Crawlers can also be created as a dependency for Map execution paths through application (OTG-INFO-007).

Test Objectives
1. Information leakage of the web application's directory or folder path(s).