4.0
1NSchAb
1NSchAb
- No tags were found...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
41<br />
Web Application Penetration Testing<br />
• List of spreadsheet software<br />
• Diagramming software<br />
References<br />
Whitepapers<br />
[1] http:/en.wikipedia.org/wiki/Code_coverage<br />
Fingerprint Web Application Framework<br />
(OTG-INFO-008)<br />
Summary<br />
Web framework[*] fingerprinting is an important subtask of the information<br />
gathering process. Knowing the type of framework can automatically<br />
give a great advantage if such a framework has already been<br />
tested by the penetration tester. It is not only the known vulnerabilities<br />
in unpatched versions but specific misconfigurations in the framework<br />
and known file structure that makes the fingerprinting process<br />
so important.<br />
Several different vendors and versions of web frameworks are widely<br />
used. Information about it significantly helps in the testing process,<br />
and can also help in changing the course of the test. Such information<br />
can be derived by careful analysis of certain common locations. Most<br />
of the web frameworks have several markers in those locations which<br />
help an attacker to spot them. This is basically what all automatic tools<br />
do, they look for a marker from a predefined location and then compare<br />
it to the database of known signatures. For better accuracy several<br />
markers are usually used.<br />
[*] Please note that this article makes no differentiation between Web<br />
Application Frameworks (WAF) and Content Management Systems<br />
(CMS). This has been done to make it convenient to fingerprint both of<br />
them in one chapter. Furthermore, both categories are referenced as<br />
web frameworks.<br />
Test Objectives<br />
To define type of used web framework so as to have a better understanding<br />
of the security testing methodology.<br />
How to Test<br />
Black Box testing<br />
There are several most common locations to look in in order to define<br />
the current framework:<br />
• HTTP headers<br />
• Cookies<br />
• HTML source code<br />
• Specific files and folders<br />
HTTP headers<br />
The most basic form of identifying a web framework is to look at the<br />
X-Powered-By field in the HTTP response header. Many tools can be<br />
used to fingerprint a target. The simplest one is netcat utility.<br />
HTTP/1.1 200 OK<br />
Server: nginx/1.0.14<br />
Date: Sat, 07 Sep 2013 08:19:15 GMT<br />
Content-Type: text/html;charset=ISO-8859-1<br />
Connection: close<br />
Vary: Accept-Encoding<br />
X-Powered-By: Mono<br />
From the X-Powered-By field, we understand that the web application<br />
framework is likely to be Mono. However, although this<br />
approach is simple and quick, this methodology doesn’t work in<br />
100% of cases. It is possible to easily disable X-Powered-By header<br />
by a proper configuration. There are also several techniques<br />
that allow a web site to obfuscate HTTP headers (see an example<br />
in #Remediation chapter).<br />
So in the same example the tester could either miss the X-Powered-By<br />
header or obtain an answer like the following:<br />
HTTP/1.1 200 OK<br />
Server: nginx/1.0.14<br />
Date: Sat, 07 Sep 2013 08:19:15 GMT<br />
Content-Type: text/html;charset=ISO-8859-1<br />
Connection: close<br />
Vary: Accept-Encoding<br />
X-Powered-By: Blood, sweat and tears<br />
Sometimes there are more HTTP-headers that point at a certain<br />
web framework. In the following example, according to the information<br />
from HTTP-request, one can see that X-Powered-By<br />
header contains PHP version. However, the X-Generator header<br />
points out the used framework is actually Swiftlet, which helps a<br />
penetration tester to expand his attack vectors. When performing<br />
fingerprinting, always carefully inspect every HTTP-header for<br />
such leaks.<br />
HTTP/1.1 200 OK<br />
Server: nginx/1.4.1<br />
Date: Sat, 07 Sep 2013 09:22:52 GMT<br />
Content-Type: text/html<br />
Connection: keep-alive<br />
Vary: Accept-Encoding<br />
X-Powered-By: PHP/5.4.16-1~dotdeb.1<br />
Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />
Cache-Control: no-store, no-cache, must-revalidate, postcheck=0,<br />
pre-check=0<br />
Pragma: no-cache<br />
X-Generator: Swiftlet<br />
Consider the following HTTP Request-Response:<br />
$ nc 127.0.0.1 80<br />
HEAD / HTTP/1.0