the-web-application-hackers-handbook

102 Chapter 4 n Mapping the Application
HTTP Fingerprinting
In principle, any item of information returned by the server may be customized
or even deliberately falsified, and banners like the Server header are no exception.
Most application server software allows the administrator to configure the
banner returned in the Server HTTP header. Despite measures such as this, it is
usually possible for a determined attacker to use other aspects of the web server’s
behavior to determine the software in use, or at least narrow down the range of
possibilities. The HTTP specification contains a lot of detail that is optional or left
to an implementer’s discretion. Also, many web servers deviate from or extend
the specification in various ways. As a result, a web server can be fingerprinted
in numerous subtle ways, other than via its Server banner. Httprecon is a handy
tool that performs a number of tests in an attempt to fingerprint a web server’s
software. Figure 4-11 shows Httprecon running against the EIS application and
reporting various possible web servers with different degrees of confidence.
Figure 4-11: Httprecon fingerprinting the EIS application
File Extensions
File extensions used within URLs often disclose the platform or programming
language used to implement the relevant functionality. For example:
n asp — Microsoft Active Server Pages
n aspx — Microsoft ASP.NET