Web Application Fingerprinting
One of the first tasks when conducting a web application penetration test is to try to identify the version of the web server and the web application.The reason for that is that it allows us to discover all the well-known vulnerabilities that are affecting the web server and the application.This process is called web application fingerprinting and in this article we will see how to perform it.
The web application fingerprinting can be done with the use of a variety of tools or manually.
This can be done with the use of different utilities such as the telnet or the netcat.For example we can try to connect with netcat to the remote webserver that is running on port 80.We will send an HTTP request by using the HEAD method and we will wait for the response of the web server.
As we can see from the HTTP response header the type of the web server is Apache.Also we have managed to identify the technology from the X-Powered-By field name along with the version that supports the application which is PHP/5.3.5 and also the web application that is running on the web server which is a ZendServer.Alternatively if we don’t want to use the netcat utility we can use the telnet in order to obtain the header information from the web server.The image below is showing the usage of telnet in obtaining the HTTP Response Header from the same web server.
Another way is while we are performing our port scan with Nmap on the remote host to use the command -sV which will obtain as well the type and the version of the web server that is running.For example in the image below we can see from the output that Nmap discovered that the web server is IIS version 6.0.
Another method is to send a malformed request to the web server that will cause the web server to produce an error page which will contain in the response header the version of the web server.
In some cases the version of the application can be discovered through source code inspection.So it is always a good practice to look there as well.You can see in the following example that we have discovered that the application is WordPress 3.3.2 version by looking at the meta tag.
Web application fingerprinting can be done as well with the use of automated tools that have been designed for that purpose.One of the most famous tools is of course the httprint.This tool comes with Backtrack but there is a version as well for windows.In the example below we will use a .txt file that contains signatures of different versions of web servers.So the httprint will try to match the signature of the target web server with the list of known signatures that the signature file contains in order to produce an accurate result.
Another tool that performs pretty much the same job with the httprint is the httprecon.This tool is for windows platforms and it basically sends different kind of request to the target web server in order to identify its version.The image below is showing that we have a match 100% that host that we have scanned is running Apache 2.2.3 version.
Also if we are performing an external web application penetration test then might also want to use an online tool which is called netcraft.This tool can retrieve also the headers of the web server and it can provide us with much more information including the operating system,the nameserver and the netblock owner and much more.
As we saw the web application fingerprinting is an important task for web application penetration tests.It will help us to identify the well-known vulnerabilities that are affecting the web server and the vulnerabilities that are affecting the application that is installed.So we will know what kind of exploits we will need to use in order to start the exploitation.However many web administrators are choosing in nowadays to modify the headers in order to fool any malicious attackers.So as a penetration testers we cannot rely fully on the results that we will get and we will need to use different methods and tools and to execute different commands in order to be sure about the exact version.