Fingerprint Web Server
OWASP Web Security Testing Guide 4.2 > 1. Information Gathering > 1.2. Fingerprint Web Server
ID | Link to Hackinglife | Link to OWASP | Objectives |
---|---|---|---|
1.2 | WSTG-INFO-02 | Fingerprint Web Server | - Determine the version and type of a running web server to enable further discovery of any known vulnerabilities. |
Passive fingerprinting
Whois
Banner grabbing
Basic:
- nmap.
- telnet
- openssl
- sending a malformed request (with the SANTACLAUS method, for instance):
Some targets obfuscate their servers by modifying headers, but each server has a default ordering of its response headers, so you can also make an educated guess from the ordering.
Automatic scanning tools
Netcraft can offer us information about the servers without even interacting with them, which is valuable from a passive information gathering point of view. We can use the service by visiting https://sitereport.netcraft.com and entering the target domain. We need to pay special attention to the latest IPs used. Sometimes we can spot the actual IP address of the web server from before it was placed behind a load balancer, web application firewall, or IDS, allowing us to connect directly to it if the configuration.
Active fingerprinting
HTTP headers and HTML Source code
- Note the response header `Server`, `X-Powered-By`, or `X-Generator` as well.
- Identify framework specific cookies. For instance, the cookie `CAKEPHP` for PHP.
- Review the source code and identify `<meta>` or attributes with typical patterns from some servers (and/or frameworks).
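
The checks in the list above, together with the header ordering mentioned under banner grabbing, can be run over a response you already hold, for example one from your own server during a hardening review. This is an added example, not code from the original page or from the OWASP guide; the sample response, the `ExampleCMS` name and the function name `fingerprint_signals` are constructed for illustration.

```python
import re

# Constructed sample response (not captured from any real host).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/8.1.0\r\n"
    "Set-Cookie: CAKEPHP=abc123; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta content="ExampleCMS 1.0" name="generator"></head></html>'
)

# Headers the page names as disclosing server or framework details.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-generator")
# Only the cookie named on the page; extend with your own stack's defaults.
FRAMEWORK_COOKIES = {"CAKEPHP": "CakePHP (PHP)"}


def fingerprint_signals(raw):
    """Return (findings, header_order) for one raw HTTP response string."""
    head, _, body = raw.partition("\r\n\r\n")
    header_lines = head.split("\r\n")[1:]          # skip the status line
    headers = [tuple(part.strip() for part in line.split(":", 1))
               for line in header_lines if ":" in line]
    findings = []
    for name, value in headers:
        if name.lower() in DISCLOSING_HEADERS:
            findings.append(("header", name, value))
        if name.lower() == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if cookie in FRAMEWORK_COOKIES:
                findings.append(("cookie", cookie, FRAMEWORK_COOKIES[cookie]))
    # <meta name="generator"> is checked whatever the attribute order.
    for tag in re.findall(r"<meta\b[^>]*>", body, re.I):
        if re.search(r'name=["\']generator["\']', tag, re.I):
            m = re.search(r'content=["\']([^"\']*)["\']', tag, re.I)
            findings.append(("meta", "generator", m.group(1) if m else ""))
    # The order survives even when the header values are blanked or rewritten.
    header_order = [name for name, _ in headers]
    return findings, header_order


if __name__ == "__main__":
    found, order = fingerprint_signals(SAMPLE)
    for kind, name, value in found:
        print(f"{kind:7} {name}: {value}")
    print("header order:", " > ".join(order))
```

Each finding is something to remove or neutralise in the server or framework configuration; the returned header order shows what still remains visible after the values have been changed.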