Skip to content

Map Application architecture

OWASP Web Security Testing Guide 4.2 > 1. Information Gathering > 1.10. Map Application architecture

ID Link to Hackinglife Link to OWASP Objectives
1.10 WSTG-INFO-10 Map Application Architecture - Understand the architecture of the application and the technologies in use. - Identify application architecture whether on Application and Network components: Applicaton: Web server, CMS, PaaS, Serverless, Microservices, Static storage, Third party services/APIs , Network and Security: Reverse proxy, IPS, WAF
  • In a blind testing, start with the assumption that there is a simple setup (a single server.)
  • Then, question if there is a firewall protecting the web server.
  • Is it a stateful firewall or is it an access list filter on a router? Is it bypasseable?
  • See response headers and try to identify a typical firewall response header.
  • Reverse proxies might be in use, and configured as Intrusion Prevention System.
  • Application- level firewall might be in use.
  • Proxy-caches can be in use.
  • Is there a Load Balancer in place? F5 BIG-IP load balancers introduces some prefixed cookies.
  • Some application web servers include values in the response or rewrite URLS automatically to do session tracking.
Last update: 2023-12-25
Created: December 24, 2023 11:19:43