Fingerprint Web Application Framework
Check List
Methodology
HTTP Headers
Fetch HTTP headers from the target website to extract the X-Powered-By header, identifying backend technologies like PHP or ASP.NET, and noting version details for potential vulnerability research
Analyze the response headers to identify the X-Generator header, revealing CMS or framework details such as WordPress or Drupal, which can indicate specific vulnerabilities or misconfigurations
Inspect additional headers like Server, Content-Type, or Cache-Control to gather information about the web server software, version, and caching behavior, cross-referencing with known CVEs
Examine security headers such as X-Frame-Options, Strict-Transport-Security, or Content-Security-Policy to assess the target’s security posture and identify weak or missing configurations
Query a network intelligence platform to search for servers or response bodies indicating specific technologies like ASP.NET or Microsoft-IIS, narrowing down targets for platform-specific exploit testing
Use a web fingerprinting tool to identify the target’s CMS, frameworks, or plugins, collecting detailed technology stack information to prioritize vulnerability scanning
Document all header details, including X-Powered-By, X-Generator, and server versions, along with fingerprinting results, to create a comprehensive proof-of-concept for responsible disclosure
Assess the impact of exposed technologies or versions, such as outdated software or weak security headers, to prioritize reporting based on potential exploit severity
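The header steps above can be scripted once the raw response is captured. The block below is an added example (not part of the original checklist): it parses a `curl -s -I` dump, pulls product/version pairs out of Server, X-Powered-By and X-Generator, and audits the security headers named in the checklist, treating an HSTS header with max-age=0 as disabled and one under six months as short. The two sample responses are constructed from the page's own curl output and are not fetched from a live host.

```python
"""Fingerprint a server from raw HTTP response headers and audit its security
headers.  Added example; SAMPLE_A/SAMPLE_B are constructed from the curl output
shown on this page, not live responses."""
import re

SAMPLE_A = """HTTP/1.1 200 OK
Date: Sat, 19 Oct 2024 12:53:32 GMT
Server: Apache/2.4.54 (Debian)
X-Powered-By: PHP/7.4.33
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
"""

SAMPLE_B = """HTTP/2 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Generator: Wordpress
Server: cloudflare
"""

# Headers that reveal the technology stack (the fingerprinting targets).
TECH_HEADERS = ("server", "x-powered-by", "x-generator", "x-aspnet-version")
# Security headers whose absence or weak value lowers the site's posture.
SECURITY_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options")
# "Apache/2.4.54 (Debian)" -> ("Apache", "2.4.54")
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*?)/(\d+(?:\.\d+)+)")

def parse_headers(raw):
    """Return (status line, {lower-cased name: [values]}); a list per name
    because headers such as Set-Cookie legitimately repeat."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def fingerprint(raw):
    """Map each product named in a technology header to its version (None if
    the header gives no version, e.g. 'X-Generator: Wordpress')."""
    _, headers = parse_headers(raw)
    found = {}
    for name in TECH_HEADERS:
        for value in headers.get(name, []):
            pairs = VERSION_RE.findall(value)
            for product, version in pairs:
                found[product] = version
            if not pairs:
                found[value] = None
    return found

def audit_security_headers(raw):
    """List missing security headers and weak HSTS settings."""
    _, headers = parse_headers(raw)
    findings = []
    for name in SECURITY_HEADERS:
        if name not in headers:
            findings.append(f"missing: {name}")
            continue
        if name == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", headers[name][0], re.I)
            age = int(m.group(1)) if m else 0
            if age == 0:
                findings.append("weak: strict-transport-security max-age=0 disables HSTS")
            elif age < 15552000:  # six months
                findings.append(f"weak: strict-transport-security max-age={age} is under six months")
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_A, SAMPLE_B):
        print(fingerprint(sample), audit_security_headers(sample))
```

The version regex deliberately requires a dotted number after the slash, so a bare product name such as `cloudflare` is still recorded but with no version to research.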
Cookies
Fetch HTTP response headers from the target website to extract Set-Cookie headers, identifying session cookies and their attributes like name, path, domain, or security flags
Analyze the Set-Cookie header for specific session cookie names associated with known CMS or frameworks (e.g., CAKEPHP, laravel_session, wp-settings), indicating the underlying technology stack
Check cookie attributes such as Secure, HttpOnly, SameSite, and Expires to evaluate session management security, identifying risks like missing protections or overly permissive settings
Identify duplicate or redundant Set-Cookie headers (e.g., multiple CAKEPHP cookies) to detect misconfigurations that could lead to session fixation or cookie overwrites
Cross-reference session cookie names with a list of known CMS or framework identifiers (e.g., zope3, kohanasession, BITRIX_) to confirm the platform and research version-specific vulnerabilities
Test for session cookie persistence by sending requests with and without cookies, observing server behavior to detect improper session handling or authentication bypass opportunities
Document all Set-Cookie headers, including cookie names, values, attributes, and associated CMS/framework, to create a detailed proof-of-concept for responsible disclosure
Assess the impact of identified issues, such as weak session management, exposed CMS versions, or missing security flags, to prioritize reporting based on potential exploit severity
HTML Source Code
Fetch the target website’s HTML source code and search for specific JavaScript references (e.g., gtag.js) to identify third-party analytics scripts or tracking tools, noting associated IDs or keys
Extract HTML comments to uncover references to analytics platforms (e.g., Google Analytics, Site Kit), developer notes, or configuration details that may expose sensitive information
Inspect <meta> tags for generator attributes to identify CMS platforms like WordPress, Joomla, Drupal, or MediaWiki, along with version numbers, to pinpoint potential vulnerabilities
Search for CMS-specific markers in the HTML source, such as <body id="phpbb"> for phpBB or specific comments like <!-- START headerTags.cfm for Adobe ColdFusion, to confirm the technology stack
Identify framework-specific identifiers like __VIEWSTATE for ASP.NET or <!-- ZK for ZK Framework, revealing backend technologies for targeted vulnerability research
Look for proprietary platform markers, such as <!-- BC_OBNW --> for Business Catalyst or ndxz-studio for Indexhibit, to detect niche CMS or hosting solutions
Analyze comments for sensitive data, such as API keys, domain configurations, or internal references, that could lead to unauthorized access or information disclosure
Use a web technology identification tool to cross-reference findings, confirming CMS, frameworks, or libraries in use, and mapping them to known vulnerabilities
Document all findings, including script references, comment snippets, meta tags, and identified platforms, to create a comprehensive proof-of-concept for responsible disclosure
Assess the impact of exposed CMS versions, hardcoded keys, or misconfigured analytics scripts, prioritizing reporting based on potential exploit severity
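The source-code steps above amount to three checks on one document: the meta generator tag, HTML comments, and raw framework strings. The block below is an added example (not part of the original page): it runs those checks with Python's standard `html.parser`, using the generator names and the specific markers listed in the cheat sheet on this page. The sample HTML is constructed and deliberately mixes markers from several platforms so every code path is exercised; the analytics ID and the comment containing `api_key=` are placeholders.

```python
"""Detect CMS/framework markers in HTML source: meta generator tag, comments,
analytics IDs and framework-specific strings.  Added example; the marker list
is the one on this page and SAMPLE_HTML is constructed."""
import re
from html.parser import HTMLParser

SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 3.9.2" />
<!-- Google tag (gtag.js) snippet added by Site Kit -->
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE" async></script>
<!-- TODO: rotate api_key=EXAMPLE-KEY-NOT-REAL before launch -->
</head>
<body id="phpbb">
<input type="hidden" name="__VIEWSTATE" value="dDw..." />
</body></html>
"""

# Raw strings from the page's "Specific Markers" list, searched in the source as-is.
STRING_MARKERS = {
    "<!-- START headerTags.cfm": "Adobe ColdFusion",
    "__VIEWSTATE": "Microsoft ASP.NET",
    "<!-- ZK": "ZK",
    "<!-- BC_OBNW -->": "Business Catalyst",
    "ndxz-studio": "Indexhibit",
    'id="phpbb"': "phpBB",
    "DNN Platform - http://www.dnnsoftware.com": "DotNetNuke",
}
# Generator values from the page: "WordPress 3.9.2", "Drupal 7 (http://drupal.org)", ...
GENERATOR_RE = re.compile(r"^(WordPress|MediaWiki|Joomla!|Drupal)\s*([\d.]*)", re.I)
GTAG_RE = re.compile(r"gtag/js\?id=([\w-]+)")
# Comment content that should never ship: keys, secrets, tokens, passwords.
SECRET_RE = re.compile(r"(api[_-]?key|secret|token|password)\s*[=:]\s*\S+", re.I)

class SourceScanner(HTMLParser):
    """Collect the generator meta tag and every HTML comment."""
    def __init__(self):
        super().__init__()
        self.generator = None
        self.comments = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content", "")

    def handle_comment(self, data):
        self.comments.append(data.strip())

def fingerprint_html(html):
    scanner = SourceScanner()
    scanner.feed(html)
    findings = {"cms": None, "version": None, "markers": [],
                "analytics_ids": GTAG_RE.findall(html),
                "comments": scanner.comments, "sensitive_comments": []}
    if scanner.generator:
        m = GENERATOR_RE.match(scanner.generator)
        if m:
            findings["cms"] = m.group(1)
            findings["version"] = m.group(2) or None
    for marker, tech in STRING_MARKERS.items():
        if marker in html:
            findings["markers"].append(tech)
    findings["sensitive_comments"] = [c for c in scanner.comments if SECRET_RE.search(c)]
    return findings

if __name__ == "__main__":
    print(fingerprint_html(SAMPLE_HTML))
```

The string markers are matched against the raw source rather than the parsed tree because several of them (the ColdFusion and ZK comments, the Business Catalyst marker) are comment fragments that only exist in the raw text.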
Specific Files and Folders
Configure a proxy tool to intercept and map the target website's sitemap, identifying potential paths or endpoints for fuzzing like directories or file extensions that may expose sensitive resources
Select a specific domain or endpoint within the proxy tool's sitemap and send it to an automated fuzzing module to prepare for targeted directory or file enumeration
Mark variable positions in the target URL (e.g., directory name or file extension) to enable fuzzing, replacing placeholders with payloads to test for hidden or misconfigured resources
Integrate a comprehensive wordlist into the fuzzing module's payload settings, selecting lists containing common directory names, file extensions, or backup file patterns for thorough coverage
Launch the fuzzing attack to send multiple requests with varying payloads, monitoring responses for indicators like 200 OK, directory listings, or file downloads that reveal sensitive files
Analyze attack results to identify successful payloads, noting response codes, lengths, or content differences that indicate exposed configuration files, backups, or administrative interfaces
Follow up on discovered files or folders by accessing them manually to extract sensitive data such as credentials, database dumps, or internal documentation for impact assessment
Document all fuzzing results, including successful payloads, response details, and discovered resources, to create a detailed proof-of-concept for responsible disclosure
Assess the impact of exposed files or folders, such as information disclosure, unauthorized access, or chainable vulnerabilities, to prioritize reporting based on severity
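The analysis step above (reading response codes and lengths to separate real hits from noise) is where a fuzzing run is usually won or lost, because many servers answer 200 with the same catch-all page for every unknown path. The block below is an added example (not part of the original page and not a Burp feature): it takes constructed result rows in the shape (payload, status, length), discards 200 responses whose length equals the most common 200 length, and ranks what remains so backup, database and configuration files come first. It sends no requests.

```python
"""Triage directory/file fuzzing results: drop responses matching the server's
catch-all page (soft 404) and rank the rest for manual review.  Added example;
the result rows are constructed and the code sends no requests."""
from collections import Counter

# Constructed rows: (payload, HTTP status, response length).  The repeated
# 200/5120 rows stand for a catch-all page returned for any unknown path.
FUZZ_RESULTS = [
    ("admin/", 200, 5120),
    ("images/", 200, 5120),
    ("backup.zip", 200, 184320),
    ("config.php.bak", 200, 2210),
    ("dump.sql", 200, 40960),
    ("old/", 301, 0),
    ("test.php", 200, 5120),
    ("private/", 403, 299),
    ("missing.txt", 404, 0),
]

# Codes that mean "something is there", including redirects and access denials.
INTERESTING_STATUS = {200, 201, 204, 301, 302, 401, 403, 405}
# Suffixes from the page's wordlist choices that deserve the first look.
HOT_SUFFIXES = (".bak", ".old", ".zip", ".tar.gz", ".rar", ".sql", ".db",
                ".conf", ".ini", ".log")

def baseline_length(results):
    """Length of the most frequent 200 response, i.e. the catch-all page;
    None if no length repeats (the server sends real 404s)."""
    lengths = Counter(length for _, status, length in results if status == 200)
    if not lengths:
        return None
    length, count = lengths.most_common(1)[0]
    return length if count > 1 else None

def triage(results, tolerance=0):
    """Return the rows worth a manual look, hot file types first."""
    base = baseline_length(results)
    keep = []
    for payload, status, length in results:
        if status not in INTERESTING_STATUS:
            continue
        if base is not None and status == 200 and abs(length - base) <= tolerance:
            continue  # same body as the catch-all page: not a real hit
        keep.append((payload, status, length))

    def rank(row):
        payload, status, length = row
        hot = payload.lower().endswith(HOT_SUFFIXES)
        return (0 if hot else 1, status, -length)

    return sorted(keep, key=rank)

if __name__ == "__main__":
    for row in triage(FUZZ_RESULTS):
        print(row)
```

The `tolerance` parameter exists because catch-all pages often embed the requested path, so their length varies by a few bytes; a value around the longest payload length absorbs that variation.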
File Extensions
Use a web technology detection tool to analyze the target website's headers, scripts, and content, identifying file extensions associated with detected CMS, frameworks, or libraries like PHP, ASPX, or JSP
Query an online technology profiler by entering the target URL to extract details on server technologies, including supported file extensions and associated versions for vulnerability mapping
Run a web fingerprinting tool on the target to scan for CMS, plugins, and server software, noting file extensions like .php, .html, or .asp that indicate the platform's capabilities
Execute a directory brute-forcing tool with the target URL, filtering for successful responses (e.g., 200 OK) and targeting specific extensions like PHP, ASPX, or JSP to uncover hidden files or misconfigurations
Perform file extension enumeration using a comprehensive wordlist, testing for a wide range of formats including configuration files (.conf, .ini), backups (.bak, .zip), databases (.sql, .db), and archives (.tar.gz, .rar) to detect exposed sensitive resources
Analyze discovered files for platform indicators such as .php3-.php5 for PHP versions or .aspx for ASP.NET, cross-referencing with known vulnerabilities or misconfigurations
Validate enumerated extensions by accessing discovered files to check for content like configuration data, logs, or source code that may reveal internal details or credentials
Document all identified extensions, associated technologies, and accessible files, including response codes and content snippets, to create a detailed proof-of-concept for responsible disclosure
Assess the impact of exposed file extensions, such as information disclosure from config files or RCE from executable scripts, to prioritize reporting based on severity
Error Message
Fetch the target website’s response content and search for error-related keywords like “syntax error” to identify debugging messages or stack traces exposed in the HTML output
Analyze retrieved error messages, such as PHP parse errors or unexpected token errors, to extract details like file paths (e.g., /var/www/html/index.php) or line numbers that reveal server-side structure
Inspect error messages for specific technology indicators, such as PHP, MySQL, or Apache errors, to confirm the server’s software stack and cross-reference with known vulnerabilities
Test the target URL with malformed requests or invalid parameters to trigger additional error responses, uncovering further details about the application’s backend or configuration
Check for full path disclosures in error messages to map the server’s filesystem, identifying potential targets for local file inclusion (LFI) or directory traversal attacks
Document all error messages, including the triggering URL, error type, file paths, and line numbers, to create a comprehensive proof-of-concept for responsible disclosure
Assess the impact of exposed error messages, such as information disclosure, potential for chaining with other vulnerabilities, or server misconfiguration, to prioritize reporting based on severity
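The error-message steps above reduce to pattern matching over response bodies: PHP's "... in <path> on line <n>" format, absolute filesystem paths, and the fixed strings that open a stack trace. The block below is an added example (not part of the original page) that runs those patterns over constructed bodies; the first body mirrors the Parse error shown in the cheat sheet on this page, the ASP.NET body and its Windows path are invented placeholders.

```python
"""Scan HTTP response bodies for leaked debugging output: PHP errors with file
path and line number, absolute filesystem paths and stack-trace markers.
Added example; SAMPLE_BODIES are constructed (the first mirrors the Parse error
shown on this page)."""
import re

SAMPLE_BODIES = {
    "/index.php": "<br />\n<b>Parse error</b>:  syntax error, unexpected '$_SERVER' (T_VARIABLE) "
                  "in <b>/var/www/html/index.php</b> on line <b>5</b><br />",
    "/login.aspx": r"<h2>Server Error in '/' Application.</h2><pre>at WebApp.Login.Page_Load"
                   r"(Object sender, EventArgs e) in C:\inetpub\wwwroot\Login.aspx.cs:line 42</pre>",
    "/about": "<html><body><p>All fine here.</p></body></html>",
}

TAG_RE = re.compile(r"<[^>]+>")
# PHP's runtime error format: "<type>: <message> in <file> on line <n>"
PHP_ERROR_RE = re.compile(
    r"\b(Parse error|Fatal error|Warning|Notice|Deprecated):\s*(.+?) in (\S+) on line (\d+)")
# Windows drive paths and common Unix roots (full path disclosure).
PATH_RE = re.compile(r"""(?:[A-Za-z]:\\[^\s"'<>:]+|/(?:var|home|usr|etc|opt|srv)/[^\s"'<>:]+)""")
STACK_HINTS = ("Stack trace:", "Traceback (most recent call last)",
               "Server Error in '/' Application", "Exception in thread")

def scan_body(url, body):
    """Strip tags, then collect PHP errors, disclosed paths and stack-trace hints."""
    text = TAG_RE.sub("", body)
    errors = [{"type": t, "message": m, "path": p, "line": int(n)}
              for t, m, p, n in PHP_ERROR_RE.findall(text)]
    paths = list(dict.fromkeys(PATH_RE.findall(text)))  # de-duplicate, keep order
    stack = any(hint in text for hint in STACK_HINTS)
    return {"url": url, "errors": errors, "paths": paths, "stack_trace": stack}

def scan_all(bodies):
    """Return findings only for bodies that leak something."""
    return [f for f in (scan_body(u, b) for u, b in bodies.items())
            if f["errors"] or f["paths"] or f["stack_trace"]]

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_BODIES):
        print(finding)
```

Tags are stripped first because PHP wraps the error type, path and line number in `<b>` elements when html_errors is on, which would otherwise break the "in <file> on line <n>" match.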
Cheat Sheet
HTTP Headers
X-Powered-By
curl -s -I $WEBSITE | grep -i "X-Powered-By"
HTTP/1.1 200 OK
Date: Sat, 19 Oct 2024 12:53:32 GMT
Server: Apache/2.4.54 (Debian)
X-Powered-By: PHP/7.4.33
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 19 Nov 1991 08:55:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 20336
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
X-Generator
curl -s -I $WEBSITE | grep -i "X-Generator"
HTTP/2 200 OK
Date: Sun, 20 Oct 2024 19:44:37 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: public, max-age=2678400
Content-Language: en
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 17 Oct 2024 20:23:57 GMT
Link: <https://www.clubtexting.com/mass-texting-service>; rel="canonical", <https://www.clubtexting.com/node/2>; rel="shortlink"
Strict-Transport-Security: max-age=0
Traceparent: 00-17ff572e152af0e16aa14393ed1665c0-d07a1342ce2b0ab2-01
Vary: Cookie, Accept-Encoding
X-Content-Type-Options: nosniff
X-Debug-Info: eyJyZXRyaWVzIjowfQ==
X-Frame-Options: SAMEORIGIN
X-Generator: Wordpress
X-Platform-Cluster: dtrg7uteophra-main-bvxeaći
X-Platform-Processor: 7w2v5maie5xeye7eoz3s2122sa
X-Platform-Router: vpnpkzvsdhodouspycwfpqtbfu
CF-Cache-Status: HIT
Age: 256840
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n%2BuAuXK14P=iiu7C=tAY460JZghéRNpsdtyNz4zKvPZdQAB2xgUlKx4151BHwgzPf6kq9x04Xu0IyLqfpfkRuZLSLDNIOWUJ2YwrW8aIkprtCIhiXuZf%2BJa6XrteYB%2FUQ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-Ray: 8d5b80e93f87dca5-PRA
Server-Timing:
Alt-Svc: h3=":443"; ma=86400
services.http.response.body: "ASP.NET" OR services.http.response.headers.server: "Microsoft-IIS" OR services.microsoft_sqlserver
whatweb $WEBSITE
Cookies
Set-Cookie
curl -s -I $WEBSITE | grep -i "Set-Cookie:"
HTTP/1.1 200 OK
Date: Sun, 20 Oct 2024 19:38:17 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: CAKEPHP=jiflsfmsmeqhou0q38jbrlj380; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: CAKEPHP=jiflsfmsmeqhou0q38jbrlj380; path=/
Set-Cookie: CAKEPHP=jiflsfmsmeqhou0q38jbrlj380; path=/
Vary: Accept-Encoding
Content-Length: 52161
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Session Cookie Parameters
Framework        Session cookie name
Zope             zope3
CakePHP          cakephp
Kohana           kohanasession
Laravel          laravel_session
phpBB            phpbb3_
WordPress        wp-settings
1C-Bitrix        BITRIX_
AMPcms           AMP
Django CMS       django
DotNetNuke       DotNetNukeAnonymous
e107             e107_tz
EPiServer        EPiTrace, EPiServer
Graffiti CMS     graffitibot
Hotaru CMS       hotaru_mobile
ImpressCMS       ICMSession
Indico           MAKACSESSION
InstantCMS       InstantCMS[logdate]
Kentico CMS      CMSPreferredCulture
MODx             SN4[12symb]
TYPO3            fe_typo_user
Dynamicweb       Dynamicweb
LEPTON           lep[some_numeric_value]+sessionid
Wix              Domain=.wix.com
VIVVO            VivvoSessionId
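The cookie checks from the Methodology section (framework identification from the cookie name, Secure/HttpOnly/SameSite review, duplicate Set-Cookie detection) can be run over the curl output above with a few lines of Python. The block below is an added example, not part of the original page: its signature table is the one listed above, matched as a case-insensitive prefix of the cookie name (the pattern-style entries for MODx, LEPTON, AMPcms and the Wix domain check are left out because they are not plain prefixes), and the sample response is constructed from the CakePHP output shown on this page.

```python
"""Fingerprint the framework from Set-Cookie names and audit cookie flags.
Added example; COOKIE_SIGNATURES is taken from this page's table and SAMPLE is
constructed from the page's curl output."""

SAMPLE = """HTTP/1.1 200 OK
Date: Sun, 20 Oct 2024 19:38:17 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: CAKEPHP=jiflsfmsmeqhou0q38jbrlj380; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: CAKEPHP=jiflsfmsmeqhou0q38jbrlj380; path=/
Set-Cookie: CAKEPHP=jiflsfmsmeqhou0q38jbrlj380; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
"""

# Lower-cased cookie-name prefix -> framework, from the table on this page.
COOKIE_SIGNATURES = {
    "zope3": "Zope", "cakephp": "CakePHP", "kohanasession": "Kohana",
    "laravel_session": "Laravel", "phpbb3_": "phpBB", "wp-settings": "WordPress",
    "bitrix_": "1C-Bitrix", "django": "Django CMS",
    "dotnetnukeanonymous": "DotNetNuke", "e107_tz": "e107",
    "epitrace": "EPiServer", "episerver": "EPiServer",
    "graffitibot": "Graffiti CMS", "hotaru_mobile": "Hotaru CMS",
    "icmsession": "ImpressCMS", "makacsession": "Indico",
    "instantcms": "InstantCMS", "cmspreferredculture": "Kentico CMS",
    "fe_typo_user": "TYPO3", "dynamicweb": "Dynamicweb",
    "vivvosessionid": "VIVVO",
}
REQUIRED_FLAGS = ("secure", "httponly", "samesite")

def set_cookie_headers(raw):
    """Every Set-Cookie value in response order, duplicates preserved."""
    return [line.split(":", 1)[1].strip() for line in raw.splitlines()
            if line.lower().startswith("set-cookie:")]

def parse_cookie(header_value):
    """'NAME=value; attr; attr=val' -> (NAME, {attr_lower: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return name, attrs

def fingerprint_cookies(raw):
    """Map each cookie name to the framework its prefix identifies."""
    result = {}
    for value in set_cookie_headers(raw):
        name, _ = parse_cookie(value)
        for prefix, framework in COOKIE_SIGNATURES.items():
            if name.lower().startswith(prefix):
                result[name] = framework
                break
    return result

def audit_cookies(raw):
    """Report missing Secure/HttpOnly/SameSite and cookies set more than once."""
    findings, seen = [], {}
    for value in set_cookie_headers(raw):
        name, attrs = parse_cookie(value)
        seen[name] = seen.get(name, 0) + 1
        for flag in REQUIRED_FLAGS:
            finding = f"{name}: missing {flag}"
            if flag not in attrs and finding not in findings:
                findings.append(finding)
    for name, count in seen.items():
        if count > 1:
            findings.append(f"{name}: set {count} times in one response")
    return findings

if __name__ == "__main__":
    print(fingerprint_cookies(SAMPLE))
    print(audit_cookies(SAMPLE))
```

A cookie issued three times in one response, as in the sample, is the kind of misconfiguration the methodology flags: the last Set-Cookie wins in the browser, so any flag set on an earlier copy is silently lost.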
HTML Source Code
Comment
curl -s $WEBSITE | grep -o "gtag.js"
<!-- Google tag (gtag.js) snippet added by Site Kit -->
<!-- Google Analytics snippet added by Site Kit -->
<script src="https://www.googletagmanager.com/gtag/js?id=G-EVWGW1CZ2C6" id="google_gtagjs-js" async></script>
<script id="google_gtagjs-js-after">
window.dataLayer = window.dataLayer || [];
function gtag(){
dataLayer.push(arguments);
}
gtag('set', 'linker', {
"domains":["www.zkracing.com.my"]
});
</script>
HTML Source Code
WordPress
<meta name="generator" content="WordPress 3.9.2" />
phpBB
<body id="phpbb"
Mediawiki
<meta name="generator" content="MediaWiki 1.21.9" />
Joomla
<meta name="generator" content="Joomla! - Open Source Content Management" />
Drupal
<meta name="Generator" content="Drupal 7 (http://drupal.org)" />
DotNetNuke
DNN Platform - http://www.dnnsoftware.com
Specific Markers
Adobe ColdFusion
<!-- START headerTags.cfm
Microsoft ASP.NET
__VIEWSTATE
ZK
<!-- ZK
Business Catalyst
<!-- BC_OBNW -->
Indexhibit
ndxz-studio
Wappalyzer
Specific Files and Folders
BurpSuite
Burp Suite > Target > Right Click on One Domain > Send to Intruder > Intruder > Add Variable to Target Fuzzing > Payloads > Payloads Setting Add Wordlist > Start Attack
File Extensions
Wappalyzer
BuiltWith
whatweb $WEBSITE
feroxbuster --url $WEBSITE -s 200 -x php,aspx,jsp
dirsearch -u $WEBSITE \
-w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt \
-e php,cgi,htm,html,shtm,sql.gz,sql.zip,shtml,lock,js,jar,txt,bak,inc,smp,csv,cache,zip,old,conf,config,backup,log,pl,asp,aspx,jsp,sql,db,sqlite,mdb,wasl,tar.gz,tar.bz2,7z,rar,json,xml,yml,yaml,ini,java,py,rb,php3,php4,php5
Error Message
curl -s $WEBSITE | grep -i "syntax error"
Parse error: syntax error, unexpected '$_SERVER' (T_VARIABLE) in /var/www/html/index.php on line 5