Fingerprinting

Some websites hide or obfuscate which web server and backend components are in use, and that is where fingerprinting comes in handy. Suppose you are attempting remote code execution through a file upload but do not know which language the server will actually execute. Is the web server running on Linux or on Windows? Is the backend PHP, ASP.NET or Java? A PHP web shell uploaded to an ASP.NET application on IIS is served as a static file or rejected rather than executed, unless PHP happens to be installed there as well, so knowing the stack before you upload saves a lot of blind guessing.

Developers sometimes forget to rename the default session cookie when building an application, and the cookie name alone then gives away the backend. It is therefore recommended to change these defaults to hide which language or framework the application runs on. Common defaults:

Cookie Name           Backend
PHPSESSID             PHP
JSESSIONID            Java (J2EE / servlet containers)
CFID / CFTOKEN        ColdFusion
ASP.NET_SessionId     ASP.NET
session               Flask
ci_session            PHP - CodeIgniter
cpsession             cPanel

Header Positioning

Some developers and administrators are clever enough to remove the Server: nginx/1.2.3 header. How do we figure out the web server type when the Server header is gone? With luck, the server's default header ordering has been left alone, and we can take advantage of the fact that each web server emits its response headers in a characteristic order.

Depending on the order in which the headers appear in the response, we can potentially work out which web server the application is running on. Note that some applications add extra headers in between the ones shown below, for example Strict-Transport-Security, so compare the relative order of the common headers rather than expecting an exact match.

  • Example of Apache's header positions
HTTP/1.1 200 OK
Date
Server
Last-Modified
ETag
Accept-Ranges
Content-Length
Connection
Content-Type

Apache

HTTP/1.1 200 OK
Date: Thu, 05 Sep 2019 17:42:39 GMT
Server: Apache/2.4.41 (Unix)
Last-Modified: Thu, 05 Sep 2019 17:40:42 GMT
ETag: "75-591d1d21b6167"
Accept-Ranges: bytes
Content-Length: 117
Connection: close
Content-Type: text/html

Nginx

HTTP/1.1 200 OK
Server: nginx/1.17.3
Date: Thu, 05 Sep 2019 17:50:24 GMT
Content-Type: text/html
Content-Length: 117
Last-Modified: Thu, 05 Sep 2019 17:40:42 GMT
Connection: close
ETag: "5d71489a-75"
Accept-Ranges: bytes

Lighttpd

HTTP/1.0 200 OK
Content-Type: text/html
Accept-Ranges: bytes
ETag: "4192788355"
Last-Modified: Thu, 05 Sep 2019 17:40:42 GMT
Content-Length: 117
Connection: close
Date: Thu, 05 Sep 2019 17:57:57 GMT
Server: lighttpd/1.4.54

Microsoft IIS

Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
Date: Fri, 24 Sep 2021 08:48:36 GMT
Connection: close
Content-Length: 2808
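The two passive checks above (default session cookie names and header order) can be combined into a small offline fingerprinter. This is an added example, not code from the original page: the parser, the scoring function and the names fingerprint(), guess_server_by_header_order() and guess_backend_by_cookies() are my own constructions, and the header orders and cookie names they encode are copied from the sample responses and the cookie table on this page. The sample response is constructed: the page's Apache response with its Server header stripped, a Strict-Transport-Security header inserted and a PHPSESSID cookie added, which is exactly the case the text describes.

```python
"""Passive fingerprinting from a raw HTTP response: header order plus
default session cookie names (added example, not from the original page)."""

# Header orders copied from the page's sample responses (status line excluded).
HEADER_ORDER_PROFILES = {
    "Apache": ["Date", "Server", "Last-Modified", "ETag", "Accept-Ranges",
               "Content-Length", "Connection", "Content-Type"],
    "nginx": ["Server", "Date", "Content-Type", "Content-Length",
              "Last-Modified", "Connection", "ETag", "Accept-Ranges"],
    "lighttpd": ["Content-Type", "Accept-Ranges", "ETag", "Last-Modified",
                 "Content-Length", "Connection", "Date", "Server"],
    "Microsoft IIS": ["Cache-Control", "Content-Type", "Server", "Date",
                      "Connection", "Content-Length"],
}

# Default session cookie names from the page's table (lower-cased for matching).
SESSION_COOKIE_HINTS = {
    "phpsessid": "PHP", "jsessionid": "Java (J2EE servlet container)",
    "cfid": "ColdFusion", "cftoken": "ColdFusion",
    "asp.net_sessionid": "ASP.NET", "session": "Flask",
    "ci_session": "PHP - CodeIgniter", "cpsession": "cPanel",
}

# Constructed sample: the page's Apache response with the Server header
# removed, an HSTS header inserted and a default PHP session cookie added.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 05 Sep 2019 17:42:39 GMT\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Last-Modified: Thu, 05 Sep 2019 17:40:42 GMT\r\n"
    'ETag: "75-591d1d21b6167"\r\n'
    "Accept-Ranges: bytes\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly\r\n"
    "Content-Length: 117\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>\r\n"
)


def parse_response_headers(raw):
    """Split a raw response into (status_line, [(name, value), ...]),
    keeping the headers in wire order, which is the signal we score on."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    status = lines.pop(0) if lines and lines[0].startswith("HTTP/") else ""
    headers = []
    for ln in lines:
        if ":" not in ln:
            continue  # not a header line; skip rather than fail
        name, value = ln.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return status, headers


def _lcs_length(a, b):
    """Length of the longest common subsequence of two sequences."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def score_header_order(headers, profile):
    """Fraction of the profile's order preserved by the response. Extra
    headers (HSTS, Set-Cookie, ...) never lower the score; a header that is
    missing or out of place does."""
    observed = [name.lower() for name, _ in headers]
    expected = [name.lower() for name in profile]
    return _lcs_length(observed, expected) / len(expected)


def guess_server_by_header_order(headers):
    """Rank the known profiles, best match first, as (name, score) pairs."""
    ranked = sorted(((score_header_order(headers, p), name)
                     for name, p in HEADER_ORDER_PROFILES.items()), reverse=True)
    return [(name, round(score, 2)) for score, name in ranked]


def guess_backend_by_cookies(headers):
    """Match Set-Cookie names against the default session cookie table."""
    hints = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip().lower()
        if cookie_name in SESSION_COOKIE_HINTS:
            hints.append((cookie_name, SESSION_COOKIE_HINTS[cookie_name]))
    return hints


def fingerprint(raw_response):
    """Combine the signals: Server header (if any), header order, cookies."""
    _, headers = parse_response_headers(raw_response)
    server = next((v for n, v in headers if n.lower() == "server"), None)
    return {"server_header": server,
            "header_order_guess": guess_server_by_header_order(headers),
            "cookie_hints": guess_backend_by_cookies(headers)}


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

The score is a longest-common-subsequence ratio rather than an exact comparison, so headers inserted by the application or a proxy do not break the match; only headers that are missing or reordered lower it. Treat the result as a hint to confirm with other signals (error pages, default files, the cookie name), not as proof.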

HTTP Parameter Behaviour

Sending parameters more than once, or with unexpected values, and watching how the application resolves them is another way to learn about the backend: different frameworks handle duplicate parameters differently, which is the basis of HTTP parameter pollution.

See also the PwnFunction YouTube video on this topic.

What happens if you submit your user information but include one of the parameters twice? Which of the two values will the application evaluate in the backend?

Let's say the fname, lname and email parameters are used on a registration page. Press save and you will most likely see a POST request; we use a GET request here for convenience, the behaviour is the same.

  • Original Request:
example.com/?fname=Charlie&lname=Chaplin&email=charlie%40chaplin.com

You will now see the following information saved on your account details page:

  • Displayed on website:
Name:           Charlie
Last Name:      Chaplin
Email:          charlie@chaplin.com

What happens if you add a second fname parameter with a different value, e.g. fname=Oscar? When you look at your account details, will the application show Charlie (the first occurrence), Oscar (the last occurrence), or both, as Charlie, Oscar (all occurrences concatenated)?

  • Edited Request:
example.com/?fname=Charlie&fname=Oscar&lname=Chaplin&email=charlie%40chaplin.com
  • Displayed on website:
Name:           Charlie, Oscar
Last Name:      Chaplin
Email:          charlie@chaplin.com
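The probe above can be scripted: build the request with the duplicated parameter, then map whatever the application displays back to the parsing strategy that produced it. This is an added example, not code from the original page. build_hpp_url() reproduces the page's edited request; classify_duplicate_handling(), interpret_probe() and the PARSING_HINTS table are my own, and the hints record the commonly documented default of each framework named (first occurrence, last occurrence, or all occurrences concatenated), to be confirmed against other signals rather than taken as proof.

```python
"""HTTP parameter pollution probe: build the duplicated-parameter request
and classify how the backend resolved the duplicate (added example)."""
from urllib.parse import parse_qs, urlencode, urlparse

# Default handling of a repeated parameter per stack (documented defaults;
# treat as hints to confirm, not as proof).
PARSING_HINTS = {
    "first": ["Java servlets / Tomcat (getParameter)", "Flask (request.args.get)",
              "Go net/http (FormValue)"],
    "last": ["PHP on Apache ($_GET)", "Django (QueryDict.get)"],
    "concatenated": ["ASP / ASP.NET on IIS (Request.QueryString)",
                     "Express, if the req.query array is interpolated into the page"],
}

# Constructed walk-through data: the page's registration example.
ORIGINAL_PARAMS = [("fname", "Charlie"), ("lname", "Chaplin"),
                   ("email", "charlie@chaplin.com")]


def build_hpp_url(base_url, params, polluted_name, extra_value):
    """Re-emit `params` (ordered (name, value) pairs) with `polluted_name`
    sent a second time, right after the original, carrying `extra_value`."""
    pairs = []
    for name, value in params:
        pairs.append((name, value))
        if name == polluted_name:
            pairs.append((name, extra_value))
    return f"{base_url}?{urlencode(pairs)}"  # urlencode keeps pair order


def sent_values(url, name):
    """Every value sent for `name`, in order; parse_qs keeps all occurrences."""
    return parse_qs(urlparse(url).query).get(name, [])


def classify_duplicate_handling(values, displayed):
    """Map the value the application showed back to the strategy behind it."""
    shown = displayed.strip()
    if len(values) < 2 or values[0] == values[-1]:
        return "undetermined"  # identical or single values cannot distinguish
    if shown == values[0]:
        return "first"
    if shown == values[-1]:
        return "last"
    # "Charlie, Oscar" or "Charlie,Oscar": every occurrence joined by commas
    if [part.strip() for part in shown.split(",")] == values:
        return "concatenated"
    return "unknown"


def interpret_probe(url, name, displayed):
    """Return (strategy, framework hints) for what the page displayed."""
    strategy = classify_duplicate_handling(sent_values(url, name), displayed)
    return strategy, PARSING_HINTS.get(strategy, [])


if __name__ == "__main__":
    url = build_hpp_url("example.com/", ORIGINAL_PARAMS, "fname", "Oscar")
    print(url)
    for shown in ("Charlie", "Oscar", "Charlie, Oscar"):
        print(f"{shown!r:>18} -> {interpret_probe(url, 'fname', shown)}")
```

Run the same probe against a POST body as well as the query string, and against more than one parameter: front-end proxies and WAFs sometimes rewrite duplicates, so a single observation can reflect the proxy rather than the application.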

A result of Charlie, Oscar means the backend concatenated every occurrence, which is the default behaviour of ASP and ASP.NET on IIS. PHP on Apache keeps the last occurrence (Oscar), while Java servlet containers such as Tomcat return the first (Charlie). The following graph summarises this behaviour per framework:

Parameter Graph (figure: duplicate-parameter handling per framework)