
When I audit a service I come across the problem that I have to figure out what product a website is using, so that I can search for possible vulnerabilities afterwards.

What I do is look for server responses using a proxy like Burp, or take a look at the source code, but there are cases where I have skipped a technology because I didn't know its name was in the code, or maybe a certain product has a default login page or some features in the code that, if you don't have experience and haven't encountered them before, make it impossible to figure out what the product is.

How can I do that properly? How can I automate this task?

Benoit Esnard
aDoN
  • Possible duplicate of [How to find out what programming language a website is built in?](http://security.stackexchange.com/questions/117131/how-to-find-out-what-programming-language-a-website-is-built-in) – Benoit Esnard Mar 18 '16 at 11:57
  • Not sure that it's a duplicate - in this case, it appears (from reading between the lines) that the OP is looking for tools that would help with, say, detecting the use of a specific CMS or shopping cart system, rather than the underlying language. – Matthew Mar 18 '16 at 12:23
  • Exactly, I need, from a website, for example, to get the vendor, product and (if possible) version. For example, automatically get that the page is using a Drupal version X or a jQuery version X..... this is what I need – aDoN Mar 18 '16 at 12:48
  • I suggest you read up on "Wappalyzer" as answered in [How to find out what programming language a website is built in?](http://security.stackexchange.com/a/117164/63999) – LvB Mar 18 '16 at 13:16
  • While the question is not a duplicate, the answers are generally the same – schroeder Mar 18 '16 at 16:10
  • Wappalyzer is definitely a good option, that is the kind of tool I was looking for. It's only a very few times that it manages to obtain the version.... that'd have been cool, but at least it gets the product. – aDoN Mar 23 '16 at 09:50
  • Another tool that obtains technologies is OWASP ZAP, I am not sure if Wappalyzer is better in that matter though – aDoN Mar 23 '16 at 09:53

1 Answer

During the analysis of a host you have to distinguish between two different approaches: identification of products (e.g. Apache/IIS) and identification of technologies (e.g. PHP/ASP). The identification of these is similar in methodology but differs in technological details.

Many products announce themselves in welcome banners, about sections and help mechanisms. Using and browsing an application with open eyes allows such an enumeration.

Some applications/technologies have specific visual characteristics. For example, the HTML source of a popular CMS has a typical structure and uses recurring JS file names or CSS classes. Analysing these is called application fingerprinting.

There are some dedicated implementations for automated fingerprinting available, for example httprint and HTTPrecon for web servers and HTTP headers. There are other tools for other technologies too. Nmap provides the argument -sV to enable version detection for different services/protocols based on fingerprinting techniques. This works very well.

Check out the corresponding OWASP chapters for additional details and examples regarding web analysis.

Marc Ruef
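The answer's two sources of evidence (self-announcing headers, and recurring paths, file names and generator tags in the HTML source) can be turned into a small signature-driven check. The script below is an added example, not code from the question or answer; the signature table and the sample response it runs against are constructed for illustration, and it is the kind of check an owner would run against a staging copy of their own site to see which products and versions it discloses.

```python
import re

# Constructed sample response (not a real host): a typical CMS front page and its headers.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "X-Generator": "Drupal 7 (http://drupal.org)",
}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="Drupal 7 (http://drupal.org)" />
<script src="/sites/all/modules/jquery_update/replace/jquery/1.10/jquery.min.js?v=1.10.2"></script>
<link rel="stylesheet" href="/sites/default/files/css/css_xE-rWrJf.css" />
</head><body class="html front not-logged-in">...</body></html>"""

# Hypothetical signature table: (product, regex, where to look).  Any capturing
# group in the regex is an optional version; a pattern without groups only
# records that the product is present (e.g. a Drupal-specific path layout).
SIGNATURES = [
    ("Apache", r"Apache(?:/([\d.]+))?", "header:Server"),
    ("PHP", r"PHP(?:/([\d.]+))?", "header:X-Powered-By"),
    ("Drupal", r"Drupal(?:\s+([\d.]+))?", "header:X-Generator"),
    ("Drupal", r'name="generator"\s+content="Drupal(?:\s+([\d.]+))?', "html"),
    ("Drupal", r"/sites/(?:all|default)/", "html"),
    ("jQuery", r"jquery(?:[.-]([\d.]+))?(?:\.min)?\.js(?:\?v=([\d.]+))?", "html"),
]


def fingerprint(headers, html):
    """Return {product: {"version": str or None, "evidence": [source, ...]}}."""
    found = {}
    for product, pattern, where in SIGNATURES:
        text = html if where == "html" else headers.get(where.split(":", 1)[1], "")
        match = re.search(pattern, text, re.IGNORECASE)
        if not match:
            continue
        entry = found.setdefault(product, {"version": None, "evidence": []})
        entry["evidence"].append(where)  # keep every hint so a report can show why
        version = next((g for g in match.groups() if g), None)
        if version and entry["version"] is None:  # first concrete version wins
            entry["version"] = version
    return found


if __name__ == "__main__":
    for product, info in fingerprint(SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(f"{product:8} {info['version'] or '?':8} via {', '.join(info['evidence'])}")
```

Each product is reported with the evidence that matched, which is what you need when deciding which banner, header or generator tag to suppress; a product spotted only by path layout (no version group) shows up with version `?`, matching the commenters' experience that the version is often the hardest part to recover.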