• About
  • Services
    • Penetration Testing
    • Vulnerability Assessment
    • Phishing & Training
    • Strategy & Maturity
    • Information Assurance
    • Cyber Essentials
  • Resources
  • British Data Awards
  • Contact
  • Get a Quote
Menu
  • About
  • Services
    • Penetration Testing
    • Vulnerability Assessment
    • Phishing & Training
    • Strategy & Maturity
    • Information Assurance
    • Cyber Essentials
  • Resources
  • British Data Awards
  • Contact
  • Get a Quote
  • About
  • Services
    • Penetration Testing
    • Vulnerability Assessment
    • Phishing & Training
    • Strategy & Maturity
    • Information Assurance
    • Cyber Essentials
  • Resources
  • British Data Awards
  • Contact
  • Get a Quote
Menu
  • About
  • Services
    • Penetration Testing
    • Vulnerability Assessment
    • Phishing & Training
    • Strategy & Maturity
    • Information Assurance
    • Cyber Essentials
  • Resources
  • British Data Awards
  • Contact
  • Get a Quote
  • 20.11.2021
  • | Jason Johnson
  • Tags: Web Application Penetration Testing

Fingerprinting Web Application Technologies

When starting a web application penetration test, a fair bit of time is invested into mapping out the application and understanding its underlying technologies. Abraham Lincoln once famously said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe,” and it’s this same careful preparation that lays the foundation for a successful and thorough penetration test.

Technology fingerprinting is a key first step to properly understanding the functionality of the target system or application and will help guide the identification and exploitation of vulnerabilities. In this article we’re going to explore what web application technology fingerprinting is, why easily fingerprinted technologies can reduce an application’s security posture and what methods can be used to mitigate this.

 

What is Technology Fingerprinting?

Technology fingerprinting (in a web application context) is the process of identifying what technologies are present by analysing the application for common technology indicators. Technology fingerprinting is used by penetration testers and threat actors alike to identify utilised web application components and their software version. This information helps threat actors and penetration testers to discover software with known vulnerabilities and will steer their exploitation efforts.

Web application technologies can be fingerprinted through a number of indicators including:

  • HTTP response header names
  • HTTP response header order
  • HTML source code/metadata references
  • Cookie names and values
  • Error pages
  • Improperly handled error messages
  • Technology documentation (such as README files)
  • Leftover default server/framework pages

 

The most common indicators used by bots, threat actors and penetration testers to fingerprint web application technologies are shown below:

 

Analysing HTTP Response Headers

When a request is made to a web server, it will respond with the response body and the HTTP headers. Sometimes these headers can be overly verbose and contain information that expose not only the type and version of the server, but the framework as well. Even the order of the headers can give an indication of the server in use, since by default, servers may have differing selection and arrangement of headers in their response. The example below shows the HTTP response headers when a request is made to an Apache server utilising PHP.

 

 

 

Analysing HTML Source Code/Metadata

When examining the HTML source code of responses, software components and their versions can often be exposed in comments and metadata. For this reason, it’s often recommended that overly verbose metadata and comments are cleansed so they don’t appear in the server response. In the example below, a comment within the HTML exposes that the WordPress plugin ‘Yoast SEO’ is being used and that it’s running version 17.4.

 

 

 

Analysing Cookie Names

In a similar context to HTTP response headers, Cookie names and occasionally their value format can expose the server or framework used by the application. The JSESSIONID cookie set in the example below indicates that the server is utilising a J2EE framework.

 

 

 

Analysing Error Pages

Error pages are another simple way that the server or framework can be fingerprinted. Looking at the HTML of error pages for error codes such as 400, 401, 404, 500 and 503 can often provide insight into the technologies in use. The below example shows a 404 and 500 Error page for the server that give away that an IIS server utilising ASP.NET framework.

 

 

 

Identifying Default Server Pages

Searching for common default pages left over during the server or framework’s installation can expose what technologies are running and often their version. This often provides a simple way of understanding the technologies in use. In the basic example below, we find the default IIS 10.0 server’s default page has been left on the server.

 

 

 

Well-Known Automated Web Application Fingerprinting Tools

There are a number of automated tools that can be used for fingerprinting web application technologies, including:

  • Wappalyzer
  • BuiltWith
  • Netcraft
  • Nmap
  • Nikto

 

Arguably the two most effective tools , particularly for web application technology fingerprinting (Wappalyzer and BuiltWith) are previewed below:

 

Wappalyzer

Wappalyzer is a free browser plugin that fingerprints all types of application components including server types, frameworks, plugins, scripts and databases using a number of known technology indicators. It updates dynamically as you navigate through an application, picking up identified technologies and versions to give you a consolidated picture of how the application is built.

 

 

 

BuiltWith

BuiltWith is another free tool that allows you to passively fingerprint application technologies without even having to make a single request to the target site yourself. Simply provide the URL of the target application and BuiltWith will return information on the web stack and miscellaneous components.

 

 

 

Why is Technology Fingerprinting a Concern?

During a penetration test, technology fingerprinting is typically classed as a low-risk finding because it does not result in direct exploitation of the web application by itself. The danger posed by easily fingerprinted technologies arises where the component version exposed has a known vulnerability. This makes a vulnerable component that may have been easily overlooked by a threat actor easily identifiable and provides a clear vector for exploitation.

This danger is exacerbated by bots that scour the internet searching for components matching the versions of the latest 0-day vulnerabilities. An exposed component version that may not be affected by a known vulnerability today may be affected tomorrow, at which point that component becomes easily identifiable and low-hanging fruit for malicious individuals.

Component information for web applications can also be searchable on databases such as shodan.io, which is another easy way of searching for applications that have clearly exposed vulnerable component versions.

 

How Can We Combat Technology Fingerprinting?

A web application often has a large number of technology indicators, and it can often be functionally impossible to completely conceal all technologies in use. Even though attempting to conceal the existence of certain technologies may only slow down determined individuals, concealing the versions of the utilised technologies will reduce the risk that they will be searchable in databases such as Shodan.io or be found by bots.

Technology fingerprinting indicators should be cleansed wherever simple to do so. Some strategies to consider include:

  • Ensuring that any non-mandatory HTTP response headers are removed.
  • Ensuring that comments and metadata that give away technology versions are removed.
  • Ensuring that error messages are properly handled, and a generic response is provided.
  • Ensuring that versions are removed from technology documentation wherever possible.
  • Ensuring that default server/framework pages are removed where no longer needed.

 

Predatech is a cyber security consultancy that offers a range of services including CREST accredited penetration testing and Cyber Essentials/Cyber Essentials Plus assessments. What makes us different? We combine expert cyber security with great customer service and value for money. Please contact us if you’re interested in a free consultation.

Latest Posts

Securing Your Software Development Life Cycle

It’s been three decades since the advent of the World Wide Web and since then, web content has transformed from serving simple HTML files to…
  • Jason Johnson|
  • 22.04.2022|
READ MORE

British Data Awards 2022 Finalists Announced

With a record 158 entries submitted, competition to be named a Finalist in the British Data Awards 2022 proved to be especially tough. But today…
  • Michael Fotis|
  • 29.03.2022|
READ MORE

Cyber Essentials Plus: A Guide to Certification 2022

Cyber Essentials Plus certification is the highest accreditation offered by the government-backed Cyber Essentials Scheme which aims to help organisations implement the fundamental baseline cyber…
  • Jason Johnson|
  • 10.02.2022|
READ MORE

Securing Your Software Development Life Cycle

It’s been three decades since the advent of the World Wide Web and since then, web content has transformed from serving simple HTML files to…
  • Jason Johnson|
  • 22.04.2022|
READ MORE

British Data Awards 2022 Finalists Announced

With a record 158 entries submitted, competition to be named a Finalist in the British Data Awards 2022 proved to be especially tough. But today…
  • Michael Fotis|
  • 29.03.2022|
READ MORE

Cyber Essentials Plus: A Guide to Certification 2022

Cyber Essentials Plus certification is the highest accreditation offered by the government-backed Cyber Essentials Scheme which aims to help organisations implement the fundamental baseline cyber…
  • Jason Johnson|
  • 10.02.2022|
READ MORE
CREST Accredited

Predatech achieves CREST accredited member status

We’re delighted to announce that Predatech has successfully achieved CREST accredited member status. CREST is recognised globally as the cyber assurance body for the technical…
  • Michael Fotis|
  • 10.01.2022|
READ MORE
SEE ALL ARTICLES
Quick Links
  • About Us
  • Resources
  • British Data Awards
  • Contact
Services
  • Penetration Testing
  • Vulnerability Assessment
  • Phishing Simulation & Training
  • Strategy & Maturity
  • Information Assurance
  • Cyber Essentials

Contact

  • [email protected]
  • 0161 706 0720

© 2021 Predatech Limited

Privacy Policy
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. Find out more by reading our Privacy Policy.
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Non-necessary

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.

SAVE & ACCEPT
Get a Quote
  • *