After obtaining a list of subdomains, the next step involves identifying the frameworks and applications running on each subdomain. This information is crucial for understanding potential vulnerabilities.
Common applications, whether open source or commercial, are interesting for analysis due to their source code accessibility. Unlike in-house applications, testers can review both the application logic and implemented security controls. Some common applications include forums (e.g., phpBB, vBulletin), Content Management Systems (CMS) like Joomla or Drupal, Customer Relationship Management (CRM) systems, blogging platforms (e.g., WordPress, Movable Types), and social networking scripts.
Identifying the exact application and version is essential for finding publicly available exploits. Techniques include:
- Browsing the Website:
- Look at URLs, appearance, and logic of webpages.
- Search for the application's name in page content.
- Inspect web page source; the name and version might be in HTML comments or HTTP headers.
- Sending a GET Request:
-
Examine response headers for information.
-
Example (Joomla):
plaintextCopy codeRequest: GET / HTTP/1.1 Host: www.joomla.org User-Agent: Mozilla/5.0 (x11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.3 Response: HTTP/1.x 200 OK Content-Encoding: gzip Content-Type: text/html; charset=utf-8 Server: LiteSpeed Vary: Accept-Encoding X-Content-Encoded-By: Joomla! 2.5
Here, the server is running Joomla! 2.5.
-
- Footer Notifications:
-
Some applications require users to keep a footer notification for support and acknowledgment.
-
Example (vBulletin):
plaintextCopy codeCopyright © 2015 vBulletin Solutions. All Rights Reserved vBulletin® is a registered trademark of vBulletin Solutions.
-
- Source Code Examination:
-
Examine web page source code for information in META tags and HTML comments.
-
Example (WordPress):
htmlCopy code<meta name="generator" content="Wordpress 4.2-beta-31946" />
-
Common CMS platforms like Joomla, Drupal, and Mambo often have large support communities providing free add-ons, components, and extensions. These third-party add-ons can introduce vulnerabilities. Fingerprinting installed add-ons can involve examining website URLs, as these URLs typically consist of three main parts:
plaintextCopy codeindex.php?option=%component_name%&task=%task_value%
In Joomla, for example, the option
parameter in the URL reveals installed third-party add-ons. For instance:
plaintextCopy codeindex.php?option=com_docman&task=doc_view&gid=100
This URL indicates the use of the Docman
document manager component.
In the information-gathering process, it is crucial not only to list common applications in use but also to identify third-party add-ons, potentially useful for penetration testing tasks.