Web application security - the fast guide 1.1 | Page 70
Chapter 4 - Be the attacker
As shown in the above listing, the netcat tool connects to the localhost,
and information about the server is retrieved through the HEAD method.
Direct access to server banner information is not always that simple,
especially given the many precautions taken by system administrators, who
may even provide fake banner information. Another method to get this
information is to assess how the server reacts to special requests.
An example of this approach is using the PUT method to send an empty
request to the server. The following table shows the differences among
server reactions:
Server                 Response to empty PUT request
Sun One Web Server     401 Unauthorized
IIS 6.0                411 Length Required
Apache 2.0.x           405 Method not allowed
IIS 5.x                403 Forbidden
Sometimes details such as whether part of a header is capitalized, or
whether it is shown before other parts, can be used to determine the type
and version of the server.
For example, the (Content-Length) header in the (Sun One) web server is
capitalized, in contrast with what appears in the (IIS5) server.
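The checks described above can be run over saved responses. The following Python code is an added example, not part of the original guide: it reads a raw reply to an empty PUT request, compares the status code with the table above, and reports when the Server banner disagrees with the observed behaviour. The banner keywords and the two sample responses are assumptions constructed for illustration.

```python
# Added example. Status table is from the text; banner keywords and the
# sample responses are assumptions constructed for illustration.
PUT_REACTIONS = {
    401: ("Sun One Web Server", "sun-one"),
    411: ("IIS 6.0", "iis/6.0"),
    405: ("Apache 2.0.x", "apache/2.0"),
    403: ("IIS 5.x", "iis/5."),
}

def parse_response(raw: bytes):
    """Return (status, [(name, value)]) keeping header case and order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers.append((name, value.strip()))
    return status, headers

def fingerprint(raw: bytes):
    """Compare what the banner claims with how the server behaved."""
    status, headers = parse_response(raw)
    banner = next((v for n, v in headers if n.lower() == "server"), None)
    guess, keyword = PUT_REACTIONS.get(status, (None, None))
    contradicts = bool(banner and keyword and keyword not in banner.lower())
    return {
        "status": status,
        "banner": banner,
        "behaviour_guess": guess,
        # Exact spelling and order of header names are features as well.
        "header_names": [n for n, _ in headers],
        "banner_contradicts_behaviour": contradicts,
    }

# Constructed samples: replies to an empty PUT request.
MASKED = (b"HTTP/1.1 411 Length Required\r\nServer: Apache/2.0.52\r\n"
          b"Content-Type: text/html\r\nContent-Length: 0\r\n\r\n")
PLAIN = (b"HTTP/1.1 405 Method Not Allowed\r\nServer: Apache/2.0.52\r\n"
         b"Allow: GET,HEAD\r\n\r\n")

if __name__ == "__main__":
    for sample in (MASKED, PLAIN):
        print(fingerprint(sample))
```

A single status code is weak evidence on its own, so the result is reported as a guess; an administrator who has changed the banner can use the mismatch flag to see whether the server's behaviour still identifies it.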
Many tools have been developed to help identify the server type and
version by collecting the features of each type and version and creating a
sort of signature for each server. An example of such tools is
the httprint tool by Net Square.
The httprint fingerprinting engine uses statistical analysis, combined with
fuzzy logic techniques, to determine the type of HTTP server. It can be
used to both gather and analyze signatures generated from HTTP servers.
Another interesting tool is the SHODAN online search engine, which
provides the ability to search indexed information about the HTTP
responses of indexed servers.
4.7 Attack Mapping-Information about Intermediaries