https://wiki.owasp.org/api.php?action=feedcontributions&user=Emilio+Casbas&feedformat=atomOWASP - User contributions [en]2024-03-28T18:35:12ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Web-metadata&diff=155643Web-metadata2013-07-18T10:28:02Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of Metadata assessing'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
The information collected, plus input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38 Server HTTP header] metadata collected'''<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|-<br />
|Alterian-CME/X.X<br />
|Web server using [http://www.sdl.com/products/acm/ SDL ACM] <br />
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]<br />
|-<br />
|Tengine<br />
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based) <br />
|Need more information<br />
|-<br />
|eZ Publish<br />
|Web server using [http://ez.no/ EZ technology] <br />
|[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS]<br />
|-<br />
|GSE<br />
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger) <br />
|Need more information<br />
|-<br />
|gws<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages) <br />
|Need more information<br />
|-<br />
|sffe<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files) <br />
|Need more information<br />
|-<br />
|tfe<br />
|Web server using [http://www.twitter.com/ Twitter infrastructure] <br />
|Need more information<br />
|-<br />
|YTS<br />
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure] <br />
|Need more information<br />
|-<br />
|cloudflare-nginx<br />
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure] <br />
|Need more information<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://en.wikipedia.org/wiki/List_of_HTTP_header_fields Powered-by HTTP header] metadata collected (this header isn't an HTTP standard)'''<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|PHP/x.x<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.header-remove.php How to remove header]<br />
|-<br />
|ASP.NET<br />
|Web server using [http://www.asp.net/ Microsoft ASP technology]<br />
|[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers]<br />
|-<br />
|Servlet/X.X JSP/X.X<br />
|Web server using [http://tomcat.apache.org/ Tomcat application server]<br />
|[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation]<br />
|-<br />
|Plesklin<br />
|Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels technology]<br />
|[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable header]<br />
|-<br />
|(mod_rails/mod_rack)<br />
|Web server using [http://rubyonrails.org/ Ruby on Rails technology]<br />
|[http://en.wikipedia.org/wiki/Phusion_Passenger Phusion Passenger]<br />
|-<br />
|ARR/X.X<br />
|Web server using [http://www.iis.net/downloads/microsoft/application-request-routing IIS with request routing technology]<br />
|[http://blogs.iis.net/finbarryan/archive/2013/06/05/application-request-routing-and-server-headers-quot-x-powered-by-arr-2-5-quot.aspx More header information]<br />
|-<br />
|JSF/2.0<br />
|Web server using [http://www.oracle.com/technetwork/java/javaee/javaserverfaces-139869.html JavaServer Faces technology]<br />
|Need more info<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''HTML metadata collected which could allow [https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Fingerprinting fingerprinting] '''<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|moodle<br />
|Web server using [https://moodle.org/ Moodle] technology<br />
|[http://www.cvedetails.com/vendor/2105/Moodle.html Vulnerabilities stats]<br />
|-<br />
|x-cache-hits,x-timer,x-served-by, x-varnish, x-varnish-cache<br />
|Web server using [https://www.varnish-cache.org/ Varnish cache technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|MetaGenerator[Sitefinity<br />
|Web server using [http://www.sitefinity.com/ SiteFinity technology]<br />
|[http://www.sitefinity.com/documentation/documentationarticles/developers-guide/deep-dive/security Security based on ASP.NET model]<br />
|-<br />
|HTTPServer[BigIP / Cookies[BIGip<br />
|Web server using [http://www.f5.com/products/big-ip/ F5 technology]<br />
|Need more info<br />
|-<br />
|x-drupal-cache<br />
|Web server using [https://drupal.org/ Drupal technology]<br />
|[http://www.cvedetails.com/product/2387/Drupal-Drupal.html?vendor_id=1367 Vulnerabilities stats]<br />
|-<br />
|Cookies[PHPSESSID<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.session-start.php Session cookie]<br />
|-<br />
|Cookies[JSESSIONID<br />
|Web server using [http://en.wikipedia.org/wiki/JavaServer_Pages JSP technology]<br />
|[http://blog.whitehatsec.com/tag/jsessionid/#.UcxS4PnOuSp Session cookie]<br />
|-<br />
|Cookies[ASPSESSION<br />
|Web server using [http://www.asp.net/ ASP technology]<br />
|See ASP.NET in the Powered-by HTTP header section<br />
|-<br />
|x-server-name<br />
|Web server using [http://www-01.ibm.com/software/websphere/ Websphere technology]<br />
|[http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fac00477_.htm node HTTP headers]<br />
|-<br />
|access-control-allow-origin, access-control-allow-headers<br />
|Web server using [https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS HTTP access control (CORS)]<br />
|Need more info<br />
|-<br />
|MetaGenerator[Square One, Meta-Author[Jeremy<br />
|Web server using [https://github.com/square-one/square-one-cms Square One CMS (light version of Joomla)]<br />
|Looks like it is discontinued<br />
|-<br />
|MetaGenerator[LFC<br />
|Web server using [http://www.getlfs.com/ LFS technology]<br />
|CMS based on Python, Django and jQuery<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154873Web-metadata2013-07-02T16:32:55Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of Metadata assessing'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
The information collected, plus input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38 Server HTTP header] metadata collected'''<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|-<br />
|Alterian-CME/X.X<br />
|Web server using [http://www.sdl.com/products/acm/ SDL ACM] <br />
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]<br />
|-<br />
|Tengine<br />
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based) <br />
|Need more information<br />
|-<br />
|eZ Publish<br />
|Web server using [http://ez.no/ EZ technology] <br />
|[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS]<br />
|-<br />
|GSE<br />
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger) <br />
|Need more information<br />
|-<br />
|gws<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages) <br />
|Need more information<br />
|-<br />
|sffe<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files) <br />
|Need more information<br />
|-<br />
|tfe<br />
|Web server using [http://www.twitter.com/ Twitter infrastructure] <br />
|Need more information<br />
|-<br />
|YTS<br />
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure] <br />
|Need more information<br />
|-<br />
|cloudflare-nginx<br />
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure] <br />
|Need more information<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://en.wikipedia.org/wiki/List_of_HTTP_header_fields Powered-by HTTP header] metadata collected (this header isn't an HTTP standard)'''<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|PHP/x.x<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.header-remove.php How to remove header]<br />
|-<br />
|ASP.NET<br />
|Web server using [http://www.asp.net/ Microsoft ASP technology]<br />
|[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers]<br />
|-<br />
|Servlet/X.X JSP/X.X<br />
|Web server using [http://tomcat.apache.org/ Tomcat application server]<br />
|[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation]<br />
|-<br />
|Plesklin<br />
|Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels technology]<br />
|[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable header]<br />
|-<br />
|(mod_rails/mod_rack)<br />
|Web server using [http://rubyonrails.org/ Ruby on Rails technology]<br />
|[http://en.wikipedia.org/wiki/Phusion_Passenger Phusion Passenger]<br />
|-<br />
|ARR/X.X<br />
|Web server using [http://www.iis.net/downloads/microsoft/application-request-routing IIS with request routing technology]<br />
|[http://blogs.iis.net/finbarryan/archive/2013/06/05/application-request-routing-and-server-headers-quot-x-powered-by-arr-2-5-quot.aspx More header information]<br />
|-<br />
|JSF/2.0<br />
|Web server using [http://www.oracle.com/technetwork/java/javaee/javaserverfaces-139869.html JavaServer Faces technology]<br />
|Need more info<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''HTML metadata collected which could allow [https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Fingerprinting fingerprinting] '''<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|moodle<br />
|Web server using [https://moodle.org/ Moodle] technology<br />
|[http://www.cvedetails.com/vendor/2105/Moodle.html Vulnerabilities stats]<br />
|-<br />
|x-cache-hits,x-timer,x-served-by<br />
|Web server using [https://www.varnish-cache.org/ Varnish cache technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|MetaGenerator[Sitefinity<br />
|Web server using [http://www.sitefinity.com/ SiteFinity technology]<br />
|[http://www.sitefinity.com/documentation/documentationarticles/developers-guide/deep-dive/security Security based on ASP.NET model]<br />
|-<br />
|HTTPServer[BigIP / Cookies[BIGip<br />
|Web server using [http://www.f5.com/products/big-ip/ F5 technology]<br />
|Need more info<br />
|-<br />
|x-drupal-cache<br />
|Web server using [https://drupal.org/ Drupal technology]<br />
|[http://www.cvedetails.com/product/2387/Drupal-Drupal.html?vendor_id=1367 Vulnerabilities stats]<br />
|-<br />
|Cookies[PHPSESSID<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.session-start.php Session cookie]<br />
|-<br />
|Cookies[JSESSIONID<br />
|Web server using [http://en.wikipedia.org/wiki/JavaServer_Pages JSP technology]<br />
|[http://blog.whitehatsec.com/tag/jsessionid/#.UcxS4PnOuSp Session cookie]<br />
|-<br />
|Cookies[ASPSESSION<br />
|Web server using [http://www.asp.net/ ASP technology]<br />
|See ASP.NET in the Powered-by HTTP header section<br />
|-<br />
|x-server-name<br />
|Web server using [http://www-01.ibm.com/software/websphere/ Websphere technology]<br />
|[http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fac00477_.htm node HTTP headers]<br />
|-<br />
|access-control-allow-origin, access-control-allow-headers<br />
|Web server using [https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS HTTP access control (CORS)]<br />
|Need more info<br />
|-<br />
|MetaGenerator[Square One, Meta-Author[Jeremy<br />
|Web server using [https://github.com/square-one/square-one-cms Square One CMS (light version of Joomla)]<br />
|Looks like it is discontinued<br />
|-<br />
|MetaGenerator[LFC<br />
|Web server using [http://www.getlfs.com/ LFS technology]<br />
|CMS based on Python, Django and jQuery<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154846Web-metadata2013-07-02T11:47:37Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of Metadata assessing'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
The information collected, plus input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38 Server HTTP header] metadata collected'''<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|-<br />
|Alterian-CME/X.X<br />
|Web server using [http://www.sdl.com/products/acm/ SDL ACM] <br />
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]<br />
|-<br />
|Tengine<br />
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based) <br />
|Need more information<br />
|-<br />
|eZ Publish<br />
|Web server using [http://ez.no/ EZ technology] <br />
|[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS]<br />
|-<br />
|GSE<br />
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger) <br />
|Need more information<br />
|-<br />
|gws<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages) <br />
|Need more information<br />
|-<br />
|sffe<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files) <br />
|Need more information<br />
|-<br />
|tfe<br />
|Web server using [http://www.twitter.com/ Twitter infrastructure] <br />
|Need more information<br />
|-<br />
|YTS<br />
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure] <br />
|Need more information<br />
|-<br />
|cloudflare-nginx<br />
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure] <br />
|Need more information<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://en.wikipedia.org/wiki/List_of_HTTP_header_fields Powered-by HTTP header] metadata collected (this header isn't an HTTP standard)'''<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|PHP/x.x<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.header-remove.php How to remove header]<br />
|-<br />
|ASP.NET<br />
|Web server using [http://www.asp.net/ Microsoft ASP technology]<br />
|[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers]<br />
|-<br />
|Servlet/X.X JSP/X.X<br />
|Web server using [http://tomcat.apache.org/ Tomcat application server]<br />
|[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation]<br />
|-<br />
|Plesklin<br />
|Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels technology]<br />
|[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable header]<br />
|-<br />
|(mod_rails/mod_rack)<br />
|Web server using [http://rubyonrails.org/ Ruby on Rails technology]<br />
|[http://en.wikipedia.org/wiki/Phusion_Passenger Phusion Passenger]<br />
|-<br />
|ARR/X.X<br />
|Web server using [http://www.iis.net/downloads/microsoft/application-request-routing IIS with request routing technology]<br />
|[http://blogs.iis.net/finbarryan/archive/2013/06/05/application-request-routing-and-server-headers-quot-x-powered-by-arr-2-5-quot.aspx More header information]<br />
|-<br />
|JSF/2.0<br />
|Web server using [http://www.oracle.com/technetwork/java/javaee/javaserverfaces-139869.html JavaServer Faces technology]<br />
|Need more info<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''HTML metadata collected which could allow [https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Fingerprinting fingerprinting] '''<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|moodle<br />
|Web server using [https://moodle.org/ Moodle] technology<br />
|[http://www.cvedetails.com/vendor/2105/Moodle.html Vulnerabilities stats]<br />
|-<br />
|x-cache-hits,x-timer,x-served-by<br />
|Web server using [https://www.varnish-cache.org/ Varnish cache technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|MetaGenerator[Sitefinity<br />
|Web server using [http://www.sitefinity.com/ SiteFinity technology]<br />
|[http://www.sitefinity.com/documentation/documentationarticles/developers-guide/deep-dive/security Security based on ASP.NET model]<br />
|-<br />
|HTTPServer[BigIP / Cookies[BIGip<br />
|Web server using [http://www.f5.com/products/big-ip/ F5 technology]<br />
|Need more info<br />
|-<br />
|x-drupal-cache<br />
|Web server using [https://drupal.org/ Drupal technology]<br />
|[http://www.cvedetails.com/product/2387/Drupal-Drupal.html?vendor_id=1367 Vulnerabilities stats]<br />
|-<br />
|Cookies[PHPSESSID<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.session-start.php Session cookie]<br />
|-<br />
|Cookies[JSESSIONID<br />
|Web server using [http://en.wikipedia.org/wiki/JavaServer_Pages JSP technology]<br />
|[http://blog.whitehatsec.com/tag/jsessionid/#.UcxS4PnOuSp Session cookie]<br />
|-<br />
|Cookies[ASPSESSION<br />
|Web server using [http://www.asp.net/ ASP technology]<br />
|See ASP.NET in the Powered-by HTTP header section<br />
|-<br />
|x-server-name<br />
|Web server using [http://www-01.ibm.com/software/websphere/ Websphere technology]<br />
|[http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fac00477_.htm node HTTP headers]<br />
|-<br />
|access-control-allow-origin, access-control-allow-headers<br />
|Web server using [https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS HTTP access control (CORS)]<br />
|Need more info<br />
|-<br />
|MetaGenerator[Square One, Meta-Author[Jeremy<br />
|Web server using [https://github.com/square-one/square-one-cms Square One CMS (light version of Joomla)]<br />
|Looks like it is discontinued<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154845Web-metadata2013-07-02T11:43:13Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of metadata assessment'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
The information collected, plus further input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38 Server HTTP header] metadata collected'''<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|-<br />
|Alterian-CME/X.X<br />
|Web server using [http://www.sdl.com/products/acm/ SDL ACM] <br />
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]<br />
|-<br />
|Tengine<br />
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based) <br />
|Need more information<br />
|-<br />
|eZ Publish<br />
|Web server using [http://ez.no/ EZ technology] <br />
|[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS]<br />
|-<br />
|GSE<br />
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger) <br />
|Need more information<br />
|-<br />
|gws<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages) <br />
|Need more information<br />
|-<br />
|sffe<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files) <br />
|Need more information<br />
|-<br />
|tfe<br />
|Web server using [http://www.twitter.com/ Twitter infrastructure] <br />
|Need more information<br />
|-<br />
|YTS<br />
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure] <br />
|Need more information<br />
|-<br />
|cloudflare-nginx<br />
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure] <br />
|Need more information<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://en.wikipedia.org/wiki/List_of_HTTP_header_fields Powered-by HTTP header] metadata collected (this header isn't an HTTP standard)'''<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|PHP/x.x<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.header-remove.php How to remove header]<br />
|-<br />
|ASP.NET<br />
|Web server using [http://www.asp.net/ Microsoft ASP technology]<br />
|[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers]<br />
|-<br />
|Servlet/X.X JSP/X.X<br />
|Web server using [http://tomcat.apache.org/ Tomcat application server]<br />
|[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation]<br />
|-<br />
|Plesklin<br />
|Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels technology]<br />
|[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable header]<br />
|-<br />
|(mod_rails/mod_rack)<br />
|Web server using [http://rubyonrails.org/ Ruby on Rails technology]<br />
|[http://en.wikipedia.org/wiki/Phusion_Passenger Phusion Passenger]<br />
|-<br />
|ARR/X.X<br />
|Web server using [http://www.iis.net/downloads/microsoft/application-request-routing IIS with request routing technology]<br />
|[http://blogs.iis.net/finbarryan/archive/2013/06/05/application-request-routing-and-server-headers-quot-x-powered-by-arr-2-5-quot.aspx More header information]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''HTML metadata collected which could allow [https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Fingerprinting fingerprinting] '''<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|moodle<br />
|Web server using [https://moodle.org/ Moodle] technology<br />
|[http://www.cvedetails.com/vendor/2105/Moodle.html Vulnerabilities stats]<br />
|-<br />
|x-cache-hits,x-timer,x-served-by<br />
|Web server using [https://www.varnish-cache.org/ Varnish cache technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|MetaGenerator[Sitefinity<br />
|Web server using [http://www.sitefinity.com/ SiteFinity technology]<br />
|[http://www.sitefinity.com/documentation/documentationarticles/developers-guide/deep-dive/security Security based on ASP.NET model]<br />
|-<br />
|HTTPServer[BigIP / Cookies[BIGip<br />
|Web server using [http://www.f5.com/products/big-ip/ F5 technology]<br />
|Need more info<br />
|-<br />
|x-drupal-cache<br />
|Web server using [https://drupal.org/ Drupal technology]<br />
|[http://www.cvedetails.com/product/2387/Drupal-Drupal.html?vendor_id=1367 Vulnerabilities stats]<br />
|-<br />
|Cookies[PHPSESSID<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.session-start.php Session cookie]<br />
|-<br />
|Cookies[JSESSIONID<br />
|Web server using [http://en.wikipedia.org/wiki/JavaServer_Pages JSP technology]<br />
|[http://blog.whitehatsec.com/tag/jsessionid/#.UcxS4PnOuSp Session cookie]<br />
|-<br />
|Cookies[ASPSESSION<br />
|Web server using [http://www.asp.net/ ASP technology]<br />
|See ASP.NET in the Powered-by HTTP header section<br />
|-<br />
|x-server-name<br />
|Web server using [http://www-01.ibm.com/software/websphere/ Websphere technology]<br />
|[http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fac00477_.htm node HTTP headers]<br />
|-<br />
|access-control-allow-origin, access-control-allow-headers<br />
|Web server using [https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS HTTP access control (CORS)]<br />
|Need more info<br />
|-<br />
|MetaGenerator[Square One, Meta-Author[Jeremy<br />
|Web server using [https://github.com/square-one/square-one-cms Square One CMS (light version of Joomla)]<br />
|Looks like it is discontinued<br />
|}</div>
Emilio Casbas
https://wiki.owasp.org/index.php?title=Web-metadata&diff=154842
Web-metadata
2013-07-02T10:10:05Z
<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of metadata assessment'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
The information collected, plus further input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38 Server HTTP header] metadata collected'''<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|-<br />
|Alterian-CME/X.X<br />
|Web server using [http://www.sdl.com/products/acm/ SDL ACM] <br />
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]<br />
|-<br />
|Tengine<br />
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based) <br />
|Need more information<br />
|-<br />
|eZ Publish<br />
|Web server using [http://ez.no/ EZ technology] <br />
|[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS]<br />
|-<br />
|GSE<br />
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger) <br />
|Need more information<br />
|-<br />
|gws<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages) <br />
|Need more information<br />
|-<br />
|sffe<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files) <br />
|Need more information<br />
|-<br />
|tfe<br />
|Web server using [http://www.twitter.com/ Twitter infrastructure] <br />
|Need more information<br />
|-<br />
|YTS<br />
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure] <br />
|Need more information<br />
|-<br />
|cloudflare-nginx<br />
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure] <br />
|Need more information<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://en.wikipedia.org/wiki/List_of_HTTP_header_fields Powered-by HTTP header] metadata collected (this header isn't an HTTP standard)'''<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|PHP/x.x<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.header-remove.php How to remove header]<br />
|-<br />
|ASP.NET<br />
|Web server using [http://www.asp.net/ Microsoft ASP technology]<br />
|[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers]<br />
|-<br />
|Servlet/X.X JSP/X.X<br />
|Web server using [http://tomcat.apache.org/ Tomcat application server]<br />
|[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation]<br />
|-<br />
|Plesklin<br />
|Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels technology]<br />
|[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable header]<br />
|-<br />
|(mod_rails/mod_rack)<br />
|Web server using [http://rubyonrails.org/ Ruby on Rails technology]<br />
|[http://en.wikipedia.org/wiki/Phusion_Passenger Phusion Passenger]<br />
|-<br />
|ARR/X.X<br />
|Web server using [http://www.iis.net/downloads/microsoft/application-request-routing IIS with request routing technology]<br />
|[http://blogs.iis.net/finbarryan/archive/2013/06/05/application-request-routing-and-server-headers-quot-x-powered-by-arr-2-5-quot.aspx More header information]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''HTML metadata collected which could allow [https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Fingerprinting fingerprinting] '''<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|moodle<br />
|Web server using [https://moodle.org/ Moodle] technology<br />
|[http://www.cvedetails.com/vendor/2105/Moodle.html Vulnerabilities stats]<br />
|-<br />
|x-cache-hits,x-timer,x-served-by<br />
|Web server using [https://www.varnish-cache.org/ Varnish cache technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|MetaGenerator[Sitefinity<br />
|Web server using [http://www.sitefinity.com/ SiteFinity technology]<br />
|[http://www.sitefinity.com/documentation/documentationarticles/developers-guide/deep-dive/security Security based on ASP.NET model]<br />
|-<br />
|HTTPServer[BigIP / Cookies[BIGip<br />
|Web server using [http://www.f5.com/products/big-ip/ F5 technology]<br />
|Need more info<br />
|-<br />
|x-drupal-cache<br />
|Web server using [https://drupal.org/ Drupal technology]<br />
|[http://www.cvedetails.com/product/2387/Drupal-Drupal.html?vendor_id=1367 Vulnerabilities stats]<br />
|-<br />
|Cookies[PHPSESSID<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.session-start.php Session cookie]<br />
|-<br />
|Cookies[JSESSIONID<br />
|Web server using [http://en.wikipedia.org/wiki/JavaServer_Pages JSP technology]<br />
|[http://blog.whitehatsec.com/tag/jsessionid/#.UcxS4PnOuSp Session cookie]<br />
|-<br />
|x-server-name<br />
|Web server using [http://www-01.ibm.com/software/websphere/ Websphere technology]<br />
|[http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fac00477_.htm node HTTP headers]<br />
|-<br />
|access-control-allow-origin, access-control-allow-headers<br />
|Web server using [https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS HTTP access control (CORS)]<br />
|Need more info<br />
|-<br />
|MetaGenerator[Square One, Meta-Author[Jeremy<br />
|Web server using [https://github.com/square-one/square-one-cms Square One CMS (light version of Joomla)]<br />
|Looks like it is discontinued<br />
|}</div>
Emilio Casbas
https://wiki.owasp.org/index.php?title=Web-metadata&diff=154816
Web-metadata
2013-07-01T20:40:29Z
<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of metadata assessment'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
The information collected, plus further input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38 Server HTTP header] metadata collected'''<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|-<br />
|Alterian-CME/X.X<br />
|Web server using [http://www.sdl.com/products/acm/ SDL ACM] <br />
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]<br />
|-<br />
|Tengine<br />
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based) <br />
|Need more information<br />
|-<br />
|eZ Publish<br />
|Web server using [http://ez.no/ EZ technology] <br />
|[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS]<br />
|-<br />
|GSE<br />
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger) <br />
|Need more information<br />
|-<br />
|gws<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages) <br />
|Need more information<br />
|-<br />
|sffe<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files) <br />
|Need more information<br />
|-<br />
|tfe<br />
|Web server using [http://www.twitter.com/ Twitter infrastructure] <br />
|Need more information<br />
|-<br />
|YTS<br />
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure] <br />
|Need more information<br />
|-<br />
|cloudflare-nginx<br />
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure] <br />
|Need more information<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://en.wikipedia.org/wiki/List_of_HTTP_header_fields Powered-by HTTP header] metadata collected (this header isn't an HTTP standard)'''<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|PHP/x.x<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.header-remove.php How to remove header]<br />
|-<br />
|ASP.NET<br />
|Web server using [http://www.asp.net/ Microsoft ASP technology]<br />
|[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers]<br />
|-<br />
|Servlet/X.X JSP/X.X<br />
|Web server using [http://tomcat.apache.org/ Tomcat application server]<br />
|[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation]<br />
|-<br />
|Plesklin<br />
|Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels technology]<br />
|[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable header]<br />
|-<br />
|(mod_rails/mod_rack)<br />
|Web server using [http://rubyonrails.org/ Ruby on Rails technology]<br />
|[http://en.wikipedia.org/wiki/Phusion_Passenger Phusion Passenger]<br />
|-<br />
|ARR/X.X<br />
|Web server using [http://www.iis.net/downloads/microsoft/application-request-routing IIS with request routing technology]<br />
|[http://blogs.iis.net/finbarryan/archive/2013/06/05/application-request-routing-and-server-headers-quot-x-powered-by-arr-2-5-quot.aspx More header information]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''HTML metadata collected which could allow [https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Fingerprinting fingerprinting] '''<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|moodle<br />
|Web server using [https://moodle.org/ Moodle] technology<br />
|[http://www.cvedetails.com/vendor/2105/Moodle.html Vulnerabilities stats]<br />
|-<br />
|x-cache-hits,x-timer,x-served-by<br />
|Web server using [https://www.varnish-cache.org/ Varnish cache technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|MetaGenerator[Sitefinity<br />
|Web server using [http://www.sitefinity.com/ SiteFinity technology]<br />
|[http://www.sitefinity.com/documentation/documentationarticles/developers-guide/deep-dive/security Security based on ASP.NET model]<br />
|-<br />
|HTTPServer[BigIP / Cookies[BIGip<br />
|Web server using [http://www.f5.com/products/big-ip/ F5 technology]<br />
|Need more info<br />
|-<br />
|x-drupal-cache<br />
|Web server using [https://drupal.org/ Drupal technology]<br />
|[http://www.cvedetails.com/product/2387/Drupal-Drupal.html?vendor_id=1367 Vulnerabilities stats]<br />
|-<br />
|Cookies[PHPSESSID<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.session-start.php Session cookie]<br />
|-<br />
|Cookies[JSESSIONID<br />
|Web server using [http://en.wikipedia.org/wiki/JavaServer_Pages JSP technology]<br />
|[http://blog.whitehatsec.com/tag/jsessionid/#.UcxS4PnOuSp Session cookie]<br />
|-<br />
|x-server-name<br />
|Web server using [http://www-01.ibm.com/software/websphere/ Websphere technology]<br />
|[http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fac00477_.htm node HTTP headers]<br />
|-<br />
|access-control-allow-origin, access-control-allow-headers<br />
|Web server using [https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS HTTP access control (CORS)]<br />
|Need more info<br />
|}</div>
Emilio Casbas
https://wiki.owasp.org/index.php?title=Web-metadata&diff=154815
Web-metadata
2013-07-01T20:39:58Z
<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of metadata assessment'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
The information collected, plus further input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38 Server HTTP header] metadata collected'''<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|-<br />
|Alterian-CME/X.X<br />
|Web server using [http://www.sdl.com/products/acm/ SDL ACM] <br />
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]<br />
|-<br />
|Tengine<br />
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based) <br />
|Need more information<br />
|-<br />
|eZ Publish<br />
|Web server using [http://ez.no/ EZ technology] <br />
|[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS]<br />
|-<br />
|GSE<br />
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger) <br />
|Need more information<br />
|-<br />
|gws<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages) <br />
|Need more information<br />
|-<br />
|sffe<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files) <br />
|Need more information<br />
|-<br />
|tfe<br />
|Web server using [http://www.twitter.com/ Twitter infrastructure] <br />
|Need more information<br />
|-<br />
|YTS<br />
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure] <br />
|Need more information<br />
|-<br />
|cloudflare-nginx<br />
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure] <br />
|Need more information<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://en.wikipedia.org/wiki/List_of_HTTP_header_fields Powered-by HTTP header] metadata collected (this header isn't an HTTP standard)'''<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|PHP/x.x<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.header-remove.php How to remove header]<br />
|-<br />
|ASP.NET<br />
|Web server using [http://www.asp.net/ Microsoft ASP technology]<br />
|[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers]<br />
|-<br />
|Servlet/X.X JSP/X.X<br />
|Web server using [http://tomcat.apache.org/ Tomcat application server]<br />
|[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation]<br />
|-<br />
|Plesklin<br />
|Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels technology]<br />
|[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable header]<br />
|-<br />
|(mod_rails/mod_rack)<br />
|Web server using [http://rubyonrails.org/ Ruby on Rails technology]<br />
|[http://en.wikipedia.org/wiki/Phusion_Passenger Phusion Passenger]<br />
|-<br />
|ARR/X.X<br />
|Web server using [http://www.iis.net/downloads/microsoft/application-request-routing IIS with request routing technology]<br />
|[http://blogs.iis.net/finbarryan/archive/2013/06/05/application-request-routing-and-server-headers-quot-x-powered-by-arr-2-5-quot.aspx More header information]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''HTML metadata collected which could allow [https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Fingerprinting fingerprinting] '''<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|moodle<br />
|Web server using [https://moodle.org/ Moodle] technology<br />
|[http://www.cvedetails.com/vendor/2105/Moodle.html Vulnerabilities stats]<br />
|-<br />
|x-cache-hits,x-timer,x-served-by<br />
|Web server using [https://www.varnish-cache.org/ Varnish cache technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|MetaGenerator[Sitefinity<br />
|Web server using [http://www.sitefinity.com/ SiteFinity technology]<br />
|[http://www.sitefinity.com/documentation/documentationarticles/developers-guide/deep-dive/security Security based on ASP.NET model]<br />
|-<br />
|HTTPServer[BigIP / Cookies[BIGip<br />
|Web server using [http://www.f5.com/products/big-ip/ F5 technology]<br />
|Need more info<br />
|-<br />
|x-drupal-cache<br />
|Web server using [https://drupal.org/ Drupal technology]<br />
|[http://www.cvedetails.com/product/2387/Drupal-Drupal.html?vendor_id=1367 Vulnerabilities stats]<br />
|-<br />
|Cookies[PHPSESSID<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.session-start.php Session cookie]<br />
|-<br />
|Cookies[JSESSIONID<br />
|Web server using [http://en.wikipedia.org/wiki/JavaServer_Pages JSP technology]<br />
|[http://blog.whitehatsec.com/tag/jsessionid/#.UcxS4PnOuSp Session cookie]<br />
|-<br />
|x-server-name<br />
|Web server using [http://www-01.ibm.com/software/websphere/ Websphere technology]<br />
|[http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fac00477_.htm node HTTP headers]<br />
|-<br />
|access-control-allow-origin, access-control-allow-headers<br />
|Web server using [https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS HTTP access control (CORS)]<br />
|Need more info<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Testing_for_Web_Application_Fingerprint_(OWASP-IG-004)&diff=154556Testing for Web Application Fingerprint (OWASP-IG-004)2013-06-27T14:49:41Z<p>Emilio Casbas: </p>
<hr />
<div>{{Template:OWASP Testing Guide v4}}<br />
<br />
== Brief Summary ==<br />
Web server fingerprinting is a critical task for the penetration tester. Knowing the version and type of a running web server allows testers to determine known vulnerabilities and the appropriate exploits to use during testing.<br />
<br />
== Description of the Issue ==<br />
There are several different vendors and versions of web servers on the market today. Knowing the type of web server that you are testing significantly helps in the testing process, and will also change the course of the test. This information can be derived by sending the web server specific commands and analyzing the output, as each version of web server software may respond differently to these commands. By knowing how each type of web server responds to specific commands and keeping this information in a web server fingerprint database, a penetration tester can send these commands to the web server, analyze the response, and compare it to the database of known signatures. Please note that it usually takes several different commands to accurately identify the web server, as different versions may react similarly to the same command. Rarely, however, different versions react the same to all HTTP commands. So, by sending several different commands, you increase the accuracy of your guess.<br />
<br />
== Black Box testing and example ==<br />
The simplest and most basic form of identifying a Web server is to look at the Server field in the HTTP response header. For our experiments we use netcat. <br />
Consider the following HTTP Request-Response: <br />
<pre><br />
$ nc 202.41.76.251 80<br />
HEAD / HTTP/1.0<br />
<br />
HTTP/1.1 200 OK<br />
Date: Mon, 16 Jun 2003 02:53:29 GMT<br />
Server: Apache/1.3.3 (Unix) (Red Hat/Linux)<br />
Last-Modified: Wed, 07 Oct 1998 11:18:14 GMT<br />
ETag: "1813-49b-361b4df6"<br />
Accept-Ranges: bytes<br />
Content-Length: 1179<br />
Connection: close<br />
Content-Type: text/html<br />
</pre><br />
<br />
From the ''Server'' field, we understand that the server is likely Apache, version 1.3.3, running on a Linux operating system.<br />
<br />
Four examples of the HTTP response headers are shown below.<br />
<br />
From an '''Apache 1.3.23''' server: <br />
<pre><br />
HTTP/1.1 200 OK <br />
Date: Sun, 15 Jun 2003 17:10:49 GMT <br />
Server: Apache/1.3.23 <br />
Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT <br />
ETag: 32417-c4-3e5d8a83 <br />
Accept-Ranges: bytes <br />
Content-Length: 196 <br />
Connection: close <br />
Content-Type: text/HTML <br />
</pre><br />
<br />
From a '''Microsoft IIS 5.0''' server:<br />
<pre><br />
HTTP/1.1 200 OK <br />
Server: Microsoft-IIS/5.0 <br />
Expires: Tue, 17 Jun 2003 01:41:33 GMT <br />
Date: Mon, 16 Jun 2003 01:41:33 GMT <br />
Content-Type: text/HTML <br />
Accept-Ranges: bytes <br />
Last-Modified: Wed, 28 May 2003 15:32:21 GMT <br />
ETag: b0aac0542e25c31:89d <br />
Content-Length: 7369 <br />
</pre><br />
<br />
From a '''Netscape Enterprise 4.1''' server: <br />
<pre><br />
HTTP/1.1 200 OK <br />
Server: Netscape-Enterprise/4.1 <br />
Date: Mon, 16 Jun 2003 06:19:04 GMT <br />
Content-type: text/HTML <br />
Last-modified: Wed, 31 Jul 2002 15:37:56 GMT <br />
Content-length: 57 <br />
Accept-ranges: bytes <br />
Connection: close <br />
</pre><br />
<br />
From a '''SunONE 6.1''' server:<br />
<pre><br />
HTTP/1.1 200 OK<br />
Server: Sun-ONE-Web-Server/6.1<br />
Date: Tue, 16 Jan 2007 14:53:45 GMT<br />
Content-length: 1186<br />
Content-type: text/html<br />
Date: Tue, 16 Jan 2007 14:50:31 GMT<br />
Last-Modified: Wed, 10 Jan 2007 09:58:26 GMT<br />
Accept-Ranges: bytes<br />
Connection: close<br />
</pre><br />
However, this testing methodology is not very reliable. There are several techniques that allow a web site to obfuscate or to modify the server banner string.<br />
For example we could obtain the following answer:<br />
<pre><br />
HTTP/1.1 403 Forbidden <br />
Date: Mon, 16 Jun 2003 02:41:27 GMT <br />
Server: Unknown-Webserver/1.0 <br />
Connection: close <br />
Content-Type: text/HTML; charset=iso-8859-1 <br />
</pre><br />
<br />
In this case, the server field of that response is obfuscated: we cannot know what type of web server is running.<br />
<br />
=== Protocol behaviour ===<br />
More refined techniques take into consideration various characteristics of the several web servers available on the market. We will list some methodologies that allow us to deduce the type of web server in use.<br />
<br />
'''HTTP header field ordering'''<br />
<br />
The first method consists of observing the ordering of the several headers in the response. Every web server has its own internal ordering of the headers. We consider the following answers as an example:<br />
<br />
Response from '''Apache 1.3.23''' <br />
<pre><br />
$ nc apache.example.com 80 <br />
HEAD / HTTP/1.0 <br />
<br />
HTTP/1.1 200 OK <br />
Date: Sun, 15 Jun 2003 17:10:49 GMT <br />
Server: Apache/1.3.23 <br />
Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT <br />
ETag: 32417-c4-3e5d8a83 <br />
Accept-Ranges: bytes <br />
Content-Length: 196 <br />
Connection: close <br />
Content-Type: text/HTML <br />
</pre><br />
Response from '''IIS 5.0''' <br />
<pre><br />
$ nc iis.example.com 80 <br />
HEAD / HTTP/1.0 <br />
<br />
HTTP/1.1 200 OK <br />
Server: Microsoft-IIS/5.0 <br />
Content-Location: http://iis.example.com/Default.htm <br />
Date: Fri, 01 Jan 1999 20:13:52 GMT <br />
Content-Type: text/HTML <br />
Accept-Ranges: bytes <br />
Last-Modified: Fri, 01 Jan 1999 20:13:52 GMT <br />
ETag: W/e0d362a4c335be1:ae1 <br />
Content-Length: 133 <br />
</pre><br />
Response from '''Netscape Enterprise 4.1''' <br />
<pre><br />
$ nc netscape.example.com 80 <br />
HEAD / HTTP/1.0 <br />
<br />
HTTP/1.1 200 OK <br />
Server: Netscape-Enterprise/4.1 <br />
Date: Mon, 16 Jun 2003 06:01: 40 GMT <br />
Content-type: text/HTML <br />
Last-modified: Wed, 31 Jul 2002 15:37: 56 GMT <br />
Content-length: 57 <br />
Accept-ranges: bytes <br />
Connection: close <br />
</pre><br />
Response from a '''SunONE 6.1'''<br />
<pre><br />
$ nc sunone.example.com 80 <br />
HEAD / HTTP/1.0<br />
<br />
HTTP/1.1 200 OK<br />
Server: Sun-ONE-Web-Server/6.1<br />
Date: Tue, 16 Jan 2007 15:23:37 GMT<br />
Content-length: 0<br />
Content-type: text/html<br />
Date: Tue, 16 Jan 2007 15:20:26 GMT<br />
Last-Modified: Wed, 10 Jan 2007 09:58:26 GMT<br />
Connection: close<br />
</pre><br />
We can notice that the ordering of the ''Date'' field and the ''Server'' field differs between Apache, Netscape Enterprise, and IIS.<br />
<br />
'''Malformed requests test''' <br />
<br />
Another useful test to execute involves sending malformed requests or requests of nonexistent pages to the server.<br />
Consider the following HTTP responses. <br />
<br />
Response from '''Apache 1.3.23'''<br />
<pre><br />
$ nc apache.example.com 80 <br />
GET / HTTP/3.0 <br />
<br />
HTTP/1.1 400 Bad Request <br />
Date: Sun, 15 Jun 2003 17:12: 37 GMT <br />
Server: Apache/1.3.23 <br />
Connection: close <br />
Transfer: chunked <br />
Content-Type: text/HTML; charset=iso-8859-1 <br />
</pre><br />
Response from '''IIS 5.0''' <br />
<pre><br />
$ nc iis.example.com 80 <br />
GET / HTTP/3.0 <br />
<br />
HTTP/1.1 200 OK <br />
Server: Microsoft-IIS/5.0 <br />
Content-Location: http://iis.example.com/Default.htm <br />
Date: Fri, 01 Jan 1999 20:14: 02 GMT <br />
Content-Type: text/HTML <br />
Accept-Ranges: bytes <br />
Last-Modified: Fri, 01 Jan 1999 20:14: 02 GMT <br />
ETag: W/e0d362a4c335be1: ae1 <br />
Content-Length: 133 <br />
</pre><br />
Response from '''Netscape Enterprise 4.1''' <br />
<pre><br />
$ nc netscape.example.com 80 <br />
GET / HTTP/3.0 <br />
<br />
HTTP/1.1 505 HTTP Version Not Supported <br />
Server: Netscape-Enterprise/4.1 <br />
Date: Mon, 16 Jun 2003 06:04: 04 GMT <br />
Content-length: 140 <br />
Content-type: text/HTML <br />
Connection: close <br />
</pre><br />
Response from a '''SunONE 6.1'''<br />
<pre><br />
$ nc sunone.example.com 80 <br />
GET / HTTP/3.0<br />
<br />
HTTP/1.1 400 Bad request<br />
Server: Sun-ONE-Web-Server/6.1<br />
Date: Tue, 16 Jan 2007 15:25:00 GMT<br />
Content-length: 0<br />
Content-type: text/html<br />
Connection: close<br />
</pre><br />
We notice that every server answers in a different way. The answer also differs with the version of the server. Similar observations can be made when we create requests with a non-existent protocol. Consider the following responses: <br />
<br />
Response from '''Apache 1.3.23''' <br />
<pre><br />
$ nc apache.example.com 80 <br />
GET / JUNK/1.0 <br />
<br />
HTTP/1.1 200 OK <br />
Date: Sun, 15 Jun 2003 17:17: 47 GMT <br />
Server: Apache/1.3.23 <br />
Last-Modified: Thu, 27 Feb 2003 03:48: 19 GMT <br />
ETag: 32417-c4-3e5d8a83 <br />
Accept-Ranges: bytes <br />
Content-Length: 196 <br />
Connection: close <br />
Content-Type: text/HTML <br />
</pre><br />
Response from '''IIS 5.0''' <br />
<pre><br />
$ nc iis.example.com 80 <br />
GET / JUNK/1.0 <br />
<br />
HTTP/1.1 400 Bad Request <br />
Server: Microsoft-IIS/5.0 <br />
Date: Fri, 01 Jan 1999 20:14: 34 GMT <br />
Content-Type: text/HTML <br />
Content-Length: 87 <br />
</pre><br />
Response from '''Netscape Enterprise 4.1''' <br />
<pre><br />
$ nc netscape.example.com 80 <br />
GET / JUNK/1.0 <br />
<br />
<HTML><HEAD><TITLE>Bad request</TITLE></HEAD> <br />
<BODY><H1>Bad request</H1> <br />
Your browser sent to query this server could not understand. <br />
</BODY></HTML> <br />
</pre><br />
Response from a '''SunONE 6.1'''<br />
<pre><br />
$ nc sunone.example.com 80 <br />
GET / JUNK/1.0<br />
<br />
<HTML><HEAD><TITLE>Bad request</TITLE></HEAD><br />
<BODY><H1>Bad request</H1><br />
Your browser sent a query this server could not understand.<br />
</BODY></HTML><br />
</pre><br />
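The header-ordering and malformed-request observations above can be combined into a check that does not depend on the banner value, which is why changing the Server string alone does not hide the server type. The following Python is an added example, not part of the original guide: the signature table is transcribed from the responses shown on this page, the masked responses are constructed sample input, and the scoring scheme and function names are assumptions.

```python
"""Rank server signatures against captured responses, ignoring the Server value."""
import re
from difflib import SequenceMatcher

STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})")

# Transcribed from the responses on this page: header order of the
# "HEAD / HTTP/1.0" reply, and the status returned for "GET / HTTP/3.0" and
# "GET / JUNK/1.0" (None = bare HTML body with no status line).
SIGNATURES = {
    "Apache 1.3.23": {
        "order": ["date", "server", "last-modified", "etag", "accept-ranges",
                  "content-length", "connection", "content-type"],
        "http3": 400, "junk": 200},
    "IIS 5.0": {
        "order": ["server", "content-location", "date", "content-type",
                  "accept-ranges", "last-modified", "etag", "content-length"],
        "http3": 200, "junk": 400},
    "Netscape Enterprise 4.1": {
        "order": ["server", "date", "content-type", "last-modified",
                  "content-length", "accept-ranges", "connection"],
        "http3": 505, "junk": None},
    "SunONE 6.1": {
        "order": ["server", "date", "content-length", "content-type",
                  "date", "last-modified", "connection"],
        "http3": 400, "junk": None},
}


def parse_response(raw):
    """Return (status, header names in wire order).

    status is None and the list is empty when the reply has no status line,
    as in the bare "Bad request" HTML bodies shown above.
    """
    lines = raw.strip().splitlines()
    match = STATUS_RE.match(lines[0].strip()) if lines else None
    if match is None:
        return None, []
    names = []
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, sep, _ = line.partition(":")
        if sep:
            names.append(name.strip().lower())
    return int(match.group(1)), names


def rank(head_raw, http3_raw, junk_raw):
    """Score every signature: ordering similarity (0..1) plus one point for
    each malformed-request status that matches. Highest score first."""
    _, order = parse_response(head_raw)
    http3_status, _ = parse_response(http3_raw)
    junk_status, _ = parse_response(junk_raw)
    scored = []
    for name, sig in SIGNATURES.items():
        score = SequenceMatcher(None, order, sig["order"]).ratio()
        score += 1.0 if sig["http3"] == http3_status else 0.0
        score += 1.0 if sig["junk"] == junk_status else 0.0
        scored.append((round(score, 3), name))
    return sorted(scored, reverse=True)


def best_match(head_raw, http3_raw, junk_raw):
    return rank(head_raw, http3_raw, junk_raw)[0][1]


# Constructed sample input: a host whose banner has been replaced with
# "Unknown-Webserver/1.0" but whose header order and error handling are unchanged.
MASKED_HEAD = """HTTP/1.1 200 OK
Date: Sun, 15 Jun 2003 17:10:49 GMT
Server: Unknown-Webserver/1.0
Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
ETag: constructed-etag
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/html
"""
MASKED_HTTP3 = """HTTP/1.1 400 Bad Request
Date: Sun, 15 Jun 2003 17:12:37 GMT
Server: Unknown-Webserver/1.0
Connection: close
"""
MASKED_JUNK = """HTTP/1.1 200 OK
Date: Sun, 15 Jun 2003 17:17:47 GMT
Server: Unknown-Webserver/1.0
Connection: close
"""

if __name__ == "__main__":
    for score, name in rank(MASKED_HEAD, MASKED_HTTP3, MASKED_JUNK):
        print(f"{score:5.3f}  {name}")
```

Run against your own server's responses, a top score that still names the real product shows that banner masking needs to be paired with a reverse proxy or header normalisation to be effective.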
<br />
=== Automated Testing ===<br />
Many tests can be carried out in order to accurately fingerprint a web server. Luckily, there are tools that automate these tests. "''httprint''" is one such tool. httprint has a signature dictionary that allows one to recognize the type and the version of the web server in use.<br><br />
An example of running httprint is shown below:<br><br><br />
<br />
[[Image:httprint.jpg]]<br />
<br />
=== OnLine Testing === <br />
An example of an online tool that often delivers a lot of information about a target web server is Netcraft. With this tool we can retrieve information about the operating system, the web server used, server uptime, netblock owner, and the history of changes related to the web server and O.S.<br><br />
An example is shown below:<br />
<br><br><br />
<br />
[[Image:netcraft2.png]]<br />
<br />
<br />
[[OWASP Unmaskme Project]] is expected to become another online tool for fingerprinting any website, with an overall interpretation of all the [[Web-metadata]] extracted. The idea behind this project is that anyone in charge of a website could test the metadata their site is showing to the world and assess it from a security point of view.<br />
While this project is being developed, you can test a [http://desenmascara.me/ Spanish Proof of Concept of this idea].<br />
<br />
== References ==<br />
'''Whitepapers'''<br><br />
* Saumil Shah: "An Introduction to HTTP fingerprinting" - http://www.net-square.com/httprint_paper.html<br />
* Anant Shrivastava : "Web Application Finger Printing" - http://anantshri.info/articles/web_app_finger_printing.html<br />
'''Tools'''<br><br />
* httprint - http://net-square.com/httprint.html<br />
* httprecon - http://www.computec.ch/projekte/httprecon/<br />
* Netcraft - http://www.netcraft.com<br />
* Desenmascarame - http://desenmascara.me</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=OWASP_Unmaskme_Project&diff=154528OWASP Unmaskme Project2013-06-26T19:31:00Z<p>Emilio Casbas: </p>
<hr />
<div>=Main=<br />
'''Unmaskme''': web service whose goal is to raise web security awareness among web owners, webmasters, web designers or even people without security knowledge through the interpretation of all [[Web-metadata]] extracted from any website.<br />
<br />
'''Think of this project as a tool which anyone -not only penetration testers- could use to perform [https://www.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_(OWASP-IG-004) fingerprinting] with added capabilities and intelligence.'''<br />
<br />
----<br />
<br />
'''Description'''<br />
Compromised websites are often used by attackers to deliver badware or to host phishing pages designed to steal private information from their victims. Unfortunately, most of the targeted websites are managed by users with little or no security background. Unmaskme will help highlight to webmasters the importance of keeping their websites updated, protected and hardened so that they do not become victims of badware. <br />
<br />
Usually a webmaster who is not security-aware will leave a newly deployed website in its default state, and months or even years will normally pass without any update to the website. As a result, cybercriminals will take advantage of this behaviour and the website will become part of the compromised website statistics. Web hosting providers -who play a key role in this scene- are not making any effort to help with this problem.<br />
<br />
Unmaskme project will be a public resource which will [https://www.owasp.org/index.php/Web-metadata extract metadata from any website] (either domain name or IP address, no resource) and will explain it in a brief summary. The extraction will be totally passive just like browsing the website, otherwise the tool couldn't be online for public use. It's based mainly on HTTP headers and metadata.<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Unmaskme_Project}} <br />
<br />
[[Category:OWASP Project]]</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154526Web-metadata2013-06-26T17:33:03Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate on this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of Metadata assessing'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
This collected information, plus more input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38 Server HTTP header] metadata collected'''<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|-<br />
|Alterian-CME/X.X<br />
|Web server using [http://www.sdl.com/products/acm/ SDL ACM] <br />
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]<br />
|-<br />
|Tengine<br />
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based) <br />
|Need more information<br />
|-<br />
|eZ Publish<br />
|Web server using [http://ez.no/ EZ technology] <br />
|[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS]<br />
|-<br />
|GSE<br />
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger) <br />
|Need more information<br />
|-<br />
|gws<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages) <br />
|Need more information<br />
|-<br />
|sffe<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files) <br />
|Need more information<br />
|-<br />
|tfe<br />
|Web server using [http://www.twitter.com/ Twitter infrastructure] <br />
|Need more information<br />
|-<br />
|YTS<br />
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure] <br />
|Need more information<br />
|-<br />
|cloudflare-nginx<br />
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure] <br />
|Need more information<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://en.wikipedia.org/wiki/List_of_HTTP_header_fields Powered-by HTTP header] metadata collected (this header isn't an HTTP standard)'''<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|PHP/x.x<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.header-remove.php How to remove header]<br />
|-<br />
|ASP.NET<br />
|Web server using [http://www.asp.net/ Microsoft ASP technology]<br />
|[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers]<br />
|-<br />
|Servlet/X.X JSP/X.X<br />
|Web server using [http://tomcat.apache.org/ Tomcat application server]<br />
|[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation]<br />
|-<br />
|Plesklin<br />
|Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels technology]<br />
|[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable header]<br />
|-<br />
|(mod_rails/mod_rack)<br />
|Web server using [http://rubyonrails.org/ Ruby on Rails technology]<br />
|[http://en.wikipedia.org/wiki/Phusion_Passenger Phusion Passenger]<br />
|-<br />
|ARR/X.X<br />
|Web server using [http://www.iis.net/downloads/microsoft/application-request-routing IIS with request routing technology]<br />
|[http://blogs.iis.net/finbarryan/archive/2013/06/05/application-request-routing-and-server-headers-quot-x-powered-by-arr-2-5-quot.aspx More header information]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''HTML metadata collected which could allow [https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Fingerprinting fingerprinting] '''<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|moodle<br />
|Web server using [https://moodle.org/ Moodle] technology<br />
|[http://www.cvedetails.com/vendor/2105/Moodle.html Vulnerabilities stats]<br />
|-<br />
|x-cache-hits,x-timer,x-served-by<br />
|Web server using [https://www.varnish-cache.org/ Varnish cache technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|MetaGenerator[Sitefinity<br />
|Web server using [http://www.sitefinity.com/ SiteFinity technology]<br />
|[http://www.sitefinity.com/documentation/documentationarticles/developers-guide/deep-dive/security Security based on ASP.NET model]<br />
|-<br />
|HTTPServer[BigIP / Cookies[BIGip<br />
|Web server using [http://www.f5.com/products/big-ip/ F5 technology]<br />
|Need more info<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Projects/OWASP_Unmaskme_Project/Roadmap&diff=154525Projects/OWASP Unmaskme Project/Roadmap2013-06-26T17:21:55Z<p>Emilio Casbas: </p>
<hr />
<div>3 months (until September): metadata collected<br />
<br />
2 months (until November): basic infrastructure available, discussion about deployment (tool, webservice, online..) <br />
<br />
5 months (until April 14): core functionalities developed<br />
<br />
1 month (May): visual part adaptation & logo<br />
<br />
1 month (June): testing and feedback<br />
<br />
Continue Improvement (new features, new detections, bug fix...)</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=OWASP_Unmaskme_Project&diff=154524OWASP Unmaskme Project2013-06-26T17:09:15Z<p>Emilio Casbas: </p>
<hr />
<div>=Main=<br />
'''Unmaskme''' will be a web service whose goal is to raise web security awareness among web owners, webmasters, web designers or even people without security knowledge through the interpretation of all [[Web-metadata]] extracted from any website.<br />
<br />
'''Think of this project as a tool which anyone -not only penetration testers- could use to perform [https://www.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_(OWASP-IG-004) fingerprinting] with added capabilities and intelligence.'''<br />
<br />
----<br />
<br />
'''Description'''<br />
Compromised websites are often used by attackers to deliver badware or to host phishing pages designed to steal private information from their victims. Unfortunately, most of the targeted websites are managed by users with little or no security background. Unmaskme will help highlight to webmasters the importance of keeping their websites updated, protected and hardened so that they do not become victims of badware. <br />
<br />
Usually a webmaster who is not security-aware will leave a newly deployed website in its default state, and months or even years will normally pass without any update to the website. As a result, cybercriminals will take advantage of this behaviour and the website will become part of the compromised website statistics. Web hosting providers -who play a key role in this scene- are not making any effort to help with this problem.<br />
<br />
Unmaskme project will be a public resource which will [https://www.owasp.org/index.php/Web-metadata extract metadata from any website] (either domain name or IP address, no resource) and will explain it in a brief summary. The extraction will be totally passive just like browsing the website, otherwise the tool couldn't be online for public use. It's based mainly on HTTP headers and metadata.<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Unmaskme_Project}} <br />
<br />
[[Category:OWASP Project]]</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=OWASP_Unmaskme_Project&diff=154523OWASP Unmaskme Project2013-06-26T17:08:49Z<p>Emilio Casbas: </p>
<hr />
<div>=Main=<br />
'''Unmaskme''' will be a web service whose goal is to raise web security awareness among web owners, webmasters, web designers or even people without security knowledge through the interpretation of all [[metadata]] extracted from any website.<br />
<br />
'''Think of this project as a tool which anyone -not only penetration testers- could use to perform [https://www.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_(OWASP-IG-004) fingerprinting] with added capabilities and intelligence.'''<br />
<br />
----<br />
<br />
'''Description'''<br />
Compromised websites are often used by attackers to deliver badware or to host phishing pages designed to steal private information from their victims. Unfortunately, most of the targeted websites are managed by users with little or no security background. Unmaskme will help highlight to webmasters the importance of keeping their websites updated, protected and hardened so that they do not become victims of badware. <br />
<br />
Usually a webmaster who is not security-aware will leave a newly deployed website in its default state, and months or even years will normally pass without any update to the website. As a result, cybercriminals will take advantage of this behaviour and the website will become part of the compromised website statistics. Web hosting providers -who play a key role in this scene- are not making any effort to help with this problem.<br />
<br />
Unmaskme project will be a public resource which will [https://www.owasp.org/index.php/Web-metadata extract metadata from any website] (either domain name or IP address, no resource) and will explain it in a brief summary. The extraction will be totally passive just like browsing the website, otherwise the tool couldn't be online for public use. It's based mainly on HTTP headers and metadata.<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Unmaskme_Project}} <br />
<br />
[[Category:OWASP Project]]</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=OWASP_Unmaskme_Project&diff=154522OWASP Unmaskme Project2013-06-26T17:05:48Z<p>Emilio Casbas: </p>
<hr />
<div>=Main=<br />
'''Unmaskme''' will be a web service whose goal is to raise web security awareness among web owners, webmasters, web designers or even people without security knowledge through the interpretation of all metadata extracted from any website.<br />
<br />
'''Think of this project as a tool which anyone -not only penetration testers- could use to perform [https://www.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_(OWASP-IG-004) fingerprinting] with added capabilities and intelligence.'''<br />
<br />
----<br />
<br />
'''Description'''<br />
Compromised websites are often used by attackers to deliver badware or to host phishing pages designed to steal private information from their victims. Unfortunately, most of the targeted websites are managed by users with little or no security background. Unmaskme will help highlight to webmasters the importance of keeping their websites updated, protected and hardened so that they do not become victims of badware. <br />
<br />
Usually a webmaster who is not security-aware will leave a newly deployed website in its default state, and months or even years will normally pass without any update to the website. As a result, cybercriminals will take advantage of this behaviour and the website will become part of the compromised website statistics. Web hosting providers -who play a key role in this scene- are not making any effort to help with this problem.<br />
<br />
Unmaskme project will be a public resource which will [https://www.owasp.org/index.php/Web-metadata extract metadata from any website] (either domain name or IP address, no resource) and will explain it in a brief summary. The extraction will be totally passive just like browsing the website, otherwise the tool couldn't be online for public use. It's based mainly on HTTP headers and metadata.<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Unmaskme_Project}} <br />
<br />
[[Category:OWASP Project]]</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=OWASP_Unmaskme_Project&diff=154521OWASP Unmaskme Project2013-06-26T17:05:02Z<p>Emilio Casbas: </p>
<hr />
<div>=Main=<br />
'''Unmaskme''' will be a web service whose goal is to raise web security awareness among web owners, webmasters, web designers or even people without security knowledge through the interpretation of all metadata extracted from any website.<br />
<br />
Think of this project as a tool which anyone -not only penetration testers- could use to perform [https://www.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_(OWASP-IG-004) fingerprinting] with added capabilities and intelligence.<br />
<br />
'''Description'''<br />
Compromised websites are often used by attackers to deliver badware or to host phishing pages designed to steal private information from their victims. Unfortunately, most of the targeted websites are managed by users with little or no security background. Unmaskme will help highlight to webmasters the importance of keeping their websites updated, protected and hardened so that they do not become victims of badware. <br />
<br />
Usually a webmaster who is not security-aware will leave a newly deployed website in its default state, and months or even years will normally pass without any update to the website. As a result, cybercriminals will take advantage of this behaviour and the website will become part of the compromised website statistics. Web hosting providers -who play a key role in this scene- are not making any effort to help with this problem.<br />
<br />
Unmaskme project will be a public resource which will [https://www.owasp.org/index.php/Web-metadata extract metadata from any website] (either domain name or IP address, no resource) and will explain it in a brief summary. The extraction will be totally passive just like browsing the website, otherwise the tool couldn't be online for public use. It's based mainly on HTTP headers and metadata.<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Unmaskme_Project}} <br />
<br />
[[Category:OWASP Project]]</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154520Web-metadata2013-06-26T16:58:06Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate on this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of Metadata assessing'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
This collected information, plus more input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38 Server HTTP header] metadata collected'''<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|-<br />
|Alterian-CME/X.X<br />
|Web server using [http://www.sdl.com/products/acm/ SDL ACM] <br />
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]<br />
|-<br />
|Tengine<br />
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based) <br />
|Need more information<br />
|-<br />
|eZ Publish<br />
|Web server using [http://ez.no/ EZ technology] <br />
|[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS]<br />
|-<br />
|GSE<br />
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger) <br />
|Need more information<br />
|-<br />
|gws<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages) <br />
|Need more information<br />
|-<br />
|sffe<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files) <br />
|Need more information<br />
|-<br />
|tfe<br />
|Web server using [http://www.twitter.com/ Twitter infrastructure] <br />
|Need more information<br />
|-<br />
|YTS<br />
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure] <br />
|Need more information<br />
|-<br />
|cloudflare-nginx<br />
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure] <br />
|Need more information<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://en.wikipedia.org/wiki/List_of_HTTP_header_fields Powered-by HTTP header] metadata collected (this header isn't an HTTP standard)'''<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|PHP/x.x<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.header-remove.php How to remove header]<br />
|-<br />
|ASP.NET<br />
|Web server using [http://www.asp.net/ Microsoft ASP technology]<br />
|[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers]<br />
|-<br />
|Servlet/X.X JSP/X.X<br />
|Web server using [http://tomcat.apache.org/ Tomcat application server]<br />
|[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation]<br />
|-<br />
|Plesklin<br />
|Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels technology]<br />
|[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable header]<br />
|-<br />
|(mod_rails/mod_rack)<br />
|Web server using [http://rubyonrails.org/ Ruby on Rails technology]<br />
|[http://en.wikipedia.org/wiki/Phusion_Passenger Phusion Passenger]<br />
|-<br />
|ARR/X.X<br />
|Web server using [http://www.iis.net/downloads/microsoft/application-request-routing IIS with request routing technology]<br />
|[http://blogs.iis.net/finbarryan/archive/2013/06/05/application-request-routing-and-server-headers-quot-x-powered-by-arr-2-5-quot.aspx More header information]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''HTML metadata collected which could allow [https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Fingerprinting fingerprinting] '''<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154519Web-metadata2013-06-26T16:56:59Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate on this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of Metadata assessing'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
This collected information, plus more input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38 Server HTTP header] metadata collected'''<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|-<br />
|Alterian-CME/X.X<br />
|Web server using [http://www.sdl.com/products/acm/ SDL ACM] <br />
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]<br />
|-<br />
|Tengine<br />
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based) <br />
|Need more information<br />
|-<br />
|eZ Publish<br />
|Web server using [http://ez.no/ EZ technology] <br />
|[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS]<br />
|-<br />
|GSE<br />
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger) <br />
|Need more information<br />
|-<br />
|gws<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages) <br />
|Need more information<br />
|-<br />
|sffe<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files) <br />
|Need more information<br />
|-<br />
|tfe<br />
|Web server using [http://www.twitter.com/ Twitter infrastructure] <br />
|Need more information<br />
|-<br />
|YTS<br />
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure] <br />
|Need more information<br />
|-<br />
|cloudflare-nginx<br />
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure] <br />
|Need more information<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://en.wikipedia.org/wiki/List_of_HTTP_header_fields Powered-by HTTP header] metadata collected (this header isn't an HTTP standard)'''<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|PHP/x.x<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.header-remove.php How to remove header]<br />
|-<br />
|ASP.NET<br />
|Web server using [http://www.asp.net/ Microsoft ASP technology]<br />
|[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers]<br />
|-<br />
|Servlet/X.X JSP/X.X<br />
|Web server using [http://tomcat.apache.org/ Tomcat application server]<br />
|[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation]<br />
|-<br />
|Plesklin<br />
|Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels technology]<br />
|[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable header]<br />
|-<br />
|(mod_rails/mod_rack)<br />
|Web server using [http://rubyonrails.org/ Ruby on Rails technology]<br />
|[http://en.wikipedia.org/wiki/Phusion_Passenger Phusion Passenger]<br />
|-<br />
|ARR/X.X<br />
|Web server using [http://www.iis.net/downloads/microsoft/application-request-routing IIS with request routing technology]<br />
|[http://blogs.iis.net/finbarryan/archive/2013/06/05/application-request-routing-and-server-headers-quot-x-powered-by-arr-2-5-quot.aspx More header information]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''HTML metadata collected which could allow [[OWASP Periodic Table of Vulnerabilities - Fingerprinting|fingerprinting]] '''<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154518Web-metadata2013-06-26T16:53:13Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate on this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of Metadata assessing'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
This collected information, plus more input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38 Server HTTP header] metadata collected'''<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|-<br />
|Alterian-CME/X.X<br />
|Web server using [http://www.sdl.com/products/acm/ SDL ACM] <br />
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]<br />
|-<br />
|Tengine<br />
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based) <br />
|Need more information<br />
|-<br />
|eZ Publish<br />
|Web server using [http://ez.no/ EZ technology] <br />
|[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS]<br />
|-<br />
|GSE<br />
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger) <br />
|Need more information<br />
|-<br />
|gws<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages) <br />
|Need more information<br />
|-<br />
|sffe<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files) <br />
|Need more information<br />
|-<br />
|tfe<br />
|Web server using [http://www.twitter.com/ Twitter infrastructure] <br />
|Need more information<br />
|-<br />
|YTS<br />
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure] <br />
|Need more information<br />
|-<br />
|cloudflare-nginx<br />
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure] <br />
|Need more information<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://en.wikipedia.org/wiki/List_of_HTTP_header_fields Powered-by HTTP header] metadata collected (this header isn't an HTTP standard)'''<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|PHP/x.x<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.header-remove.php How to remove header]<br />
|-<br />
|ASP.NET<br />
|Web server using [http://www.asp.net/ Microsoft ASP technology]<br />
|[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers]<br />
|-<br />
|Servlet/X.X JSP/X.X<br />
|Web server using [http://tomcat.apache.org/ Tomcat application server]<br />
|[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation]<br />
|-<br />
|Plesklin<br />
|Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels technology]<br />
|[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable header]<br />
|-<br />
|(mod_rails/mod_rack)<br />
|Web server using [http://rubyonrails.org/ Ruby on Rails technology]<br />
|[http://en.wikipedia.org/wiki/Phusion_Passenger Phusion Passenger]<br />
|-<br />
|ARR/X.X<br />
|Web server using [http://www.iis.net/downloads/microsoft/application-request-routing IIS with request routing technology]<br />
|[http://blogs.iis.net/finbarryan/archive/2013/06/05/application-request-routing-and-server-headers-quot-x-powered-by-arr-2-5-quot.aspx More header information]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154517Web-metadata2013-06-26T16:51:24Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate on this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of Metadata assessing'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
This collected information, plus more input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''[http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38 Server HTTP header] metadata collected'''<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|-<br />
|Alterian-CME/X.X<br />
|Web server using [http://www.sdl.com/products/acm/ SDL ACM] <br />
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]<br />
|-<br />
|Tengine<br />
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based) <br />
|Need more information<br />
|-<br />
|eZ Publish<br />
|Web server using [http://ez.no/ EZ technology] <br />
|[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS]<br />
|-<br />
|GSE<br />
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger) <br />
|Need more information<br />
|-<br />
|gws<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages) <br />
|Need more information<br />
|-<br />
|sffe<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files) <br />
|Need more information<br />
|-<br />
|tfe<br />
|Web server using [http://www.twitter.com/ Twitter infrastructure] <br />
|Need more information<br />
|-<br />
|YTS<br />
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure] <br />
|Need more information<br />
|-<br />
|cloudflare-nginx<br />
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure] <br />
|Need more information<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|PHP/x.x<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.header-remove.php How to remove header]<br />
|-<br />
|ASP.NET<br />
|Web server using [http://www.asp.net/ Microsoft ASP technology]<br />
|[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers]<br />
|-<br />
|Servlet/X.X JSP/X.X<br />
|Web server using [http://tomcat.apache.org/ Tomcat application server]<br />
|[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation]<br />
|-<br />
|Plesklin<br />
|Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels technology]<br />
|[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable header]<br />
|-<br />
|(mod_rails/mod_rack)<br />
|Web server using [http://rubyonrails.org/ Ruby on Rails technology]<br />
|[http://en.wikipedia.org/wiki/Phusion_Passenger Phusion Passenger]<br />
|-<br />
|ARR/X.X<br />
|Web server using [http://www.iis.net/downloads/microsoft/application-request-routing IIS with request routing technology]<br />
|[http://blogs.iis.net/finbarryan/archive/2013/06/05/application-request-routing-and-server-headers-quot-x-powered-by-arr-2-5-quot.aspx More header information]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154516Web-metadata2013-06-26T16:50:19Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate on this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of Metadata assessing'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
This collected information, plus more input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|+ '''Examples of Metadata assessing'''<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|-<br />
|Alterian-CME/X.X<br />
|Web server using [http://www.sdl.com/products/acm/ SDL ACM] <br />
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]<br />
|-<br />
|Tengine<br />
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based) <br />
|Need more information<br />
|-<br />
|eZ Publish<br />
|Web server using [http://ez.no/ EZ technology] <br />
|[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS]<br />
|-<br />
|GSE<br />
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger) <br />
|Need more information<br />
|-<br />
|gws<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages) <br />
|Need more information<br />
|-<br />
|sffe<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files) <br />
|Need more information<br />
|-<br />
|tfe<br />
|Web server using [http://www.twitter.com/ Twitter infrastructure] <br />
|Need more information<br />
|-<br />
|YTS<br />
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure] <br />
|Need more information<br />
|-<br />
|cloudflare-nginx<br />
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure] <br />
|Need more information<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|PHP/x.x<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.header-remove.php How to remove header]<br />
|-<br />
|ASP.NET<br />
|Web server using [http://www.asp.net/ Microsoft ASP technology]<br />
|[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers]<br />
|-<br />
|Servlet/X.X JSP/X.X<br />
|Web server using [http://tomcat.apache.org/ Tomcat application server]<br />
|[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation]<br />
|-<br />
|Plesklin<br />
|Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels technology]<br />
|[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable header]<br />
|-<br />
|(mod_rails/mod_rack)<br />
|Web server using [http://rubyonrails.org/ Ruby on Rails technology]<br />
|[http://en.wikipedia.org/wiki/Phusion_Passenger Phusion Passenger]<br />
|-<br />
|ARR/X.X<br />
|Web server using [http://www.iis.net/downloads/microsoft/application-request-routing IIS with request routing technology]<br />
|[http://blogs.iis.net/finbarryan/archive/2013/06/05/application-request-routing-and-server-headers-quot-x-powered-by-arr-2-5-quot.aspx More header information]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154515Web-metadata2013-06-26T16:48:43Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of metadata assessment'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
The information collected, plus input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|-<br />
|Alterian-CME/X.X<br />
|Web server using [http://www.sdl.com/products/acm/ SDL ACM] <br />
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]<br />
|-<br />
|Tengine<br />
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based) <br />
|Need more information<br />
|-<br />
|eZ Publish<br />
|Web server using [http://ez.no/ EZ technology] <br />
|[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS]<br />
|-<br />
|GSE<br />
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger) <br />
|Need more information<br />
|-<br />
|gws<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages) <br />
|Need more information<br />
|-<br />
|sffe<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files) <br />
|Need more information<br />
|-<br />
|tfe<br />
|Web server using [http://www.twitter.com/ Twitter infrastructure] <br />
|Need more information<br />
|-<br />
|YTS<br />
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure] <br />
|Need more information<br />
|-<br />
|cloudflare-nginx<br />
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure] <br />
|Need more information<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|PHP/x.x<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.header-remove.php How to remove header]<br />
|-<br />
|ASP.NET<br />
|Web server using [http://www.asp.net/ Microsoft ASP technology]<br />
|[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers]<br />
|-<br />
|Servlet/X.X JSP/X.X<br />
|Web server using [http://tomcat.apache.org/ Tomcat application server]<br />
|[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation]<br />
|-<br />
|Plesklin<br />
|Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels technology]<br />
|[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable header]<br />
|-<br />
|(mod_rails/mod_rack)<br />
|Web server using [http://rubyonrails.org/ Ruby on Rails technology]<br />
|[http://en.wikipedia.org/wiki/Phusion_Passenger Phusion Passenger]<br />
|-<br />
|ARR/X.X<br />
|Web server using [http://www.iis.net/downloads/microsoft/application-request-routing IIS with request routing technology]<br />
|[http://blogs.iis.net/finbarryan/archive/2013/06/05/application-request-routing-and-server-headers-quot-x-powered-by-arr-2-5-quot.aspx More header information]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154514Web-metadata2013-06-26T16:43:22Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of metadata assessment'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
The information collected, plus input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|-<br />
|Alterian-CME/X.X<br />
|Web server using [http://www.sdl.com/products/acm/ SDL ACM] <br />
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]<br />
|-<br />
|Tengine<br />
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based) <br />
|Need more information<br />
|-<br />
|eZ Publish<br />
|Web server using [http://ez.no/ EZ technology] <br />
|[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS]<br />
|-<br />
|GSE<br />
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger) <br />
|Need more information<br />
|-<br />
|gws<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages) <br />
|Need more information<br />
|-<br />
|sffe<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files) <br />
|Need more information<br />
|-<br />
|tfe<br />
|Web server using [http://www.twitter.com/ Twitter infrastructure] <br />
|Need more information<br />
|-<br />
|YTS<br />
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure] <br />
|Need more information<br />
|-<br />
|cloudflare-nginx<br />
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure] <br />
|Need more information<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|PHP/x.x<br />
|Web server using [http://php.net/ PHP technology]<br />
|[http://php.net/manual/en/function.header-remove.php How to remove header]<br />
|-<br />
|ASP.NET<br />
|Web server using [http://www.asp.net/ Microsoft ASP technology]<br />
|[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers]<br />
|-<br />
|Servlet/X.X JSP/X.X<br />
|Web server using [http://tomcat.apache.org/ Tomcat application server]<br />
|[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation]<br />
|-<br />
|Plesklin<br />
|Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels technology]<br />
|[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154513Web-metadata2013-06-26T16:37:06Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of metadata assessment'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
The information collected, plus input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|-<br />
|Alterian-CME/X.X<br />
|Web server using [http://www.sdl.com/products/acm/ SDL ACM] <br />
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]<br />
|-<br />
|Tengine<br />
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based) <br />
|Need more information<br />
|-<br />
|eZ Publish<br />
|Web server using [http://ez.no/ EZ technology] <br />
|[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS]<br />
|-<br />
|GSE<br />
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger) <br />
|Need more information<br />
|-<br />
|gws<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages) <br />
|Need more information<br />
|-<br />
|sffe<br />
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files) <br />
|Need more information<br />
|-<br />
|tfe<br />
|Web server using [http://www.twitter.com/ Twitter infrastructure] <br />
|Need more information<br />
|-<br />
|YTS<br />
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure] <br />
|Need more information<br />
|-<br />
|cloudflare-nginx<br />
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure] <br />
|Need more information<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=OWASP_Unmaskme_Project&diff=154512OWASP Unmaskme Project2013-06-26T15:29:46Z<p>Emilio Casbas: </p>
<hr />
<div>=Main=<br />
'''Unmaskme''' will be a web service whose goal is to raise web security awareness among web owners, webmasters, web designers or even people without security knowledge.<br />
<br />
'''Description'''<br />
Compromised websites are often used by attackers to deliver badware or to host phishing pages designed to steal private information from their victims. Unfortunately, most of the targeted websites are managed by users with little or no security background. Unmaskme will help highlight to webmasters the importance of keeping their websites updated, protected and hardened so that they do not become victims of badware. <br />
<br />
A webmaster who is not security aware will usually leave a newly deployed website in its default configuration, and months or even years will normally pass without any update to the website. As a result, cybercriminals will take advantage of this behaviour and the website will become part of the compromised-website statistics. Web hosting providers, who play a key role in this scene, are not making any effort to help with this problem.<br />
<br />
The Unmaskme project will be a public resource which will [https://www.owasp.org/index.php/Web-metadata extract metadata from any website] (either a domain name or an IP address, not a resource) and will explain it in a brief summary. The extraction will be totally passive, just like browsing the website; otherwise the tool couldn't be online for public use. It's based mainly on HTTP headers and metadata.<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Unmaskme_Project}} <br />
<br />
[[Category:OWASP Project]]</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154511Web-metadata2013-06-26T15:25:56Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of metadata assessment'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
The information collected, plus input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154510Web-metadata2013-06-26T15:23:00Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
The information collected here, plus input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for developing the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
This page collects HTTP and HTML metadata in order to categorize its relevance as a sign of possible security weakness or of hardening on any website. The final goal is to raise web security awareness (''assessing the signs of hardening favourably and the signs of weakness negatively'') through an overall interpretation of this information for any website.<br />
<br />
{| class="wikitable" style="margin: 1em auto 1em auto;"<br />
|+ '''Examples of metadata assessment'''<br />
! scope="col" | Weakness signs<br />
! scope="col" | Hardening signs<br />
|-<br />
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN<br />
|-<br />
| Microsoft-IIS/6.0 || X-XSS-Protection<br />
|-<br />
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish<br />
|}<br />
<br />
[http://desenmascara.me Proof of concept in Spanish]<br />
<br />
----<br />
<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154509Web-metadata2013-06-26T15:11:44Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
The information collected here, plus input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for developing the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
This page collects HTTP and HTML metadata in order to categorize its relevance as a sign of possible security weakness or of hardening on any website. The final goal is to raise web security awareness (''assessing the signs of hardening favourably and the signs of weakness negatively'') through an overall interpretation of this information for any website.<br />
<br />
----<br />
<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154508Web-metadata2013-06-26T15:08:23Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
The information collected here, plus input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for developing the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
This page collects HTTP and HTML metadata in order to categorize its relevance as a sign of possible security weakness or of hardening. The final goal is to raise web security awareness through an overall interpretation of this information for any website.<br />
<br />
----<br />
<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154507Web-metadata2013-06-26T15:03:24Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
The information collected here, plus input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for developing the [[OWASP Unmaskme Project]] as a web service.<br />
<br />
Under development...<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154506Web-metadata2013-06-26T15:03:04Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
The information collected here, plus input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for developing the [OWASP Unmaskme Project] as a web service.<br />
<br />
Under development...<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154505Web-metadata2013-06-26T15:02:00Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
The information collected here, plus input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for developing this project as a web service.<br />
<br />
Under development...<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
|-<br />
|LiteSpeed/X.X<br />
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)<br />
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154504Web-metadata2013-06-26T13:51:52Z<p>Emilio Casbas: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
The information collected here, plus input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for developing this project as a web service.<br />
<br />
Under development...<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154500Web-metadata2013-06-26T13:45:30Z<p>Emilio Casbas: </p>
<hr />
<div>'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate on this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
The information collected here, plus input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for developing this project as a web service.<br />
<br />
Under development...<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
|-<br />
|Oracle-iPlanet-Web-Server/7.0<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]<br />
|-<br />
|IBM_HTTP_Server/X.X<br />
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)<br />
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]<br />
<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154499Web-metadata2013-06-26T13:41:50Z<p>Emilio Casbas: </p>
<hr />
<div>'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate on this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
The information collected here, plus input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for developing this project as a web service.<br />
<br />
Under development...<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154498Web-metadata2013-06-26T13:41:26Z<p>Emilio Casbas: </p>
<hr />
<div>'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate on this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
The information collected here, plus input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for developing this project as a web service.<br />
<br />
Under development...<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154497Web-metadata2013-06-26T13:16:13Z<p>Emilio Casbas: </p>
<hr />
<div>'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate on this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Under development...<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Sun-ONE-Web-Server/X<br />
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
|-<br />
|Oracle-Application-Server-Xx<br />
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]<br />
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]<br />
|-<br />
|Lotus-Domino<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]<br />
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]<br />
|-<br />
|Sun-Java-System-Web-Server/X<br />
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]<br />
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]<br />
<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154496Web-metadata2013-06-26T12:53:26Z<p>Emilio Casbas: </p>
<hr />
<div>'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate on this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Under development...<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
|-<br />
|OpenCms/X.X<br />
|Open source content management system written in Java<br />
|[http://www.opencms.org/ Official site]<br />
|-<br />
|Netscape-Enterprise/X.X<br />
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]<br />
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]<br />
<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154495Web-metadata2013-06-26T12:49:12Z<p>Emilio Casbas: </p>
<hr />
<div>'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate on this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Under development...<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|-<br />
|nginx/X.X<br />
|Russian web server and reverse proxy<br />
|[http://nginx.org/en/ Official site]<br />
|-<br />
|lighttpd/X.X<br />
|Web server optimized for speed-critical environments<br />
|[http://www.lighttpd.net/ Official site]<br />
<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=OWASP_Unmaskme_Project&diff=154492OWASP Unmaskme Project2013-06-26T12:19:52Z<p>Emilio Casbas: </p>
<hr />
<div>=Main=<br />
'''Unmaskme''' is a web service whose goal is to raise web security awareness among web owners, webmasters, web designers or even people without security knowledge.<br />
<br />
'''Description'''<br />
Compromised websites are often used by attackers to deliver badware or to host phishing pages designed to steal private information from their victims. Unfortunately, most of the targeted websites are managed by users with little or no security background. Unmaskme will help webmasters by highlighting the importance of keeping their websites updated, protected and hardened, so that the sites do not become victims of badware.<br />
<br />
A webmaster who is not security aware will usually leave a newly deployed website in its default configuration, and months or even years will normally pass without any update to the website. As a result, cybercriminals take advantage of this behaviour and the website becomes part of the compromised-website statistics. Web hosting providers, who play a key role in this scene, are not making any effort to help with this problem.<br />
<br />
The Unmaskme project will be a public resource that will [https://www.owasp.org/index.php/Web-metadata extract metadata from any website] (either a domain name or an IP address, no resource) and explain it in a brief summary. The extraction will be totally passive, just like browsing the website; otherwise the tool could not be online for public use. It is based mainly on HTTP headers and metadata.<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Unmaskme_Project}} <br />
<br />
[[Category:OWASP Project]]</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154491Web-metadata2013-06-26T12:18:51Z<p>Emilio Casbas: </p>
<hr />
<div>'''CALL FOR CONTRIBUTORS''':<br />
If you would like to collaborate on this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
Under development...<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154490Web-metadata2013-06-26T12:17:37Z<p>Emilio Casbas: </p>
<hr />
<div>'''CALL FOR CONTRIBUTORS'''<br />
If you would like to collaborate on this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|-<br />
|PWS<br />
|Small Microsoft Web server for old Windows versions<br />
|[http://en.wikipedia.org/wiki/Microsoft_Personal_Web_Server Microsoft Personal Web Server]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154489Web-metadata2013-06-26T12:14:48Z<p>Emilio Casbas: </p>
<hr />
<div>'''CALL FOR CONTRIBUTORS'''<br />
If you would like to collaborate on this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Powered-by HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''HTML metadata'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=OWASP_Unmaskme_Project&diff=154488OWASP Unmaskme Project2013-06-26T12:14:29Z<p>Emilio Casbas: </p>
<hr />
<div>=Main=<br />
'''Unmaskme''' is a web service whose goal is to raise web security awareness among web owners, webmasters, web designers or even people without security knowledge.<br />
<br />
'''Description'''<br />
Compromised websites are often used by attackers to deliver badware or to host phishing pages designed to steal private information from their victims. Unfortunately, most of the targeted websites are managed by users with little or no security background. Unmaskme will help highlight to webmasters the importance of keeping their websites updated, protected and hardened so that they do not become victims of badware. <br />
<br />
Usually a webmaster without security awareness will leave a newly deployed website in its default configuration, and months or even years will normally pass without any update to the website. As a result, cybercriminals will take advantage of this behaviour and the website will become part of the compromised-website statistics. Web hosting providers, who play a key role in this scene, are not making any effort to help with this problem.<br />
<br />
The Unmaskme project will be a public resource that extracts metadata from any website (either domain name or IP address, no resource) and explains it in a brief summary. The extraction will be totally passive, just like browsing the website; otherwise the tool couldn't be online for public use. It is based mainly on HTTP headers and metadata.<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Unmaskme_Project}} <br />
<br />
[[Category:OWASP Project]]</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154469Web-metadata2013-06-26T09:44:48Z<p>Emilio Casbas: HTTP headers and HTML metadata collected to use it within unmaskme project</p>
<hr />
<div>'''Server HTTP header'''<br />
<br />
'''Powered-by HTTP header'''<br />
<br />
'''HTML/HTTP header Metadata'''<br />
<br />
<br />
{| class="wikitable" style="text-align: center; "<br />
|'''Server HTTP header'''<br />
|'''Description'''<br />
|'''More information'''<br />
|-<br />
|Apache/X.X<br />
|Web server using [http://www.apache.org/ Apache] technology<br />
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]<br />
|-<br />
|Microsoft-IIS/X<br />
|Web server using [http://www.iis.net/ Microsoft IIS technology]<br />
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]<br />
|}</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Talk:Web-metadata&diff=154468Talk:Web-metadata2013-06-26T09:27:18Z<p>Emilio Casbas: Created page with "Resource created to collect a baseline of Metadata information (from HTTP headers and HTML code) in order serve as base to OWASP Unmaskme Project. ~~~~"</p>
<hr />
<div>Resource created to collect a baseline of Metadata information (from HTTP headers and HTML code) in order to serve as a base for [[OWASP Unmaskme Project]].<br />
<br />
[[User:Emilio Casbas|Emilio Casbas]] 09:27, 26 June 2013 (UTC)</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=Web-metadata&diff=154467Web-metadata2013-06-26T09:20:51Z<p>Emilio Casbas: Created page with "'''Server HTTP header''' '''Powered-by HTTP header''' '''HTML/HTTP header Metadata'''"</p>
<hr />
<div>'''Server HTTP header'''<br />
<br />
'''Powered-by HTTP header'''<br />
<br />
'''HTML/HTTP header Metadata'''</div>Emilio Casbashttps://wiki.owasp.org/index.php?title=OWASP_Unmaskme_Project&diff=154465OWASP Unmaskme Project2013-06-26T09:15:24Z<p>Emilio Casbas: </p>
<hr />
<div>=Main=<br />
'''unMaskme''' is a web service whose goal is to raise web security awareness among web owners, webmasters, web designers or even people without security knowledge.<br />
<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Unmaskme_Project}} <br />
<br />
[[Category:OWASP Project]]</div>Emilio Casbas