This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Web-metadata"
(45 intermediate revisions by 3 users not shown) | |||
Line 4: | Line 4: | ||
If you would like collaborate in this project [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join with us]. | If you would like collaborate in this project [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join with us]. | ||
− | This information collected plus more input from other OWASP projects as [[Top 10 2013-Top 10]], | + | Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website. |
− | + | ||
− | + | {| class="wikitable" style="margin: 1em auto 1em auto;" | |
+ | |+ '''Examples of Metadata assessing''' | ||
+ | ! scope="col" | Weakness signs | ||
+ | ! scope="col" | Hardening signs | ||
+ | |- | ||
+ | | MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN | ||
+ | |- | ||
+ | | Microsoft-IIS/6.0 || X-XSS-Protection | ||
+ | |- | ||
+ | | Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish | ||
+ | |} | ||
+ | |||
+ | [http://desenmascara.me Proof of concept in Spanish] | ||
+ | |||
+ | ---- | ||
+ | This information collected plus more input from other OWASP projects as [[Top 10 2013-Top 10]], could serve as the basis for WEB fingerprinting. | ||
+ | A proof of concept tool is available in [http://desenmascara.me as a web service]. | ||
{| class="wikitable" style="text-align: center; " | {| class="wikitable" style="text-align: center; " | ||
+ | |+ '''[http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38 Server HTTP header] metadata collected''' | ||
|'''Server HTTP header''' | |'''Server HTTP header''' | ||
|'''Description''' | |'''Description''' | ||
|'''More information''' | |'''More information''' | ||
+ | |- | ||
+ | |AkamaiGHost | ||
+ | |Web server using Akamai Global Hosting | ||
+ | |Need references | ||
+ | |- | ||
+ | |AmazonS3 | ||
+ | |Web server using Amazon cloud | ||
+ | |[http://docs.aws.amazon.com/AmazonS3/latest/API/RESTCommonResponseHeaders.html Common Response headers] | ||
|- | |- | ||
|Apache/X.X | |Apache/X.X | ||
Line 26: | Line 51: | ||
|- | |- | ||
|nginx/X.X | |nginx/X.X | ||
− | |Russian web server and | + | |Russian web server and reverse proxy |
|[http://nginx.org/en/ Official site] | |[http://nginx.org/en/ Official site] | ||
|- | |- | ||
Line 68: | Line 93: | ||
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based) | |Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based) | ||
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version] | |[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version] | ||
+ | |- | ||
+ | |Alterian-CME/X.X | ||
+ | |Web server using [http://www.sdl.com/products/acm/ SDL ACM] | ||
+ | |[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian] | ||
+ | |- | ||
+ | |Tengine | ||
+ | |Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based) | ||
+ | |Need more information | ||
+ | |- | ||
+ | |eZ Publish | ||
+ | |Web server using [http://ez.no/ EZ technology] | ||
+ | |[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS] | ||
+ | |- | ||
+ | |GSE | ||
+ | |Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger) | ||
+ | |Need more information | ||
+ | |- | ||
+ | |gws | ||
+ | |Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages) | ||
+ | |Need more information | ||
+ | |- | ||
+ | |sffe | ||
+ | |Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files) | ||
+ | |Need more information | ||
+ | |- | ||
+ | |tfe | ||
+ | |Web server using [http://www.twitter.com/ Twitter infrastructure] | ||
+ | |Need more information | ||
+ | |- | ||
+ | |YTS | ||
+ | |Web server using [http://www.yahoo.com/ Yahoo! infrastructure] | ||
+ | |Need more information | ||
+ | |- | ||
+ | |cloudflare-nginx | ||
+ | |Web server using [https://www.cloudflare.com/ CloudFlare infrastructure] | ||
+ | |Need more information | ||
|} | |} | ||
{| class="wikitable" style="text-align: center; " | {| class="wikitable" style="text-align: center; " | ||
+ | |+ '''[http://en.wikipedia.org/wiki/List_of_HTTP_header_fields Powered-by HTTP header] metadata collected (this header isn't an HTTP standard)''' | ||
|'''Powered-by HTTP header''' | |'''Powered-by HTTP header''' | ||
|'''Description''' | |'''Description''' | ||
|'''More information''' | |'''More information''' | ||
|- | |- | ||
− | | | + | |eBD/3.5.5 |
− | |Web server using [http://www. | + | |Web server using [http://www.ebdsoft.com/ EBD technology] |
− | |[http:// | + | |Need more info |
+ | |- | ||
+ | |eWAY | ||
+ | |Web server using [http://www.eway.com.au/ eWay payment gateway] | ||
+ | |[http://www.eway.com.au Need more info] | ||
+ | |- | ||
+ | |Express | ||
+ | |Web server using [http://expressjs.com/api.html nodejs with express] | ||
+ | |[http://expressjs.com/api.html x-powered-by Enables the "X-Powered-By: Express" HTTP header, enabled by default.] | ||
+ | |- | ||
+ | |PHP/x.x | ||
+ | |Web server using [http://php.net/ PHP technology] | ||
+ | |[http://php.net/manual/en/function.header-remove.php How to remove header] | ||
+ | |- | ||
+ | |ASP.NET | ||
+ | |Web server using [http://www.asp.net/ Microsoft ASP technology] | ||
+ | |[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers] | ||
+ | |- | ||
+ | |Servlet/X.X JSP/X.X | ||
+ | |Web server using [http://tomcat.apache.org/ Tomcat application server] | ||
+ | |[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation] | ||
+ | |- | ||
+ | |Plesklin | ||
+ | |Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels technology] | ||
+ | |[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable header] | ||
+ | |- | ||
+ | |(mod_rails/mod_rack) | ||
+ | |Web server using [http://rubyonrails.org/ Ruby on Rails technology] | ||
+ | |[http://en.wikipedia.org/wiki/Phusion_Passenger Phusion Passenger] | ||
+ | |- | ||
+ | |ARR/X.X | ||
+ | |Web server using [http://www.iis.net/downloads/microsoft/application-request-routing IIS with request routing technology] | ||
+ | |[http://blogs.iis.net/finbarryan/archive/2013/06/05/application-request-routing-and-server-headers-quot-x-powered-by-arr-2-5-quot.aspx More header information] | ||
+ | |- | ||
+ | |JSF/2.0 | ||
+ | |Web server using [http://www.oracle.com/technetwork/java/javaee/javaserverfaces-139869.html JavaServer Faces technology] | ||
+ | |Need more info | ||
+ | |} | ||
+ | |||
+ | {| class="wikitable" style="text-align: center; " | ||
+ | |+ '''[http://en.wikipedia.org/wiki/List_of_HTTP_header_fields Uncommon HTTP headers] collected (this headers aren't an HTTP standard)''' | ||
+ | |'''Custom HTTP headers''' | ||
+ | |'''Description''' | ||
+ | |'''More information''' | ||
+ | |- | ||
+ | |access-control-allow-origin, access-control-allow-headers | ||
+ | |Web server using [https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS HTTP access control (CORS)] | ||
+ | |Need more info | ||
+ | |- | ||
+ | |x-generator | ||
+ | |Web server running under Drupal | ||
+ | |[https://api.drupal.org/api/drupal/includes!common.inc/function/_drupal_default_html_head/7 function _drupal_default_html_head] | ||
+ | |- | ||
+ | |x-amz- | ||
+ | |Web server running under Amazon services | ||
+ | |[http://docs.aws.amazon.com/AmazonS3/latest/API/RESTCommonResponseHeaders.html common response headers] | ||
|- | |- | ||
− | | | + | |x-cache-hits,x-timer,x-served-by, x-varnish, x-varnish-cache |
− | |Web server using [ | + | |Web server using [https://www.varnish-cache.org/ Varnish cache technology] |
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header] | |[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header] | ||
+ | |- | ||
+ | |x-drupal-cache | ||
+ | |Web server using [https://drupal.org/ Drupal technology] | ||
+ | |[http://www.cvedetails.com/product/2387/Drupal-Drupal.html?vendor_id=1367 Vulnerabilities stats] | ||
+ | |- | ||
+ | |x-dynatrace | ||
+ | |Web server using [http://www.compuware.com/en_us/application-performance-management.html dynatrace technology] | ||
+ | |Need more data | ||
+ | |- | ||
+ | |x-server-name | ||
+ | |Web server using [http://www-01.ibm.com/software/websphere/ Websphere technology] | ||
+ | |[http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fac00477_.htm node HTTP headers] | ||
+ | |- | ||
+ | |strict-transport-security | ||
+ | |opt-in security enhancement that is specified by a web application | ||
+ | |[https://www.owasp.org/index.php/HTTP_Strict_Transport_Security HTTP Strict Transport Security] | ||
|} | |} | ||
+ | |||
{| class="wikitable" style="text-align: center; " | {| class="wikitable" style="text-align: center; " | ||
+ | |+ '''HTML metadata / HTTP headers collected which could allow [https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Fingerprinting fingerprinting] ''' | ||
|'''HTML metadata''' | |'''HTML metadata''' | ||
|'''Description''' | |'''Description''' | ||
|'''More information''' | |'''More information''' | ||
|- | |- | ||
− | | | + | |moodle |
− | |Web server using [http://www. | + | |Web server using [https://moodle.org/ Moodle] technology |
− | |[http:// | + | |[http://www.cvedetails.com/vendor/2105/Moodle.html Vulnerabilities stats] |
+ | |- | ||
+ | |MetaGenerator[Infopark CMS Fiona | ||
+ | |Web server using [https://www.infopark.de/produkte/CMS-Fiona CMS Fiona technology] | ||
+ | |6.10 Last version. Need more info. | ||
+ | |- | ||
+ | |MetaGenerator[Sitefinity | ||
+ | |Web server using [http://www.sitefinity.com/ SiteFinity technology] | ||
+ | |[http://www.sitefinity.com/documentation/documentationarticles/developers-guide/deep-dive/security Security based on ASP.NET model] | ||
+ | |- | ||
+ | |HTTPServer[BigIP / Cookies[BIGip | ||
+ | |Web server using [http://www.f5.com/products/big-ip/ F5 technology] | ||
+ | |Need more info | ||
+ | |- | ||
+ | |Cookies: PHPSESSID | ||
+ | |Web server using [http://php.net/ PHP technology] | ||
+ | |[http://php.net/manual/en/function.session-start.php Session cookie] | ||
+ | |- | ||
+ | |Cookies: JSESSIONID | ||
+ | |Web server using [http://en.wikipedia.org/wiki/JavaServer_Pages JSP technology] | ||
+ | |[http://blog.whitehatsec.com/tag/jsessionid/#.UcxS4PnOuSp Session cookie] | ||
+ | |- | ||
+ | |Cookies: ASPSESSION | ||
+ | |Web server using [http://www.asp.net/ ASP technology] | ||
+ | |See ASP.NET in the Powered-by HTTP header section | ||
+ | |- | ||
+ | |Cookies: fe_typo_user | ||
+ | |Web server using [http://typo3.org/ TYPO3 technology] | ||
+ | |[http://cookiepedia.co.uk/cookies/fe_typo_user Ref] | ||
+ | |- | ||
+ | |Cookies: CFID | ||
+ | |Web server using [http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSe61e35da8d3185183e145c0d1353e31f559-7ffc.html Coldfusion technology] | ||
+ | |Need more data | ||
+ | |- | ||
+ | |Cookies: CFTOKEN | ||
+ | |Web server using [http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSe61e35da8d3185183e145c0d1353e31f559-7ffc.html Coldfusion technology] | ||
+ | |Need more data | ||
+ | |- | ||
+ | |MetaGenerator[Square One, Meta-Author[Jeremy | ||
+ | |Web server using [https://github.com/square-one/square-one-cms Square One CMS (light version of Joomla)] | ||
+ | |Looks like is discontinued | ||
+ | |- | ||
+ | |MetaGenerator[LFC | ||
+ | |Web server using [http://www.getlfs.com/ LFS technology] | ||
+ | |CMS based on Python, Django and jQuery | ||
+ | |- | ||
+ | |MetaGenerator[Percussion | ||
+ | |Web server using [https://www.percussion.com Percussion CMS] | ||
+ | |CMS for Marketers | ||
|- | |- | ||
− | | | + | |RiOS[ |
− | |Web server using [http://www. | + | |Web server using Riverbeed WAN optimization [http://www.riverbed.com/products/wan-optimization/ Riverbeed WAN optimization] |
− | |[http:// | + | |[http://en.wikipedia.org/wiki/Riverbed_Technology Riverbeed Technology] |
|} | |} | ||
+ | |||
+ | TODO: https://www.owasp.org/index.php/Fingerprint_Web_Application_(OTG-INFO-009)#Common_Application_Identifiers |
Latest revision as of 14:28, 13 October 2014
CALL FOR CONTRIBUTORS: If you would like collaborate in this project join with us.
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (assessing favourably the signs of hardening and assessing negatively the signs of weakness) with an overall interpretation of this information from any website.
Weakness signs | Hardening signs |
---|---|
MetaGenerator[Joomla! 1.5 | X-Frame-Options[SAMEORIGIN |
Microsoft-IIS/6.0 | X-XSS-Protection |
Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 | UncommonHeaders[x-varnish |
This information collected plus more input from other OWASP projects as Top 10 2013-Top 10, could serve as the basis for WEB fingerprinting. A proof of concept tool is available in as a web service.
Server HTTP header | Description | More information |
AkamaiGHost | Web server using Akamai Global Hosting | Need references |
AmazonS3 | Web server using Amazon cloud | Common Response headers |
Apache/X.X | Web server using Apache technology | Technology lider in Internet |
Microsoft-IIS/X | Web server using Microsoft IIS technology | How to modify this header |
PWS | Small Microsoft Web server for old Windows versions | Microsoft Personal Web Server |
nginx/X.X | Russian web server and reverse proxy | Official site |
lighttpd/X.X | Web server optimized for speed-critical environments | Official site |
OpenCms/X.X | Open source content management system written in Java | Official site |
Netscape-Enterprise/X.X | Web server using old Netscape technology | Current server family |
Sun-ONE-Web-Server/X | Web server using iPlanet web server technology | Current server family |
Oracle-Application-Server-Xx | Web server using Oracle applications server | Official site |
Lotus-Domino | Web server using IBM Lotus Domino technology | Official site |
Sun-Java-System-Web-Server/X | Web server using Oracle iPlanet technology | Official site |
Oracle-iPlanet-Web-Server/7.0 | Web server using Oracle iPlanet technology | iPlanet Web server |
IBM_HTTP_Server/X.X | Web server using IBM technology (Apache based) | How to hide version |
LiteSpeed/X.X | Web server using LiteSpeed technology (Apache based) | How to hide version |
Alterian-CME/X.X | Web server using SDL ACM | SDL acquires Alterian |
Tengine | Web server using Tengine technology (nginx based) | Need more information |
eZ Publish | Web server using EZ technology | Open Source CMS |
GSE | Web server using Google infrastructure (blogger) | Need more information |
gws | Web server using Google infrastructure (search pages) | Need more information |
sffe | Web server using Google infrastructure (static files) | Need more information |
tfe | Web server using Twitter infrastructure | Need more information |
YTS | Web server using Yahoo! infrastructure | Need more information |
cloudflare-nginx | Web server using CloudFlare infrastructure | Need more information |
Powered-by HTTP header | Description | More information |
eBD/3.5.5 | Web server using EBD technology | Need more info |
eWAY | Web server using eWay payment gateway | Need more info |
Express | Web server using nodejs with express | x-powered-by Enables the "X-Powered-By: Express" HTTP header, enabled by default. |
PHP/x.x | Web server using PHP technology | How to remove header |
ASP.NET | Web server using Microsoft ASP technology | Custom headers |
Servlet/X.X JSP/X.X | Web server using Tomcat application server | Header implementation |
Plesklin | Web server using Parallels technology | How to disable header |
(mod_rails/mod_rack) | Web server using Ruby on Rails technology | Phusion Passenger |
ARR/X.X | Web server using IIS with request routing technology | More header information |
JSF/2.0 | Web server using JavaServer Faces technology | Need more info |
Custom HTTP headers | Description | More information |
access-control-allow-origin, access-control-allow-headers | Web server using HTTP access control (CORS) | Need more info |
x-generator | Web server running under Drupal | function _drupal_default_html_head |
x-amz- | Web server running under Amazon services | common response headers |
x-cache-hits,x-timer,x-served-by, x-varnish, x-varnish-cache | Web server using Varnish cache technology | How to modify this header |
x-drupal-cache | Web server using Drupal technology | Vulnerabilities stats |
x-dynatrace | Web server using dynatrace technology | Need more data |
x-server-name | Web server using Websphere technology | node HTTP headers |
strict-transport-security | opt-in security enhancement that is specified by a web application | HTTP Strict Transport Security |
HTML metadata | Description | More information |
moodle | Web server using Moodle technology | Vulnerabilities stats |
MetaGenerator[Infopark CMS Fiona | Web server using CMS Fiona technology | 6.10 Last version. Need more info. |
MetaGenerator[Sitefinity | Web server using SiteFinity technology | Security based on ASP.NET model |
HTTPServer[BigIP / Cookies[BIGip | Web server using F5 technology | Need more info |
Cookies: PHPSESSID | Web server using PHP technology | Session cookie |
Cookies: JSESSIONID | Web server using JSP technology | Session cookie |
Cookies: ASPSESSION | Web server using ASP technology | See ASP.NET in the Powered-by HTTP header section |
Cookies: fe_typo_user | Web server using TYPO3 technology | Ref |
Cookies: CFID | Web server using Coldfusion technology | Need more data |
Cookies: CFTOKEN | Web server using Coldfusion technology | Need more data |
MetaGenerator[Square One, Meta-Author[Jeremy | Web server using Square One CMS (light version of Joomla) | Looks like is discontinued |
MetaGenerator[LFC | Web server using LFS technology | CMS based on Python, Django and jQuery |
MetaGenerator[Percussion | Web server using Percussion CMS | CMS for Marketers |
RiOS[ | Web server using Riverbeed WAN optimization Riverbeed WAN optimization | Riverbeed Technology |