Enumerate Applications on Webserver (OTG-INFO-004)

[Up]
OWASP Testing Guide v2 Table of Contents

Brief Summary

A common step for testing vulnerabilities in a Web presence is to find out which particular applications are hosted on a Web Server.
Many different applications, in fact, have known vulnerabilities and known attack strategies than can be exploited in order to gain remote control and/or data exploitation.
In addition to this many applications are often hosted on a particular web server without reference from the main website: this is true for internal and/or extranet website which could be misconfigured or not updated due to the perception they're used only "internally".
In addition to this many application use common path for administrative interfaces which can be used to guess or bruteforce administrative passwords.

Description of the Issue

With the proliferation of virtual web servers, the traditional 1:1-type relationship between an IP address and a web server is loosing much of its original significance. It is not uncommon to have multiple web sites / applications whose symbolic names resolve to the same IP address (and this scenario is not limited to hosting environments, but applies to ordinary corporate environments as well).
Sometimes you, as a security professional, are given a set of IP addresses (or maybe just one) as a target to test. No other knowledge. It is arguable that this setting is more akin to a pentest-type engagement, but in any case it is expected that such an assignment would test all web applications accessible through this target (and possibly other things...). The problem is, the given IP address hosts an http service on port 80, but if you access it specifying the IP address (which is all you know) it reports "No web server configured at this address" or a similar message. But that system could "hide" a bunch of web applications, associated to unrelated symbolic (DNS) names. Obviously the extent of your analysis is deeply affected by the fact that you test the applications, or you do not - because you don't notice them, or you notice only SOME of them. Sometimes the target specification is richer – maybe you are handed out a list of IP addresses and their corresponding symbolic names. Nevertheless, this list might convey partial information, i.e. it could omit some symbolic names – and the client might not even being aware of that! (this is more likely to happen in large organizations).
Other issues affecting the scope of the assessment are represented by web applications published at non-obvious URLs (e.g., http://www.example.com/some-strange-URL), which are not referenced elsewhere. This may happen either by error (due to misconfigurations), or intentionally (for example, unadvertised administrative interfaces).
To address these issues it is necessary to perform a web application discovery.

Black Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

Gray Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

References

Whitepapers
...
Tools
...

OWASP Testing Guide v2

Here is the OWASP Testing Guide v2 Table of Contents