Implementation differences of the HTTP Protocol
HTTP Response Headers
File Extensions (.asp vs. .jsp)
Cookies (ASPSESSION)
Error Pages (Default?)
Directory Structures and Naming Conventions (Windows/Unix)
Web Developer Interfaces (Frontpage/WebPublisher)
Web Administrator Interfaces (iPlanet/Comanche)
OS Fingerprinting Mismatches (IIS on Linux?)
The normal SOP for attackers is to footprint the target's web
presence and enumerate as much information as possible. With this
information, the attacker may develop an accurate attack scenario,
which will effectively exploit a vulnerability in the software
type/version being utilized by the target host.
Accurately identifying this information for possible attack vectors is
vitally important, since many security vulnerabilities (such as buffer
overflows, etc.) are extremely dependent on a specific software
vendor and version number. Additionally, correctly identifying the
software versions and choosing an appropriate exploit reduces the
overall noise of the attack while increasing its effectiveness. It is for
this reason that a web server/application, which obviously identifies
itself, is inviting trouble.
In fact, the HTTP RFC 2068 discusses this exact issue and urges
web administrators to take steps to hide the version of software being
displayed by the Server response header:
Note: Revealing the specific software version of the server may
allow the server machine to become more vulnerable to attacks
against software that is known to contain security holes. Server
implementers are encouraged to make this field a configurable
option.
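
As an added example (not part of the original document), the following script audits a server's own raw HTTP response for the disclosures listed above: a versioned Server header, platform headers, and an ASPSESSION cookie name. The function names and both sample responses are constructed for illustration, and checking X-Powered-By and X-AspNet-Version goes beyond the Server header that the RFC note addresses.

```python
import re

# Product token followed by a version, e.g. "Microsoft-IIS/5.0".
VERSIONED_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d[\w.]*")
# Response headers that commonly carry software identification.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

def parse_headers(raw_response):
    """Return (name, value) pairs from the header block of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_disclosure(raw_response):
    """List findings where the response identifies its software or version."""
    findings = []
    for name, value in parse_headers(raw_response):
        if name in BANNER_HEADERS:
            versions = VERSIONED_TOKEN.findall(value)
            if versions:
                findings.append((name, "version disclosed: " + ", ".join(versions)))
            elif name != "server":  # a bare product name in Server is accepted
                findings.append((name, "platform disclosed: " + value))
        elif name == "set-cookie" and value.upper().startswith("ASPSESSION"):
            findings.append((name, "platform-specific session cookie name"))
    return findings

# Constructed sample responses (not captured from any real host).
VERBOSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Set-Cookie: ASPSESSIONIDQGQGGKDC=ABCDEF; path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for label, resp in (("verbose", VERBOSE), ("hardened", HARDENED)):
        print(label, audit_disclosure(resp))
```
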
Copyright 2004, Web Application Security Consortium. All rights reserved.