Mapping the Application

Identifying Server-Side Functionality

by

It is often possible to infer a great deal about server-side functionality and structure, or at least make an educated guess, by observing clues that the application discloses to the client. Dissecting Requests Consider the following URL, which is used to access a search function: https://wahh-app.com/calendar.jsp?name=new%20applicants&isExpired= 0&startDate=22%2F09%2F2006&endDate=22%2F03%2F2007&OrderBy=name As we have seen, the .jsp file extension … Read more

Identifying Server-Side Technologies

by

It is normally possible to fingerprint the technologies employed on the server via various clues and indicators. Banner Grabbing Many web servers disclose fine-grained version information, both about the web server software itself and about other components that have been installed. For example, the HTTP Server header discloses a huge amount of detail about some … Read more

Analyzing the Application

by

Enumerating as much of the application’s content as possible is only one element of the mapping process. Equally important is the task of analyzing the application’s functionality, behavior, and technologies employed, in order to identify the key attack surfaces that it exposes, and begin formulating an approach to probing the application for exploitable vulnerabilities. Some … Read more

Application Pages vs. Functional Paths

by

The enumeration techniques described so far have been implicitly driven by one particular picture of how web application content may be conceptualized and catalogued. This picture is inherited from the pre application days of the World Wide Web, in which web servers functioned as repositories of static information, retrieved using URLs that were effectively filenames. … Read more

Discovering Hidden Content

by

It is very common for applications to contain content and functionality which is not directly linked or reachable from the main visible content. A common example of this is functionality that has been implemented for testing or debugging purposes and has never been removed. Another example arises where the application presents different functionality to different … Read more

User-Directed Spidering

by

This is a more sophisticated and controlled technique, which is usually preferable to automated spidering. Here, the user walks through the application in the normal way using a standard browser, attempting to navigate through all of the application’s functionality. As he does so, the resulting traffic is passed through a tool combining an intercepting proxy … Read more

Enumerating Content and Functionality

by

In a typical application, the majority of the content and functionality can be identified via manual browsing. The basic approach is to walk through the application starting from the main initial page, following every link and navigating through all multistage functions (such as user registration or password resetting). If the application contains a “site map,” … Read more

Mapping the Application

by

The first step in the process of attacking an application is to gather and examine some key information about it, in order to gain a better understanding of what you are up against. The mapping exercise begins by enumerating the application’s content and functionality, in order to understand what the application actually does and how … Read more