Difference between revisions of "Web-metadata"

From OWASP
m (Typo correction)
(30 intermediate revisions by one other user not shown)
Line 1: Line 1:
 +
{{Social Media Links}}
 +
 
'''CALL FOR CONTRIBUTORS''':
 
'''CALL FOR CONTRIBUTORS''':
 
If you would like collaborate in this project [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join with us].
 
If you would like collaborate in this project [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join with us].
  
Under development...
+
Collection of HTTP and HTML metadata information in order to categorize its relevance as a sign of possible security weakness or signs of hardening in any website. The final goal is to raise web security awareness (''assessing favourably the signs of hardening and assessing negatively the signs of weakness'') with an overall interpretation of this information from any website.
 +
 
 +
{| class="wikitable" style="margin: 1em auto 1em auto;"
 +
|+ '''Examples of Metadata assessing'''
 +
! scope="col" | Weakness signs
 +
! scope="col" | Hardening signs
 +
|-
 +
| MetaGenerator[Joomla! 1.5  || X-Frame-Options[SAMEORIGIN
 +
|-
 +
| Microsoft-IIS/6.0 || X-XSS-Protection
 +
|-
 +
| Apache/2.2.22(Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish
 +
|}
 +
 
 +
[http://desenmascara.me Proof of concept in Spanish]
 +
 
 +
----
 +
This information collected plus more input from other OWASP projects as [[Top 10 2013-Top 10]], will serve as the basis for the development of the [[OWASP Unmaskme Project]] as a web service.
  
 
{| class="wikitable" style="text-align: center; "
 
{| class="wikitable" style="text-align: center; "
 +
|+ '''[http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38 Server HTTP header] metadata collected'''
 
|'''Server HTTP header'''
 
|'''Server HTTP header'''
 
|'''Description'''
 
|'''Description'''
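Review bot: the contributor call in this hunk reads "If you would like collaborate in this project", which is missing "to" ("If you would like to collaborate in this project"). The new examples table uses an unclosed bracket notation ("MetaGenerator[Joomla! 1.5", "X-Frame-Options[SAMEORIGIN", "UncommonHeaders[x-varnish") without saying where it comes from; a one-line explanation of the `Name[value` form above the table, and of the criteria behind the two columns (a disclosed version string counts as a weakness sign, a protective response header as a hardening sign), would make the table readable on its own while the page is still marked "Under development...".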
Line 22: Line 42:
 
|-
 
|-
 
|nginx/X.X
 
|nginx/X.X
|Russian web server and revere proxy
+
|Russian web server and reverse proxy
 
|[http://nginx.org/en/ Official site]
 
|[http://nginx.org/en/ Official site]
 
|-
 
|-
Line 36: Line 56:
 
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]
 
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]
 
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]
 
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]
 
+
|-
 +
|Sun-ONE-Web-Server/X
 +
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]
 +
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]
 +
|-
 +
|Oracle-Application-Server-Xx
 +
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle applications server]
 +
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]
 +
|-
 +
|Lotus-Domino
 +
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]
 +
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]
 +
|-
 +
|Sun-Java-System-Web-Server/X
 +
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]
 +
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]
 +
|-
 +
|Oracle-iPlanet-Web-Server/7.0
 +
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino Oracle iPlanet technology]
 +
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web server]
 +
|-
 +
|IBM_HTTP_Server/X.X
 +
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)
 +
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]
 +
|-
 +
|LiteSpeed/X.X
 +
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)
 +
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]
 +
|-
 +
|Alterian-CME/X.X
 +
|Web server using [http://www.sdl.com/products/acm/ SDL ACM]
 +
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]
 +
|-
 +
|Tengine
 +
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based)
 +
|Need more information
 +
|-
 +
|eZ Publish
 +
|Web server using [http://ez.no/ EZ technology]
 +
|[http://es.wikipedia.org/wiki/EZ_Publish Open Source CMS]
 +
|-
 +
|GSE
 +
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (blogger)
 +
|Need more information
 +
|-
 +
|gws
 +
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages)
 +
|Need more information
 +
|-
 +
|sffe
 +
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files)
 +
|Need more information
 +
|-
 +
|tfe
 +
|Web server using [http://www.twitter.com/ Twitter infrastructure]
 +
|Need more information
 +
|-
 +
|YTS
 +
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure]
 +
|Need more information
 +
|-
 +
|cloudflare-nginx
 +
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure]
 +
|Need more information
 
|}
 
|}
  
 
{| class="wikitable" style="text-align: center; "
 
{| class="wikitable" style="text-align: center; "
 +
|+ '''[http://en.wikipedia.org/wiki/List_of_HTTP_header_fields Powered-by HTTP header] metadata collected (this header isn't an HTTP standard)'''
 
|'''Powered-by HTTP header'''
 
|'''Powered-by HTTP header'''
 
|'''Description'''
 
|'''Description'''
 
|'''More information'''
 
|'''More information'''
 
|-
 
|-
|Apache/X.X
+
|PHP/x.x
|Web server using [http://www.apache.org/ Apache] technology
+
|Web server using [http://php.net/ PHP technology]
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology lider in Internet]
+
|[http://php.net/manual/en/function.header-remove.php How to remove header]
 
|-
 
|-
|Microsoft-IIS/X
+
|ASP.NET
|Web server using [http://www.iis.net/ Microsoft IIS technology]
+
|Web server using [http://www.asp.net/ Microsoft ASP technology]
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]
+
|[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers]
 +
|-
 +
|Servlet/X.X JSP/X.X
 +
|Web server using [http://tomcat.apache.org/ Tomcat application server]
 +
|[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation]
 +
|-
 +
|Plesklin
 +
|Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels technology]
 +
|[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable header]
 +
|-
 +
|(mod_rails/mod_rack)
 +
|Web server using [http://rubyonrails.org/ Ruby on Rails technology]
 +
|[http://en.wikipedia.org/wiki/Phusion_Passenger Phusion Passenger]
 +
|-
 +
|ARR/X.X
 +
|Web server using [http://www.iis.net/downloads/microsoft/application-request-routing IIS with request routing technology]
 +
|[http://blogs.iis.net/finbarryan/archive/2013/06/05/application-request-routing-and-server-headers-quot-x-powered-by-arr-2-5-quot.aspx More header information]
 +
|-
 +
|JSF/2.0
 +
|Web server using [http://www.oracle.com/technetwork/java/javaee/javaserverfaces-139869.html JavaServer Faces technology]
 +
|Need more info
 
|}
 
|}
  
 
{| class="wikitable" style="text-align: center; "
 
{| class="wikitable" style="text-align: center; "
 +
|+ '''HTML metadata collected which could allow [https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Fingerprinting fingerprinting] '''
 
|'''HTML metadata'''
 
|'''HTML metadata'''
 
|'''Description'''
 
|'''Description'''
 
|'''More information'''
 
|'''More information'''
 
|-
 
|-
|Apache/X.X
+
|moodle
|Web server using [http://www.apache.org/ Apache] technology
+
|Web server using [https://moodle.org/ Moodle] technology
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology lider in Internet]
+
|[http://www.cvedetails.com/vendor/2105/Moodle.html Vulnerabilities stats]
 
|-
 
|-
|Microsoft-IIS/X
+
|x-cache-hits,x-timer,x-served-by, x-varnish, x-varnish-cache
|Web server using [http://www.iis.net/ Microsoft IIS technology]
+
|Web server using [https://www.varnish-cache.org/ Varnish cache technology]
 
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]
 
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]
 +
|-
 +
|MetaGenerator[Sitefinity
 +
|Web server using [http://www.sitefinity.com/ SiteFinity technology]
 +
|[http://www.sitefinity.com/documentation/documentationarticles/developers-guide/deep-dive/security Security based on ASP.NET model]
 +
|-
 +
|HTTPServer[BigIP / Cookies[BIGip
 +
|Web server using [http://www.f5.com/products/big-ip/ F5 technology]
 +
|Need more info
 +
|-
 +
|x-drupal-cache
 +
|Web server using [https://drupal.org/ Drupal technology]
 +
|[http://www.cvedetails.com/product/2387/Drupal-Drupal.html?vendor_id=1367 Vulnerabilities stats]
 +
|-
 +
|Cookies[PHPSESSID
 +
|Web server using [http://php.net/ PHP technology]
 +
|[http://php.net/manual/en/function.session-start.php Session cookie]
 +
|-
 +
|Cookies[JSESSIONID
 +
|Web server using [http://en.wikipedia.org/wiki/JavaServer_Pages JSP technology]
 +
|[http://blog.whitehatsec.com/tag/jsessionid/#.UcxS4PnOuSp Session cookie]
 +
|-
 +
|Cookies[ASPSESSION
 +
|Web server using [http://www.asp.net/ ASP technology]
 +
|See ASP.NET in the Powered-by HTTP header section
 +
|-
 +
|x-server-name
 +
|Web server using [http://www-01.ibm.com/software/websphere/ Websphere technology]
 +
|[http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fac00477_.htm node HTTP headers]
 +
|-
 +
|access-control-allow-origin, access-control-allow-headers
 +
|Web server using [https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS HTTP access control (CORS)]
 +
|Need more info
 +
|-
 +
|MetaGenerator[Square One, Meta-Author[Jeremy
 +
|Web server using [https://github.com/square-one/square-one-cms Square One CMS (light version of Joomla)]
 +
|Looks like is discontinued
 +
|-
 +
|MetaGenerator[LFC
 +
|Web server using [http://www.getlfs.com/ LFS technology]
 +
|CMS based on Python, Django and jQuery
 
|}
 
|}
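Review bot: two link targets in this hunk do not match their cell text: the "Sun-Java-System-Web-Server/X" and "Oracle-iPlanet-Web-Server/7.0" rows link "Oracle iPlanet technology" to http://en.wikipedia.org/wiki/IBM_Lotus_Domino (carried over from the Lotus-Domino row above them); point both at http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server, which the Netscape-Enterprise row already uses. In the Varnish row ("x-cache-hits,x-timer,x-served-by, x-varnish, x-varnish-cache") the "How to modify this header" cell still carries the IIS 7 technet link from the Microsoft-IIS row it replaced; it should link to Varnish documentation or be marked "Need more info". Smaller points: "Plesklin" should read "PleskLin" as in the linked forum thread URL, "Looks like is discontinued" is missing "it", and the third table is captioned "HTML metadata" although most of its rows (x-drupal-cache, x-server-name, the CORS headers, the cookies) are response headers rather than HTML metadata; either rename the caption or move those rows to a response-header table.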

Revision as of 07:53, 23 September 2013


'''CALL FOR CONTRIBUTORS''': If you would like to collaborate in this project, [https://lists.owasp.org/mailman/listinfo/owasp_unmaskme_project join us].

Collection of HTTP and HTML metadata in order to categorize its relevance as a sign of possible security weakness or of hardening in any website. The final goal is to raise web security awareness (assessing signs of hardening favourably and signs of weakness negatively) with an overall interpretation of this information for any website.

{| class="wikitable" style="margin: 1em auto 1em auto;"
|+ '''Examples of metadata assessing'''
! scope="col" | Weakness signs
! scope="col" | Hardening signs
|-
| MetaGenerator[Joomla! 1.5 || X-Frame-Options[SAMEORIGIN
|-
| Microsoft-IIS/6.0 || X-XSS-Protection
|-
| Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 || UncommonHeaders[x-varnish
|}
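As an added example (not part of this OWASP page or of the Unmaskme project's own code), the following Python script applies the weakness/hardening classification sketched above to a site's own HTTP response headers and HTML: a version string in Server or X-Powered-By, an uncommon infrastructure header, a framework session cookie or a generator meta tag counts as a weakness sign, while X-Frame-Options and X-XSS-Protection count as hardening signs. The two responses are constructed samples; the header and cookie lists, the `Name[value` output notation and the simple +1/-1 score are assumptions taken from the tables on this page, not the project's scoring rules.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Hardening signs named on the page (header names compared lower-cased).
HARDENING_HEADERS = {"x-frame-options", "x-xss-protection"}
# Headers whose value commonly carries a product banner (assumed list).
BANNER_HEADERS = {"server", "x-powered-by"}
# A "/<digits>[.<digits>...]" fragment means a version number is disclosed.
VERSION_RE = re.compile(r"/\d+(?:\.\d+)*")
# Uncommon headers from the page's tables that reveal back-end infrastructure.
UNCOMMON_HEADERS = {"x-varnish", "x-varnish-cache", "x-cache-hits", "x-timer",
                    "x-served-by", "x-drupal-cache", "x-server-name"}
# Session cookie name prefixes from the page's HTML-metadata table.
SESSION_COOKIE_PREFIXES = ("PHPSESSID", "JSESSIONID", "ASPSESSION", "BIGip")
# <meta name="generator" content="..."> discloses the CMS (e.g. Joomla! 1.5).
META_GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)


@dataclass
class Assessment:
    weakness: list[str] = field(default_factory=list)
    hardening: list[str] = field(default_factory=list)

    def score(self) -> int:
        """Assumed scoring: each hardening sign +1, each weakness sign -1."""
        return len(self.hardening) - len(self.weakness)


def assess(headers: list[tuple[str, str]], html: str = "") -> Assessment:
    """Classify response headers and HTML metadata as weakness or hardening signs.

    `headers` is a list of (name, value) pairs so that repeated Set-Cookie
    headers survive; findings use the page's `Name[value` notation.
    """
    result = Assessment()
    for name, value in headers:
        key = name.strip().lower()
        if key in HARDENING_HEADERS:
            result.hardening.append(f"{name}[{value}")
        elif key in BANNER_HEADERS and VERSION_RE.search(value):
            # Banner without a version (e.g. "Server: nginx") is not flagged.
            result.weakness.append(f"{name}[{value}")
        elif key in UNCOMMON_HEADERS:
            result.weakness.append(f"UncommonHeaders[{key}")
        elif key == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name.startswith(SESSION_COOKIE_PREFIXES):
                result.weakness.append(f"Cookies[{cookie_name}")
    for generator in META_GENERATOR_RE.findall(html):
        result.weakness.append(f"MetaGenerator[{generator}")
    return result


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = [
    ("Server", "Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5"),
    ("X-Powered-By", "PHP/5.3.3"),
    ("X-Varnish", "1234567"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
]
WEAK_HTML = ('<html><head><meta name="generator" '
             'content="Joomla! 1.5 - Open Source Content Management" />'
             '</head></html>')

HARDENED_RESPONSE = [
    ("Server", "nginx"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Set-Cookie", "sid=abc123; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs, html in (("weak", WEAK_RESPONSE, WEAK_HTML),
                              ("hardened", HARDENED_RESPONSE, "")):
        a = assess(hdrs, html)
        print(f"{label}: score={a.score()} weakness={a.weakness} "
              f"hardening={a.hardening}")
```

Run against a saved copy of your own site's response headers and HTML to see which disclosures the tables above would count against it before an external scanner does; the header lists are deliberately small and should be extended from the tables as the project grows.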

[http://desenmascara.me Proof of concept in Spanish]


This collected information, plus more input from other OWASP projects such as [[Top 10 2013-Top 10]], will serve as the basis for developing the [[OWASP Unmaskme Project]] as a web service.

{| class="wikitable" style="text-align: center; "
|+ '''[http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38 Server HTTP header] metadata collected'''
! scope="col" | Server HTTP header
! scope="col" | Description
! scope="col" | More information
|-
|Apache/X.X
|Web server using [http://www.apache.org/ Apache] technology
|[http://news.netcraft.com/archives/category/web-server-survey/ Technology leader on the Internet]
|-
|Microsoft-IIS/X
|Web server using [http://www.iis.net/ Microsoft IIS technology]
|[http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx How to modify this header]
|-
|PWS
|Small Microsoft web server for old Windows versions
|Microsoft Personal Web Server
|-
|nginx/X.X
|Russian web server and reverse proxy
|[http://nginx.org/en/ Official site]
|-
|lighttpd/X.X
|Web server optimized for speed-critical environments
|Official site
|-
|OpenCms/X.X
|Open source content management system written in Java
|Official site
|-
|Netscape-Enterprise/X.X
|Web server using [http://en.wikipedia.org/wiki/Netscape_Enterprise_Server old Netscape technology]
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]
|-
|Sun-ONE-Web-Server/X
|Web server using [http://docs.oracle.com/cd/E19554-01/ iPlanet web server technology]
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Current server family]
|-
|Oracle-Application-Server-Xx
|Web server using [http://en.wikipedia.org/wiki/Oracle_Application_Server Oracle Application Server]
|[http://www.oracle.com/technetwork/middleware/ias/overview/index.html?ssSourceSiteId=ocomen Official site]
|-
|Lotus-Domino
|Web server using [http://en.wikipedia.org/wiki/IBM_Lotus_Domino IBM Lotus Domino technology]
|[http://www-01.ibm.com/software/lotus/category/messaging/ Official site]
|-
|Sun-Java-System-Web-Server/X
|Web server using [http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Oracle iPlanet technology]
|[http://www.oracle.com/technetwork/middleware/iplanetwebserver-098726.html Official site]
|-
|Oracle-iPlanet-Web-Server/7.0
|Web server using [http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server Oracle iPlanet technology]
|[http://en.wikipedia.org/wiki/Oracle_iPlanet_Web_Server iPlanet Web Server]
|-
|IBM_HTTP_Server/X.X
|Web server using [http://www-03.ibm.com/software/products/us/en/http-servers IBM technology] (Apache based)
|[http://publib.boulder.ibm.com/httpserv/ihsdiag/questions.html#ihshideserver How to hide version]
|-
|LiteSpeed/X.X
|Web server using [http://www.litespeedtech.com/docs/webserver/intro/ LiteSpeed technology] (Apache based)
|[http://www.litespeedtech.com/support/forum/showthread.php?t=4893 How to hide version]
|-
|Alterian-CME/X.X
|Web server using [http://www.sdl.com/products/acm/ SDL ACM]
|[http://www.sdl.com/aboutus/news/pressreleases/2012/sdl_acquires_alterian.html SDL acquires Alterian]
|-
|Tengine
|Web server using [http://tengine.taobao.org/index.html Tengine technology] (nginx based)
|Need more information
|-
|eZ Publish
|Web server using [http://ez.no/ eZ technology]
|[http://es.wikipedia.org/wiki/EZ_Publish Open source CMS]
|-
|GSE
|Web server using [https://code.google.com/p/opengse/ Google infrastructure] (Blogger)
|Need more information
|-
|gws
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (search pages)
|Need more information
|-
|sffe
|Web server using [http://en.wikipedia.org/wiki/Google_Web_Server#Software Google infrastructure] (static files)
|Need more information
|-
|tfe
|Web server using [http://www.twitter.com/ Twitter infrastructure]
|Need more information
|-
|YTS
|Web server using [http://www.yahoo.com/ Yahoo! infrastructure]
|Need more information
|-
|cloudflare-nginx
|Web server using [https://www.cloudflare.com/ CloudFlare infrastructure]
|Need more information
|}
{| class="wikitable" style="text-align: center; "
|+ '''[http://en.wikipedia.org/wiki/List_of_HTTP_header_fields X-Powered-By HTTP header] metadata collected (this header is not an HTTP standard)'''
! scope="col" | Powered-by HTTP header
! scope="col" | Description
! scope="col" | More information
|-
|PHP/x.x
|Web server using [http://php.net/ PHP technology]
|[http://php.net/manual/en/function.header-remove.php How to remove the header]
|-
|ASP.NET
|Web server using [http://www.asp.net/ Microsoft ASP.NET technology]
|[http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders Custom headers]
|-
|Servlet/X.X JSP/X.X
|Web server using [http://tomcat.apache.org/ Tomcat application server]
|[https://issues.apache.org/bugzilla/show_bug.cgi?id=48006 Header implementation]
|-
|PleskLin
|Web server using [http://www.parallels.com/es/products/plesk/addons/ Parallels Plesk technology]
|[http://forum.parallels.com/showthread.php?260694-Disable-HTTP-header-X-Powered-By-PleskLin How to disable the header]
|-
|(mod_rails/mod_rack)
|Web server using [http://rubyonrails.org/ Ruby on Rails technology]
|[http://en.wikipedia.org/wiki/Phusion_Passenger Phusion Passenger]
|-
|ARR/X.X
|Web server using [http://www.iis.net/downloads/microsoft/application-request-routing IIS with Application Request Routing]
|[http://blogs.iis.net/finbarryan/archive/2013/06/05/application-request-routing-and-server-headers-quot-x-powered-by-arr-2-5-quot.aspx More header information]
|-
|JSF/2.0
|Web server using [http://www.oracle.com/technetwork/java/javaee/javaserverfaces-139869.html JavaServer Faces technology]
|Need more info
|}
{| class="wikitable" style="text-align: center; "
|+ '''HTML metadata collected which could allow [https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Fingerprinting fingerprinting]'''
! scope="col" | HTML metadata
! scope="col" | Description
! scope="col" | More information
|-
|moodle
|Web server using [https://moodle.org/ Moodle] technology
|[http://www.cvedetails.com/vendor/2105/Moodle.html Vulnerability stats]
|-
|x-cache-hits, x-timer, x-served-by, x-varnish, x-varnish-cache
|Web server using [https://www.varnish-cache.org/ Varnish cache technology]
|How to modify this header
|-
|MetaGenerator[Sitefinity
|Web server using [http://www.sitefinity.com/ Sitefinity technology]
|[http://www.sitefinity.com/documentation/documentationarticles/developers-guide/deep-dive/security Security based on the ASP.NET model]
|-
|HTTPServer[BigIP / Cookies[BIGip
|Web server using [http://www.f5.com/products/big-ip/ F5 technology]
|Need more info
|-
|x-drupal-cache
|Web server using [https://drupal.org/ Drupal technology]
|[http://www.cvedetails.com/product/2387/Drupal-Drupal.html?vendor_id=1367 Vulnerability stats]
|-
|Cookies[PHPSESSID
|Web server using [http://php.net/ PHP technology]
|[http://php.net/manual/en/function.session-start.php Session cookie]
|-
|Cookies[JSESSIONID
|Web server using [http://en.wikipedia.org/wiki/JavaServer_Pages JSP technology]
|[http://blog.whitehatsec.com/tag/jsessionid/#.UcxS4PnOuSp Session cookie]
|-
|Cookies[ASPSESSION
|Web server using [http://www.asp.net/ ASP technology]
|See ASP.NET in the Powered-by HTTP header section
|-
|x-server-name
|Web server using [http://www-01.ibm.com/software/websphere/ WebSphere technology]
|[http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fac00477_.htm Node HTTP headers]
|-
|access-control-allow-origin, access-control-allow-headers
|Web server using [https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS HTTP access control (CORS)]
|Need more info
|-
|MetaGenerator[Square One, Meta-Author[Jeremy
|Web server using [https://github.com/square-one/square-one-cms Square One CMS (light version of Joomla)]
|Looks like it is discontinued
|-
|MetaGenerator[LFC
|Web server using [http://www.getlfs.com/ LFS technology]
|CMS based on Python, Django and jQuery
|}