Technology Detection
Technology detection means identifying the software, frameworks, libraries, and components that make up a web app and its infrastructure. Knowing the tech stack is crucial - it lets you quickly focus on known vulnerabilities and misconfigurations for those specific technologies.
1. Introduction to Technology Detection
Find WordPress 5.7? Search for exploits for that version. Know it's Apache Struts? Test for specific RCE vulnerabilities. Technology detection bridges the gap between recon and vulnerability analysis - it tells you where to focus.
Key Information to Uncover
- Web Server: Apache, Nginx, IIS, etc.
- Backend Language: PHP, Java, Python, Node.js, ASP.NET.
- Frameworks: WordPress, Drupal, Joomla, Ruby on Rails, Django, Spring.
- Frontend Libraries: React, Angular, Vue.js, jQuery.
- Web Application Firewall (WAF): Cloudflare, Akamai, Imperva, AWS WAF.
- Analytics and Marketing Tools: Google Analytics, New Relic, etc.
2. Core Methodologies
Technology detection relies on "fingerprinting" - spotting unique characteristics that give away what tech is being used.
HTTP Header Analysis
HTTP response headers are a primary source of information.
```http
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
X-Powered-By: PHP/7.4.3
Set-Cookie: PHPSESSID=a1b2c3d4e5; path=/
X-Generator: Drupal 9 (https://www.drupal.org)
```
- `Server`: Often reveals the web server and sometimes the OS.
- `X-Powered-By`: Explicitly states the backend language/framework.
- `Set-Cookie`: The name of the session cookie (`PHPSESSID`, `JSESSIONID`, `ASP.NET_SessionId`) is a strong indicator of the backend language.
- `X-Generator`: Common in CMSs like WordPress and Drupal.
HTML Source Code Analysis
The HTML source of a page contains numerous clues.
- Meta Tags: `<meta name="generator" content="WordPress 5.8">`
- Script/Link Tags: Paths can reveal the framework.
  - `/wp-content/` or `/wp-includes/` -> WordPress
  - `/sites/default/files/` -> Drupal
  - `/assets/` with a hash -> Ruby on Rails or other modern frameworks.
- Comments: `<!-- Page generated by Sitefinity -->`
- Global JavaScript Variables: `window.Drupal`, `window.jQuery`, `window.angular`.
File Extensions and URL Paths
URL structure and file extensions are classic indicators.
- `.php` -> PHP
- `.aspx` -> ASP.NET
- `.jsp` -> Java (JSP)
- `/wp-admin/` -> WordPress
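The header, cookie, meta-tag and path indicators from the sections above, combined into one passive check over a captured response. This is an added example, not code from the original page; the function names, the two-indicator threshold and the sample response are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Indicator tables taken from the lists on this page
COOKIE_HINTS = {"PHPSESSID": "PHP", "JSESSIONID": "Java", "ASP.NET_SessionId": "ASP.NET"}
PATH_HINTS = {"/wp-content/": "WordPress", "/wp-includes/": "WordPress",
              "/wp-admin/": "WordPress", "/sites/default/files/": "Drupal"}
# Captures the first word of the generator string, e.g. "WordPress"
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']\s*([^"\'\s]+)', re.I)

def fingerprint(raw_response: str) -> dict:
    """Map each technology to the list of indicators that point to it."""
    head, _, body = raw_response.replace("\r\n", "\n").partition("\n\n")
    evidence = defaultdict(list)
    for line in head.split("\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name in ("server", "x-powered-by", "x-generator") and value:
            # Product name is the text before the first "/" or space
            evidence[re.split(r"[/ ]", value)[0]].append(f"{name} header")
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0]
            if cookie in COOKIE_HINTS:
                evidence[COOKIE_HINTS[cookie]].append(f"{cookie} cookie")
    match = GENERATOR_RE.search(body)
    if match:
        evidence[match.group(1)].append("meta generator")
    for fragment, tech in PATH_HINTS.items():
        if fragment in body:
            evidence[tech].append(f"path {fragment}")
    return dict(evidence)

def corroborated(evidence: dict) -> list:
    """Technologies backed by at least two independent indicators."""
    return sorted(t for t, why in evidence.items() if len(why) >= 2)

# Constructed sample response (not captured from a real host)
SAMPLE = """HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
X-Powered-By: PHP/7.4.3
Set-Cookie: PHPSESSID=a1b2c3d4e5; path=/

<html><head><meta name="generator" content="WordPress 5.8">
<link rel="stylesheet" href="/wp-content/themes/x/style.css"></head></html>
"""

if __name__ == "__main__":
    print(fingerprint(SAMPLE), corroborated(fingerprint(SAMPLE)))
```

Run against responses from your own site, the output lists exactly which headers and markup disclose the stack.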
Favicon Hashing
Many web applications have a default favicon.ico file. By fetching this file, calculating its hash (e.g., MD5 or MurmurHash3), and comparing it to a database of known hashes, you can identify the underlying application or framework even when other clues are hidden.
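The hash-and-lookup step described above, as an added example that is not code from the original page. It assumes the reference database is keyed by MurmurHash3 of the base64-encoded file (the convention Shodan's favicon search uses), with MD5 as a fallback; `STOCK_ICON`, `KNOWN` and "ExampleCMS" are constructed placeholders, and MurmurHash3 is implemented inline so only the standard library is needed.

```python
import base64
import hashlib

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86 32-bit, returned as a signed integer."""
    c1, c2, mask, h = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF, seed
    rotl = lambda x, r: ((x << r) | (x >> (32 - r))) & mask
    full = len(data) & ~3                      # bytes covered by whole 4-byte blocks
    for i in range(0, full, 4):
        k = int.from_bytes(data[i:i + 4], "little")
        k = (rotl((k * c1) & mask, 15) * c2) & mask
        h = (rotl(h ^ k, 13) * 5 + 0xE6546B64) & mask
    if len(data) > full:                       # 1-3 trailing bytes
        k = int.from_bytes(data[full:], "little")
        h ^= (rotl((k * c1) & mask, 15) * c2) & mask
    h ^= len(data)                             # final avalanche mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h

def favicon_hashes(icon: bytes) -> dict:
    """MD5 of the raw file, and MurmurHash3 of its base64 text (76-char lines)."""
    return {"md5": hashlib.md5(icon).hexdigest(),
            "mmh3": murmur3_32(base64.encodebytes(icon))}

def identify(icon: bytes, known: dict):
    """Return the application name for a known favicon, or None."""
    hashes = favicon_hashes(icon)
    return known.get(hashes["mmh3"]) or known.get(hashes["md5"])

# Constructed stand-in for a product's stock favicon.ico (not a real icon)
STOCK_ICON = b"\x00\x00\x01\x00" + bytes(range(256)) * 4
# Constructed reference database keyed by hash; "ExampleCMS" is hypothetical
KNOWN = {favicon_hashes(STOCK_ICON)["mmh3"]: "ExampleCMS"}

if __name__ == "__main__":
    print(favicon_hashes(STOCK_ICON))
    print(identify(STOCK_ICON, KNOWN))             # stock icon: matched
    print(identify(STOCK_ICON + b"\x01", KNOWN))   # modified icon: no match
```

A match on one of your own hosts means the stock icon is still being served; any change to the file changes both hashes and removes this indicator.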
3. Automated Technology Detection Tools
Manual analysis is good for understanding, but automated tools are essential for speed and scale.
whatweb
WhatWeb is a powerful, next-generation web scanner that identifies technologies with varying levels of aggression.
Usage:
```bash
# Basic scan on a single site
whatweb example.com

# Increase aggression level (more requests, more detail)
# Level 1 (default): Stealthy, just one HTTP request.
# Level 3: More aggressive, sends more requests to get more info.
whatweb -a 3 example.com

# Scan a list of URLs
whatweb -i urls.txt

# Example Output:
# http://example.com [200 OK]
# Apache[2.4.29], Country[UNITED STATES], Email[admin@example.com],
# HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[93.184.216.34],
# JQuery, MetaGenerator[WordPress 5.8], PHP[7.4.3],
# Title[Example Domain], WordPress[5.8], X-Powered-By[PHP/7.4.3]
```
wappalyzer (Browser Extension and CLI)
Wappalyzer is famous for its browser extension that shows you the tech stack of the site you're visiting. It also has a command line interface for automation.
Usage (CLI):
```bash
# (Requires Node.js and npm)
# npm i -g wappalyzer
wappalyzer https://example.com
```
httpx (with -tech-detect)
httpx from ProjectDiscovery is a fast HTTP toolkit that includes a technology detection feature based on Wappalyzer's fingerprints. It's excellent for scanning a large list of hosts quickly.
```bash
# Scan a list of URLs and detect technology
cat urls.txt | httpx -silent -tech-detect

# Example Output:
# http://example.com [200, WordPress, Apache, PHP, MySQL]
```
4. WAF Detection
Identifying a Web Application Firewall (WAF) is a critical part of technology detection. A WAF will affect how you test for vulnerabilities like SQLi and XSS.
wafw00f
wafw00f is the premier tool for WAF fingerprinting. It sends a series of benign and malicious probes and analyzes the responses to determine if a WAF is present and which one it is.
Usage:
```bash
wafw00f https://example.com

# Example Output:
# [*] Checking https://example.com
# [!] The site https://example.com is behind Cloudflare WAF.
```
Manual WAF Detection:
- Send a simple malicious request like `https://example.com/?id=<script>alert(1)</script>`.
- A 403 Forbidden response, a block page, or a CAPTCHA challenge is a strong indicator of a WAF.
- Look at the response headers for clues (e.g., `Server: cloudflare`).
5. Notes and Pitfalls
- Header Spoofing: It's trivial for an administrator to change or remove headers like `Server` and `X-Powered-By`. Don't rely on a single indicator; build a complete picture from multiple sources.
- Reverse Proxies: A target may use a reverse proxy like Nginx or Cloudflare in front of their actual application server (e.g., Tomcat). The `Server` header might show `nginx`, but the application is actually Java.
- Outdated Information: A tool's fingerprint database might be out of date. `whatweb` and `wappalyzer` are actively maintained, but it's a constant battle.
- Custom Applications: Bespoke applications built from scratch won't be identified as a known framework, but you can still identify the language, web server, and libraries used.
6. Quick Reference Table
| Tool / Method | Primary Use | Example / Note |
|---|---|---|
| whatweb | Deep, comprehensive technology detection. | whatweb -a 3 example.com |
| httpx | Fast, scalable tech detection for many hosts. | cat urls.txt \| httpx -tech-detect |
| wappalyzer | Browser extension for easy, real-time detection. | Install from browser's extension store. |
| wafw00f | WAF detection and fingerprinting. | wafw00f example.com |
| HTTP Headers | Manual analysis of Server, X-Powered-By, cookies. | curl -I example.com |
| HTML Source | Manual analysis of meta, script tags, comments. | "View Source" in your browser. |
| Favicon Hash | Identifies apps by their default favicon. | Tools like favfreak automate this. |