3.2. HTTP Headers Inspection

The next step in gathering information is to check and analyze the headers sent by the server. This will help us find the following information:

  • The server's operating system.
  • Web server software and its version.
  • Programming language used to create the application.
  • Framework/CMS information.

To do this, we look for the following HTTP headers:

  • Server – provides the web server's version and name, sometimes even the name of the operating system.
  • Cookie – the Set-Cookie headers carry session tokens/identifiers, and their names are specific to particular server technologies. Some examples:
    • JSESSIONID—the Java platform
    • ASPSESSIONID—Microsoft IIS
    • ASP.NET_SessionId—Microsoft ASP.NET
    • CFID/CFTOKEN—ColdFusion
    • PHPSESSID—PHP
  • X-Powered-By – names the framework and other software behind the application.
  • X-Generator – likewise reports software information.
  • Non-standard headers – developers sometimes add custom headers to carry application-specific information; searching for the header name (Google/Yandex) usually reveals which software sets it.
  • Additionally, the order in which headers are sent differs between web servers, so it can serve as an indicator even when the headers above are absent.

You can inspect headers with a web browser or with dedicated tools, which we will look at below.


Header Inspection Using a Browser

To check headers in a web browser, open the bWAPP application. In my case the URL is http://10.0.2.4/bWAPP/login.php; your IP address may differ. Then open the developer tools with Ctrl+Shift+I and switch to the Network tab:

Network tab in Developer console of browser

At first, the tab is empty, so refresh the page and find the request with the file "login.php":

Representation of login.php file in Dev console

This is the page we are opening. The tab will also list other requests, for stylesheets and images. Click the entry "login.php", and a panel with the request and response headers opens on the right. We are interested in the response headers:

Vulnerable HTTP headers of bWAPP

Note the highlighted headers: they reveal a significant amount of information. However, do not trust everything you see in them unconditionally, since developers may deliberately alter their contents. It is therefore good practice to look for additional markers and confirm the findings from several sources.


Netcat

Netcat is a versatile program used for various tasks, including displaying server response headers. To view response headers using Netcat, open a terminal in Kali and enter the command:

nc 10.0.2.4 80

where "10.0.2.4" is the address of the target server and "80" is the port. Netcat establishes a TCP connection and waits for input. Then type "HEAD / HTTP/1.1" and press Enter twice (the empty line tells the server the request is complete; note that with HTTP/1.1 many servers also expect a "Host:" line before the empty line, whereas "HEAD / HTTP/1.0" works without it):

Displaying HTTP headers with Netcat

Sometimes the HEAD method is blocked. In that case you can use GET to retrieve the headers, but keep in mind that the HTML body will then be printed in the terminal as well.
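As an added example (not part of the original text) tying together the header checklist above and the Netcat walkthrough: the Python script below builds a well-formed HTTP/1.1 HEAD request, can send it over a plain TCP socket the way Netcat does, and then picks the indicators out of the reply (Server, X-Powered-By, X-Generator, session-cookie names, non-standard X- headers, and header order). The lab address 10.0.2.4 is the one used in this section; the sample reply is constructed, not captured from bWAPP.

```python
import socket

# Session-cookie names and the platforms they point to (the list from the text).
SESSION_COOKIES = {"JSESSIONID": "Java platform", "ASPSESSIONID": "Microsoft IIS",
                   "ASP.NET_SessionId": "Microsoft ASP.NET", "CFID": "ColdFusion",
                   "CFTOKEN": "ColdFusion", "PHPSESSID": "PHP"}
SOFTWARE_HEADERS = ("server", "x-powered-by", "x-generator")


def build_head_request(host: str, path: str = "/") -> bytes:
    """HTTP/1.1 requires a Host line; the empty line (the second Enter in the Netcat walkthrough) ends the request."""
    return f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def fetch_raw(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """What Netcat does by hand: open a TCP connection, send the request, read the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_head_request(host))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)


def fingerprint(raw: bytes) -> dict:
    """Pull the indicators discussed above out of a raw response's status line and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *lines = head.split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (ln.partition(":") for ln in lines)]
    result = {"status": status, "header_order": [n for n, _ in headers],
              "software": {}, "session_cookies": {}, "custom_headers": []}
    for name, value in headers:
        lname = name.lower()
        if lname in SOFTWARE_HEADERS:
            result["software"][lname] = value
        elif lname == "set-cookie":
            cookie = value.split("=", 1)[0].strip()  # cookie name is before the first '='
            if cookie in SESSION_COOKIES:
                result["session_cookies"][cookie] = SESSION_COOKIES[cookie]
        elif lname.startswith("x-"):  # other X- headers: often custom, worth a search
            result["custom_headers"].append(name)
    return result


# Constructed sample reply, modelled on a PHP application behind Apache (not real output).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    b"X-Custom-Trace: edge-7\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n\r\n"
)
```

Run fingerprint(fetch_raw("10.0.2.4")) against your own lab host; without the Host line many HTTP/1.1 servers answer 400, which is why build_head_request always includes it.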


Nmap

Nmap can also display HTTP headers and detect the operating system. Try running the following command:

sudo nmap -O 10.0.2.4

OS detection with NMAP

With the -O option, Nmap has detected the type and version of the operating system. It has also found open ports; to determine which services run on them, simply add the -sV option:

Software Version detection with NMAP

Now, next to each port, you will see the software (service) and its version. But there is more to explore. Let's display the HTTP headers with the "http-headers" script. The command looks like this:

nmap -sV 10.0.2.4 --script=http-headers

HTTP headers enumeration with NMAP

To determine server technologies, I also recommend using the "http-enum" script:

Web technologies enumeration via NMAP http-enum script

The names of the discovered links/directories alone often reveal the server technologies in use. In our case, we have identified WordPress (CMS) and phpMyAdmin (for database management).

You can also combine scripts to run them simultaneously. For example, to run both the "http-enum" and "http-headers" scripts together, you can use the following command:

nmap --script=http-enum,http-headers 10.0.2.4


Whatweb

Whatweb is another excellent tool for identifying server technologies; it combines several detection methods. To start a scan, simply enter:

whatweb -v 10.0.2.4

Web enumeration with Whatweb

Whatweb will use its various methods to identify and provide information about the technologies and web applications running on the target server.