AJAX - The Complete Reference

PART II


Chapter 7: Security Concerns 285


Web Application Reconnaissance Review


To improve an application's security posture, the first item to address is the most basic one: stemming information leakage. Just as criminals "case the joint" before a crime, skilled attackers gather as much useful information as they can to plan a successful attack, so appropriate anti-reconnaissance countermeasures must be applied. Camouflage, deception, and propaganda are used in warfare to hide from or confuse an enemy, and the same techniques apply to Web applications. An intruder wants to know how a site or application is built, how it is hosted, and potentially who runs it, so we introduce camouflage, obfuscation, and misdirection for each area of information the intruder may want.

Table 7-1 presents a number of pieces of information that may interest a potential intruder and how they determine it. A few countermeasures are also listed in case you want to prevent the leakage that is used to target sites and applications. Figure 7-2 illustrates the difference the approaches in Table 7-1 make.

On the left side of Figure 7-2, a number of things can be determined: server type, application environment, site owner, potential weak points, database information, and much more. Yet, as the right side shows, it is possible to remove these details. It is then much harder for a potential intruder to decide which attacks to attempt. In addition, if you actively monitor, they are likely to consider the effort not worth it unless they really want to compromise your particular site. So let's take a brief moment to discuss intentions, and then we'll get to the attacks.

What They Want to Know: Web server operating system
Why They Want to Know It: To determine if any operating-system-specific flaws or bugs can be used for access
How They Determine It:
  Simple inspection of the host name (for example, Redhat.ajaxref.com)
  "Banner grabbing" if login or similar prompts are presented
  Network fingerprinting of the TCP stack using a tool like Nmap (insecure.org)
Possible Countermeasures:
  Generic machine naming
  Disabling or modifying network banners
  Deploying special anti-reconnaissance network appliances to mask the server

What They Want to Know: Web server software
Why They Want to Know It: To determine if any specific Web server bugs can be exploited
How They Determine It:
  Simple inspection of the Server: header found in responses
  Inspection of error pages if the defaults are used
  Use of a special Web server fingerprinter that looks for status code and header patterns
Possible Countermeasures:
  Removing the Server header by tool or configuration
  Installing sanitized error pages
  Deploying server-masking anti-reconnaissance software (servermask.com)

TABLE 7-1 Web Application Reconnaissance Goals, Methods, and Countermeasures
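The following is an added example, not code from the book or from any tool it names. It does, offline, what the "How They Determine It" column of Table 7-1 describes for the Web server rows: it parses a raw HTTP response the way a fingerprinting tool would, reports which leak channels are present (Server: and similar headers, default error page text, a telling host name), and shows the header-stripping countermeasure as a filter. The two sample responses, the host names, the header list and the error page signature strings are all constructed for this demonstration; a real fingerprinter carries far larger signature sets.

```python
"""Self-audit for the HTTP-level leaks listed in Table 7-1.

Added example (not code from the book): it reads a raw HTTP response the
way a fingerprinting tool would and reports which of the table's leak
channels are present. All sample responses, host names and signature
strings below are constructed for the demo.
"""

# Response headers that reveal server software or application environment.
# Assumption: this short list is illustrative, not exhaustive.
FINGERPRINT_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "via",
)

# Substrings found in default (unsanitized) error pages. Constructed for this
# example; a real fingerprinter carries a much larger signature set.
DEFAULT_ERROR_PAGE_SIGNATURES = (
    "Server at",                          # Apache "ServerSignature On" footer
    "Server Error in '/' Application",    # ASP.NET default error page
    "<center>nginx</center>",             # nginx default error page footer
)

# Host-name fragments that hint at operating system or platform, as in the
# book's Redhat.ajaxref.com example. Constructed, illustrative list.
OS_HINTS = ("redhat", "centos", "ubuntu", "debian", "windows", "iis", "solaris")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers, body).

    Header names are lower-cased; values are kept in a list because a
    header may legitimately repeat (for example, Via on a proxied path).
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers, body.decode("latin-1", "replace")


def find_leaks(raw: bytes, hostname: str) -> dict:
    """Return {channel: evidence} for every Table 7-1 leak found."""
    _, headers, body = parse_response(raw)
    leaks = {}
    for name in FINGERPRINT_HEADERS:           # Server: header inspection
        if name in headers:
            leaks[name] = headers[name]
    for sig in DEFAULT_ERROR_PAGE_SIGNATURES:  # default error page inspection
        if sig in body:
            leaks.setdefault("default_error_page", []).append(sig)
    host = hostname.lower()
    for hint in OS_HINTS:                      # host-name inspection
        if hint in host:
            leaks.setdefault("hostname", []).append(hint)
    return leaks


def sanitize_headers(headers: dict) -> dict:
    """Countermeasure: drop fingerprint headers before the response leaves.

    This is what "removing the Server header by tool or configuration"
    amounts to when done in a filter rather than in server config.
    """
    return {k: v for k, v in headers.items() if k.lower() not in FINGERPRINT_HEADERS}


# Constructed sample: a default Apache 404 from a host with a telling name.
LEAKY_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache/2.2.3 (Red Hat)\r\n"
    b"X-Powered-By: PHP/5.2.6\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1>"
    b"<address>Apache/2.2.3 (Red Hat) Server at redhat.ajaxref.com Port 80</address>"
    b"</body></html>"
)

# Constructed sample: the same 404 after the Table 7-1 countermeasures.
HARDENED_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1></body></html>"
)

if __name__ == "__main__":
    for label, raw, host in (("leaky", LEAKY_RESPONSE, "redhat.ajaxref.com"),
                             ("hardened", HARDENED_RESPONSE, "www.ajaxref.com")):
        print(label, find_leaks(raw, host))
```

Run it and the leaky sample reports the Server and X-Powered-By headers, the Apache signature footer in the error page, and the "redhat" host name; the hardened sample reports nothing. In server configuration rather than a filter, the equivalent of sanitize_headers on Apache is ServerTokens Prod together with ServerSignature Off (note that ServerTokens Prod still sends "Server: Apache", only the version and OS are dropped), and on nginx it is server_tokens off. Keep the caveat from the table's third method in mind: a fingerprinter that keys on header ordering and status-code behavior will often still identify the server, so stripping banners raises the attacker's cost rather than eliminating identification.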