Web Application Debugging
We should first attempt to discover the technology stack in use. Technology stacks generally consist of a host operating system, web server software, database software, and a frontend/backend programming language. Modern browsers include developer tools that can assist in the enumeration process.
Debugging Page Content
File extensions, which are sometimes part of a URL, can reveal the programming language the application was written in (e.g., .php, .jsp, .html). Use the Debugger from the Firefox developer tools, and the Inspector tool to drill down into specific page content.
Inspecting HTTP Response Header and Sitemaps
Two types of tools can be used: a proxy like Burp Suite, or the browser's own Network tool.
The Server header often reveals at least the name of the web server software.
HTTP headers are not always generated solely by the web server. For instance, web proxies actively insert the X-Forwarded-For header to signal the web server about the original client IP address.
Historically, headers that started with "X-" were called non-standard HTTP headers. However, RFC 6648 now deprecates the use of "X-" in favor of a clearer naming convention.
Some examples of non-standard headers include X-Powered-By, x-amz-cf-id, and X-Aspnet-Version. The x-amz-cf-id header indicates the application uses Amazon CloudFront.
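The following is an added example (not part of the original notes) that combines the two observations above: it reads the file extension from a URL and the Server / X-Powered-By / x-amz-cf-id / X-Forwarded-For headers from a raw HTTP response, and reports what each discloses about the stack. Run it against your own server's response to see what it leaks. The URL, the response, and the extension-to-language table are constructed for the example.

```python
"""Added example: report what a URL's extension and an HTTP response's
headers reveal about the technology stack. Sample data is constructed."""
import posixpath
from urllib.parse import urlparse

# Extension -> language hint (constructed table for the example).
EXTENSION_HINTS = {
    ".php": "PHP",
    ".jsp": "Java (JSP)",
    ".asp": "Classic ASP",
    ".aspx": "ASP.NET",
    ".html": "static HTML (no server-side language implied)",
}

# Header name (lower-cased) -> what its presence tells us.
HEADER_HINTS = {
    "server": "web server software",
    "x-powered-by": "backend language/framework",
    "x-aspnet-version": "ASP.NET version",
    "x-amz-cf-id": "served through Amazon CloudFront",
    "x-forwarded-for": "inserted by a proxy in front of the server",
}


def extension_hint(url):
    """Return the language hint for the URL's path extension, or None."""
    path = urlparse(url).path          # query string is not part of the path
    ext = posixpath.splitext(path)[1].lower()
    return EXTENSION_HINTS.get(ext)


def parse_headers(raw_response):
    """Split a raw HTTP response into (status_line, {lower-cased name: value})."""
    lines = raw_response.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:                   # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def fingerprint(url, raw_response):
    """Collect every stack hint found in the URL and the response headers."""
    findings = {}
    hint = extension_hint(url)
    if hint:
        findings["url_extension"] = hint
    _, headers = parse_headers(raw_response)
    for name, meaning in HEADER_HINTS.items():
        if name in headers:
            findings[name] = (headers[name], meaning)
    return findings


# Constructed sample input; not captured from any real host.
SAMPLE_URL = "https://example.test/app/index.php?id=1"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "x-amz-cf-id: EXAMPLE-CF-ID\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_URL, SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Every finding here comes from information the server volunteered; removing the Server version string and X-Powered-By from your own configuration is the usual mitigation, and this script shows what is left afterwards.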
Sitemap and robots.txt
Sitemaps are another important element we should take into consideration when enumerating web applications. Web applications can include sitemap files to help search engine bots crawl and index their site. robots.txt excludes URLs from being crawled.
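As an added example (not from the original notes), the script below parses a robots.txt file into its Allow, Disallow, and Sitemap entries, checks whether a given path is excluded from crawling using longest-prefix matching, and pulls the URL list out of a sitemap XML document. Because robots.txt is public, its Disallow lines advertise paths to anyone who reads them; the parser makes it easy to audit what your own file discloses. Both input documents are constructed for the example.

```python
"""Added example: parse robots.txt and a sitemap.xml. Sample data is constructed."""
import xml.etree.ElementTree as ET

# Constructed robots.txt; not taken from any real site.
SAMPLE_ROBOTS = """\
# constructed robots.txt for the example
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/
Sitemap: https://example.test/sitemap.xml
"""

# Constructed sitemap; not taken from any real site.
SAMPLE_SITEMAP = """\
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.test/</loc></url>
  <url><loc>https://example.test/about.html</loc></url>
</urlset>
"""


def parse_robots(text):
    """Group robots.txt directives by type (user-agent sections are not separated)."""
    rules = {"user_agents": [], "disallow": [], "allow": [], "sitemaps": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        key, _, value = line.partition(":")      # first colon only: URLs keep theirs
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            rules["user_agents"].append(value)
        elif key == "disallow" and value:        # empty Disallow means "allow all"
            rules["disallow"].append(value)
        elif key == "allow" and value:
            rules["allow"].append(value)
        elif key == "sitemap":
            rules["sitemaps"].append(value)
    return rules


def is_excluded(path, rules):
    """Longest matching prefix wins; a tie favours Allow."""
    best_allow = max((r for r in rules["allow"] if path.startswith(r)),
                     key=len, default="")
    best_disallow = max((r for r in rules["disallow"] if path.startswith(r)),
                        key=len, default="")
    return len(best_disallow) > len(best_allow)


def sitemap_locations(xml_text):
    """Return every <loc> value in a sitemap, ignoring the XML namespace."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if el.tag.endswith("loc") and el.text]


if __name__ == "__main__":
    rules = parse_robots(SAMPLE_ROBOTS)
    print("excluded paths:", rules["disallow"])
    print("sitemaps:", rules["sitemaps"])
    print("/admin/login excluded:", is_excluded("/admin/login", rules))
    print("sitemap URLs:", sitemap_locations(SAMPLE_SITEMAP))
```

Note that excluding a path in robots.txt only asks well-behaved crawlers to skip it; it is not an access control, so anything listed there should still be protected by authentication.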