1
00:00:01,020 --> 00:00:08,280
Review technology and architecture information. As we talked about previously, the technology stack

2
00:00:08,430 --> 00:00:11,750
behind an application can vary widely.

3
00:00:12,570 --> 00:00:18,740
So that means, in the real world, it's very common to see complex applications everywhere you turn,

4
00:00:20,370 --> 00:00:24,840
different technologies, different vendors, different versions and so on and so forth.

5
00:00:25,350 --> 00:00:32,100
So naturally, these technologies can have vulnerabilities or configuration, well, shall we say,

6
00:00:32,100 --> 00:00:33,010
shortcomings.

7
00:00:34,080 --> 00:00:43,650
So in order to discover these vulnerabilities, extracting that technology information is a number one priority.

8
00:00:44,040 --> 00:00:47,400
It's absolutely critical for your career as a pen tester.

9
00:00:49,560 --> 00:00:55,830
So that's why we need to detect the type and the version of the server software and the application framework

10
00:00:55,830 --> 00:00:57,630
or application platform.

11
00:00:58,520 --> 00:01:05,240
This information will help you to shape the payloads that you're going to use and deploy, and it will

12
00:01:05,240 --> 00:01:14,660
also bring you the awareness that you need to have about known vulnerabilities, if the framework has

13
00:01:14,660 --> 00:01:17,690
any, as well, because that's part of your research.

14
00:01:18,790 --> 00:01:24,970
So think that you detected a jQuery library or an old server version, which has some insecure functions

15
00:01:24,970 --> 00:01:26,000
or vulnerabilities.

16
00:01:26,470 --> 00:01:34,450
Yes, what a coincidence, because it just happens to be perfect in order to compromise the application

17
00:01:34,460 --> 00:01:35,200
we're about to do.

18
00:01:37,090 --> 00:01:39,190
So first, open up your terminal in Kali.

19
00:01:40,570 --> 00:01:49,450
And we are going to use WhatWeb to get some information, so see the options for the tool, and then,

20
00:01:49,450 --> 00:01:56,680
before using the tool, I want to just tell you a few more things. So it's not hard to detect the server

21
00:01:56,680 --> 00:01:58,270
and the framework information.

22
00:01:58,930 --> 00:02:03,580
You can get this information from the HTTP headers or cookies, error messages, whatever.

23
00:02:04,720 --> 00:02:08,920
So the first place to look is the HTTP response headers.

24
00:02:09,820 --> 00:02:11,650
So type whatweb.

25
00:02:11,650 --> 00:02:21,520
That's -a 3 http://192.168.204.130/bWAPP/

26
00:02:22,640 --> 00:02:26,720
So parameter -a determines the aggression level of the tool.

27
00:02:28,030 --> 00:02:35,230
And then the target, your URL, comes up, and WhatWeb will analyze some HTTP headers for you.

28
00:02:36,480 --> 00:02:38,130
It has a very colorful output.

29
00:02:39,260 --> 00:02:43,760
And the tool also follows the redirections, so that's a very good feature.

30
00:02:45,420 --> 00:02:50,400
And here you can see the Server header for the server software information.

31
00:02:51,820 --> 00:02:57,370
And the application framework and platform information from the X-Powered-By header.

32
00:02:59,870 --> 00:03:07,010
Now, there may be some other HTTP headers specific to some particular technology.

33
00:03:07,930 --> 00:03:09,970
So you always need to look out for the headers.

34
00:03:11,220 --> 00:03:13,560
OK, so now we're going to just minimize the terminal.

35
00:03:15,150 --> 00:03:23,280
Now, you can also view headers manually in Burp, so open up your browser and Burp.

36
00:03:24,560 --> 00:03:27,380
And enable FoxyProxy to send traffic to it.

37
00:03:29,270 --> 00:03:31,430
Now request the login page of bWAPP.

38
00:03:32,420 --> 00:03:34,010
I'm going to forward the request.

39
00:03:35,040 --> 00:03:40,200
And here are the headers: the Server and the X-Powered-By headers.

40
00:03:41,470 --> 00:03:42,810
So easy, it's very easy.

41
00:03:43,710 --> 00:03:47,430
However, these headers are configurable.

42
00:03:48,490 --> 00:03:54,920
That means the administrator can easily change these entries from the configuration of the server and

43
00:03:54,920 --> 00:03:59,640
application, or even some security products can do this.

44
00:04:00,290 --> 00:04:06,380
That's why you need to dig into the application and the environment to gain more clues about the server,

45
00:04:06,380 --> 00:04:08,370
framework and the platform.

46
00:04:09,020 --> 00:04:16,130
So let's say, for example, different Web server software can have different HTTP header orders.

47
00:04:17,120 --> 00:04:23,750
And then these servers can behave in a different way if you send some malformed requests.

48
00:04:23,930 --> 00:04:31,490
Also, you can look at HTTP headers, cookies, HTML sources, file types and extensions, and the

49
00:04:31,490 --> 00:04:36,220
error messages are a great way to detect things as well.
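An added example, not part of the course material, of what WhatWeb and Burp are reading in the lecture above: a small Python fingerprinter that parses a raw HTTP response, keeps the header order (which the lecture notes differs between server products), and reports what the Server, X-Powered-By and Set-Cookie headers give away, flagging the entries an administrator would normally suppress. The sample response and the cookie-name mapping are constructed for this example, not captured from a real host.

```python
import re

# Session-cookie names that give away a platform even when Server/X-Powered-By are suppressed.
COOKIE_HINTS = {"PHPSESSID": "PHP", "JSESSIONID": "Java servlet container",
                "ASP.NET_SessionId": "ASP.NET", "CFID": "ColdFusion"}

def parse_headers(raw):
    """Split a raw HTTP response into (status_line, [(name, value), ...]),
    keeping header order because different servers emit different orders."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers

def fingerprint(raw):
    """Return (hints, leaks): what the response reveals about the stack,
    and which headers an administrator would want to tidy up."""
    _, headers = parse_headers(raw)
    hints, leaks = {"header_order": [n for n, _ in headers]}, []
    for name, value in headers:
        lname = name.lower()
        if lname == "server":
            hints["server"] = value
            # "Apache/2.2.8" style version strings are the usual thing to strip.
            if re.search(r"/\d", value):
                leaks.append("Server header exposes a version: " + value)
        elif lname == "x-powered-by":
            hints["platform"] = value
            leaks.append("X-Powered-By header present: " + value)
        elif lname == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if cookie in COOKIE_HINTS:
                hints.setdefault("cookie_platform", COOKIE_HINTS[cookie])
                leaks.append("cookie %s implies %s" % (cookie, COOKIE_HINTS[cookie]))
    return hints, leaks

# Constructed sample response (not captured from a real host), shaped like the
# Server / X-Powered-By / PHPSESSID headers the lecture points at in bWAPP.
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
          "Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
          "X-Powered-By: PHP/5.2.4-2ubuntu5\r\n"
          "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
          "Content-Type: text/html\r\n\r\n<html>...</html>")

if __name__ == "__main__":
    hints, leaks = fingerprint(SAMPLE)
    print(hints, *leaks, sep="\n")
```

Run it against a response you have already captured in Burp (paste the raw response into SAMPLE) to see which of the three signals survive after a server has been hardened.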