1
00:00:01,050 --> 00:00:08,310
Review technology and architecture information. As we talked about previously, the technology stack

2
00:00:08,460 --> 00:00:11,780
behind an application can vary widely.

3
00:00:12,600 --> 00:00:18,770
So that means that in the real world, it's very common to see complex applications everywhere you turn,

4
00:00:20,400 --> 00:00:24,860
different technologies, different vendors, different versions and so on and so forth.

5
00:00:25,250 --> 00:00:33,030
So naturally, these technologies can have vulnerabilities or configuration, well, shall we say, shortcomings.

6
00:00:34,080 --> 00:00:43,670
So in order to discover these vulnerabilities, extracting the technology information is a number one priority.

7
00:00:44,040 --> 00:00:47,430
It's absolutely critical for your career as a pen tester.

8
00:00:49,560 --> 00:00:55,860
So that's why we need to detect the type and the version of the server software and the application framework

9
00:00:55,860 --> 00:00:57,660
or application platform.

10
00:00:58,530 --> 00:01:05,280
This information will help you to shape the payloads that you're going to use and deploy, and it will

11
00:01:05,280 --> 00:01:14,670
also bring you the awareness that you need to have about known vulnerabilities if the framework has

12
00:01:14,670 --> 00:01:17,700
any as well, because that's part of your research.

13
00:01:18,810 --> 00:01:24,990
So suppose that you detected a jQuery library or an old server version, which has some insecure functions

14
00:01:24,990 --> 00:01:26,040
or vulnerabilities.

15
00:01:26,510 --> 00:01:34,490
Yes, what a coincidence, because it just happens to be perfect in order to compromise the application

16
00:01:34,500 --> 00:01:35,220
we're about to do.

17
00:01:37,110 --> 00:01:39,210
So first, open up your terminal in Kali.

18
00:01:40,590 --> 00:01:49,470
And we are going to use WhatWeb to get some information, so see the options for the tool, and then

19
00:01:49,470 --> 00:01:56,700
before using the tool, I want to just tell you a few more things. So it's not hard to detect the server

20
00:01:56,700 --> 00:01:58,290
and the framework information.

21
00:01:58,950 --> 00:02:03,600
You can get this information from the HTTP headers or cookies, error messages, whatever.

22
00:02:04,740 --> 00:02:08,940
So the first place to look is the HTTP response headers.

23
00:02:09,840 --> 00:02:11,670
So type whatweb.

24
00:02:11,670 --> 00:02:21,540
That's -a 3 http://192.168.204.130/bWAPP/.

25
00:02:22,660 --> 00:02:26,730
So parameter -a determines the aggression level of the tool.

26
00:02:28,030 --> 00:02:35,260
And then the target URL comes up, and WhatWeb will analyze some HTTP headers for you.

27
00:02:36,500 --> 00:02:38,150
It has a very colorful output.

28
00:02:39,290 --> 00:02:43,760
And the tool also follows the redirections, so that's a very good feature.

29
00:02:45,440 --> 00:02:50,420
And here you can see the Server header for the server software information.

30
00:02:51,840 --> 00:02:57,390
And the application framework and platform information from the X-Powered-By header.

31
00:02:59,890 --> 00:03:07,030
Now, there may be some other HTTP headers specific to some particular technology.

32
00:03:07,950 --> 00:03:09,990
So you always need to look out for the headers.

33
00:03:11,240 --> 00:03:13,580
OK, so now we're going to just minimize the terminal.

34
00:03:15,170 --> 00:03:23,300
Now, you can also view headers manually in Burp, so open up your browser and Burp.

35
00:03:24,580 --> 00:03:27,650
And enable FoxyProxy to send traffic to Burp.

36
00:03:29,300 --> 00:03:31,460
Now, request the login page of bWAPP.

37
00:03:32,450 --> 00:03:34,040
I'm going to forward the request.

38
00:03:35,030 --> 00:03:40,220
And here are the headers: the Server and X-Powered-By headers.

39
00:03:41,490 --> 00:03:47,430
So this is very easy. However, these headers are configurable.

40
00:03:48,540 --> 00:03:54,950
That means the administrator can easily change these entries from the configuration of the server and

41
00:03:54,950 --> 00:03:59,670
application, or even some security products can do this.

42
00:04:00,320 --> 00:04:06,410
That's why you need to dig into the application and the environment to gain more clues about the server,

43
00:04:06,410 --> 00:04:08,390
framework and the platform.

44
00:04:09,050 --> 00:04:16,160
So let's say, for example, different web server software can have different HTTP header orders.

45
00:04:17,150 --> 00:04:23,760
And then these servers can behave in a different way if you send some malformed requests.

46
00:04:23,930 --> 00:04:31,880
Also, you can look at HTTP headers, cookies, HTML sources, file types and extensions, and the error

47
00:04:31,880 --> 00:04:36,220
messages are a great way to detect things as well.

