Source code disclosure

OWASP 2013-A5 OWASP 2017-A3 CAPEC-118 CWE-540 HIPAA-540 ISO27001-A.9.4.5 WASC-13

By knowing the version and type of a running web server, an attacker can quickly determine all known vulnerabilities and the appropriate exploits to use during an attack. Fetching information about the types and versions of the services running on the web server helps in finding all the known vulnerabilities and exploits for those services during the test. An attacker can also store information about how each type of web server responds to specific commands. To exploit the application, the attacker will:-

  • send necessary commands to the web server.
  • analyse the response.
  • compare the response to the database of known signatures.

The fingerprinting technique is based on finding specific patterns in the HTML page source code. Often an attacker can see a lot of information that helps them recognise a particular web application. One of the standard markers for fingerprinting is the HTML comment, which can directly lead to application disclosure. More often, the comments contain application-specific paths; that is, a comment might link to application-specific CSS and JS folders. Self-explanatory, application-specific script variables can also point to a particular application.

An attacker uses the following methods to fingerprint a web application:-

  • HTML data inspection: The attacker scans the HTML code for sensitive information about the server, inspecting meta tags, link tags and many other tags to obtain information about the server.
  • File and Folder Presence: Here the attacker sends hits (requests) to the application and analyses the responses.
  • Identification using checksum: This is the most accurate method to fingerprint a web application. The attacker creates a checksum of a known file locally and stores it in a database. The attacker then downloads a static file from the server, computes its checksum and compares it with the checksum stored in the database.

Example

From the meta tag below, an attacker can easily understand that the application used by the website is WordPress and its version is 3.9.2. Also, the comments and specific paths along with script variables can all help an attacker to determine an instance of an application.

        <meta name="generator" content="WordPress 3.9.2" />


Usually this information is placed between the <head></head> tags, in <meta> tags or at the end of the page. However, it is recommended to check the whole document, which can also be useful for other purposes such as inspecting other comments and hidden fields.
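The following added example (not part of the original page) shows how a defender can check their own rendered pages for the markers described above before release: generator META tags, HTML comments and version strings carried in script or stylesheet URLs. The sample page is constructed for this example; the WordPress 3.9.2 generator tag is the one quoted in the text.

```python
from html.parser import HTMLParser
import re

# Constructed sample page (not from any real site) carrying the markers the text describes.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.9.2" />
<link rel="stylesheet" href="/wp-content/themes/twentyfourteen/style.css?ver=3.9.2" />
<!-- TODO: remove debug include before release -->
<script src="/wp-includes/js/jquery/jquery.js?ver=1.11.0"></script>
</head><body><p>Hello</p></body></html>"""

# Version parameters commonly appended to static asset URLs, e.g. "?ver=3.9.2".
VERSION_RE = re.compile(r"[?&]ver=([0-9][0-9A-Za-z.\-]*)")


class DisclosureScanner(HTMLParser):
    """Collects the three marker types the page lists: generator META tags,
    HTML comments, and version strings in script/link URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, value) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.findings.append(("generator", a.get("content") or ""))
        src = a.get("src") or a.get("href")
        if tag in ("script", "link") and src and VERSION_RE.search(src):
            self.findings.append(("version-in-url", src))

    def handle_comment(self, data):
        self.findings.append(("comment", data.strip()))


def scan_html(html):
    """Return every disclosure marker found in the given HTML document."""
    parser = DisclosureScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def strip_generator_meta(html):
    """One of the mitigations from the page: drop generator META tags from the output."""
    return re.sub(r'<meta\s[^>]*name="generator"[^>]*>\s*', "", html, flags=re.I)


if __name__ == "__main__":
    for kind, value in scan_html(SAMPLE_HTML):
        print(f"{kind}: {value}")
```

Run it against the HTML your server actually sends (after templating and caching layers), since that is what an attacker sees, not the template source.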

Impact

Using this vulnerability, an attacker gets access to the application’s source code. The attacker can also:-

  • leak sensitive information from the server.
  • pinpoint areas in the web server to attack, e.g. if the server runs a vulnerable PHP version, the attacker can attack according to that version’s known vulnerabilities.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Disable all the HTTP-headers that disclose information.
  • Remove any unnecessary comments.
  • Remove all the META and generator tags.
  • Protect the application’s presentation layer using a strong and hardened reverse proxy.
