3.4. Site Information

  • Determine the website operating system
    • Linux: case sensitive

    • Windows: case insensitive

  • Scan sensitive files
    • robots.txt

    • crossdomain.xml

    • sitemap.xml

    • xx.tar.gz

    • xx.bak

    • other

  • Determine the language of the website
    • Such as PHP / Java / Python etc.

    • Look at the URL suffix, such as .php / .asp / .jsp

  • Front-end framework
    • Such as jQuery / Bootstrap / Vue / React / Angular etc.

    • View source code

  • Intermediate server
    • Such as Apache / Nginx / IIS etc.

    • View the information in the header

    • Judging from the error message

    • Judging from the default page

  • Web container server
    • Such as Tomcat / JBoss / WebLogic etc.

  • Backend framework
    • Judging by cookies

    • Judging by the hash value of resources such as CSS/images

    • Judging by URL routing
      • Such as wp-admin for WordPress

    • Judging by keywords in web pages

    • According to X-Powered-By in the response header

  • CDN information
    • Common ones are Cloudflare, yunjiasu

  • Detect whether there is a WAF, and if so, what type
    • If there is a WAF, find a way to bypass it

    • If not, go to the next step

  • Scan sensitive directories for information leaks
    • Before scanning, manually request a few URLs to see how the server responds

  • Use a crawler to collect website information

  • Once some directory names, file names and file extensions have been collected, work out how the site's developers name things, determine their naming rules, and infer further directory and file names from them

  • Common entry targets
    • Systems that receive little attention

    • Systems with long business lines
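The checklist above reads a site's stack off its own responses: operating-system case sensitivity, stray backup archives, robots.txt, the Server and X-Powered-By headers, session cookie names, and the banners in default error pages. The following self-audit script is an added example, not code from the original notes or from any tool they mention: it takes already-captured responses and reports what they disclose, so the site owner can see exactly which items on this list their server is handing out. The `Response` class, the signature tables and the sample responses (a leaky PHP/Apache site and the same site after hardening) are all constructed for the example; nothing here talks to a network.

```python
from dataclasses import dataclass
import re


@dataclass
class Response:
    """One captured HTTP response; headers is a list of (name, value) pairs
    because Set-Cookie may repeat."""
    path: str
    status: int
    headers: list
    body: str = ""


# Session cookie names that give away the backend language or framework.
COOKIE_SIGNATURES = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container (Tomcat/JBoss/WebLogic)",
    "ASP.NET_SessionId": "ASP.NET",
    "csrftoken": "Django",
    "laravel_session": "Laravel",
}

# Headers that commonly carry product and version strings.
DISCLOSURE_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")

# Banners left in default or error pages by the middleware or container.
BANNER_PATTERNS = (
    (r"<address>Apache/[\d.]+", "Apache ServerSignature footer"),
    (r"<center>nginx/[\d.]+</center>", "nginx version banner"),
    (r"Apache Tomcat/[\d.]+", "Tomcat default error page"),
)

# File suffixes from the checklist that should not be reachable over HTTP.
SENSITIVE_SUFFIXES = (".bak", ".tar.gz", ".zip", ".sql", ".swp", "~")


def header_values(resp, name):
    """All values of one header, matched case-insensitively."""
    return [v for k, v in resp.headers if k.lower() == name.lower()]


def fingerprint(resp):
    """Return human-readable disclosure findings for one response."""
    findings = []
    for h in DISCLOSURE_HEADERS:
        for v in header_values(resp, h):
            # "Server: Apache" alone says little; a version string says a lot.
            if h != "Server" or re.search(r"\d", v):
                findings.append(f"{h} header discloses '{v}'")
    for sc in header_values(resp, "Set-Cookie"):
        name = sc.split("=", 1)[0].strip()
        if name in COOKIE_SIGNATURES:
            findings.append(f"cookie {name} identifies {COOKIE_SIGNATURES[name]}")
    for pattern, label in BANNER_PATTERNS:
        m = re.search(pattern, resp.body)
        if m:
            findings.append(f"{label}: '{m.group(0)}'")
    if resp.status == 200 and resp.path.endswith(SENSITIVE_SUFFIXES):
        findings.append(f"{resp.path} is served: backup/archive exposed")
    if resp.status == 200 and resp.path == "/robots.txt":
        for line in resp.body.splitlines():
            if line.lower().startswith("disallow:"):
                findings.append(f"robots.txt points at {line.split(':', 1)[1].strip()}")
    return findings


def case_sensitive(original, recased):
    """Infer the host file system from one path requested in two letter cases:
    Windows serves both, Linux normally serves only the exact name.
    Returns True (case sensitive), False, or None when inconclusive."""
    if original.status == 200 and recased.status == 200:
        return False
    if original.status == 200 and recased.status == 404:
        return True
    return None


def audit(responses):
    """Map each path to its findings, omitting paths with nothing to report."""
    return {r.path: f for r in responses if (f := fingerprint(r))}


# Constructed sample: a leaky PHP site before hardening (not real traffic).
LEAKY = [
    Response("/index.php", 200,
             [("Server", "Apache/2.4.41 (Ubuntu)"), ("X-Powered-By", "PHP/7.4.3"),
              ("Set-Cookie", "PHPSESSID=c0ffee; path=/; HttpOnly")],
             "<html><body>home</body></html>"),
    Response("/INDEX.PHP", 404, [("Server", "Apache/2.4.41 (Ubuntu)")],
             "<h1>Not Found</h1><address>Apache/2.4.41 (Ubuntu) Server at example.test Port 80</address>"),
    Response("/site.tar.gz", 200, [("Content-Type", "application/gzip")]),
    Response("/robots.txt", 200, [], "User-agent: *\nDisallow: /admin/\nDisallow: /old/\n"),
]

# Same site after ServerTokens Prod, ServerSignature Off, expose_php=Off,
# a renamed session cookie, and the archive removed from the web root.
HARDENED = [
    Response("/index.php", 200,
             [("Server", "Apache"), ("Set-Cookie", "sid=c0ffee; path=/; HttpOnly")],
             "<html><body>home</body></html>"),
    Response("/INDEX.PHP", 404, [("Server", "Apache")], "<h1>Not Found</h1>"),
    Response("/site.tar.gz", 404, [("Server", "Apache")], "<h1>Not Found</h1>"),
]

if __name__ == "__main__":
    for path, items in audit(LEAKY).items():
        print(path, *items, sep="\n  - ")
    print("case sensitive:", case_sensitive(LEAKY[0], LEAKY[1]))
    print("after hardening:", audit(HARDENED))
```

On the leaky sample the audit lists the Apache and PHP versions, the PHPSESSID cookie, the ServerSignature footer on the 404 page, the served archive and both robots.txt paths, and the case test reports a case-sensitive (Linux) host; on the hardened sample it reports nothing, although the case-sensitivity inference still works because the 404 itself is the signal. Feeding the script real captures is a quick way to check a hardening change actually removed what the checklist looks for.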