-
Wappalyzer
you can use the Wappalyzer extension for Firefox or Chrome to fingerprint web apps; it identifies technologies from response headers, cookies, script names and HTML patterns of the page you are visiting
-
BuiltWith
you can use the BuiltWith extension for Firefox or Chrome to fingerprint web apps
-
httpx
you can use httpx with the -web-server and -tech-detect options (tech detection is based on the Wappalyzer fingerprint database). Note that the Python package of the same name also installs an httpx binary, so make sure the projectdiscovery one comes first in your PATH
# a single domain
echo example.com | httpx -web-server -tech-detect
# a list of subdomains
cat subdomains_list.txt | httpx -web-server -tech-detect
httpx -l subdomains_list.txt -web-server -tech-detect
-
Aquatone
Aquatone is a tool for visual inspection of websites across a large number of hosts and is convenient for quickly gaining an overview of the HTTP-based attack surface. It needs a Chrome or Chromium binary on the machine to take the screenshots
cat hosts.txt | aquatone
-
nuclei
the nuclei-templates project has a good set of templates to fingerprint web apps; select them with the tech tag
nuclei -t ~/nuclei-templates -tags tech -u https://example.com -c 200
-
whatweb
whatweb has over 1800 plugins to identify technologies; you can use it to fingerprint web apps. The default aggression level (-a 1) sends a single request per host; -a 3 sends additional requests for more accurate version detection
# a single host
whatweb example.com
# a list of hosts
whatweb --input-file=hosts.txt
-
Error messages
you can identify technologies via error messages: if a web app does not handle errors and you send it malformed data, the data causes an error, and the error page (a stack trace, a debug page, a framework-specific JSON error object) may reveal the back-end technology. The request below sends a truncated JSON body; note that Content-Length must match the body actually sent, otherwise the server waits for more bytes instead of parsing it
POST / HTTP/1.1
Host: example.com
User-Agent: curl/7.74.0
Accept: */*
Content-Type: application/json
Content-Length: 9

{"test":d
you can enumerate the web app's endpoints and fuzz them with different HTTP methods, HTTP headers and bodies. ffuf replaces each keyword (METHOD, ENDPOINT, NAME, VALUE) wherever it appears in the raw request file and runs the product of all wordlists (clusterbomb mode, the default); use -request-proto http if the target is not served over HTTPS, and -mc/-fc to keep only the responses you care about (for example -mc 400,500-599 to see only error responses)
- fuzzing http methods
METHOD /ENDPOINT HTTP/1.1
Host: example.com
User-Agent: curl/7.74.0
Accept: */*

ffuf -w http_methods.txt:METHOD -w endpoints.txt:ENDPOINT -request http_request.txt
- fuzzing http headers
GET /ENDPOINT HTTP/1.1
Host: example.com
User-Agent: curl/7.74.0
Accept: */*

ffuf -w http_headers_names.txt:NAME -w http_headers_values.txt:VALUE -w endpoints.txt:ENDPOINT -request http_request.txt -H "NAME: VALUE"
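The two steps above (generate malformed probes, then read the technology out of the error responses) as one worked example. This is added code, not from the original page or from any of the tools it lists: the probe set, the signature table and the sample responses are constructed for illustration, modelled on the default error output of the named frameworks, and the function and variable names are assumptions of this example. build_probes produces the same method x endpoint x body product that the ffuf commands iterate over, to_raw_request renders a probe in the raw-request format ffuf's -request option reads, and fingerprint matches a captured response against body and header signatures.

```python
"""Generate malformed probes and fingerprint the back end from error responses.

Added example (not code from the original page): the probe set, signature table
and sample responses below are constructed for illustration.
"""
import itertools
import re

# Malformed bodies keyed by the Content-Type they claim to be (constructed).
MALFORMED_BODIES = {
    "application/json": '{"test":d',                   # truncated JSON, same probe as above
    "application/xml": "<test><unclosed>",              # unterminated XML
    "application/x-www-form-urlencoded": "a=%zz&=b",   # bad percent-escape and empty key
}
HTTP_METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE", "FUZZ")
BODY_METHODS = {"POST", "PUT", "PATCH"}


def build_probes(endpoints, methods=HTTP_METHODS, bodies=MALFORMED_BODIES):
    """Return every (method, endpoint, content_type, body) combination.

    Same clusterbomb product that `ffuf -w a:X -w b:Y` iterates over; a body is only
    attached to methods that normally carry one, the rest get (None, None).
    """
    probes = []
    for method, endpoint in itertools.product(methods, endpoints):
        if method in BODY_METHODS:
            probes.extend((method, endpoint, ctype, body) for ctype, body in bodies.items())
        else:
            probes.append((method, endpoint, None, None))
    return probes


def to_raw_request(method, endpoint, host, ctype=None, body=None):
    """Render one probe as a raw HTTP/1.1 request, the format ffuf's -request file uses."""
    lines = [f"{method} {endpoint} HTTP/1.1", f"Host: {host}",
             "User-Agent: curl/7.74.0", "Accept: */*"]
    if body is not None:
        # Content-Length must match the bytes actually sent or the server just waits
        lines += [f"Content-Type: {ctype}", f"Content-Length: {len(body.encode())}"]
    return "\r\n".join(lines) + "\r\n\r\n" + (body or "")


# (technology, regex over the response body); patterns follow typical default error pages.
BODY_SIGNATURES = [
    ("Node.js (V8 JSON.parse)", r"SyntaxError: Unexpected token .*(in JSON at position \d+|is not valid JSON)"),
    ("Express/body-parser", r"body-parser/lib/types/json\.js"),
    ("Express (Node.js)", r"<pre>Cannot (GET|POST|PUT|PATCH|DELETE) /"),
    ("Django (debug mode)", r"DEBUG = True|Django Version:"),
    ("Werkzeug/Flask", r"Werkzeug Debugger"),
    ("Spring Boot", r'"message"\s*:\s*"JSON parse error'),
    ("PHP", r"<b>(Warning|Notice|Fatal error|Parse error)</b>:.* on line <b>\d+</b>"),
    ("ASP.NET", r"Server Error in '[^']*' Application"),
    ("Apache Tomcat", r"Apache Tomcat/\d"),
    ("Ruby on Rails", r"ActionController::|ActiveRecord::"),
]
# (technology, lower-cased header name, regex over its value).
HEADER_SIGNATURES = [
    ("Express (Node.js)", "x-powered-by", r"^Express"),
    ("PHP", "x-powered-by", r"^PHP/"),
    ("ASP.NET", "x-powered-by", r"ASP\.NET"),
    ("ASP.NET", "x-aspnet-version", r"."),
    ("Werkzeug/Flask", "server", r"Werkzeug"),
    ("Gunicorn", "server", r"gunicorn"),
    ("Apache httpd", "server", r"^Apache"),
    ("nginx", "server", r"^nginx"),
    ("Microsoft IIS", "server", r"^Microsoft-IIS"),
]


def fingerprint(status, headers, body):
    """Match one response against both signature tables.

    Returns {"technologies": sorted list, "evidence": list of matched strings}.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    techs, evidence = set(), []
    for tech, pattern in BODY_SIGNATURES:
        m = re.search(pattern, body)
        if m:
            techs.add(tech)
            evidence.append(f"body: {m.group(0)[:80]}")
    for tech, name, pattern in HEADER_SIGNATURES:
        value = hdrs.get(name)
        if value is not None and re.search(pattern, value, re.IGNORECASE):
            techs.add(tech)
            evidence.append(f"header: {name}: {value}")
    if status >= 500:
        # A 5xx to a malformed body means the parse error was never handled at all
        evidence.append(f"status: {status} (unhandled error)")
    return {"technologies": sorted(techs), "evidence": evidence}


# Constructed responses to the '{"test":d' probe, shaped like each framework's default error output.
SAMPLE_RESPONSES = {
    "express": (400, {"X-Powered-By": "Express", "Content-Type": "text/html; charset=utf-8"},
                "<pre>SyntaxError: Unexpected token d in JSON at position 8<br> &nbsp; &nbsp;at JSON.parse "
                "(&lt;anonymous&gt;)<br> &nbsp; &nbsp;at parse (/app/node_modules/body-parser/lib/types/json.js:89:19)</pre>"),
    "django": (400, {"Content-Type": "text/html"},
               "<p>You're seeing this error because you have <code>DEBUG = True</code> in your Django settings file.</p>"),
    "spring": (400, {"Content-Type": "application/json"},
               '{"timestamp":"2021-01-01T00:00:00.000+00:00","status":400,"error":"Bad Request",'
               '"message":"JSON parse error: Unrecognized token \'d\'","path":"/"}'),
    "php": (200, {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"},
            "<br />\n<b>Warning</b>:  Undefined variable $x in <b>/var/www/html/index.php</b> on line <b>12</b><br />"),
}


if __name__ == "__main__":
    for method, endpoint, ctype, body in build_probes(["/", "/api/users"])[:3]:
        print(to_raw_request(method, endpoint, "example.com", ctype, body))
    for name, (status, headers, body) in SAMPLE_RESPONSES.items():
        print(name, fingerprint(status, headers, body))
```

The signature table is deliberately small and only matches strings that appear in default error pages; a hardened target that returns a generic error page will match nothing, which is itself a useful observation. Extend BODY_SIGNATURES and HEADER_SIGNATURES with the error strings you collect during an engagement, and feed fingerprint the responses saved by ffuf (-od) or httpx (-sr) rather than sending the probes from Python.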