urbanadventurer / WhatWeb

Next generation web scanner
https://www.morningstarsecurity.com/research/whatweb
GNU General Public License v2.0

WhatWeb Not Enumerating PHP Correctly #362

Closed Greenwolf closed 3 years ago

Greenwolf commented 3 years ago

I want to extract php sites from the whatweb results using grep, which I've done before. However, WhatWeb seems to be missing key indicators of the server language in the response.

When I tested it against 2 random sites from Google found using a 'filetype:php' search, WhatWeb isn't marking them as php, even though in the proxy response, there is clear use of .php throughout.

These are the commands used, slightly sanitised:

# useragent="Mozilla/5.0 (X11; Linux i686; rv:10.0) Gecko/20100101 Firefox/10.0"
# echo "https://www.test1.fr/" | whatweb -i /dev/stdin --proxy 127.0.0.1 --user-agent "$useragent" | tee test.txt
https://www.test1.fr/ [200 OK] Country[UNITED STATES][US], HTML5, IP[censored], Open-Graph-Protocol[website], Script, Title[test1], UncommonHeaders[link,x-mod-pagespeed,x-amz-cf-pop,x-amz-cf-id], Via-Proxy[1.1 b9ead8d9e99fb1a70cc9b3ee9d847ec6.cloudfront.net (CloudFront)], X-Frame-Options[sameorigin], X-Powered-By[Express]
# echo "https://www.test2.com/" | whatweb -i /dev/stdin --proxy 127.0.0.1 --user-agent "$useragent" | tee test.txt 
https://www.test2.com/ [200 OK] CloudFlare, Cookies[__cf_bm,__cfduid], Country[UNITED STATES][US], Frame, HTML5, HTTPServer[cloudflare], HttpOnly[__cf_bm,__cfduid], IP[censored], Script[6efe741a6daaa4cab79fa4cd-text/javascript,text/javascript], Title[test2], UncommonHeaders[x-content-type-options,x-nginx-cache-status,x-server-powered-by,cf-cache-status,cf-request-id,expect-ct,cf-ray], X-XSS-Protection[1; mode=block]

These are some extracts from the responses, each site contained around 15-20 references to php.

<a class="cbm-btn--3" rel="nofollow" href="https://www.test1.fr/panier.php">
<a href="https://www.test1.fr/compte_menu.php?mod=1&pro=&service=" rel="nofollow" data-xtclick='{"label":"PART::Mes_annonces", "typeClick":"navigation"}'>
|| <a href="https://www.test2.com/2021/up-abhyuday-yojna.php" target=_blank><b>
| | <a href="https://www.test2.com/2020/iit-gate-2021.php" target=_blank><b>

urbanadventurer commented 3 years ago

I have updated the php plugin so that it detects php through the file extension; however, I don't currently plan to detect file extensions on links.
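
Added example (not part of the thread and not WhatWeb's own code): one way to do the link-extension check that the plugin leaves out, as a post-processing step over a saved response body. The function names, the `min_links` threshold and the sample HTML are assumptions constructed for illustration.

```ruby
require 'uri'

# Constructed sample body, modelled on the extracts quoted in the issue.
SAMPLE_BODY = <<~HTML
  <a class="cbm-btn--3" rel="nofollow" href="https://www.test1.fr/panier.php">
  <a href="https://www.test1.fr/compte_menu.php?mod=1&pro=&service=" rel="nofollow">
  <a href="/aide/contact.php#form">Contact</a>
  <a href="https://cdn.example.net/widget.php">third-party widget</a>
  <a href="https://www.test1.fr/docs/php-guide.html">not a PHP endpoint</a>
  <a href="mailto:info@test1.fr">mail</a>
HTML

# Return the sorted, unique paths of same-host links whose path ends in .php.
# Query strings and fragments are ignored, and links to other hosts are
# skipped because they say nothing about the scanned server's own stack.
def php_links(base_url, body)
  base_host = URI.parse(base_url).host.downcase
  body.scan(/href\s*=\s*["']([^"']+)["']/i).flatten.filter_map do |href|
    begin
      uri = URI.join(base_url, href.strip) # resolves relative links
    rescue URI::Error
      next # malformed href in the page: skip it rather than abort the scan
    end
    next unless uri.is_a?(URI::HTTP) && uri.host&.downcase == base_host
    uri.path if uri.path.match?(/\.php\z/i)
  end.uniq.sort
end

# Hypothetical threshold: a single stray link is weak evidence, so require
# several distinct .php paths before tagging the site.
def php_by_links?(base_url, body, min_links: 2)
  php_links(base_url, body).size >= min_links
end

if __FILE__ == $PROGRAM_NAME
  puts php_links('https://www.test1.fr/', SAMPLE_BODY)
end
```

Matching on the parsed path rather than grepping the body for `.php` avoids counting third-party links and strings such as `php-guide.html`.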