I think that it's fundamental for security testers to gather information about how a web application works and eventually what language it's written in.
I know that URL extensions, HTTP headers, session cookies, HTML comments and style-sheets may reveal some information but it's still hard and not assured.
So I was wondering: is there a way to determine what technology and framework are behind a website ?
There's no way to be 100% sure if you don't have access to the server, so it's about guessing. Here are some clues:
login.php is most likely a PHP script.X-Powered-By: PHP/7.0.0 means that the page was rendered by PHP.Warning: Division by zero in /var/www/html/index.php on line 3 is PHP, for example.CREATOR: gd-jpeg v1.0 (using IJG JPEG v90), default quality, which may help to guess which language is used./ and /index.php are the same page./humans.txt), you can check their public repos or their skills on online profiles (GitHub, LinkedIn, Twitter, ...).You may also want to know if the website is built with a framework or a CMS, since this will give information about the language used:
/wp-content/ directory, it means that WordPress have been used.Note that all information coming from the server may be altered to trick you. You should always try to use multiple sources to validate your guess.
For guessing the programming language, you can follow the three steps approach detailed below:
Search on a site page at the bottom for phrases like:
-> "Powered by XXX"
-> "Proudly Powered by XXX"
-> "Running on XXX"
-> ...
Search on the site if it will attend any conference where they could talk about the website from a technical point of view
Read the HTML code downloaded by your browser
Fire up the Network Tab in developer toolbar and study the exchanges made between the browser and the server.
Search for some known hidden page:
wget -head http://the-site.com/private/admin
If you get 200, the site may be running on a plublicly (free, paid etc) available software.
You can look for some errors produced by the website.
Some keywords to type in a search engine:
You can even guess the technologies used in the backend:
Find what technology is popular in the website industry
Find what technology competitors are using
Find comparisons of the site with other competitors.
Those comparisons may talk about technologies in use
Those sites can provide great info to the the site you target. They may have already done some part of the job for you.
http://w3techs.com/sites
=> Enter the url of the site you're targetting and see what technologies (client or server side) have been detected.
Note that the site must be in the top 1M Alexa ranking.
http://stackshare.io/search/q=<keyword>
=> <keyword> can be anything company name, website name, etc
The evidences you have found in step 1 may be wrong because the site owner can alter them. Try to find contradictions between those evidences. Eliminate contradictional evidences.
Merge the evidences in step 2 between the various sources and yours. Again eliminate contradictional evidences.
Resume all your findings in a table like the one below.
+-------------+-----------+------------------+ ... +----------+-------+--------+
| EVIDENCES | ON SITE | Search Engine 1 SOURCE n SCORE PCT (%)
+-------------+------------------------------+ ... +----------+-------+--------+
| PHP 7 | X | X | X | 3 | 300/n
+-------------+------------------------------+ ... +----------+-------+--------+
| Wordpress | | X | X | 2 | 200/n
+-------------+------------------------------+ ... +----------+-------+--------+
...
+-------------+------------------------------+ ... +----------+-------+--------+
| EVIDENCE m | | | | | (100*SCORE)/n
+-------------+------------------------------+ ... +----------+-------+--------+
Finally, you will be able to say "I'm confident at XX% that this site runs on YY (EVIDENCE i)".
It's simple. Add Wapplyzer extension available for Chrome as well as Firefox.
It tells about programming language, server, analytics tool or about CMS & Frameworks on which website is built.
Give it a try, you will love it.
Besides the Wappalizer browser extension, there are several sites that detect what technologies power a given website:
The answer is that you can never "Be assured". Whilst 99.9% of the time the highly up voted answers will find the "tells" of the framework behind the site but it's never a certainty.
Basically your browser receives the end results of the codes processing. (html, CSS and JavaScript ) Between you and the code itself sits a webserver (nginx, Apache etc) and potentially a load balancer and a CDN. Because your not interacting directly there is no way for certainty.
If a website is serving content from wp-uploads/ It's a safe bet that it's running Wordpress but it's not a certainty. Perhaps the site was using Wordpress but when it was migrated to something else the wp-uploads/ path was kept to avoid breaking links and bookmarks.
Sometimes you can know, sometimes you cannot.
If the HTML is generated on the client-side, then you can easily tell which language by looking at the source in your web browser. These languages include: ruby on rails, javascript, java, etc. On the client-side the source is open to the user, and it must be honest about which technology it is.
If the HTML is generated on the server-side you may not know which programming language generated it. These languages include: PHP, C++, and many other languages. On the server-side, for as many ways as you can think of to guess which language it is, there are just as many ways to for the technology to hide itself.
Suppose you are a web administrator that wants to hide the server-side technology. Pick one of the techniques listed in another question for attempting to identify the language. For example, the *.php extension for a file. Now, configure your web server to execute C code from a file with a *.php extension. Your users will have no way to view the source (since both languages are equally capable of producing the same output, by Turing completeness), but they will be misled into thinking you are running PHP.
Why would someone want to obfuscate the server-side choice of technology? Because CGI languages have various vulnerabilities that are easier to target if the end-users know which of those languages you are using. Misleading the users about which server-side technologies you are using is a very reasonable security measure.
I think that it's fundamental for security testers to gather information about how a web application works and what language it's written in.I think that, if even a security tester can't figure out what language the site is built in, that makes it more secure because then no one will know which exploits to try. (Yes, there are occasionally valid use cases for security through obscurity.)