Skill Name: HTTP Vulnerability Scanning - 2
Categorize Tag: HTTP
Skill Content: No matter what methods of VAPT are used, most of the response code(value) in HTTP services(applications) should generate large amounts of HTTP 404 unless some Web's Vulnerability is found.
Skill Description: The response code(value) 404 in HTTP protocol means the HTTP request is negative with HTTP resource name. A HTTP resource may represent an HTML page, a PHP/ASPX/JSP of Web applications, a folder or a multimedia(picture) file. This HTTP 404 code can be triggered by a missing file or alpha word capital case difference. However, in well designed Web pages, it is an abnormal appearance for HTTP reactions. In most cases, lots of HTTP 404 are obviously caused by Vulnerability Scanning behaviors to the Web hosts. Only a few situations of HTTP 404 are generated by non-security issues. The exception situations of non-security reason from HTTP 404 are the following items:
- (A) The HTTP 404 caused by missing robots.txt file in a Web host.
- (B) The HTTP 404 caused by missing favicon.ico file in a Web host.
- (C) The HTTP 404 caused by missing old page files in a Web host from a visitor's favourite tag.
We can also observe these HTTP phenomena in a network surrounding from a network packets tool such as the Wireshark. We can not monitor any HTTPS result code(value) unless we can decrypt the TLS payload with some tricks from network devices.
In the HTTPS session, we only can trace back the log files of HTTP services since the HTTPS protocol encrypted their content of network packets. Nomatter what kind of tools, the SOC or IPS/UTM systems can detect these scanning behaviors with signatures(rules).
Beside HTTP 404, for a VAPT processing, the HTTP result code(calue) may also be HTTP 401 or HTTP 403 which means visitors can not access the Web resource. But the HTTP 401 should be treated as 'Vulnerability be found' because the restriction requirements may allow some exceptions, especially some particular hosts from managers. In a PT processing or APT attacking, the next offensive targets will be changed into these managers accounts or computers by social engineering.
NSPA suggested display filter of Wireshark:
http.response.code in {401 404}
Online Course: https://youtu.be/Vy3p3V0Q2A4
Analytical Example: https://www.hugediamond.net/shop
------------------------------------------------------------------------
Extent Information:
Español: Independientemente de los métodos de VAPT que se utilicen, la mayor parte del código de respuesta (valor) en los servicios HTTP (aplicaciones) debería generar grandes cantidades de HTTP 404 a menos que se encuentre alguna vulnerabilidad de la Web.
Franch: Quelles que soient les méthodes de VAPT utilisées, la plupart du code de réponse (valeur) dans les services HTTP (applications) devrait générer de grandes quantités de HTTP 404, à moins qu'une vulnérabilité Web ne soit détectée.
German: Unabhängig davon, welche VAPT-Methoden verwendet werden, sollten die meisten Antwortcodes (Werte) in HTTP-Diensten (Anwendungen) große Mengen von HTTP 404 generieren, es sei denn, es wird eine Schwachstelle im Web gefunden.
Chinese: 無論使用何種 VAPT 方法,除非發現某些 Web 漏洞,否則 HTTP 服務(應用程式)的大部分回應代碼(值)都會產生大量的 HTTP 404。
Japanese: VAPTのどの方法が使用されていても、HTTPサービス(アプリケーション)のほとんどの応答コード(値)は、Webの脆弱性が見つからない限り、大量のHTTP404を生成するはずです。
Vietnamese: Bất kể phương thức VAPT nào được sử dụng, hầu hết mã phản hồi (giá trị) trong các dịch vụ HTTP (ứng dụng) sẽ tạo ra một lượng lớn HTTP 404 trừ khi tìm thấy Lỗ hổng bảo mật của một số trang Web.
Thai(Siamese): ไม่ว่าจะใช้วิธีใดของ VAPT รหัสตอบกลับ (ค่า) ส่วนใหญ่ในบริการ HTTP (แอปพลิเคชัน) ควรสร้าง HTTP 404 จำนวนมาก เว้นแต่จะพบช่องโหว่ของเว็บบางรายการ
Indonesian: Apa pun metode VAPT yang digunakan, sebagian besar kode respons (nilai) dalam layanan (aplikasi) HTTP harus menghasilkan HTTP 404 dalam jumlah besar kecuali jika beberapa Kerentanan Web ditemukan.
Malay: Tidak kira kaedah VAPT apa yang digunakan, kebanyakan kod respons (nilai) dalam perkhidmatan HTTP (aplikasi) harus menghasilkan sejumlah besar HTTP 404 kecuali terdapat Kerentanan Web.
Myanmar: VAPT ၏မည်သည့်နည်းလမ်းများကိုသုံးသည်ဖြစ်စေ၊ အချို့သော Web's Vulnerability ကိုမတွေ့ပါက HTTP 404 ၏တုံ့ပြန်မှုကုဒ် (ပမာဏ) အများစုကိုထုတ်လုပ်သင့်သည်။
