WingNews logo WingNews GitHub [2]
top | item 7546750

Test if a URL uses Node.js

37 points| wlaurance | 12 years ago |dotheyusenode.herokuapp.com | reply

32 comments

order
[+] sisk|12 years ago|reply
In addition to the coffeescript / browserify detection, here are the headers it checks[0]:

  var frameworks = [
    {name: 'express.js', s: "express", h: 'x-powered-by'},
    {name: 'koa.js', s: 'koa', h: 'x-powered-by'},
    {name: 'sails.js', s: "sails", h: 'x-powered-by'},
    {name: 'ecstatic', s: 'ecstatic', h: 'server'},
    {name: 'flatiron', s: 'flatiron', h: 'x-powered-by'}
  ]
All in all, this should prove relatively inaccurate. A vanilla http server from node sets neither server nor x-powered-by headers. Many frameworks don't set them, either (Walmart's hapi, PayPal's krakenjs, etc).

Fun toy project but if you're really interesting in fingerprinting, check out the OWASP entry on the subject[1].

[0]: https://github.com/dotheyusenode/dotheyusenode/blob/ea235619...

[1]: https://www.owasp.org/index.php/Testing_for_Web_Application_...

[+] wlaurance|12 years ago|reply
Yes, it is just a toy project. It is a lot more work to fingerprint successfully. OWASP looks very interesting. Thanks for the link and subsequently the white paper links!
[+] laumars|12 years ago|reply
Pretty pointless since all this does is check the x-powered-by HTTP response header (which can be turned off[1]). If this captured other web frameworks as well (eg PHP also outputs to x-powered-by in it's default config) then this might be a little less pointless - but even then, most production sites should have those information leaks sealed anyway (you don't actually improve security, but at least it slows the attacker down a little as you're not spoon-feeding them information about your server build)

[1] http://stackoverflow.com/questions/5867199/cant-get-rid-of-h...

[+] avree|12 years ago|reply
Does node even have an x-powered-by response header by default?

I thought you need a framework (like Express.js) and then to not have turned off the header.

[+] panarky|12 years ago|reply
nodejs.org

"Maybe, but we cannot tell"

[+] wlaurance|12 years ago|reply
Haha yeah, for anything static not served up by a framework that leaks headers it doesn't really do very well :)
[+] pornel|12 years ago|reply
I hoped for something smarter, like testing quirks/bugs in the node's HTTP server.
[+] wlaurance|12 years ago|reply
Put in a PR! Currently, it is easy to do things with the Request object. Any ideas on what quirks/bugs to look into?
[+] randunel|12 years ago|reply
"Maybe, but we cannot tell". Great script, I could build in in node.js in 10 seconds :D
[+] hayksaakian|12 years ago|reply
If you can't tell if airbnb uses node, I'm note sure it works at all.
[+] camus2|12 years ago|reply
I guess it's just checking for some header,like express has a special header... by the way, framework authors, please refrain from doing stuffs like that. The framework i use is nobody's business but mine.
[+] wlaurance|12 years ago|reply
I'm not sure what they are using to serve up their site, other than nginx. But they do have this header, "X-Hi-Human: The AIRBNB SRE team added this header. Come work with us! Email [email protected]"
[+] meritt|12 years ago|reply
AirBNB is Ruby/RoR and Java.
[+] ebbv|12 years ago|reply
"Maybe but we cannot tell."

I win!

[+] vivekn|12 years ago|reply
What if you don't set the "Server" header?
[+] ninjakeyboard|12 years ago|reply
If your server is detected, that's a security vulnerability. You should never be able to identify the underlying technology of your stack or you open yourself to attack on any known vulnerabilities where as if your stack is unknown, then the vectors for attack are much less obvious.
[+] dmytrish|12 years ago|reply
Security through obscurity is not effective.