Biannual Journal Monadi for Cyberspace Security (AFTA)

fa طراحی و پیاده‌سازی ابزار شناساگر فناوری‌های تحت وب Design and Implementation of a Web Technology Identification Tool رمز و امنیت اطلاعات Cryptology and Information Security پژوهشی Research Article <div style="text-align: justify;">با رشد چشم‌گیر فناوری‌های تحت وب، شناخت دقیق فناوری‌های به‌کاررفته در وب‌سایت‌ها به یکی از محورهای کلیدی در تحلیل‌های امنیتی، توسعه و ارزیابی دارایی‌های دیجیتال تبدیل شده است. این مقاله با تمرکز بر تحلیل از منظر کاربر، یک معماری چندلایه‌ای برای شناسایی فناوری‌های وب ارائه می‌دهد که مبتنی بر اطلاعات قابل مشاهده در سمت مرورگر است. ساختار پیشنهادی در سه مرحله‌ی اصلی شامل آماده‌سازی و ارسال درخواست HTTP، تحلیل ساختاریافته‌ی پاسخ دریافتی از سرور و تطبیق اطلاعات با پایگاه دانش طراحی شده است. در بخش تحلیل، داده‌ها از لایه‌هایی همچون سرآیندها، کوکی‌ها، کد HTML، منابع بارگذاری‌شده و متغیرهای JavaScript در زمان اجرا استخراج می‌شوند. سپس با بهره‌گیری از پایگاه دانشی قابل گسترش، فرآیند استنتاج فناوری‌ها انجام می‌شود. رویکرد پیشنهادی با قابلیت یکپارچه‌سازی با ابزارهای تحلیلی دیگر طراحی شده و می‌تواند در کاربردهایی نظیر تست نفوذ، تحلیل سطح حمله و پایش امنیتی مؤثر واقع شود.</div> <ol> <li style="margin-bottom: 11px; margin-left: 8px; text-align: justify;">Introduction: The Evolution of Web Complexity</li> </ol> <div style="text-align: justify;">In the contemporary Information Technology (IT) era, the nature of the "website" has undergone a fundamental transformation. Modern web entities are no longer static repositories of hypertext; they have evolved into high-performance, multilayered application platforms. These platforms integrate a diverse stack of technologies, including server-side frameworks (Node.js, Django, Spring), client-side libraries (React, Vue, Angular), Content Management Systems (CMS), and sophisticated cloud-native infrastructures. From a cybersecurity and market analysis perspective, the ability to accurately identify this underlying stack is paramount. For security professionals, technology identification is the precursor to Attack Surface Management (ASM). Knowing the specific version of a CMS or a server-side module allows for the identification of known vulnerabilities (CVEs). Conversely, for attackers, this "reconnaissance" phase is the first step in the kill chain. Current industry-standard tools, such as Wappalyzer or WhatWeb, often fall short when encountering modern web architectures. Their reliance on static regex-based matching of HTML source code makes them ineffective against Single Page Applications (SPAs) or sites protected by anti-bot and anti-identification mechanisms (e.g., Cloudflare, Akamai). This research addresses these gaps by proposing a hybrid architecture that integrates static and dynamic analysis across five distinct data layers.</div> <ol start="2"> <li style="margin-bottom: 11px; margin-left: 8px; text-align: justify;">Problem Definition: The "Black Box" of Web Analysis</li> </ol> <div style="text-align: justify;">The primary challenge in web technology identification is the asymmetry of information. An analyst operates from the client-side, possessing zero-knowledge of the server’s internal state, original source code, or backend configurations. Identification, therefore, becomes a non-deterministic fingerprinting process based on indirect signals. The research identifies three core challenges: 1. Indicator Ambiguity: Many frameworks share similar file structures or naming conventions, leading to false positives. 2. Code Obfuscation: Modern build tools minify and obfuscate JavaScript, stripping away human-readable variable names that would otherwise serve as clear indicators. 3. Dynamic Rendering: Content generated client-side via JavaScript (DOM manipulation) is invisible to static crawlers that do not execute a JavaScript engine. To resolve these, a hybrid, multilayered approach is required to aggregate weak indicators from multiple sources into a strong, high-confidence identification.</div> <ol start="3"> <li style="margin-bottom: 11px; margin-left: 8px; text-align: justify;">The Proposed Three-Stage Architecture</li> </ol> <div style="text-align: justify;">The proposed architecture follows a logical pipeline: Preparation, Structured Analysis, and Knowledge Base Inference. 3-1- Stage I: Preparation and Client Simulation The process begins with the parsing of the Uniform Resource Locator (URL). This is not a simple string split; it involves resolving the domain via DNS (Domain Name System). By analyzing DNS records (A, AAAA, CNAME, TXT), the system can immediately identify Content Delivery Networks (CDNs) or Web Application Firewalls (WAFs) like Cloudflare or Incapsula. The connection phase involves the TCP Handshake and, crucially, the TLS (Transport Layer Security) Negotiation. The research emphasizes the analysis of digital certificates. Attributes such as the Certificate Authority (CA) and the cipher suites offered by the server provide early clues about the hosting environment (e.g., Let’s Encrypt vs. Enterprise-grade CAs). To bypass anti-identification mechanisms, the architecture employs Headless Browsers (e.g., Chromium-based). This is a critical distinction from traditional tools. When a server presents a "JavaScript Challenge," the headless browser executes the script, satisfies the challenge, manages the resulting session cookies, and retrieves the fully rendered DOM for the next stage. 3-2- Stage II: The Five Layers of Structured Analysis The heart of the research lies in the parallel analysis of five distinct data silos: LAYER 1: HTTP RESPONSE HEADERS (METADATA LAYER) Headers are the "handshake" of the application layer. The architecture scans for explicit headers like Server (e.g., nginx/1.18.0) and X-Powered-By (e.g., PHP/7.4). However, since these can be easily spoofed or suppressed by security-conscious admins, the system also looks for implicit headers like X-AspNet-Version or custom headers unique to specific load balancers or proxy servers. LAYER 2: HTTP COOKIES (SESSION LAYER) Cookies are highly reliable fingerprints. The naming convention of a session cookie is often a "smoking gun" for the backend framework. For example, PHPSESSID points to PHP, JSESSIONID to Java/Spring, and csrftoken often to Django. Beyond names, the attributes (Secure, HttpOnly, SameSite) indicate the security posture and architectural decisions of the developers. LAYER 3: HTML CONTENT (STRUCTURAL LAYER) This layer performs a systematic scan of the Document Object Model (DOM). It looks for: • CMS Signatures: WordPress typically includes specific paths in its meta name="generator" tags. • Tag Hierarchy: Unique ID or Class naming conventions (e.g., wp-block-image for WordPress or data-reactroot for React). • Metadata: Specific <meta>, <link>, and <title> tags that reveal SEO tools, analytics plugins, or CSS frameworks (like Bootstrap or Tailwind). LAYER 4: LOADED RESOURCES (ASSET LAYER) Websites are composed of numerous static assets. The architecture analyzes the directory structure of these assets. A /wp-content/ directory is a definitive indicator of WordPress, while a /dist/ or /_next/ folder often indicates modern build tools like Webpack or the Next.js framework. The analysis also covers versioning schemes (e.g., jquery.min.js?v=3.6.0), which are vital for vulnerability assessment.                 LAYER 5: JAVASCRIPT RUNTIME (DYNAMIC LAYER) This is the most innovative layer. By executing JavaScript in a controlled environment, the architecture inspects the global namespace (window or globalThis). Even if the source code is obfuscated, frameworks must instantiate global objects to function. Detecting a window.React or window.Vue object provides a 100% confidence match that is impossible to achieve through static HTML analysis alone. This layer also monitors API interactions, such as calls to specific browser APIs, to deduce the framework’s behavior. 3-3- Stage III: Knowledge Base (KB) Matching and Weighting The raw data from the five layers is fed into a Central Knowledge Base. This KB is not a simple list but a structured JSON repository of thousands of "Signatures." A key feature of the proposed system is the Weighting and Confidence Mechanism. Not all indicators are equal. A Server: Apache header is a weak indicator (weight: 0.2) because it is common. However, a specific WordPress-logged-in cookie is a strong indicator (weight: 0.9). The system calculates a cumulative Confidence Score for each technology. If the score exceeds a predefined threshold, the technology is confirmed. Furthermore, the KB supports Dependency Logic (Implication). For instance, if the system identifies "WordPress," it automatically implies the presence of "PHP" and "MySQL/MariaDB," even if those technologies are hidden behind a proxy.</div> <ol start="4"> <li style="margin-bottom: 11px; margin-left: 8px; text-align: justify;">Performance Evaluation: Comparative Analysis</li> </ol> <div style="text-align: justify;">To validate the architecture, the researchers conducted a comparative study against three industry leaders: WhatWeb, BuiltWith, and Wappalyzer. The testbed consisted of 20 diverse websites (domestic and international) with varying levels of complexity. The criteria for evaluation were: 1. Breadth of Identification: Detection of CMS, Backend Frameworks, JS Libraries, CDNs, DNS, and TLS. 2. Advanced Capabilities: Ability to analyze dynamic content and bypass anti-bot challenges. Key Findings: • Static tools (WhatWeb/Wappalyzer) failed significantly on sites using heavy JavaScript rendering (SPAs). • Anti-identification Bypassing: While traditional tools were blocked by Cloudflare’s "Wait 5 Seconds" challenge, the proposed architecture’s use of headless browsers allowed it to successfully retrieve and analyze the protected content. • Accuracy: By correlating headers with runtime variables, the proposed system reduced "Version Mismatch" errors by 35% compared to regex-only tools.</div> <ol start="5"> <li style="margin-bottom: 11px; margin-left: 8px; text-align: justify;">Conclusion: Towards Automated Security Auditing</li> </ol> <div style="text-align: justify;">The research concludes that a single-layer approach to web technology identification is obsolete in the era of modern web architectures. The proposed Multilayered Analysis Architecture provides a robust, resilient, and highly accurate framework for fingerprinting web entities. By combining the speed of static analysis (headers and HTML) with the depth of dynamic analysis (JS runtime and headless browsing), the system achieves a level of "X-ray vision" into the web stack. This has profound implications for: • Security Analysts: Enabling more accurate vulnerability mapping and attack surface reduction. • Automated Auditing: Providing a foundation for bots that can continuously monitor the technology shifts in an organization’s digital assets. • Technical Research: Facilitating large-scale studies of web technology trends with higher data integrity. The flexibility of the JSON-based Knowledge Base ensures that as new frameworks emerge (e.g., Qwik, SolidJS), the system can be updated without re-engineering the core analysis engine. This architecture represents a significant step forward in the field of automated web reconnaissance and security auditing.</div> تحلیل فناوری وب, شناسایی فناوری سمت سرور, تحلیل بسته HTTP, شناسایی غیرفعال Web Technology Analysis, Server-Side Technology Identification, HTTP Packet Analysis, Passive Identification 60 67 http://monadi.isc.org.ir/browse.php?a_code=A-10-407-16&slc_lang=fa&sid=1 Amir Fathalizadeh امیر فتحعلی‌زاده fathalizadehamir1997@gmail.com 10031947532846002118 10031947532846002118 Yes Cyberspace Research Institute, Shahid Beheshti University, Tehran, Iran پژوهشکده فضای مجازی، دانشگاه شهید بهشتی، تهران، ایران Ali Poursohi علی پورسهی info@vuln360.com 10031947532846002119 10031947532846002119 No Computer Department, Iranian eUniversity, Tehran, Iran موسسه آموزش عالی ایرانیان، دانشگاه ایرانیان، تهران، ایران