More information can be gathered from http://search.msn.com/developer/ To be able to use SEARCH.MSN, you will require an Application ID. This can be obtained using MSN passport. Queries are limited to 10,000 a day and allow a total of 50 results for each query. This provides great flexibility to the application. As a security tool, substantial information can be queried from MSN search, making it a handy tool to have in your toolkit. For the examples outlined in this paper, some of the information is retrieved using this interface, with a sample application called wapawn.

Web application footprinting with MSN search

One of the challenging tasks for security professionals is to discover web applications belonging to specific clients, using a limited set of information. Often, the only information we have in place is an IP address or a higher-level domain, like, for instance, “icenet.net� (a local ISP of the city). Beginning with this zero-level information, we attempt to see what else we can discover. We can divide our footprinting exercise into two sections – host-level and domain-level.

Host footprinting

One of the problems faced, is to find reverse DNS lookup in a multihosting scenario. When more than one web applications is hosted on one IP address, it is important to know the correct application host name in order to retrieve information related to this specific web application. This host information can be passed to “Host:� in the HTTP header section, while making HTTP requests to specific IP addresses.

Here is a result of a query run using the IP directive – ip:203.88.128.11 – on a web API interface. This is a sample application to query MSN search over their web services. The same objective can also be achieved on the traditional web interface provided on their web site.

We have successfully obtained the above hosts running on specific IP address, 203.88.128.11. Shown below is a screenshot of running the exact same query on their web interface.

This directive is very useful in doing reverse host finding despite DNS not having a PTR record. MSN search discovers an IP address and reports each web application host found pointing to this IP address. It is possible to choose how results of a search query appear. To get a unique value or just one value for each of the sites “discovered�, use settings. This is very useful to make sure we get just one value. In the above example, we were interested only in unique hosts pointing to a particular IP address. Here is the option that needs to be modified that would allow you to set up just such a scenario.

Domain footprinting

MSN search supports the “site� directive that fetches all possible applications running on that particular domain and any child domains. For example, we can run the following query and fetch this result set.

The above screenshot shows all the different applications running on the “icenet.net� domain. All applications running on the child domain are also fetched. This is the easiest way of getting all applications belonging to a sample domain. Here is how you can get it from their web interface instead of from web services.

Getting cross-domains pointing to a domain

Cross-domains are domains that point to the application but do not reside on the same domain despite belonging to the same client or group. Such domains cannot be footprinted using either DNS or the “site� directive. But if we are able to analyze and somehow obtain a list of web applications or sites that are pointing to this particular application, we will be able to get access to all cross-domain references.

An example should make things clearer: Let us assume that the application called “www.icetel.co.in� belongs to the “icenet.net� domain and is part of their IP address range. How do we go about footprinting this domain? In other words, is there a way to discover domains or applications that are pointing to the “icenet.net� domain?

Incidentally, there is a way. The “linkdomain� directive on MSN does precisely this – retrieve a list of pages that point to any page residing on this particular domain. Interestingly, the following query can fetch an important list of hosts and domains.

linkdomain:icenet.net –site:icenet.net

There are two parts to this query: one, we search for “linkdomain: results and the second, we negate(–) any of the results that are part condition “–site:icenet.net�. Shown below is the screenshot:

And here’s the result from the web interface.

This cross-domain harvesting method gives us access to another set of applications that belong to the same family or group, based solely on their IP range. Needless to say, “linkdomain� is an interesting switch to explore while performing web application footprinitng; it may throw up some unexpected sets of results.

Other tricks and tips that can be leveraged in web application assessment

1. Tuning search with interesting directives One of the interesting directives that MSN search supports is selecting parameters for tuning search results, as is shown in the screenshot below:

This can help in generating “fuzzy� search results as well as recently updated pages. Using this directive we can locate the most recently updated pages and can differentiate these from the last set of links or pages collected. This differentiation method is required in order to generate incremental security assessment and perform assessment on newly added resources from the clients. For example, here’s how we can obtain fresh search results for “icenet.net�: site:icenet.net {frsh=100}

2. Web application profiling

We can also use the “site� directive to grab all links for specific web applications. Simultaneously, we can also fetch cached pages and perform HTML sifting. This would provide information such as forms, applets, objects, etc. With this information in place, resource mapping can be performed on the application to define attack points for SQL injection or Java decompilation.

3. Assessment and file search

MSN provides directives like “contains� and “filetype�. contains provide a page which points to specific file types. For instance, the following search would return a page location that points to the location of the “pdf� files, residing on, say, the “icenet.net� domain. site:icenet.net contains:pdf This directive can help in profiling high value targets and resources which point to important resources. “filetype� is the directive that can help in locating different file extensions such as html and pdf.

4. Page scrubbing with in* directives

It is possible to look for specific information at specific locations within an HTML page with different directives like inurl, inanchor, inbody, intitle, etc. These directives allow crafty search queries to be built to look for specific information. For example, if we want to find all PHP pages residing on the“icenet.net� domain, our query would be “site:icenet.net inurl:php�. Such queries assist in web application assessment for large domains.

5. Restricting query with respect to location

MSN has an interesting directive called “loc� which can be used to find specific resources located in specific countries. For instance, to see all pages of the “icenet.net� domain residing in India only, our query would be “site:icenet.net loc:IN�. This can be useful in cases where the scope of assessment on large domains is limited to specific geographic locations.

Conclusion

Web application security assessment is always a challenge; more so, when beginning with zerolevel information about the application. Out of intense complexities emerge intense simplicities. By utilizing the extremely powerful search options provided by the MSN search engine to construct intelligent queries that fetch critical information, this article seeks to offer simple solutions to footprinting web applications in different domains or those that are mapped to a single IP address.

( )