
Exercise: Which web application are we facing?

We want to know more about a "target" application.

Suppose we have been asked to check the security of the BFH-TI web site.

Draw a map

Use WebScarab to draw a map of the application used by the site www.ti.bfh.ch.
The map contains two types of directories. On one side there are pseudo-directories corresponding to the structure of the pages: one level for the languages, followed by the main sections of the site. These directories reflect the logical structure of the application, not its file structure.
On the other side, some directories are not related to that structure but are real directories on the server:

Look at the content of the different directories (in case some old source code is still available). The directories are all protected: the content returned is always "forbidden".

Check which application is used

Use the view-source function of your browser to see which application is used to generate the pages. In the HTML source, one can read:
<meta name="generator" content="TYPO3 4.2 CMS" />
So the site is using the content management system TYPO3, version 4.2. This fact is confirmed by the session cookie produced by the site:
fe_typo_user=ba773d07a8b4a9f472ad8f5eacc0b018
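A check a site owner can run against their own pages to see whether they leak the two fingerprints used above, the generator meta tag and a framework-specific cookie name (an added example, not part of the exercise; the HTML and Set-Cookie header are constructed sample input, and the cookie-name table is an assumption apart from fe_typo_user, which comes from the exercise):

```python
"""Flag version and framework disclosure in a page's HTML and cookies."""
from html.parser import HTMLParser

# Cookie names that reveal the framework behind a site. fe_typo_user is the
# one seen in the exercise; extend the table for other products (assumption).
FRAMEWORK_COOKIES = {"fe_typo_user": "TYPO3 frontend session"}


class GeneratorFinder(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)  # attribute names are already lower-cased by HTMLParser
        if (a.get("name") or "").lower() == "generator" and a.get("content"):
            self.generators.append(a["content"])


def check_disclosure(html, set_cookie_headers):
    """Return (severity, finding) pairs for an HTML body and its Set-Cookie headers."""
    findings = []
    finder = GeneratorFinder()
    finder.feed(html)
    for gen in finder.generators:
        # A version number lets an attacker pick bugs for exactly that release;
        # the bare product name is still a hint, so it is rated lower.
        severity = "high" if any(ch.isdigit() for ch in gen) else "medium"
        findings.append((severity, f"meta generator discloses: {gen}"))
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        if name in FRAMEWORK_COOKIES:
            findings.append(("low", f"cookie {name} reveals {FRAMEWORK_COOKIES[name]}"))
    return findings


# Constructed sample response: same tag as in the exercise, made-up cookie value.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="TYPO3 4.2 CMS" />
<title>constructed sample page</title></head><body></body></html>"""
SAMPLE_COOKIES = ["fe_typo_user=0123456789abcdef0123456789abcdef; path=/"]

if __name__ == "__main__":
    for severity, finding in check_disclosure(SAMPLE_HTML, SAMPLE_COOKIES):
        print(f"[{severity}] {finding}")
```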

Use Google to gather information

Use the information gathered to find the "install" page and the back-end login page.
Try the default users and/or passwords.
Looking into the TYPO3 documentation, you learn that there are several interesting hidden pages. Check whether a brute-force protection exists: the back-end login page is not protected against brute-force attacks (one can try 10 logins without the site reacting).

Find which pages are not "standard"

Search the site map for "extensions". Write down all the entry points of the different extensions. Try feeding fake input to all those entries. The search page has a specific URL:
suche.html?cx=002941251596693344392%3Ao5iuas0yxd8&cof=FORID%3A10&ie=UTF-8&q= test&sa=Suchen&siteurl=www.ti.bfh.ch%2Fde%2Fsearch%2Fpersonensuche.html%3Fid%3D383%26L%3D0%26no_cache%3D1%26name%3Dbenoist%26firstname%3D%26div%3Dall%26tx_personlistform_pi1%255Bsubmit_button%255D%3DSuche
When you put something odd in the cx parameter, you get a Google search page. So we have here an extension that integrates the Google search engine; this is confirmed by the source code of the result page.
Another page with specific URLs is the schedule:
http://www.ti.bfh.ch/index.php?id=546&class=V1a&text=1&L=0
Entering dummy input does not influence the behaviour, and no error messages appear.

Copyright Emmanuel Benoist 2008-2013