
Test if a URL uses Node.js - wlaurance
http://dotheyusenode.herokuapp.com/#/
======
sisk
In addition to the coffeescript / browserify detection, here are the headers
it checks[0]:

    
    
    var frameworks = [
      {name: 'express.js', s: "express", h: 'x-powered-by'},
      {name: 'koa.js', s: 'koa', h: 'x-powered-by'},
      {name: 'sails.js', s: "sails", h: 'x-powered-by'},
      {name: 'ecstatic', s: 'ecstatic', h: 'server'},
      {name: 'flatiron', s: 'flatiron', h: 'x-powered-by'}
    ]
    

All in all, this should prove relatively inaccurate. A vanilla http server
from node sets neither server nor x-powered-by headers. Many frameworks don't
set them, either (Walmart's hapi, PayPal's krakenjs, etc).

Fun toy project, but if you're really interested in fingerprinting, check out
the OWASP entry on the subject[1].

[0]: [https://github.com/dotheyusenode/dotheyusenode/blob/ea235619...](https://github.com/dotheyusenode/dotheyusenode/blob/ea23561918ba7ae41b8bc88f25bbf7e777e62359/checkers/headers.js#L3-L9)

[1]: [https://www.owasp.org/index.php/Testing_for_Web_Application_...](https://www.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_\(OWASP-IG-004\))

~~~
wlaurance
Yes, it is just a toy project. It is a lot more work to fingerprint
successfully. OWASP looks very interesting. Thanks for the link and
subsequently the white paper links!

------
laumars
Pretty pointless since all this does is check the x-powered-by HTTP response
header (which can be turned off[1]). If this captured other web frameworks as
well (e.g. PHP also outputs to x-powered-by in its default config) then this
might be a little less pointless - but even then, most production sites should
have those information leaks sealed anyway (you don't actually improve
security, but at least it slows the attacker down a little as you're not
spoon-feeding them information about your server build)

[1] [http://stackoverflow.com/questions/5867199/cant-get-rid-of-h...](http://stackoverflow.com/questions/5867199/cant-get-rid-of-header-x-powered-byexpress)
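
An added example, not part of the thread or of the dotheyusenode code: a self-audit for your own responses that applies the signature table sisk quotes above and flags the `x-powered-by` / `server` leaks laumars describes. The helper names, the substring-matching rule and the sample headers are assumptions made for illustration.

```javascript
// Signature table as quoted in the thread; the rest is illustrative.
const SIGNATURES = [
  { name: 'express.js', s: 'express', h: 'x-powered-by' },
  { name: 'koa.js', s: 'koa', h: 'x-powered-by' },
  { name: 'sails.js', s: 'sails', h: 'x-powered-by' },
  { name: 'ecstatic', s: 'ecstatic', h: 'server' },
  { name: 'flatiron', s: 'flatiron', h: 'x-powered-by' },
];

// Header names are case-insensitive and Node may return arrays for
// repeated headers, so normalise to { 'lowercased-name': 'joined value' }.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    out[k.toLowerCase()] = Array.isArray(v) ? v.join(', ') : String(v);
  }
  return out;
}

// Audit one response's headers (hypothetical helper).
// Assumption: `s` is matched as a case-insensitive substring of header `h`.
// verdict: 'leaks-framework' | 'leaks-other' | 'no-signal'
function auditHeaders(headers) {
  const h = normalize(headers);
  const matches = SIGNATURES
    .filter((sig) => (h[sig.h] || '').toLowerCase().includes(sig.s))
    .map((sig) => ({ framework: sig.name, header: sig.h, value: h[sig.h] }));
  // These headers disclose the stack even when no signature matches,
  // e.g. PHP's default X-Powered-By mentioned in the thread.
  const present = ['x-powered-by', 'server'].filter((n) => n in h);
  const verdict = matches.length ? 'leaks-framework'
    : present.length ? 'leaks-other' : 'no-signal';
  return { verdict, matches, present };
}

// Remediation on a Node response object, called before headers are sent.
// removeHeader() is part of Node's http.ServerResponse API.
function stripDisclosureHeaders(res) {
  for (const name of ['X-Powered-By', 'Server']) res.removeHeader(name);
  return res;
}

// Constructed sample: a bare Node http server sets neither header, so the
// audit has nothing to go on (the tool's "Maybe, but we cannot tell").
console.log(auditHeaders({ 'Content-Type': 'text/html' }).verdict);
```

In Express itself, `app.disable('x-powered-by')` stops the header from being set in the first place.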

~~~
wlaurance
It checks x-powered-by and Server in some cases.
[https://github.com/dotheyusenode/dotheyusenode/blob/master/c...](https://github.com/dotheyusenode/dotheyusenode/blob/master/checkers/headers.js#L3)

It also tries to read through the JavaScript served up to see if it uses
browserify.
[https://github.com/dotheyusenode/dotheyusenode/blob/master/c...](https://github.com/dotheyusenode/dotheyusenode/blob/master/checkers/needsjs/browserify.js#L1)

But yes, it is a glorified `curl -I www.foo.com | grep -i 'x-powered-by'` UI

~~~
laumars
Technically it's more like "curl -i" rather than "-I" since it does a GET
request rather than a HEAD request. Which is a good thing as the former is
more accurate. There are rare occasions when a web server might be sending
wrong headers which get overwritten with the correct headers from the
executing code (I think one of OVH's portals suffered from this issue - though
that may have since been fixed)

You probably might want to stick "-s" in there too; silence the transfer
statistics which curl (annoyingly) adds when output is piped / redirected.

~~~
wlaurance
I should clarify that I am using the request module to make GET requests on
the url submitted. But yes, I dislike that the curl stats print by default
when output is redirected :/

~~~
laumars
_> I should clarify that I am using the request module to make GET requests on
the url submitted._

Yeah I saw (I had a browse through your source after your previous post).

As a side note, I was impressed with just how readable your code was (even for
someone like myself with very poor JavaScript skills). I can't comment on how
much credit node.js deserves for that, but I've seen people turn even the most
readable of languages into line noise in the past. So it's always a pleasure
to read code that doesn't require lines of comments to explain their function.

~~~
wlaurance
Thanks! Node can be thanked because it makes writing modular code painless, so
separating concerns is very easy.

------
dylanpyle
Just a heads up, there's already a handful of private staging/demo server URLs
@ [http://dotheyusenode.herokuapp.com/cache](http://dotheyusenode.herokuapp.com/cache)
- you may want to reconsider exposing that for the publicly available
instance.

------
panarky
nodejs.org

"Maybe, but we cannot tell"

~~~
wlaurance
Haha yeah, for anything static not served up by a framework that leaks headers
it doesn't really do very well :)

------
Gurrewe
Does anyone know if Node.js has any "easter egg" like PHP < 5.5 has?

You can simply add ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 to the URI of
most PHP-sites and the server will respond with the PHP-credits [0].

[0]:
[http://thepiratebay.se/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C1...](http://thepiratebay.se/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000)

~~~
avree
No, that would be insanity.

------
pornel
I hoped for something smarter, like testing quirks/bugs in the node's HTTP
server.

~~~
wlaurance
Put in a PR! Currently, it is easy to do things with the Request object. Any
ideas on what quirks/bugs to look into?

------
randunel
"Maybe, but we cannot tell". Great script, I could build it in node.js in 10
seconds :D

------
hayksaakian
If you can't tell if airbnb uses node, I'm not sure it works at all.

~~~
camus2
I guess it's just checking for some header, like express has a special
header... by the way, framework authors, please refrain from doing stuff like
that. The framework I use is nobody's business but mine.

~~~
mattgreenrocks
It's also dangerous and irresponsible from a security standpoint. Not
advocating security by obscurity, but advertising it doesn't help.

------
ebbv
"Maybe but we cannot tell."

I win!

------
vivekn
What if you don't set the "Server" header?

------
ninjakeyboard
If your server is detected, that's a security vulnerability. You should never
be able to identify the underlying technology of your stack or you open
yourself to attack on any known vulnerabilities, whereas if your stack is
unknown, then the vectors for attack are much less obvious.

~~~
dmytrish
Security through obscurity is not effective.

~~~
Thaxll
Yes it is, in fact it's better than nothing and will prevent some form of
basic attacks.

