Nmap Development mailing list archives

Re: favicon survey script


From: Joao Correa <joao () livewire com br>
Date: Tue, 11 Aug 2009 01:50:25 -0300

Hi Guys,

I've written a small patch to Kost's script. This patch makes the
script parse the initial page looking for a favicon tag inside of the
html, in cases where just grabbing /favicon.ico doesn't work.

The lines added to the script are responsible for fetching the initial
web page, parsing it for <link rel="icon"> or <link rel="shortcut
icon"> tags, checking if the href field provides a relative or
absolute path, parsing and fixing the path if needed, and fetching the
referenced favicon.

I've also replaced the argument favicon.uri by favicon.root and
favicon.name. Having these two arguments has some benefits: When you
are trying to retrieve a favicon that is in a subdirectory, you won't
need to retype the favicon default name; It gets much easier to fix
some parsed favicons from html, because sometimes they are provided as
"./fav.ico", and all we need to do is replace . by the root argument;
It is also much simpler to build the get request for the initial web
page (that is going to be parsed). The obvious problem with this
scheme is having two arguments, instead of only one.

I don't see favicon.name being widely used (if you don't know which is
the application you are scanning, you also won't know the favicon
filename, unless you parse the index page). For this reason, I believe
that having these two arguments might fit slightly better with everyday
use.

I've added a few comments, but if anyone has a doubt about anything,
I'll be glad to answer.

Thanks,
Joao.

On Mon, Aug 10, 2009 at 11:11 PM, Joao Correa<joao () livewire com br> wrote:
> On Mon, Aug 10, 2009 at 9:25 PM, Fyodor<fyodor () insecure org> wrote:
>> On Sun, Aug 09, 2009 at 08:08:35AM -0300, Joao Correa wrote:
>>> Hi Guys,
>>>
>>> Here are 14 more common favicons:
>>>
>>> D8BA35521DFC638F134CF3A64D1A6875:IBM
>>> F31837841BADDC72BB5AF80A532A75FA:Microsoft
>>
>> So a variety of IBM and Microsoft products use this favicon, or you
>> just mean that the IBM/MS web sites themselves use these?
>
> I don't know about any product that uses such favicons.
>
>>> D037EF2F629A22DDADCF438E6BE7A325:PHPMyAdmin
>>> CA3B716F25AAF139D83CA205B39F6A87:MediaWiki
>>> A2C4C351F8BA8EC02C8AEC910E3D0E8C:Sun
>>> A9F0F82E141D8543916559BA574D965A:Java
>>> CEDDC34CBEC02D74FE40368E2DC1FA90:Mambo
>>> 3905C0D2E530753B4C54A18C554B0B42:Zope
>>
>> We may want to describe what the products do.  e.g. "PHPMyAdmin MySQL
>> web administration" and "Zope content management system".  I think our
>> script should accept comments in the list so we can comment on what
>> systems/versions we've found to use these favicons (similar to the
>> comments you'll find in nmap-os-db).
>>
>> Similarly, "Java" is pretty vague.  What systems have you seen using
>> this favicon?
>
> Just java.com, I've been running the script against a list of common
> websites. Also, Sun favicon also refers to its website, and not to an
> application.
>
>>> FF2C8612B75B5F9A6175E016FE4AA609:nmap.org/insecure.org/seclists.org/sectools.org
>>
>> Those are indeed some of the best sites on the Internet, but I think
>> we should focus on favicons included with platform software (used on
>> many sites) rather than matching the custom favicons that most
>> individual sites create.  After all, you usually know the name of the
>> site you're scanning.  But you might not know the infrastructure
>> information (e.g. what blogging software is running) which can be
>> disclosed by the favicons.
>
> I agree with you. I've been motivated to retrieve these favicons
> because I've seen many Providers/Hosting favicons on Brandon's common
> list or even in other lists from scripts that do the same. Also, I've
> seen Google's and Apple's, that are website specific favicons.
>
> The only situation I believe that it would help, would be when
> scanning an IP, that occasionally is the place where the web server is
> running (and you don't know who the IP belongs to). Anyway,
> whois.nse already takes care of this task.
>
>> Cheers,
>> -F
>
> Thanks,
> João

Attachment: http-favicon-parsing.diff
Description:
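
The steps described at the top of this message (parse the index page for a favicon link, resolve a relative or absolute href against the root, fall back to the default name, then look the icon up in a hash list), as an added Python example; it is not the attached patch or Kost's script, which are NSE/Lua. Assumptions of this example: the `#` comment syntax in the list, MD5 as the digest (inferred from the 32-hex-digit entries quoted in the thread), and every name and URL used.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample page; the host and paths are made up for this example.
SAMPLE_HTML = '<html><head><LINK REL="Shortcut Icon" HREF="./fav.ico"/></head></html>'


class IconLinkParser(HTMLParser):
    """Collect href values of <link> tags whose rel list contains 'icon'."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel_tokens = (a.get("rel") or "").lower().split()
        # Matches rel="icon" and rel="shortcut icon", not "apple-touch-icon".
        if "icon" in rel_tokens and a.get("href"):
            self.hrefs.append(a["href"].strip())


def favicon_url(root_url, html, name="favicon.ico"):
    """Favicon URL declared in html, else root_url + name (the default guess)."""
    parser = IconLinkParser()
    parser.feed(html)
    # urljoin resolves "./fav.ico", "/img/f.ico", "//host/f.ico" and full URLs.
    return urljoin(root_url, parser.hrefs[0] if parser.hrefs else name)


def load_db(text):
    """Parse 'HASH:description' lines, skipping blanks and '#' comments."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            digest, _, desc = line.partition(":")
            db[digest.upper()] = desc.strip()
    return db


def identify(icon_bytes, db):
    """Look up the icon by MD5, assumed from the 32-hex-digit list entries."""
    return db.get(hashlib.md5(icon_bytes).hexdigest().upper())
```

Passing the root as a directory URL with a trailing slash makes `urljoin` behave like the root-plus-name pair of arguments described above.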


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
