OWASP ASVS - How to find, what are the application components?


(srinivas) #1

Verify that all application components are identified and are known to be needed.


(Jesper) #2

Ah. You are looking at point 1.1 under V1: Architecture, design and threat modelling.

I read “Verify that all application components are identified and are known to be needed” as: list all the stuff and know that you need it. Example: you run on a Linux-Apache-MySQL-Perl (LAMP) machine, but you don’t use Perl.


(srinivas) #3

Yes. I was reading that.

As a black-box tester, if there is no wiki available to tell what components or third-party components are used in the application, how do I find out?


(David Shute) #4

Start by fingerprinting the server and working outward from there. https://www.owasp.org/index.php/Fingerprint_Web_Server_(OTG-INFO-002)


(srinivas) #5

Thank you. Online tools are helpful.

I tried httprint, but was receiving an error in establishing a connection.
I tried the input file as:

inputs for httprint can be:

- individual IP addresses (default port 80)

- http://servername:[port]/

- https://servername:[port]/

- IP ranges xx.xx.xx.xx-yy.yy.yy.yy

https://www.websitename.com:80

Also used: Web Developer tools -> Network, to find out server details.
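
Added example, not part of the thread and not code from OWASP or httprint: a way to turn response headers, as copied from the browser's Network tab mentioned above, into a candidate component list for ASVS 1.1, so each entry can be checked against "known to be needed". The sample headers, the cookie-name table and the function names are constructed for illustration; banners can be removed or altered by the server, so every hit is a lead to confirm, not proof.

```python
import re

# Constructed sample: response headers as they appear in a browser's Network tab.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Server: Apache/2.4.41 (Unix) OpenSSL/1.1.1d mod_perl/2.0.11 Perl/v5.30.0
X-Powered-By: PHP/7.4.3
Set-Cookie: PHPSESSID=constructed; path=/; HttpOnly
Content-Type: text/html; charset=UTF-8
"""

# Headers whose value usually names products as "Name/version" tokens.
PRODUCT_HEADERS = ("server", "x-powered-by", "x-generator")
# Default session-cookie names and the platform they usually indicate (heuristic).
COOKIE_HINTS = {"PHPSESSID": "PHP", "JSESSIONID": "Java servlet container"}
TOKEN = re.compile(r"([A-Za-z][\w.\-]*)(?:/([\w.\-]+))?")

def parse_headers(raw):
    """Return (lowercased name, value) pairs; lines without a colon are skipped."""
    pairs = []
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def component_hints(raw):
    """Map each candidate component to (version or None, evidence)."""
    headers = parse_headers(raw)
    found = {}
    # Pass 1: product tokens; a comment such as "(Unix)" becomes a version-less entry.
    for name, value in headers:
        if name in PRODUCT_HEADERS:
            for product, version in TOKEN.findall(value):
                found.setdefault(product, (version or None, name))
    # Pass 2: cookie names only add components that pass 1 did not already find.
    for name, value in headers:
        cookie = value.split("=", 1)[0].strip()
        if name == "set-cookie" and cookie in COOKIE_HINTS:
            found.setdefault(COOKIE_HINTS[cookie], (None, "cookie " + cookie))
    return found

if __name__ == "__main__":
    for component, (version, evidence) in component_hints(SAMPLE_HEADERS).items():
        print(f"{component:10} {version or '-':10} from {evidence}")
```

In the constructed sample, `mod_perl` and `Perl` appear in the Server banner, which is the kind of entry the LAMP example in post #2 asks you to justify or remove.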