Most Oracle applications contain a main subfolder called /pls/. This is where everything in the application is appended. This /pls/ folder is actually Oracle’s PL/SQL module,
Figure 2-8 Teleport Pro’s many options
and everything that follows it are call parameters. To help you understand, take a look at this Oracle Application URL:
http://site.com/pls/Index/CATALOG.PROGRAM_TEXT_RPT?
p_arg_names=prog_nbr&p_arg_values=39.001
In this example, /pls/ is the PL/SQL gateway; /Index/ is the Database Access Descriptor;
and CATALOG. is a PL/SQL package that has the PROGRAM_TEXT_RPT procedure, which accepts the parameters on the rest of the URL.
Detecting an Oracle server is typically very easy because the www.site.com/pls/
directory is a dead giveaway. Also, Oracle’s convention of naming its scripts and PL/
SQL package with full words such as somename.someothername is another telltale sign.
It is also common to see Oracle names in all capital letters, such as NAME.SOMENAME.
And many Oracle names will also end with a procedure such as .show or a URL that looks like this:
http://www.site.com/cs/Lookup/Main.show?id=4592 Figure 2-9 Black Widow mirrors site contents to the local drive.
When you see this type of structure, you are most likely looking at an Oracle application.
BroadVision
Here’s an example of a BroadVision URL. We’ve placed numbers in bold within this example to highlight some key features.
http://www.site.com/bvsn/bvcom/ep/
programView.(2)do?(3)pageTypeId=8155&programPage=/jsp/www/content/
generalContentBody.jsp&programId=8287&channelId=-8246&(1)BV_
SessionID=NNNN1053790113.1124917482NNNN&BV_
EngineID=cccdaddehfhhlejcefecefedghhdfjl.0
1. The killer signature here is the parameter names: BV_SessionID and BV_
EngineID. If you see these anywhere in a URL, you have nailed a BroadVision application. How much more simple can it get?
2. BroadVision applications also usually have .do script extensions.
3. Most BroadVision applications also have parameter names that tend to end in xxxxId=nnnn. By looking at the URL, you’ll notice three parameters that are named this way (pageTypeId=8155, programId=8287,
channelId=-8246). This naming scheme is unique in that ID is spelled with a capital I and lowercase d, and usually the value contains a number that is four or more digits. This is a nice way of detecting BroadVision without obvious clues.
Here’s another example BroadVision URL:
http://www.site.com/store/stores/
Main.jsp?pagetype=careers&template=Careers.
jsp&categoryOId=-8247&catId=-8247&subCatOId=-8320&subtemplate=Content.jsp
At first glance, we would suspect BroadVision is present because of the lowercase ds in the IDs and the familiar four or more numeric digits in the values. Another clue that raises our confidence level is the fact that they’re negative numbers—something you see a lot of in BroadVision applications.
PeopleSoft
Here’s an example of a PeopleSoft URL. We’ve again placed numbers in bold within this example to highlight some key features.
http://www.site.com/psp/hrprd/(3)EMPLOYEE/HRMS/c/
ROLE_APPLICANT.ER_APPLICANT_HOME(1).GBL?(2)NAVSTACK=Clear
1. The fi le extension is a clear giveaway here: .GBL exists in most URLs of sites that run PeopleSoft.
2. NAVSTACK= is also a fairly common thing to see in most PeopleSoft
installations. But be careful! There are a lot of PeopleSoft installations without this parameter.
3. Folders and fi lenames in PeopleSoft tend to be all capitalized.
Another item that gives away PeopleSoft is cookies. PeopleSoft usually sets the following cookies:
You will usually see the PORTAL-PSJSESSIONID cookie in most PeopleSoft applications.
The other three cookies that you see are far less common. In most cases, you’ll find detecting PeopleSoft installations easy because PeopleSoft is clearly identified in the URL. But you can’t just rely on URLs to spot PeopleSoft; many times developers so heavily customize their applications that detecting what application is actually running becomes difficult. So we’ll spend some time discussing how PeopleSoft applications behave and look. Trying to recognize an application through its behavior and “feel” will become easier as you gain experience dealing with web applications. Let’s walk through an example of how to fingerprint an application based on feel and look.
Like many applications, PeopleSoft acts in a unique way. Most PeopleSoft applications will have a menu on the left and a large frame on the right. When clicking the menu items on the left—they are typically direct URLs; you will see the URLs change as you click—the page will load on the right. The content of the page on the right will usually be heavily written with JavaScript. And each link and button typically launches some type of JavaScript action. That’s why, as you hover over these links, you’ll often see plenty of “javascript:” links that will either perform a submit command or open a new window. That’s one of the reasons you can spot a PeopleSoft application right away.
Because most web application servers are highly customizable, telling one web server from another is difficult without studying the URL or the technical specifications. But there are subtle things that you can look for that will help to indicate what application is running. For example, a PeopleSoft application is highly customizable, so it might be difficult to tell a PeopleSoft application by the standard profiling methods via URL or query recognition. Yet most PeopleSoft applications are easily distinguishable by the interface components that are used. For example, in the following two screenshots, you can see both the menu and standard login screen of a known PeopleSoft application:
The following shows a screenshot of an application that is suspected to be a PeopleSoft application, but the URL gives no indication of the usual PeopleSoft parameter structure (https://www.site.com/n/signon.html):
Compare the look and feel of this screenshot with the known PeopleSoft menu shown above. Look at the menus. PeopleSoft’s menus always tend to be very square and almost Xwindows-like. And they will usually have a – in front of all items. Notice how the menu font, size, and color are the same. Also notice the color and shape of the Continue button.
Do you see how the button color and look are the same? We have detected that this application is running PeopleSoft just by looking at it. Another example of this might be Lotus Domino; Lotus makes heavy use of collapsible trees that usually have a certain feel to them. For instance, they may have arrows that point to the side for closed trees or point down for open trees. If we see that behavior on a tree on a web site, it may be a clue that Domino is being used.