How can an attacker identify if a website is using PHP? How about the PHP version?
Alberto last edited by
I have a vulnerable test site up that runs PHP. How can an attacker identify that PHP is used? if I type
.../add.phpthe site gives back an error message, although the file is
add.php. If I type
.../addthe site runs.
Maybe I can inject code to identify PHP? Or is it impossible to check for PHP (including version) if a site is well coded?
Here is the code for the test site: Elastic Beanstalk + PHP Demo App
There is no method that is guaranteed to work.
The way PHP works is that the HTTP server receives the HTTP request, identifies that it's meant to be PHP and relays the request to the PHP module. This could either be a module built into the web server or be a dedicated "PHP server". The server then checks which PHP code is meant to be executed with which parameters, then executes it, generates a result and relays that result back to the HTTP server, which returns it as HTTP response.
Whether or not this process occurs, or whether or not the result received stems from a static page or any number of processes, is unknown to the user.
There are a number of possible ways PHP could "reveal" itself. The first and most obvious is the
X-Powered-ByHTTP response header. PHP likes to advertise itself, and so in some installations, the
X-Powered-Byheader is set, which includes that the site is running PHP and which version.
There is also a very strange "easter egg" in PHP, which returns specific information such as credits to the development team or the PHP logo, when a specific query string is sent. This behavior can be disabled in the configuration, so it isn't foolproof either. If it works, then it's overwhelmingly likely to be a PHP installation, but if it doesn't, you can't exactly deduce that it's not a PHP installation. Absence of evidence isn't evidence of absence, afterall.
Stack traces and other PHP errors, such as this beautiful masterpiece taken from this question, can be an indication as well:
Of course, all of these methods only work because of some misconfiguration. On a properly configured server, it is not possible to know for sure if PHP is used or not.