httpx icon indicating copy to clipboard operation
httpx copied to clipboard
verified publisher icon projectdiscovery

Tech detection fails on root path, but works on .aspx endpoint (ASP.NET version missing)

Open onorridg opened this issue 8 months ago • 3 comments

httpx version:

v1.7.0

Current Behavior:

When using httpx with the -tech-detect flag, the ASP.NET technology (specifically version Microsoft ASP.NET:2.0.50727) is not detected when scanning the root path of the site (http://testaspnet.vulnweb.com/), even though the server response contains the following headers:

X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET

However, when making a request to a non-existent .aspx file (e.g., /nonexistent.aspx), httpx correctly detects and displays the ASP.NET version in the tech field.

Expected Behavior:

httpx -tech-detect should detect ASP.NET version regardless of the URL path suffix if the relevant headers are present in the response.

Steps To Reproduce:

  1. Run:
httpx -u http://testaspnet.vulnweb.com/ -tech-detect -json

❌ The "tech" field does not include ASP.NET version.

  1. Run:
httpx -u http://testaspnet.vulnweb.com/nonexistent.aspx -tech-detect -json

✅ The "tech" field includes: "Microsoft ASP.NET:2.0.50727"

Anything else:

  • Manual check with curl confirms the headers are also present on the root path:
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
  • It appears httpx uses the .aspx suffix as a heuristic for enabling ASP.NET detection, which leads to missing detections for other paths.
  • Would be useful if -tech-detect considered headers independently from the path.

Thanks for the great tool!

Reported on: 2025-05-07 10:22

onorridg avatar May 07 '25 10:05 onorridg

@onorridg Thanks for letting us know! I've tried with dev branch and it shows the version in the output. Could you retry it with dev branch:

$ go run . -u http://testaspnet.vulnweb.com/ -tech-detect -silent -json | jq
{
  "timestamp": "2025-05-14T10:26:06.944784+07:00",
  "cdn_name": "aws",
  "cdn_type": "cloud",
  "port": "80",
  "url": "http://testaspnet.vulnweb.com/",
  "input": "http://testaspnet.vulnweb.com/",
  "title": "acublog news",
  "scheme": "http",
  "webserver": "Microsoft-IIS/8.5",
  "content_type": "text/html",
  "method": "GET",
  "host": "44.238.29.244",
  "path": "/",
  "time": "840.737125ms",
  "a": [
    "44.238.29.244"
  ],
  "tech": [
    "IIS:8.5",
    "Microsoft ASP.NET:2.0.50727",
    "Microsoft Visual Studio",
    "Windows Server"
  ],
  "words": 774,
  "lines": 87,
  "status_code": 200,
  "content_length": 13876,
  "failed": false,
  "knowledgebase": {
    "PageType": "other",
    "pHash": 0
  },
  "resolvers": [
    "103.196.38.39:53",
    "1.1.1.1:53"
  ]
}

dogancanbakir avatar May 14 '25 03:05 dogancanbakir

I was initially sure that httpx wasn't detecting any technology version in the "tech" field, but it turns out the results are non-deterministic — running the exact same command against the same host multiple times gives different outputs. Sometimes the version is detected, sometimes not. The difference between the requests is just a few seconds.

Image

This behavior was observed using httpx version 1.7.0 with the --tech-detect flag enabled.

onorridg avatar May 14 '25 08:05 onorridg

@onorridg Thanks for retesting! I've also tried, but with dev branch, and I wasn't able to repro this. Could you also retry with dev branch?

dogancanbakir avatar May 22 '25 08:05 dogancanbakir

Closing this. Feel free to reopen if the issue persits.

dogancanbakir avatar Jun 16 '25 12:06 dogancanbakir