Hello!
When using httpx to detect technologies used by subdomains, it was verified that the CPE (Common Platform Enumeration) is coming without the product version.
This is the CPE structure:
In httpx, the product version is not displayed, only the asterisks are shown.
{
  "cpe": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:*:*:*",
  "vendor": "vercel",
  "product": "next.js"
}
However, the Wappalyzer shows the product version.
Why is this important?
With the product version, the Pentester or Bug Hunter can search for product CVEs in the NIST API:
https://nvd.nist.gov/developers/vulnerabilities
httpx version:
1.9.0
Current Behavior:
HTTPX is not detecting the product version in the CPE. However, in some cases the version appears in the "tech" field. Example:
{"Apache HTTP Server:2.4.7",Bootstrap,PHP:5.5.9,Ubuntu,bun,jQuery}
Expected Behavior:
The product version should appear in the CPE.
Considering that detecting the "tech" version will depend on what the server delivers in its headers, it would be interesting to check if the version is also shown in the CPE.
Thanks!
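Added example (not from the issue author or the httpx project): one way to handle the behavior described above in post-processing, by copying a version found in the "tech" field into the version slot of the matching CPE 2.3 string so it can be checked against NVD. The sample record is constructed, the record layout beyond the fields shown in the issue is an assumption, and the name matching is a heuristic.

```python
import json
import re

# Constructed sample record. The "cpe" object fields and the "Name:version" tech
# strings follow the issue; "url", the list layout and Next.js:13.4.1 are assumptions.
SAMPLE = json.dumps({
    "url": "https://app.example.test",
    "tech": ["Apache HTTP Server:2.4.7", "Bootstrap", "PHP:5.5.9", "Next.js:13.4.1"],
    "cpe": [
        {"cpe": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:*:*:*",
         "vendor": "vercel", "product": "next.js"},
        {"cpe": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*",
         "vendor": "apache", "product": "http_server"},
        {"cpe": "cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:*",
         "vendor": "getbootstrap", "product": "bootstrap"},
    ],
})

# Characters that may appear unescaped in a CPE 2.3 formatted-string component.
# A lone "-" means "not applicable", so the value must start with an alphanumeric.
SAFE_VERSION = re.compile(r"[0-9a-z][0-9a-z._-]*")

def norm(name):
    """Lowercase and collapse punctuation/spaces so names can be compared."""
    return re.sub(r"[^a-z0-9]+", "_", name.lower()).strip("_")

def tech_versions(tech):
    """Map normalized tech name -> version for entries shaped 'Name:version'."""
    found = {}
    for entry in tech:
        name, sep, version = entry.rpartition(":")
        version = version.strip().lower()
        if sep and SAFE_VERSION.fullmatch(version):
            found[norm(name)] = version
    return found

def fill_versions(record):
    """Return the record's CPE strings with '*' versions filled where tech has one."""
    versions = tech_versions(record.get("tech", []))
    filled = []
    for item in record.get("cpe", []):
        parts = re.split(r"(?<!\\):", item["cpe"])  # do not split on escaped '\:'
        # Heuristic: tech name equals the product, or "vendor product" together.
        keys = (norm(item["product"]), norm(item["vendor"] + "_" + item["product"]))
        version = next((versions[k] for k in keys if k in versions), None)
        if len(parts) == 13 and parts[5] == "*" and version:
            parts[5] = version  # index 5 is the version component
        filled.append(":".join(parts))
    return filled
```

Entries with no version in "tech" (Bootstrap in the sample) keep the wildcard, so they still need a manual check before being treated as unaffected.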