Web Application Fingerprinting with Static Files

Presented at DEF CON 18 (2010), July 30, 2010, 2 p.m. (20 minutes)

Web Application fingerprinting before 2010 has been a hodge-podge of different techniques, usually relying on meta tags or other clues helpfully added by well meaning (but security challenged) developers. Current hardening approaches hamper standard web application fingerprinting, but new static file techniques provide extremely high accuracy and require new hardening approaches. We will discuss implementation details of static file fingerprinting, demonstrate the effectiveness, and release both a fingerprinting tool and a hardening tool to help administrators harden their machines against this approach.

Presenters:

• Patrick Thomas - Vulnerability Detection Engineer (Qualys)
  Patrick Thomas is a graduate of Cal Poly and a Vulnerability Detection Engineer with Qualys. He works on automated vulnerability detection tools, malware analysis, pragmatic security, and dabbles in the security implications of public policy and vice versa. He percolates and occasionally dispenses ideas on the above at CoffeeToCode.net.

Links:

• https://defcon.org/html/defcon-18/dc-18-speakers.html#Thomas

Similar Presentations:

• Black Hat USA 2014 / Fingerprinting Web Application Platforms by Variations in PNG Implementations
• ToorCon San Diego 17 (2015) / New Techniques for Browser Fingerprinting
• DEF CON 11 (2003) / Revolutionizing Operating System Fingerprinting