BSides San Francisco

Voting on BSides SF presentations closes this Friday (Feb 2nd). If you’ll be in San Francisco for RSA, make sure to check out BSides as well. It’s also a chance to learn about a JavaScript-based approach to fingerprinting web app frameworks — but only if you vote for Blind Fury!

Blind Fury: An Alternate Web App Fingerprinting Technique

Web app fingerprinting attempts to identify the type and version of frameworks installed on a web site. Knowledge of frameworks and their version helps determine whether a site has kept up to date with security patches. Accurate fingerprinting can be more efficient and less intrusive than blackbox vulnerability scanning for identifying potential vulnerabilities.

Traditional approaches to fingerprinting web applications rely on brute force enumeration of pages, scraping content with regexes, or hybrids of the two. These are suboptimal. Page enumeration is bandwidth-intensive. Its accuracy falls when “install” files are removed or pages are minified. Regexes are prone to matching incorrect content or are defeated by simple site modification (such as removing <meta> content). These techniques tend to identify the presence of pages on a site, but do not indicate whether the files are actually used by the application.
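The two regex failure modes named above, shown on constructed pages. This is an added example, not code from Blind Fury or from this post; the patterns, the sample HTML, and the framework name and version numbers in it are illustrative assumptions.

```javascript
// Added example: why regex-based fingerprints misreport.
// Both patterns are hypothetical stand-ins for what a scraper might use.

// Loose: framework name followed by a version, anywhere in the page.
const LOOSE = /WordPress\s+(\d+(?:\.\d+)+)/i;
// Strict: only the generator <meta> tag counts.
const META = /<meta\s+name=["']generator["']\s+content=["']WordPress\s+(\d+(?:\.\d+)+)["']/i;

function fingerprint(html, pattern) {
  const m = pattern.exec(html);
  return m ? m[1] : null;
}

// Constructed sample pages; `truth` is the version actually in use.
const pages = [
  { name: "stock", truth: "3.3.1",
    html: '<head><meta name="generator" content="WordPress 3.3.1"></head>' +
          '<body><link href="/wp-content/themes/x/style.css"></body>' },
  // Same site after the owner strips the generator tag.
  { name: "metaRemoved", truth: "3.3.1",
    html: '<head></head><body><link href="/wp-content/themes/x/style.css"></body>' },
  // Static site whose article text merely mentions the framework.
  { name: "unrelated", truth: null,
    html: '<body><p>We migrated away from WordPress 2.9 last year.</p></body>' },
];

function verdict(found, truth) {
  if (found === truth) return "correct";
  return found === null ? "false negative" : "false positive";
}

function evaluate() {
  return pages.map(({ name, truth, html }) => {
    const loose = fingerprint(html, LOOSE);
    const meta = fingerprint(html, META);
    return { name, loose: verdict(loose, truth), meta: verdict(meta, truth) };
  });
}

console.table(evaluate());
```

Tightening the pattern removes the false positive on the unrelated page, but neither pattern recovers the version once the tag is gone.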

Blind Fury uses a new approach that does not rely on page enumeration or regexes. Yet it is still able to identify several popular frameworks. In fact, the technique can be extended to generate fingerprints for almost any type of web site. It can create and analyze fingerprints from a completely blackbox perspective; it does not require prior knowledge of a target’s directory structure.

If you love Rutger Hauer movies, vote for Blind Fury.

Fear not, regardless of the outcome of voting, I’ll be posting more about it at the end of the month.

p.s. Regular visitors may have noticed that the site has moved to WordPress.com from Blogger (saying good-bye to negative privacy and policy changes). The only drawback so far is that some of the archive links are broken because they were originally saved as year/month rather than year/month/day. All of the content remains, just under a slightly different link.