Web Application Fingerprinting with Static Files Whitepaper (Version 2)

File uploaded by Robert Dell'Immagine Employee on Jul 25, 2010Last modified by pthomas on Aug 4, 2010
Version 7Show Document
  • View in full screen mode

Abstract—While Operating System and Web Server fingerprinting are well established in the toolkit of penetration testers and network administrators, reliable tooling for fingerprinting at the application level has been slow to emerge. This paper introduces BlindElephant, a fast, accurate, and very generic web application fingerprinter that identifies application and plugin versions via static files. The paper also provides results from large-scale tests of the tool, and makes some observations about the state of web application security on the internet at large, and discusses future work on countermeasures and counter-countermeasures for static file fingerprinting.

 

BlackHat USA - July 28, 2010

Version 2 Update: August 3, 2010

Outcomes