Fingerprinting servers for OS details has been common practice in the hacker community for years. However, little attention has been given to fingerprinting the specific applications running on them. I’m not talking about determining what web server or OS you run; I want to know specifically what CMS, portal package or even what API you use!
What if you could go to a site and determine that the specific CMS version the target runs has a vulnerability with a published CVE (http://cve.mitre.org/cve/cve.html)? The answer is obvious, but how prevalent is this and how easy is that information to find? DAMN prevalent and DAMN easy (okay, it’s not all damn easy). The following are a few quick (and dirty) fingerprinting techniques to add to your arsenal. For the sake of brevity, we’ll limit this to identifying the application, not its specific version.
WordPress
- Search the source of any WordPress page for the generator meta tag (which reveals the version as WordPress X.Y).
- Look for links to wp-admin and wp-content.
- Try navigating to /wp-admin and look for a login screen (or just a 200 response).
Drupal
- Search the source for drupal.css; also check for system.css and the CSS files of specific modules (project.css, CCK, etc.).
- Look for links to “/sites/all/modules/*”, “/sites/default/*”.
- Navigate to “/user” and look for a login screen
(ehm…Whitehouse.gov)
Joomla
- Look for information in the generator meta tag (man, these CMSs are greedy for attention).
- Navigate to /components and look for a blank 200 page
- Try navigating to /administrator for a login prompt
Symfony Framework
- This one is a bit tricky… However, I was able to fingerprint InfosecIsland.com (hi guys!) by searching the source for any calls with an “sf” prefix, like “sfConfig”.
- I’m sure there are more ways… I don’t use this API though…
… The list goes on …
Good news and bad… The good news is that this can ALL be changed (and there are tons more indicators, by the way)!! The bad news is that it’s annoying and time-consuming. However, if you’re the guy who changes his Server header to “null” or “Windows” (on a Linux box), why not harden your web apps against fingerprinting too?
- Change path names (and/or use mod_rewrite where you can)
- Change CSS filenames
- Customize your theme files (and remove the `<!-- Header -->` comment cruft)
- Remove or spoof the generator tag
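As an added example (not code from the original post), here is a small self-audit script that runs the source-level checks from the lists above over a page's HTML, and shows how the "remove the generator tag" hardening step changes what the page gives away. The indicator list and the sample HTML are constructed here; the path-probing checks (/wp-admin, /user, /administrator, /components) need a live request and are left out.

```python
import re

# Source-level indicators for each application, following the checks in the post.
# Each entry is (label, regex): a hit records the label so the report says why.
# The meta-tag patterns assume name="..." precedes content="..." (constructed).
INDICATORS = {
    "WordPress": [
        ("generator meta tag", r'<meta[^>]+name="generator"[^>]+content="WordPress'),
        ("wp-content link", r"/wp-content/"),
        ("wp-admin link", r"/wp-admin"),
    ],
    "Drupal": [
        ("drupal.css", r"drupal\.css"),
        ("system.css", r"system\.css"),
        ("sites/all/modules path", r"/sites/all/modules/"),
        ("sites/default path", r"/sites/default/"),
    ],
    "Joomla": [
        ("generator meta tag", r'<meta[^>]+name="generator"[^>]+content="Joomla'),
        ("components path", r"/components/"),
    ],
    "Symfony": [("sf-prefixed identifier", r"\bsf[A-Z][A-Za-z]+")],
}

GENERATOR_RE = re.compile(r'<meta[^>]+name="generator"[^>]+content="([^"]*)"')

def fingerprint(html):
    """Return {app: [labels of indicators found]} for every app with a hit."""
    hits = {}
    for app, checks in INDICATORS.items():
        found = [label for label, pattern in checks if re.search(pattern, html)]
        if found:
            hits[app] = found
    return hits

def generator_tag(html):
    """Return the generator meta tag's content, or None if the page has none."""
    match = GENERATOR_RE.search(html)
    return match.group(1) if match else None

def strip_generator(html):
    """The 'remove the generator tag' hardening step: drop the whole meta tag."""
    return re.sub(r'\s*<meta[^>]+name="generator"[^>]*>', "", html)

# Constructed sample page: a stock WordPress head plus a wp-admin link.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 2.9.2" />
<link rel="stylesheet" href="/wp-content/themes/twentyten/style.css" />
</head><body><a href="/wp-admin/">Log in</a></body></html>"""
```

Run `fingerprint()` over a saved copy of your own front page to see which of the listed indicators it still leaks; stripping the generator tag alone still leaves the wp-content and wp-admin links to deal with.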
All easier said than done, I know…! Have fun…
Followup: Supposedly WAPF (http://www.mytty.org/) does a lot of this, but I haven’t been able to download a recent version to test… I get server errors… HA!
Followup 2: Prototype at http://consulting.themangolds.com/webprint/