HTTP Fingerprinting - the next generation presented at OWASP AppSecAsiaPac 2012

by Eldar Marcussen

Tags: Security

Summary: The Next Generation of HTTP Fingerprinting builds on existing web server fingerprinting research to accurately detect and identify load balancers, web application firewalls (WAFs), reverse proxies and web servers. In-depth analysis of HTTP traffic makes it possible to detect and identify the intermediate agents sitting in front of a web server, and some of the same techniques also reveal server configuration details such as which modules are loaded.
Today's tools for identifying web technologies don't do an adequate job of identifying the sub-components that make up the architecture. Most HTTP-based fingerprinting tools focus only on fingerprinting the web server(s) on the target or behind the load balancer. The tools that do identify load balancing, namely halberd and lbd, concentrate on enumerating the individual back ends without fingerprinting any of them.
By taking HTTP fingerprinting to the next level we can detect and identify both the intermediate agents and the web server. The existing tools aimed at detecting web application firewalls, for example waffit/wafW00f, rely on strings commonly used in malicious payloads and check whether the web application firewall blocks the request, so they depend on the WAF's rules. Through fault injection and fuzzing of request properties that RFC 2616 leaves vaguely defined, I was able to identify distinct responses in intermediary HTTP agents without relying on default/common WAF rules being enabled.
These tools and techniques make target identification more effective and speed up the detection of potentially vulnerable systems that are normally transparent to the client.
Two tools will be released along with the presentation: lbmap, which identifies and fingerprints load balancers, WAFs, reverse proxies and web servers, and aprof, which profiles Apache configuration, including determining which modules are loaded.
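The approach described above, as an added example written for this page (it is not lbmap or any code from the talk): a small set of probe requests that exercise corners RFC 2616 leaves under-specified, a reduction of each response to its implementation-specific parts, and a comparison of the resulting behaviour vector against known profiles. The probe set is illustrative, and the two profiles (ProxyAlpha, ProxyBeta), the back-end banner and every response byte string are constructed for the demonstration; they do not describe any real product.

```python
import socket

# Probe requests exercising corners RFC 2616 leaves under-specified.
# {host} is substituted by build_probe().
PROBES = {
    # Well-formed request: what most fingerprinters stop at.
    "baseline":     b"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n",
    # Unknown minor version: in practice agents answer 200, 400 or 505.
    "bad_version":  b"GET / HTTP/1.7\r\nHost: {host}\r\n\r\n",
    # Missing Host: s14.23 requires a 400, but proxies differ in how they say it.
    "no_host":      b"GET / HTTP/1.1\r\n\r\n",
    # absoluteURI request-line, normally only seen by forward proxies.
    "absolute_uri": b"GET http://{host}/ HTTP/1.1\r\nHost: {host}\r\n\r\n",
    # Duplicate Host: malformed under s4.2, and the response is unspecified.
    "dup_host":     b"GET / HTTP/1.1\r\nHost: {host}\r\nHost: other.invalid\r\n\r\n",
    # Oversized header field: limit and error code are implementation-specific.
    "big_header":   b"GET / HTTP/1.1\r\nHost: {host}\r\nX-Pad: " + b"A" * 16384 + b"\r\n\r\n",
}


def build_probe(name, host):
    return PROBES[name].replace(b"{host}", host.encode("ascii"))


def signature(raw):
    """Reduce a response head to the parts that vary between implementations:
    version, status, reason phrase, header names in original order and case,
    and the Server value. An empty response (agent closed the connection)
    becomes an all-empty signature, which is itself a distinguishing behaviour."""
    lines = raw.partition(b"\r\n\r\n")[0].split(b"\r\n")
    parts = lines[0].decode("latin-1", "replace").split(" ", 2)
    version, code, reason = (parts + ["", "", ""])[:3]
    names, server = [], ""
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        name = name.strip().decode("latin-1", "replace")
        names.append(name)
        if name.lower() == "server":
            server = value.strip().decode("latin-1", "replace")
    return (version, code, reason, tuple(names), server)


def fingerprint(responses):
    """probe name -> signature."""
    return {probe: signature(raw) for probe, raw in responses.items()}


def score(observed, profile):
    """Number of probes whose signature matches the profile exactly."""
    return sum(1 for probe, sig in observed.items() if profile.get(probe) == sig)


def identify(observed, profiles):
    """Best-matching profile name and its score (ties keep dict order)."""
    best = max(profiles, key=lambda name: score(observed, profiles[name]))
    return best, score(observed, profiles[best])


def send_probe(host, port, raw, timeout=5.0):
    """Send one probe on a fresh connection and return the response head.
    Live use only; the demonstration below runs on constructed responses."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw)
        try:
            while b"\r\n\r\n" not in buf:
                chunk = sock.recv(65536)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass  # a silent agent is recorded as an empty signature
    return buf


def _alpha(status, extra=b""):  # constructed response shape of hypothetical ProxyAlpha
    return b"HTTP/1.1 " + status + b"\r\nServer: ProxyAlpha\r\n" + extra + b"Content-Length: 0\r\n\r\n"


# Constructed behaviour profiles of two hypothetical intermediaries.
PROFILES = {
    "ProxyAlpha": fingerprint({
        "baseline":     _alpha(b"200 OK", b"Content-Type: text/html\r\n"),
        "bad_version":  _alpha(b"505 HTTP Version Not Supported"),
        "no_host":      _alpha(b"400 Bad Request"),
        "absolute_uri": _alpha(b"200 OK", b"Content-Type: text/html\r\n"),
        "dup_host":     _alpha(b"400 Bad Request"),
        "big_header":   _alpha(b"400 Bad Request", b"Connection: close\r\n"),
    }),
    "ProxyBeta": fingerprint({
        "baseline":     b"HTTP/1.1 200 OK\r\ncontent-type: text/html\r\nserver: ProxyBeta\r\ncontent-length: 0\r\n\r\n",
        "bad_version":  b"HTTP/1.1 200 OK\r\ncontent-type: text/html\r\nserver: ProxyBeta\r\ncontent-length: 0\r\n\r\n",
        "no_host":      b"HTTP/1.0 400 Bad Request\r\n\r\n",
        "absolute_uri": b"HTTP/1.1 400 Bad Request\r\nserver: ProxyBeta\r\ncontent-length: 0\r\n\r\n",
        "dup_host":     b"HTTP/1.1 200 OK\r\ncontent-type: text/html\r\nserver: ProxyBeta\r\ncontent-length: 0\r\n\r\n",
        "big_header":   b"",  # drops the connection without replying
    }),
}

# Constructed observation of an unknown target: behaves like ProxyAlpha on every
# probe except big_header, which a back end answered after the proxy passed it on.
OBSERVED = {
    "baseline":     _alpha(b"200 OK", b"Content-Type: text/html\r\n"),
    "bad_version":  _alpha(b"505 HTTP Version Not Supported"),
    "no_host":      _alpha(b"400 Bad Request"),
    "absolute_uri": _alpha(b"200 OK", b"Content-Type: text/html\r\n"),
    "dup_host":     _alpha(b"400 Bad Request"),
    "big_header":   b"HTTP/1.1 413 Request Entity Too Large\r\nServer: BackendHTTPd\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    print(identify(fingerprint(OBSERVED), PROFILES))  # ('ProxyAlpha', 5)
```

Against a live target you would replace OBSERVED with `{name: send_probe(host, 80, build_probe(name, host)) for name in PROBES}`. None of the probes carries an attack string, so a WAF that only inspects payloads has nothing to block; what gets compared is how each hop parses and rejects malformed requests, which is why the header name case and order, the reason phrase and the protocol version on error responses are kept in the signature rather than just the Server banner. The one mismatched probe in the constructed run is informative in its own right: a response with a different shape from the rest usually means that probe reached a different hop.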