blind elephant
play

Blind Elephant: Web Application Fingerprinting & Vulnerability - PowerPoint PPT Presentation

Jul 07, 2023 •137 likes •832 views

Blind Elephant: Web Application Fingerprinting & Vulnerability Inferencing Patrick Thomas Qualys 7/28/10 Outline Web Apps & Security Existing Fingerprinting Approaches Static File Approach Observations From A Net Survey

  1. Blind Elephant: Web Application Fingerprinting & Vulnerability Inferencing Patrick Thomas Qualys 7/28/10

  2. Outline • Web Apps & Security • Existing Fingerprinting Approaches • Static File Approach • Observations From A Net Survey • Q & A 2 BLACKHAT USA 2010

  3. Well-Known Web Applications • Every conceivable use… • Content Management/Blogging • Forums • Email • E-Commerce • DB Admin • Backup and File Storage Admin • Device/System/VM Admin • Version Control UI • Intranet/Collaboration 3 BLACKHAT USA 2010

  4. Well-Known Web Applications 4 BLACKHAT USA 2010

  5. Special Challenges Securing Web Apps • Remotely accessible by nature • Lots of attack surface exposed (direct and indirect) • Easy to set up and admin  Fly under IT radar 5 BLACKHAT USA 2010

  6. Special Challenges Securing Web Apps • Fast release cycle (often open-source) • Exploits are (often) simpler to create & comprehend “ wget http://example.com/wp-login.php?action=rp&key []=” “ wget –header “Cookie: tinybrowser_lang=../../../../../../../ZOMGSECRETS\r\ n” http://example.com/plugins/editors/tinymce/jscripts/tiny_mce/pl ugins/tinybrowser/folders.php • (…and of course everything the WAF vendors are saying) 6 BLACKHAT USA 2010

  7. WAS Is Overkill For Well-Known Apps • Known app + known-vulnerability list = traditional vulnerability management • Knowing the version is good enough to infer vulnerabilities • It‟s not nearly as sexy, but it works • Discovering the app and version  Fingerprinting 7 BLACKHAT USA 2010

  8. Existing Fingerprinting Approaches • Labor intensive to add/update signatures • Manually locate version in files or build regexes for headers • If selected strings go away, human effort to notice and update • Decent hardening pretty much nukes them • Built-in options to remove identifiers (eg, meta generator) • Remove standard files • Easy to lie to Fingerprinters like this: • Sedusa (in nmap), Wappalyzer, BackendInfo, Plecost, etc, etc… 8 BLACKHAT USA 2010

  9. More Advanced Tools • Typically improve in one area • Resistant to hardening • Less labor intensive • Have their own downsides • Less specific results • Some request massive amounts of data (> 20 megs!) • Some are less generic (Plecost = Wordpress Only) Fingerprinters like this: • Sucuri , WAFP, WhatWeb, BackEndInfo (sortof), 9 BLACKHAT USA 2010

  10. Goals for a (WebApp) Fingerprinter • Very Generic • Fast • Low resource usage • Accurate (Low FP/FN) • Resistant to hardening/banner removal • Super easy to support new versions/apps 10 BLACKHAT USA 2010

  11. The Blind Men and the Elephant 11 BLACKHAT USA 2010

  12. Collect and Eliminate Possibilities Tree or Elephant Fan or Elephant Spear or Elephant Vine or Elephant 12 BLACKHAT USA 2010

  13. Intersect the Possibilities and… 13 BLACKHAT USA 2010

  14. Preparing the Data Web App 1.0.2 Versions What versions 1.0.3 (eg, Joomla-*.zip) will a path give 1.0.4 Paths me info on? Table 2.0.1 If I want to confirm or rule out a 3.1.6 version/versions, Versions what‟s a path that Table will do that? 3.2.10 14 BLACKHAT USA 2010

  15. HashesTable PathsTable /templates/subSilver/admin/index_frameset.tpl File 74057e1687fa4edfd1ba0207e073e100 ['2.0'] wordpress-0.71-gold/*/*.* fc9388927f44fd90698936837070b525 ['2.0.1'] Hash  Version wordpress-0.72-beta-1/*/*.* 7ec0529fd736950a3dd0c7b66f7b5f2c ['2.0.2', … wordpress-0.72-RC1/*/*.* 264974c35d7a66d32ddfa118b1bc359d ['2.0.18', … Hash  Version wordpress-1.0.1-miles/*/*.* Hash  Version wordpress-1.0.1-RC1/*/*.* /install/schemas/schema_data.sql wordpress-1.0.2/*/*.* b1fdcba066491e22d7b2b84ace8c94e0 ['3.0.6-RC3'] wordpress-1.0.2-blakey/*/*.* 10d66666d443fb0eb5970c4c5cadc844 ['3.0.6'] wordpress-1.0-platinum/*/*.* 1129aeae10003398b500d11cc9b26acd ['3.0.5-RC1'] File wordpress-1.0-RC1/*/*.* 8db031ced0c0377ded71ebed82e14408 ['3.0.6-RC1'] Hash  Version wordpress-1.2.1/*/*.* 560143ba7cbcaa48b58d17a28970be04 ['3.0.2'] wordpress-1.2.2/*/*.* ad0ca453932b8cce946345a998403401 ['3.0.4'] Hash  Version wordpress-1.2-beta/*/*.* 59065f5fed0d801ab04a1eef7ca4fad4 ['3.0.4-RC1'] wordpress-1.2-delta/*/*.* Hash  Version 89e85ef960aef6f461cbe71907890057 ['2.2b'] wordpress-1.2-mingus/*/*.* e060676be3191f2a7bd95df62711e28d ['3.0.6-RC2'] wordpress-1.2-RC1/*/*.* ce2b47359e50e2a83fea2f3bbec9a8b1 ['3.0.5'] wordpress-1.2-RC2/*/*.* efb06c117f2681bedcc704ea10223394 ['3.0.3'] … 045634305e36af4fea75f3a95c415f49 ['3.0.6-RC4'] wordpress-2.9/*/*.* VersionsTable wordpress-2.9.1/*/*.* wordpress-2.9.1-beta1/*/*.* wordpress-2.9.1-beta1-IIS/*/*.* 3.0.3,3.0.4,3.0.4-RC1 Version, Version, Version wordpress-2.9.1-IIS/*/*.* ('/styles/prosilver/template/ucp_pm_viewmessage.html', '314fe5725db… wordpress-2.9.1-RC1/*/*.* File  Hash ('/styles/subsilver2/template/viewforum_body.html', 'f4002089f99384bf4… wordpress-2.9.1-RC1-IIS/*/*.* ('/adm/style/acp_styles.html', '39e7ad0dbeda3f8d7731e844eba62622') wordpress-2.9-beta-1/*/*.* File  Hash ('/styles/subsilver2/template/mcp_warn_user.html', '6fce7b9564afb5aa6d.. wordpress-2.9-beta-1-IIS/*/*.* ('/styles/prosilver/template/mcp_warn_user.html', 'c56f962be418102b8… File  Hash wordpress-2.9-beta-2/*/*.* ('/styles/subsilver2/template/index_body.html', '64c9a99b3b53f4… wordpress-2.9-beta-2-IIS/*/*.* ('/styles/prosilver/theme/content.css', '5f264fed8971c7d00e7092f48f379… wordpress-2.9-IIS/*/*.* …. wordpress-2.9-RC1/*/*.* Version 2.0.20,2.0.21 wordpress-2.9-RC1-IIS/*/*.* ('/language/lang_english/email/user_activate_passwd.tpl', '4375947c68… File  Hash wordpress-1.5-strayhorn/*/*.* ('/templates/subSilver/confirm_body.tpl', „1ead54515b2b537… wordpress-2.0.7-RC2/*/*.* File  Hash ('/templates/subSilver/admin/board_config_body.tpl', 'f8519d018f9850d… wordpress-2.2.1/*/*.* ('/language/lang_english/email/group_request.tpl', '6192f8bbb9e4596ad… wordpress-2.5.1/*/*.* ('/install/schemas/mssql_schema.sql', '045c0fcfaa4f89d771b07b66a74…. … ('/contrib/README.html', '61f46292c72f73935bcc2b74403d8b74„)

  16. How Many Files? Wordpress ~83k files in 166 versions phpBB ~17k files in 32 versions MediaWiki ~68k files in 68 versions Joomla ~109k files in 33 versions MovableType ~164k files in 95 versions Drupal ~33k files in 114 versions … and many more Wordpress Plugins ~103k files in 1200 versions Drupal Plugins ~76K files in 983 versions 16 BLACKHAT USA 2010

  17. Fingerprinting Fitness Heuristic Paths Best Candidates to Identify the Version Table '/htaccess.txt', 14 hashes/31 versions, fitness=15.0 '/language/en-GB/en-GB.ini', 14 hashes/20 versions, fitness=14.64 '/language/en-GB/en-GB.com_content.ini', 13 hashes/20 versions, fitness=13.64 '/configuration.php-dist', 10 hashes/28 versions, fitness=10.90 '/includes/js/joomla.javascript.js', 8 hashes/28 versions, fitness=8.90 '/media/system/js/validate.js', 8 hashes/20 versions, fitness=8.64 '/media/system/js/caption.js', 8 hashes/20 versions, fitness=8.64 '/language/en-GB/en-GB.mod_feed.ini', 8 hashes/20 versions, fitness=8.64 '/media/system/js/openid.js', 8 hashes/20 versions, fitness=8.64 '/language/en-GB/en-GB.com_contact.ini', 8 hashes/20 versions, fitness=8.64 '/language/en-GB/en-GB.mod_breadcrumbs.ini', 7 hashes/20 versions, fitness=7.64 '/media/system/js/combobox.js', 7 hashes/20 versions, fitness=7.64 '/language/en-GB/en-GB.mod_search.ini', 7 hashes/20 versions, fitness=7.64 '/templates/rhuk_milkyway/css/template.css', 7 hashes/20 versions, fitness=7.64 '/media/system/js/switcher.js', 7 hashes/20 versions, fitness=7.64 17 BLACKHAT USA 2010

  18. Candidate Files: Wordpress /readme.html /wp-includes/js/tinymce/tiny_mce.js /wp-includes/js/autosave.js /wp-includes/js/swfupload/handlers.js /wp-includes/js/tinymce/themes/advanced/about.htm /wp-includes/js/tinymce/themes/advanced/link.htm /wp-includes/js/tinymce/themes/advanced/source_editor.htm /wp-includes/js/tinymce/plugins/inlinepopups/editor_plugin.js /wp-includes/js/tinymce/themes/advanced/image.htm /wp-includes/js/tinymce/themes/advanced/color_picker.htm … 18 BLACKHAT USA 2010

  19. Candidate Files: Mediawiki /RELEASE-NOTES /skins/common/wikibits.js /install-utils.inc Fully data-driven /skins/monobook/main.css approach finds useful /docs/hooks.txt info in obscure and /HISTORY counterintuitive files /UPGRADE /skins/monobook/rtl.css /math/texutil.ml /INSTALL … 19 BLACKHAT USA 2010

  20. Fingerprinting 403 Best Candidates 404 '/htaccess.txt' '/language/en-GB/en-GB.ini' '/language/en-GB/en-GB.com_content.ini' 200 OK '/configuration.php-dist', '/includes/js/joomla.javascript.js' 200 OK '/media/system/js/validate.js' '/media/system/js/caption.js' 2.0.1, 2.0.2… '/language/en-GB/en-GB.mod_feed.ini' 200 OK 3.0.4-RC4, '/media/system/js/openid.js' 3.0.4 2.5.1, 2.3.16… '/language/en-GB/en-GB.com_contact.ini' 3.0.4-RC4, '/language/en-GB/en- 3.0.4 GB.mod_breadcrumbs.ini' '/media/system/js/combobox.js' '/language/en-GB/en-GB.mod_search.ini' '/templates/rhuk_milkyw/css/template.css' '/media/system/js/switcher.js' 3.0.4-RC4, 3.0.4-RC4, 3.0.4 3.0.4, 3.5 3.0.4-RC4, 3.0.4, 3.5.1 20 BLACKHAT USA 2010

  21. Winnowing (confirm or rule out versions) 3.0.0, 3.0.1 3.0.2, 3.0.3, 3.0.4-RC1, Versions 3.0.4-RC2 Table ? ? ? Darn, Not Enough Data 3.0.0 or 3.0.3? 3.0.5 or 3.0.1? 3.0.6? 3.0.4? 3.0.2? 21 BLACKHAT USA 2010

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

to the Background at 3 GHz B Jim Condon NRAO, Charlottesville The blind men and the elephant

to the Background at 3 GHz B Jim Condon NRAO, Charlottesville The blind men and the elephant

The Contribution of Galaxies to the Background at 3 GHz B Jim Condon NRAO, Charlottesville The blind men and the elephant Due to extreme delusion produced on account of a partial viewpoint, the immature deny one aspect and try to establish

634 views • 31 slides
The Blind Men and the Elephant: The Problem of Resource Adequacy in US Organized Power Markets

The Blind Men and the Elephant: The Problem of Resource Adequacy in US Organized Power Markets

The Blind Men and the Elephant: The Problem of Resource Adequacy in US Organized Power Markets Dr. Eric Gimon Senior Fellow Energy Innovation, LLC Each in his own opinion Exceeding stiff and strong, Though each was partly in the right, And

372 views • 21 slides
Measuring wellbeing A case of the blind men and the elephant? Introductory presentation made by

Measuring wellbeing A case of the blind men and the elephant? Introductory presentation made by

Measuring wellbeing - and changes to wellbeing - in Newcastle, 21 May 2013 Measuring wellbeing A case of the blind men and the elephant? Introductory presentation made by Helen Wilding, Wellbeing for Life development lead Introductory

351 views • 20 slides
N. Healing two blind men and a deaf mute Matthew 9:27 34 1. Matthew 9:27 These blind

N. Healing two blind men and a deaf mute Matthew 9:27 34 1. Matthew 9:27 These blind

N. Healing two blind men and a deaf mute Matthew 9:27 34 1. Matthew 9:27 These blind men called to Jesus using the Messianic title Son of David . Matthew implied that these blind men saw more than the Pharisees and other national leaders

639 views • 27 slides
YOUNG ELEPHANT CONTEST THE YOUNG ELEPHANT CONTEST The 1st contest devoted to the Young Event

YOUNG ELEPHANT CONTEST THE YOUNG ELEPHANT CONTEST The 1st contest devoted to the Young Event

Presents YOUNG ELEPHANT CONTEST THE YOUNG ELEPHANT CONTEST The 1st contest devoted to the Young Event professionals (< 28 y.old) will take place during the EuBEA Festival, the International Festival of Events and Live Communication, Seville

185 views • 3 slides
Elephant & Castle Urban Forest Interim Use Strategy Elephant Amenity Network 24 November 2011

Elephant & Castle Urban Forest Interim Use Strategy Elephant Amenity Network 24 November 2011

Elephant & Castle Urban Forest Interim Use Strategy Elephant Amenity Network 24 November 2011 Contributors Authorship of Images Adrian Glasspool Email applications for use of images and text should Ali Kaviani be addressed to

690 views • 57 slides
Bug bites Elephant? T est-driven Quality Assurance in Big Data Application Development Dr.

Bug bites Elephant? T est-driven Quality Assurance in Big Data Application Development Dr.

Bug bites Elephant? T est-driven Quality Assurance in Big Data Application Development Dr. Dominik Benz, Inovex GmbH 2013/06/03, Berlin Buzzwords Who speaks the Elephant language? Class A ? TDD! extends Mapper ? ? ROI, $$, ?

630 views • 34 slides
A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks databases into reveal l information by way of the success or failure of injected querie ies Analogous example le: Login prompt that stops ps

602 views • 14 slides
Breathe new life into a special part of Central London Elephant Parks new homes,

Breathe new life into a special part of Central London Elephant Parks new homes,

1 Breathe new life into a special part of Central London Elephant Parks new homes, shops, offices and restaurants are adding new energy to the Elephant. Mature trees and new, green, open spaces connected by tree-lined streets make

341 views • 8 slides
How I Got Run Over by the Carbon Elephant or Buildings

How I Got Run Over by the Carbon Elephant or Buildings

How I Got Run Over by the Carbon Elephant or Buildings as a Climate Change Solu2on Chris Magwood ONBC 2018 Where Im coming from A

479 views • 22 slides
CANADIANS WHO ARE BLIND, DEAF-BLIND, AND PARTIALLY- SIGHTED Keith D Gordon Ph.D. Senior

CANADIANS WHO ARE BLIND, DEAF-BLIND, AND PARTIALLY- SIGHTED Keith D Gordon Ph.D. Senior

THE IMPACT OF THE COVID-19 PANDEMIC ON CANADIANS WHO ARE BLIND, DEAF-BLIND, AND PARTIALLY- SIGHTED Keith D Gordon Ph.D. Senior Research Officer Canadian Council of the Blind COVID-19 Impact Survey Objective To determine the impact that

822 views • 36 slides
Quantifying Elephant Social Structure: Using a Bilinear Mixed Effects Model to Elicit Qualities

Quantifying Elephant Social Structure: Using a Bilinear Mixed Effects Model to Elicit Qualities

Quantifying Elephant Social Structure: Using a Bilinear Mixed Effects Model to Elicit Qualities of Elephant Behavior Eric Vance Institute of Statistics & Decision Sciences Duke University Graduate Student Research Day March 30, 2005

335 views • 33 slides
Blind/Visually Impaired Silvia Ludena Veronica Sarabia Katie Stoddard Huong Vo Blind/Visually

Blind/Visually Impaired Silvia Ludena Veronica Sarabia Katie Stoddard Huong Vo Blind/Visually

Blind/Visually Impaired Silvia Ludena Veronica Sarabia Katie Stoddard Huong Vo Blind/Visually Impaired Any loss of ability to gather information by seeing might be considered a visual impairment Total Blindness - vision Legally blind - is the

1.19k views • 42 slides
How do marula trees respond to elephant browsing? Rob Taylor, Peter Scogings & Dave Ward

How do marula trees respond to elephant browsing? Rob Taylor, Peter Scogings & Dave Ward

How do marula trees respond to elephant browsing? Rob Taylor, Peter Scogings & Dave Ward Elephants Important non-ruminants that consume woody plants in African savannas Little is known of the plant-level responses to elephant

180 views • 14 slides
AN EVALUATION OF THE DESIGN FOR COMMUNICATION OF THE PROPOSED ELEPHANT MANAGEMENT PLAN IN SOUTH

AN EVALUATION OF THE DESIGN FOR COMMUNICATION OF THE PROPOSED ELEPHANT MANAGEMENT PLAN IN SOUTH

AN EVALUATION OF THE DESIGN FOR COMMUNICATION OF THE PROPOSED ELEPHANT MANAGEMENT PLAN IN SOUTH AFRICAN NATIONAL PARKS. Kevin Moore Main research question : How effective is the elephant management communication plan likely to be in raising

186 views • 16 slides
Visual disability Low vision 2015 Estimated blind people 2020 Visually impaired 285 M Blind

Visual disability Low vision 2015 Estimated blind people 2020 Visually impaired 285 M Blind

Visual disability Low vision 2015 Estimated blind people 2020 Visually impaired 285 M Blind 54 M Blind 39 M Global data souce: WHO, IBU See the world through the eyes of a visually impaired person Normal vision Cataract Glaucoma

562 views • 28 slides
Kate Klaus, Esq. Courtney Young, Esq. January 16, 2018 Ripped from the Headlines: Medmarcs

Kate Klaus, Esq. Courtney Young, Esq. January 16, 2018 Ripped from the Headlines: Medmarcs

Kate Klaus, Esq. Courtney Young, Esq. January 16, 2018 Ripped from the Headlines: Medmarcs Risk Management Team Discusses Lessons Learned from Life Sciences in the News and What to Watch for in 2019 Agenda Opioid Update Digital Health

781 views • 41 slides
e s a e l e R MNC-I BUA Intel Daily Slides r o f d e v Nov 07 o r p p A

e s a e l e R MNC-I BUA Intel Daily Slides r o f d e v Nov 07 o r p p A

Declassified by: MG Michael X. Garrett, USCENTCOM Chief of Staff Declassified on: 201505 e s a e l e R MNC-I BUA Intel Daily Slides r o f d e v Nov 07 o r p p A CONFIDENTIAL//REL TO USA, MCFI//20171101// Declassified by: MG

872 views • 37 slides
HILTI: An Abstract Execution Environment for Deep, Stateful Network Traffic Analysis Robin

HILTI: An Abstract Execution Environment for Deep, Stateful Network Traffic Analysis Robin

HILTI: An Abstract Execution Environment for Deep, Stateful Network Traffic Analysis Robin Sommer International Computer Science Institute, & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org/robin A Tale

557 views • 21 slides
High-Impact Practices In States Ken ODonnell, Associate Vice President, CSU Dominguez Hills

High-Impact Practices In States Ken ODonnell, Associate Vice President, CSU Dominguez Hills

Taking Student Success to Scale High-Impact Practices In States Ken ODonnell, Associate Vice President, CSU Dominguez Hills Deborah Keyek-Franssen, Associate Vice President, University of Colorado System High Impact Practices Webinar

420 views • 28 slides
Direct Marketing Analytics with R useR! 2008 Dortmund, Germany August, 2008 Jim Porzak, Senior

Direct Marketing Analytics with R useR! 2008 Dortmund, Germany August, 2008 Jim Porzak, Senior

Direct Marketing Analytics with R useR! 2008 Dortmund, Germany August, 2008 Jim Porzak, Senior Director of Analytics Responsys, Inc. San Francisco, California Revised Sep08 Outline Introduction What is Direct Marketing (DM)? How

532 views • 24 slides
Strictification of Circular Programs J.P. Fernandes 1 J. Saraiva 1 D. Seidel 2 ander 2 J. Voigtl

Strictification of Circular Programs J.P. Fernandes 1 J. Saraiva 1 D. Seidel 2 ander 2 J. Voigtl

Strictification of Circular Programs J.P. Fernandes 1 J. Saraiva 1 D. Seidel 2 ander 2 J. Voigtl 1 University of Minho 2 University of Bonn IFIP WG 2.1 meeting #66 Multi-Traversal Programs data Tree a = Leaf a | Fork (Tree a ) (Tree a ) treemin

592 views • 55 slides
On the back-and-forth relation on Boolean Algebras. Antonio Montalb an. U. of Chicago AMS -

On the back-and-forth relation on Boolean Algebras. Antonio Montalb an. U. of Chicago AMS -

On the back-and-forth relation on Boolean Algebras. Antonio Montalb an. U. of Chicago AMS - NZMS joint meeting, December 2007 Joint work with Kenneth Harris (University of Michigan). Antonio Montalb an. U. of Chicago On the

408 views • 20 slides
Back to the future : the Back and Forth Nudging Scaling Up and Modeling for Transport and Flow in

Back to the future : the Back and Forth Nudging Scaling Up and Modeling for Transport and Flow in

Jacques Blum Didier Auroux University of Nice Sophia Antipolis University of Toulouse jblum@unice.fr auroux@math.univ-toulouse.fr Back to the future : the Back and Forth Nudging Scaling Up and Modeling for Transport and Flow in Porous Media

786 views • 27 slides

More recommend