Thursday, May 15, 2008

Client FingerPrint.

Leaving the classical server-attack paradigms behind, the newest attack trend is heading toward client-side attacks. In my opinion it makes sense, because nowadays the client side is more complex and therefore easier to exploit. Computec has recognized this problem and has started a really interesting project called "Advanced Web Browser Fingerprinting" (of course :).

The browserrecon project is doing research in the field of web client fingerprinting. The goal is the highly accurate identification of given web browser implementations. This has become important within professional vulnerability analysis (e.g. drive-by pharming and phishing).

Besides the discussion of different approaches and the documentation of gathered results, an implementation for automated analysis is also provided. This software is meant to improve the ease and efficiency of this kind of enumeration. Traditional approaches known from HTTP fingerprinting (e.g. header order) are used. However, many other analysis techniques were introduced to increase the possibilities of accurate web client fingerprinting. Some basics of application fingerprinting were already discussed in the book Die Kunst des Penetration Testing (Chapter 9.3, HTTP-Fingerprinting, pp. 530-550).
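As an added example of the header-order technique mentioned above (my own Python, not browserrecon's PHP code): a request whose User-Agent claims one client is still matched to another by the order in which its headers were sent, which is why header order is a useful signal for detecting spoofed or automated clients. The signature table and the sample request are constructed for this illustration.

```python
from typing import Dict, List, Tuple
# Constructed signature table (not browserrecon's database): client name ->
# the order in which that client is assumed to send its request headers.
SIGNATURES: Dict[str, List[str]] = {
    "browser-a": ["host", "user-agent", "accept", "accept-language",
                  "accept-encoding", "connection"],
    "browser-b": ["accept", "accept-language", "user-agent",
                  "accept-encoding", "host", "connection"],
    "cli-tool": ["host", "user-agent", "accept"],
}

# Constructed raw request: the User-Agent *claims* browser-b, but the header
# order is the one browser-a is assumed to use.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Browser-B/1.0\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en\r\n"
    "Accept-Encoding: gzip\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

def header_order(raw_request: str) -> List[str]:
    """Return the header names of a raw HTTP request in the order sent."""
    names: List[str] = []
    for line in raw_request.splitlines()[1:]:   # skip the request line
        if line == "":                          # blank line ends the headers
            break
        name, _, _ = line.partition(":")
        names.append(name.strip().lower())
    return names

def score(observed: List[str], expected: List[str]) -> float:
    """Fraction of adjacent pairs in `expected` seen in the same relative order
    in `observed`, normalised so a short signature cannot trivially match."""
    pos = {h: i for i, h in enumerate(observed)}
    pairs = list(zip(expected, expected[1:]))
    hits = sum(1 for a, b in pairs if a in pos and b in pos and pos[a] < pos[b])
    return hits / max(len(pairs), len(observed) - 1, 1)

def fingerprint(raw_request: str) -> List[Tuple[str, float]]:
    """Rank every signature against the request, best match first."""
    observed = header_order(raw_request)
    ranked = [(name, score(observed, sig)) for name, sig in SIGNATURES.items()]
    return sorted(ranked, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    for name, s in fingerprint(SAMPLE_REQUEST):
        print(f"{name:10s} {s:.2f}")   # browser-a 1.00 despite the Browser-B User-Agent
```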

One of the most interesting features is the easy and fast way to install it into your own source code. Written in PHP, it is enough to copy the browserrecon scripts to your web server; for example you might extract the downloaded archive into the directory /browserrecon. Afterwards you have to include the scripts. In PHP you can use the following call:

Afterwards you are able to access all functions of browserrecon within your application. To run an analysis of the client while it is accessing the site you can use the following call:

This will initiate the fingerprinting of the client based on the headers sent to request the given web document. Afterwards the result of the analysis is echoed. In this case you are able to show your visitors that you can determine their client software accurately.
You may download the script files and also the database files from here.
