[Owasp-testing] New article on Web Application Fingerprint

Eoin eoinkeary at gmail.com
Thu Dec 7 08:26:52 EST 2006


Thanks for updating that document.
I did it initially over the summer, now it is more exhaustive and complete.
Good job!!, Thanks Javier,
Eoin



On 07/12/06, Javier Fernandez-Sanguino <jfernandez at germinus.com> wrote:
>
> Mauro Bregolin wrote:
> > I would add looking at cookies as another viable technique to perform
> > fingerprinting. Depending on cookies names and formats it is possible to
> > infer what web server / application server is being used.
>
> True. It can also be used to detect elements inline which need to do
> per-session tracking and avoid sending users to different backend
> servers. Nortel's Application Switch (formerly Alteon), Arrowpoint, F5's
> BIG-IPs and others do this.
>
> >
> > The idea is documented in a couple of posts (and maybe in other places I am
> > not aware of)
> > http://seclists.org/pen-test/2006/Jan/att-0210/cookie_fingerprinting_txt
> > http://seclists.org/pen-test/2006/Jan/0249.html
> >
> > Don't know if Javier or others pursued further the idea or expanded the
> > cookie db.
>
> I did not pursue this much, attached is my latest version of the file.
> If you do some Google research on this subject you can probably fill it
> up more.
>
> Regards
>
> Javier
>
>
>
> Cookie Fingerprinting
> =====================
>
>
>
>
>
> BEA WebLogic (www.bea.com)
> ------------
>
> Set-Cookie: WebLogicSession=PLLHV8No5ImB2wUo2mupD49Bdo2HxEXq7OjhAAEl1EP6tMr1KbtI|-2011799079004677001/-1062729195/6/7001/7001/7002/7002/7001/-1|-3433517045111774782/-1062729194/6/7001/7001/7002/7002/7001/-1; path=/
>
>
> Sane NetTracker (www.sane.com)
> ---------------
>
> Set-Cookie: SaneID=213.63.123.42-1018349510644; path=/; expires=Tue,
> 09-Apr-07 06:51:50 GMT; domain=.sane.com
>
>
> Vignette (www.vignette.com)
> --------
>
> Set-Cookie:  ssuid=Maxliw00vvM00001fbb6Oxn0wa; path= /; expires=Saturday,
> 06-Sep-2014 23:50:08 GMT
> Set-Cookie:  vgnvisitor=Mawd0M00heY0000~fBiFkE0035; path= /;
> expires=Saturday, 06-Sep-2014 23:50:08 GMT
>
>
> Microsoft IIS (www.microsoft.com)
> -------------
>
> Format:
> Set-Cookie: ASPSESSIONIDXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXX; path=/
> where 'X' is an upper case letter
>
> Sample:
> Set-Cookie: ASPSESSIONIDGQQGQYDC=KDGFBFGBLPNCMIIELPAINNJH; path=/
>
> Microsoft ASP.Net (www.microsoft.com)
> -----------------
>
> Set-Cookie: ASP.NET_SessionId=0hqed4qelkxvjj153tplacm0; path=/
>
>
> IBM Net.Commerce (www.ibm.com)
> ----------------
>
> Set-cookie:  SESSION_ID=203363,JdjXE+hB9ph06hBJ4NSD04uHsq/FktC/rNib7MJjNS3jk5fXEK9XBtkAx0zI7NkI;
> path=/;
>
>
> Netscape Enterprise Server (www.sun.com)
> --------------------------
>
> Set-cookie: NSES40Session=2%253A3e57d375%253Adc59172283a7e72c;path=/;expires=Sat, 22-Feb-2003 20:15:57 GMT
>
>
> iPlanet (www.sun.com)
> -------
>
> Set-Cookie: iPlanetUserId=213.23.123.42:29511018555049; EXPIRES=Friday,
> 31-Dec-2010 23:59:59 GMT; DOMAIN=.iplanet.com; PATH=/
>
>
> RealMedia OpenAdStream ()
> ----------------------
>
> Set-Cookie: RMID=d442af2b3d1ccf30; expires=Fri, 31-Dec-2010 23:59:59 GMT;
> path=/; domain=.xxxx.net
>
>
> Caucho Resin ()
> ------------
>
> Set-Cookie: JSESSIONID=afbx7QRlFZje; path=/
>
>
> Jakarta Tomcat/JSERV (jakarta.apache.org/tomcat/)
> --------------------
>
> Set-Cookie: JSESSIONID=4ah34a8xo1;Path=/
>
>
> Macromedia Jrun (www.macromedia.com)
> ---------------
>
> Set-Cookie: JSESSIONID=80302068121025709931685;path=/
>
>
> Roxen Web Server (www.roxen.com)
> ----------------
>
> Set-Cookie: RoxenUserID=07761bc31df67ae8c4441a89bc7ceed5
>
>
> ApacheJServ (java.apache.org/jserv)
> -----------
>
> Set-Cookie: JServSessionIdroot=vvni7vxu8n; path=/
>
>
> IBM Tivoli Policy Director WebSeal (www.ibm.com)
> ----------------------------------
> Format:
> Set-Cookie:
> PD-S-SESSION-ID=2_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; Path=/;
> Secure
> where 'x' is {[A-Z],[a-z],[0-9],+,-}
>
> Example:
> Set-Cookie: PD-S-SESSION-ID=2_L7kl8vzZ9b8LMEwpm0PgqqQRIh2ZZakRamBlgvMXqIIAABDZ; Path=/; Secure
>
> When accessing a stateful session:
> Set-Cookie: PD_STATEFUL_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx=/LOCATION; Path=/
>
> WEBTRENDS ()
> ---------
>
> Set-Cookie: WEBTRENDS_ID=223.53.123.13-1091519275.658578; expires=Fri,
> 31-Dec-2010 00:00:00 GMT; path=/
>
>
> IBM WebSphere Application Server ()
> ---------------------------------
>
> Set-Cookie: sesessionid=ZJ0DMWIAAA51VQFI50BD0VA;Path=/
>
>
> Sun Java System Application Server (Netscape/iPlanet Application Server)
> -----------------------------------------------------------------------
>
> Set-Cookie: gx_session_id_=f42d0282513ff402; path=/
>
>
> OpenMarket/FatWire Content Server (www.fatwire.com)
> ---------------------------------
>
> Set-Cookie: SS_X_CSINTERSESSIONID=0001P73k2FUEYEU4Ks5TtKxcs2K:vv0b9pej;
> path=/
> Set-Cookie: CSINTERSESSIONID=0001xquPwAx2NFUFvi7yw-43f35:vv7sdeqs;Path=/
>
>
> Siebel CRM
> ----------
>
> Set-Cookie: _sn=u3YBSdYfaf0oa5H1hz7Tc0ccApc0T1Iz60QWgeSiMEA_; Version=1;
> Path=/
>
> BlueCoat Proxy (www.bluecoat.com)
> --------------------------
>
> Set-Cookie: BCSI-CSC2B35314=1; Path=/
>
> Coldfusion (www.macromedia.com)
> ----------
>
> CFID, CFTOKEN, and CFGLOBALS
>
> More info at
> http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_17919
> http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_17915
>
> Urchin Tracking Module
> ----------------------
>
> __utmz
> __utma
>
> More info at:
>
> http://www.google.com/support/urchin45/bin/answer.py?answer=28307&topic=7425
>
> HAproxy
> -------
>
> SERVERID
>
> More info at: http://haproxy.1wt.eu/download/1.2/doc/architecture.txt
>
> TBD
> ---
>
> These still need to be determined:
>
> ASNINFO
> CNBOOK
> -- Are they IIS related?
>
>
> (http://z.iwethey.org/forums/render/content/show?contentid=273077)
>
> PHPSESSION : session identifier for PHP.
> ASP.NET_Sessionid : session identifier for ASP.NET
> __utma, __utmb, __utmc, __utmv : Urchin Tracking Module (I see these a
> lot)
> sc_id, s_sq, s_sess (probably others) : Omniture (I see these a lot, too)
> - they own 2o7.net, FWIW
> BIGipServer* : BigIP load balancer from F5? (I thought they were a network
> like Akamai)
> CP=null* : no idea, yet I see it a lot
> he=lo : also no idea
> bblastactivity, bblastvisit (probably others) : some sort of bulletin
> board software
> T3CK : no idea. I see this one a fair bit, too.
> MintUnique, Mint* : again, I dunno, but I see it from time to time.
> WEBTRENDS_ID : I imagine this is probably WebTrends.
>
> The MintUnique and Mint* stuff come from a (fairly nice, if you're just
> looking for personal use) stats package called Mint [*]. It's popular among
> the web-design crowd.
>
>
> I know the __utm* and the s_* cookies are for tracking website usage. The
> basic way they work is to give you a uniqueID and then see what pages you
> load from that site with it. This data is used to see which pages are
> popular, which links are more often followed, how often people come back to
> the site, and so on. There's more to it than that, of course, but that's the
> purpose. Of course, there are a lot of people who don't understand that's
> what those cookies are for, or don't want to be individually tracked, or
> don't like cookies generally, so such statistics have high error margins. I
> see a lot of sites use several methods, perhaps for this reason.
>
> Enabling application level persistence between a server and another
> resource over a network
> Document Type and Number:       United States Patent 6970933
> Link to this Page:      http://www.freepatentsonline.com/6970933.html
> Abstract:       A method and system for inserting and examining Cookies in
> the data streams of HTTP connections for the purpose of persistently
> directing HTTP connections to the same destination. The invention enables a
> network device to direct subsequent HTTP connections from the same client to
> the same server (destination) for accessing the requested resources. There
> are four modes for employing the Cookie to persistently direct HTTP
> connections. The associative mode inserts a Cookie that uniquely identifies
> the client into an HTTP response. The passive mode inserts Cookie
> information that uniquely identifies a previously selected destination into
> an HTTP response. In the rewrite mode, a network device manages the
> destination information that is rewritten over blank Cookie information
> generated by the destination producing the HTTP response. The insert mode
> inserts and removes Cookie information in the data packets for HTTP requests
> and responses prior to processing by the destination.
>
>


-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project
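
The cookie list quoted above can be turned into a check that an operator runs over their own responses to see which products the cookie names disclose. This is an added example, not part of the original thread or of Javier's attachment; the prefix wildcards, the product label "F5 BIG-IP" and the sample response are assumptions constructed for illustration.

```python
import re

# (pattern matched against the whole cookie name, candidate products).
# Names come from the list quoted above; the prefix wildcards are assumptions.
SIGNATURES = [
    (r"WebLogicSession", ["BEA WebLogic"]),
    (r"ASPSESSIONID[A-Z]{8}", ["Microsoft IIS"]),
    (r"ASP\.NET_SessionId", ["Microsoft ASP.Net"]),
    (r"NSES40Session", ["Netscape Enterprise Server"]),
    # The list shows the same name for three products, so report all of them.
    (r"JSESSIONID", ["Caucho Resin", "Jakarta Tomcat/JSERV", "Macromedia Jrun"]),
    (r"JServSessionId.*", ["ApacheJServ"]),
    (r"PD-S-SESSION-ID|PD_STATEFUL_.+", ["IBM Tivoli Policy Director WebSeal"]),
    (r"CFID|CFTOKEN|CFGLOBALS", ["Coldfusion"]),
    (r"SERVERID", ["HAproxy"]),
    (r"BIGipServer.*", ["F5 BIG-IP"]),
]

def cookie_names(raw_headers):
    """Return cookie names set by a raw header block, unfolding wrapped lines."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    names = []
    for line in unfolded.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() == "set-cookie" and "=" in value:
            names.append(value.split("=", 1)[0].strip())
    return names

def disclosed_products(raw_headers):
    """Map each recognised cookie name to the product(s) it points to."""
    findings = {}
    for name in cookie_names(raw_headers):
        for pattern, products in SIGNATURES:
            if re.fullmatch(pattern, name):
                findings[name] = products
    return findings

# Constructed sample response (values reuse the formats shown in the list).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: ASPSESSIONIDGQQGQYDC=KDGFBFGBLPNCMIIELPAINNJH; path=/\r\n"
    "Set-cookie: JSESSIONID=4ah34a8xo1;Path=/\r\n"
    "Set-Cookie: BIGipServerpool_web=constructed-value;\r\n"
    "  path=/\r\n"
    "Set-Cookie: theme=dark; path=/\r\n"
)

if __name__ == "__main__":
    for name, products in disclosed_products(SAMPLE).items():
        print(f"{name}: {' or '.join(products)}")
```

A name that maps to several products, such as JSESSIONID, narrows the stack without identifying it, so a finding of that kind needs a second signal before it is treated as a disclosure.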