[Owasp-testing] New article on Web Application Fingerprint

Jeff Williams jeff.williams at aspectsecurity.com
Thu Dec 7 09:19:59 EST 2006


Maybe we can get the data into an OWASP page as part of the Guide?

 

http://www.owasp.org/index.php/Category:OWASP_Cookies_Database 

 

--Jeff

 

________________________________

From: owasp-testing-bounces at lists.owasp.org
[mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Thursday, December 07, 2006 8:27 AM
To: Javier Fernandez-Sanguino
Cc: antonio parata; owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] New article on Web Application Fingerprint

 

Thanks for updating that document.

I did it initially over the summer, now it is more exhaustive and
complete.

Good job!!, Thanks Javier,

Eoin



 

On 07/12/06, Javier Fernandez-Sanguino <jfernandez at germinus.com> wrote: 

Mauro Bregolin wrote:
> I would add looking at cookies as another viable technique to perform
> fingerprinting. Depending on cookie names and formats it is possible to
> infer what web server / application server is being used.

True. It can also be used to detect elements inline which need to do
per-session tracking and avoid sending users to different backend
servers. Nortel's Application Switch (formerly Alteon), Arrowpoint, F5's
BIG-IPs and others do this.

>
> The idea is documented in a couple of posts (and maybe in other places I am
> not aware of)
>
> http://seclists.org/pen-test/2006/Jan/att-0210/cookie_fingerprinting_txt
> http://seclists.org/pen-test/2006/Jan/0249.html
>
> Don't know if Javier or others pursued further the idea or expanded the
> cookie db.

I did not pursue this much, attached is my latest version of the file.
If you do some Google research on this subject you can probably fill it
up more.

Regards

Javier



Cookie Fingerprinting
=====================





BEA WebLogic (www.bea.com)
------------

Set-Cookie: WebLogicSession=PLLHV8No5ImB2wUo2mupD49Bdo2HxEXq7OjhAAEl1EP6tMr1KbtI|-2011799079004677001/-1062729195/6/7001/7001/7002/7002/7001/-1|-3433517045111774782/-1062729194/6/7001/7001/7002/7002/7001/-1; path=/


Sane NetTracker (www.sane.com)
---------------

Set-Cookie: SaneID=213.63.123.42-1018349510644; path=/; expires=Tue, 09-Apr-07 06:51:50 GMT; domain=.sane.com


Vignette (www.vignette.com)
--------

Set-Cookie:  ssuid=Maxliw00vvM00001fbb6Oxn0wa; path= /; expires=Saturday, 06-Sep-2014 23:50:08 GMT
Set-Cookie:  vgnvisitor=Mawd0M00heY0000~fBiFkE0035; path= /; expires=Saturday, 06-Sep-2014 23:50:08 GMT


Microsoft IIS (www.microsoft.com)
-------------

Format:
Set-Cookie: ASPSESSIONIDXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXX; path=/
where 'X' is an upper case letter

Sample:
Set-Cookie: ASPSESSIONIDGQQGQYDC=KDGFBFGBLPNCMIIELPAINNJH; path=/

Microsoft ASP.Net (www.microsoft.com)
-----------------

Set-Cookie: ASP.NET_SessionId=0hqed4qelkxvjj153tplacm0 ; path=/


IBM Net.Commerce (www.ibm.com)
----------------

Set-cookie: SESSION_ID=203363,JdjXE+hB9ph06hBJ4NSD04uHsq/FktC/rNib7MJjNS3jk5fXEK9XBtkAx0zI7NkI; path=/;


Netscape Enterprise Server (www.sun.com)
--------------------------

Set-cookie: NSES40Session=2%253A3e57d375%253Adc59172283a7e72c;path=/;expires=Sat, 22-Feb-2003 20:15:57 GMT


iPlanet (www.sun.com)
-------

Set-Cookie: iPlanetUserId=213.23.123.42:29511018555049; EXPIRES=Friday, 31-Dec-2010 23:59:59 GMT; DOMAIN=.iplanet.com; PATH=/


RealMedia OpenAdStream ()
----------------------

Set-Cookie: RMID=d442af2b3d1ccf30; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.xxxx.net


Caucho Resin ()
------------

Set-Cookie: JSESSIONID=afbx7QRlFZje; path=/ 


Jakarta Tomcat/JSERV (jakarta.apache.org/tomcat/)
--------------------

Set-Cookie: JSESSIONID=4ah34a8xo1;Path=/


Macromedia Jrun (www.macromedia.com)
---------------

Set-Cookie: JSESSIONID=80302068121025709931685;path=/


Roxen Web Server (www.roxen.com)
----------------

Set-Cookie: RoxenUserID=07761bc31df67ae8c4441a89bc7ceed5 


ApacheJServ (java.apache.org/jserv)
-----------

Set-Cookie: JServSessionIdroot=vvni7vxu8n; path=/


IBM Tivoli Policy Director WebSeal (www.ibm.com)
----------------------------------

Format:
Set-Cookie: PD-S-SESSION-ID=2_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; Path=/; Secure
where 'x' is {[A-Z],[a-z],[0-9],+,-}

Example:
Set-Cookie: PD-S-SESSION-ID=2_L7kl8vzZ9b8LMEwpm0PgqqQRIh2ZZakRamBlgvMXqIIAABDZ; Path=/; Secure

When accessing a stateful session:
Set-Cookie: PD_STATEFUL_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx=/LOCATION; Path=/

WEBTRENDS ()
---------

Set-Cookie: WEBTRENDS_ID=223.53.123.13-1091519275.658578; expires=Fri, 31-Dec-2010 00:00:00 GMT; path=/


IBM WebSphere Application Server ()
--------------------------------- 

Set-Cookie: sesessionid=ZJ0DMWIAAA51VQFI50BD0VA;Path=/


Sun Java System Application Server (Netscape/iPlanet Application Server)
-----------------------------------------------------------------------

Set-Cookie: gx_session_id_=f42d0282513ff402; path=/


OpenMarket/FatWire Content Server (www.fatwire.com)
---------------------------------

Set-Cookie: SS_X_CSINTERSESSIONID=0001P73k2FUEYEU4Ks5TtKxcs2K:vv0b9pej; path=/
Set-Cookie: CSINTERSESSIONID=0001xquPwAx2NFUFvi7yw-43f35:vv7sdeqs;Path=/


Siebel CRM
----------

Set-Cookie: _sn=u3YBSdYfaf0oa5H1hz7Tc0ccApc0T1Iz60QWgeSiMEA_; Version=1; Path=/

BlueCoat Proxy ( www.bluecoat.com)
--------------------------

Set-Cookie: BCSI-CSC2B35314=1; Path=/

Coldfusion (www.macromedia.com)
---------- 

CFID, CFTOKEN, and CFGLOBALS

More info at
http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_17919
http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_17915

Urchin Tracking Module
----------------------

__utmz
__utma

More info at:
http://www.google.com/support/urchin45/bin/answer.py?answer=28307&topic=7425

HAproxy
-------

SERVERID

More info at: http://haproxy.1wt.eu/download/1.2/doc/architecture.txt 

TBD
---

These still need to be determined:

ASNINFO
CNBOOK
-- Are they IIS related?


(http://z.iwethey.org/forums/render/content/show?contentid=273077 )

PHPSESSION : session identifier for PHP.
ASP.NET_Sessionid : session identifier for ASP.NET
__utma, __utmb, __utmc, __utmv : Urchin Tracking Module (I see these a lot)
sc_id, s_sq, s_sess (probably others) : Omniture (I see these a lot, too) - they own 2o7.net, FWIW
BIGipServer* : BigIP load balancer from F5? (I thought they were a network like Akamai)
CP=null* : no idea, yet I see it a lot
he=lo : also no idea
bblastactivity, bblastvisit (probably others) : some sort of bulletin board software
T3CK : no idea. I see this one a fair bit, too.
MintUnique, Mint* : again, I dunno, but I see it from time to time.
WEBTRENDS_ID : I imagine this is probably WebTrends.

The MintUnique and Mint* stuff come from a (fairly nice, if you're just
looking for personal use) stats package called Mint [*]. It's popular
among the web-design crowd. 


I know the __utm* and the s_* cookies are for tracking website usage.
The basic way they work is to give you a uniqueID and then see what
pages you load from that site with it. This data is used to see which
pages are popular, which links are more often followed, how often people
come back to the site, and so on. There's more to it than that, of
course, but that's the purpose. Of course, there are a lot of people who
don't understand that's what those cookies are for, or don't want to be
individually tracked, or don't like cookies generally, so such
statistics have high error margins. I see a lot of sites use several
methods, perhaps for this reason. 

Enabling application level persistence between a server and another resource over a network
Document Type and Number: United States Patent 6970933
Link to this Page: http://www.freepatentsonline.com/6970933.html
Abstract: A method and system for inserting and examining Cookies
in the data streams of HTTP connections for the purpose of persistently
directing HTTP connections to the same destination. The invention
enables a network device to direct subsequent HTTP connections from the
same client to the same server (destination) for accessing the requested
resources. There are four modes for employing the Cookie to persistently
direct HTTP connections. The associative mode inserts a Cookie that
uniquely identifies the client into an HTTP response. The passive mode
inserts Cookie information that uniquely identifies a previously
selected destination into an HTTP response. In the rewrite mode, a
network device manages the destination information that is rewritten
over blank Cookie information generated by the destination producing the
HTTP response. The insert mode inserts and removes Cookie information in
the data packets for HTTP requests and responses prior to processing by
the destination. 








-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html 
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project 
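
Added example, not part of the original thread or of Javier's file: a small Python matcher that applies a subset of the cookie names listed above to captured Set-Cookie headers, useful for checking which of your own responses disclose the platform through default cookie names. The function names and the "theme" cookie are made up for illustration; the other sample headers are copied from the list.

```python
import re

# Cookie-name patterns and product labels taken from the list in this thread.
# A name may map to several products: three entries share JSESSIONID.
SIGNATURES = [
    (r"WebLogicSession", "BEA WebLogic"),
    (r"ASPSESSIONID[A-Z]{8}", "Microsoft IIS"),
    (r"ASP\.NET_SessionId", "Microsoft ASP.Net"),
    (r"NSES40Session", "Netscape Enterprise Server"),
    (r"iPlanetUserId", "iPlanet"),
    (r"RoxenUserID", "Roxen Web Server"),
    (r"PD-S-SESSION-ID|PD_STATEFUL_.+", "IBM Tivoli Policy Director WebSeal"),
    (r"JSESSIONID", "Caucho Resin"),
    (r"JSESSIONID", "Jakarta Tomcat/JSERV"),
    (r"JSESSIONID", "Macromedia Jrun"),
]

# Sample headers copied from the list, plus one constructed cookie ("theme")
# that no signature should match.
SAMPLE_HEADERS = [
    "Set-Cookie: ASPSESSIONIDGQQGQYDC=KDGFBFGBLPNCMIIELPAINNJH; path=/",
    "Set-cookie: NSES40Session=2%253A3e57d375%253Adc59172283a7e72c;path=/",
    "Set-Cookie: JSESSIONID=4ah34a8xo1;Path=/",
    "Set-Cookie: theme=dark; path=/",
]

def cookie_name(header_line):
    """Return the cookie name from one Set-Cookie header line, else None."""
    field, sep, value = header_line.partition(":")
    if not sep or field.strip().lower() != "set-cookie":
        return None  # header field names are case-insensitive
    name = value.split(";", 1)[0].split("=", 1)[0].strip()
    return name or None

def fingerprint(header_lines):
    """Map each recognised cookie name to every product that uses it."""
    findings = {}
    for line in header_lines:
        name = cookie_name(line)
        if name is None:
            continue
        products = [p for pat, p in SIGNATURES if re.fullmatch(pat, name)]
        if products:
            findings[name] = products
    return findings

if __name__ == "__main__":
    for name, products in fingerprint(SAMPLE_HEADERS).items():
        print(f"{name}: {', '.join(products)}")
```

JSESSIONID comes back with three candidate products, so a cookie name alone narrows the platform without always identifying it; renaming default session cookies removes the signal entirely.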
