[Owasp-testing] New article on Web Application Fingerprint

Matteo Meucci matteo.meucci at gmail.com
Thu Dec 7 09:27:31 EST 2006


I agree,
we can put this on line and add a link to this page from the Web
Application Fingerprint section.
Javier what do you think about that?

Mat


On 12/7/06, Jeff Williams <jeff.williams at aspectsecurity.com> wrote:
>
>
>
>
> Maybe we can get the data into an OWASP page as part of the Guide?
>
>
>
> http://www.owasp.org/index.php/Category:OWASP_Cookies_Database
>
>
>
>
> --Jeff
>
>
>
>  ________________________________
>
>
> From: owasp-testing-bounces at lists.owasp.org
> [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of
> Eoin
>  Sent: Thursday, December 07, 2006 8:27 AM
>  To: Javier Fernandez-Sanguino
>  Cc: antonio parata; owasp-testing at lists.owasp.org
>  Subject: Re: [Owasp-testing] New article on Web Application Fingerprint
>
>
>
>
>
> Thanks for updating that document.
>
>
>
> I did it initially over the summer, now it is more exhaustive and complete.
>
>
> Good job!!, Thanks Javier,
>
>
> Eoin
>
>
>
>
>
>
>
> On 07/12/06, Javier Fernandez-Sanguino <jfernandez at germinus.com> wrote:
>
> Mauro Bregolin wrote:
>  > I would add looking at cookies as another viable technique to perform
>  > fingerprinting. Depending on cookies names and formats it is possible to
>  > infer what web server / application server is being used.
>
>  True. It can also be used to detect elements inline which need to do
>  per-session tracking and avoid sending users to different backend
>  servers. Nortel's Application Switch (formerly Alteon), Arrowpoint, F5's
>  BIG-IPs and others do this.
>
>  >
>  > The idea is documented in a couple of posts (and maybe in other places I am
>  > not aware of)
>  >
>  > http://seclists.org/pen-test/2006/Jan/att-0210/cookie_fingerprinting_txt
>  > http://seclists.org/pen-test/2006/Jan/0249.html
>  >
>  > Don't know if Javier or others pursued further the idea or expanded the
>  > cookie db.
>
>  I did not pursue this much, attached is my latest version of the file.
>  If you do some Google research on this subject you can probably fill it
>  up more.
>
>  Regards
>
>  Javier
>
>
>
>  Cookie Fingerprinting
>  =====================
>
>
>
>
>
>  BEA WebLogic (www.bea.com)
>  ------------
>
>  Set-Cookie: WebLogicSession=PLLHV8No5ImB2wUo2mupD49Bdo2HxEXq7OjhAAEl1EP6tMr1KbtI|-2011799079004677001/-1062729195/6/7001/7001/7002/7002/7001/-1|-3433517045111774782/-1062729194/6/7001/7001/7002/7002/7001/-1; path=/
>
>
>  Sane NetTracker (www.sane.com)
>  ---------------
>
>  Set-Cookie: SaneID=213.63.123.42-1018349510644; path=/; expires=Tue, 09-Apr-07 06:51:50 GMT; domain=.sane.com
>
>
>  Vignette (www.vignette.com)
>  --------
>
>  Set-Cookie:  ssuid=Maxliw00vvM00001fbb6Oxn0wa; path= /; expires=Saturday, 06-Sep-2014 23:50:08 GMT
>  Set-Cookie:  vgnvisitor=Mawd0M00heY0000~fBiFkE0035; path= /; expires=Saturday, 06-Sep-2014 23:50:08 GMT
>
>
>  Microsoft IIS (www.microsoft.com)
>  -------------
>
>  Format:
>  Set-Cookie: ASPSESSIONIDXXXXXXXX=XXXXXXXXXXXXXXXXXXXXXXXX; path=/
>  where 'X' is an upper case letter
>
>  Sample:
>  Set-Cookie: ASPSESSIONIDGQQGQYDC=KDGFBFGBLPNCMIIELPAINNJH; path=/
>
>  Microsoft ASP.Net (www.microsoft.com)
>  -----------------
>
>  Set-Cookie: ASP.NET_SessionId=0hqed4qelkxvjj153tplacm0 ; path=/
>
>
>  IBM Net.Commerce (www.ibm.com)
>  ----------------
>
>  Set-cookie: SESSION_ID=203363,JdjXE+hB9ph06hBJ4NSD04uHsq/FktC/rNib7MJjNS3jk5fXEK9XBtkAx0zI7NkI; path=/;
>
>
>  Netscape Enterprise Server (www.sun.com)
>  --------------------------
>
>  Set-cookie: NSES40Session=2%253A3e57d375%253Adc59172283a7e72c;path=/;expires=Sat, 22-Feb-2003 20:15:57 GMT
>
>
>  iPlanet (www.sun.com)
>  -------
>
>  Set-Cookie: iPlanetUserId=213.23.123.42:29511018555049; EXPIRES=Friday, 31-Dec-2010 23:59:59 GMT; DOMAIN=.iplanet.com; PATH=/
>
>
>  RealMedia OpenAdStream ()
>  ----------------------
>
>  Set-Cookie: RMID=d442af2b3d1ccf30; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.xxxx.net
>
>
>  Caucho Resin ()
>  ------------
>
>  Set-Cookie: JSESSIONID=afbx7QRlFZje; path=/
>
>
>  Jakarta Tomcat/JSERV (jakarta.apache.org/tomcat/)
>  --------------------
>
>  Set-Cookie: JSESSIONID=4ah34a8xo1;Path=/
>
>
>  Macromedia Jrun ( www.macromedia.com)
>  ---------------
>
>  Set-Cookie: JSESSIONID=80302068121025709931685;path=/
>
>
>  Roxen Web Server (www.roxen.com)
>  ----------------
>
>  Set-Cookie: RoxenUserID=07761bc31df67ae8c4441a89bc7ceed5
>
>
>  ApacheJServ (java.apache.org/jserv)
>  -----------
>
>  Set-Cookie: JServSessionIdroot=vvni7vxu8n; path=/
>
>
>  IBM Tivoli Policy Director WebSeal ( www.ibm.com)
>  ----------------------------------
>  Format:
>  Set-Cookie: PD-S-SESSION-ID=2_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; Path=/; Secure
>  where 'x' is {[A-Z],[a-z],[0-9],+,-}
>
>  Example:
>  Set-Cookie: PD-S-SESSION-ID=2_L7kl8vzZ9b8LMEwpm0PgqqQRIh2ZZakRamBlgvMXqIIAABDZ; Path=/; Secure
>
>  When accessing a stateful session:
>  Set-Cookie: PD_STATEFUL_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx=/LOCATION; Path=/
>
>  WEBTRENDS ()
>  ---------
>
>  Set-Cookie: WEBTRENDS_ID=223.53.123.13-1091519275.658578; expires=Fri, 31-Dec-2010 00:00:00 GMT; path=/
>
>
>  IBM WebSphere Application Server ()
>  ---------------------------------
>
>  Set-Cookie: sesessionid=ZJ0DMWIAAA51VQFI50BD0VA;Path=/
>
>
>  Sun Java System Application Server (Netscape/iPlanet Application Server)
>  -----------------------------------------------------------------------
>
>  Set-Cookie: gx_session_id_=f42d0282513ff402; path=/
>
>
>  OpenMarket/FatWire Content Server (www.fatwire.com)
>  ---------------------------------
>
>  Set-Cookie: SS_X_CSINTERSESSIONID=0001P73k2FUEYEU4Ks5TtKxcs2K:vv0b9pej; path=/
>  Set-Cookie: CSINTERSESSIONID=0001xquPwAx2NFUFvi7yw-43f35:vv7sdeqs;Path=/
>
>
>  Siebel CRM
>  ----------
>
>  Set-Cookie: _sn=u3YBSdYfaf0oa5H1hz7Tc0ccApc0T1Iz60QWgeSiMEA_; Version=1; Path=/
>
>  BlueCoat Proxy ( www.bluecoat.com)
>  --------------------------
>
>  Set-Cookie: BCSI-CSC2B35314=1; Path=/
>
>  Coldfusion (www.macromedia.com)
>  ----------
>
>  CFID, CFTOKEN, and CFGLOBALS
>
>  More info at
> http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_17919
> http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_17915
>
>  Urchin Tracking Module
>  ----------------------
>
>  __utmz
>  __utma
>
>  More info at:
> http://www.google.com/support/urchin45/bin/answer.py?answer=28307&topic=7425
>
>  HAproxy
>  -------
>
>  SERVERID
>
>  More info at:
> http://haproxy.1wt.eu/download/1.2/doc/architecture.txt
>
>  TBD
>  ---
>
>  These need to be determined yet:
>
>  ASNINFO
>  CNBOOK
>  -- Are they IIS related?
>
>
>  (http://z.iwethey.org/forums/render/content/show?contentid=273077)
>
>  PHPSESSION : session identifier for PHP.
>  ASP.NET_Sessionid : session identifier for ASP.NET
>  __utma, __utmb, __utmc, __utmv : Urchin Tracking Module (I see these a lot)
>  sc_id, s_sq, s_sess (probably others) : Omniture (I see these a lot, too) -
> they own 2o7.net, FWIW
>  BIGipServer* : BigIP load balancer from F5? (I thought they were a network
> like Akamai)
>  CP=null* : no idea, yet I see it a lot
>  he=lo : also no idea
>  bblastactivity, bblastvisit (probably others) : some sort of bulletin board
> software
>  T3CK : no idea. I see this one a fair bit, too.
>  MintUnique, Mint* : again, I dunno, but I see it from time to time.
>  WEBTRENDS_ID : I imagine this is probably WebTrends.
>
>  The MintUnique and Mint* stuff come from a (fairly nice, if you're just
> looking for personal use) stats package called Mint [*]. It's popular among
> the web-design crowd.
>
>
>  I know the __utm* and the s_* cookies are for tracking website usage. The
> basic way they work is to give you a uniqueID and then see what pages you
> load from that site with it. This data is used to see which pages are
> popular, which links are more often followed, how often people come back to
> the site, and so on. There's more to it than that, of course, but that's the
> purpose. Of course, there are a lot of people who don't understand that's
> what those cookies are for, or don't want to be individually tracked, or
> don't like cookies generally, so such statistics have high error margins. I
> see a lot of sites use several methods, perhaps for this reason.
>
>  Enabling application level persistence between a server and another
> resource over a network
>  Document Type and Number:       United States Patent 6970933
>  Link to this Page:
> http://www.freepatentsonline.com/6970933.html
>  Abstract:       A method and system for inserting and examining Cookies in
> the data streams of HTTP connections for the purpose of persistently
> directing HTTP connections to the same destination. The invention enables a
> network device to direct subsequent HTTP connections from the same client to
> the same server (destination) for accessing the requested resources. There
> are four modes for employing the Cookie to persistently direct HTTP
> connections. The associative mode inserts a Cookie that uniquely identifies
> the client into an HTTP response. The passive mode inserts Cookie
> information that uniquely identifies a previously selected destination into
> an HTTP response. In the rewrite mode, a network device manages the
> destination information that is rewritten over blank Cookie information
> generated by the destination producing the HTTP response. The insert mode
> inserts and removes Cookie information in the data packets for HTTP requests
> and responses prior to processing by the destination.
>
>
>  _______________________________________________
>  Owasp-testing mailing list
>  Owasp-testing at lists.owasp.org
>  http://lists.owasp.org/mailman/listinfo/owasp-testing
>
>
>
>
>
>
>  --
>  Eoin Keary OWASP - Ireland
>  http://www.owasp.org/local/ireland.html
>  http://www.owasp.org/index.php/OWASP_Testing_Project
>  http://www.owasp.org/index.php/OWASP_Code_Review_Project


-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
http://www.owasp.org/index.php/Italy
OWASP Testing Guide AoC lead
http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide
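
The cookie list quoted above can be turned into a small lookup for reviewing what your own application's responses disclose. This is an added example, not part of the original thread: the signature table is built from the names in the list, while the function names and the "F5 BIG-IP" label are assumptions made here. It reports every candidate for an ambiguous name such as JSESSIONID and checks the value format only where the list gives one (IIS).

```python
import re

# (name pattern, optional value pattern, product heading used in the thread's list)
SIGNATURES = [
    (r"ASPSESSIONID[A-Z]{8}", r"[A-Z]{24}", "Microsoft IIS"),
    (r"ASP\.NET_SessionId", None, "Microsoft ASP.Net"),
    (r"WebLogicSession", None, "BEA WebLogic"),
    (r"JSESSIONID", None, "Caucho Resin"),
    (r"JSESSIONID", None, "Jakarta Tomcat/JSERV"),
    (r"JSESSIONID", None, "Macromedia Jrun"),
    (r"JServSessionId.*", None, "ApacheJServ"),
    (r"PD-S-SESSION-ID|PD_STATEFUL_.+", None, "IBM Tivoli Policy Director WebSeal"),
    (r"BIGipServer.*", None, "F5 BIG-IP"),
    (r"SERVERID", None, "HAproxy"),
    (r"CFID|CFTOKEN|CFGLOBALS", None, "Coldfusion"),
    (r"__utm[a-z]", None, "Urchin Tracking Module"),
]

def parse_set_cookie(line):
    """Return (name, value) from a Set-Cookie header line, or None if malformed."""
    header, sep, rest = line.partition(":")
    if not sep or header.strip().lower() != "set-cookie":
        return None
    pair = rest.split(";", 1)[0]  # attributes (path, expires, ...) are ignored
    name, eq, value = pair.partition("=")
    if not eq or not name.strip():
        return None
    return name.strip(), value.strip()

def candidates(name, value):
    """List every product whose name (and value, if given) pattern matches."""
    return [p for n, v, p in SIGNATURES
            if re.fullmatch(n, name) and (v is None or re.fullmatch(v, value))]

def fingerprint(lines):
    """Map each recognised cookie name to its candidate products."""
    found = {}
    for parsed in map(parse_set_cookie, lines):
        if parsed and candidates(*parsed):
            found[parsed[0]] = candidates(*parsed)
    return found

# First two headers are samples from the list above; the last two are constructed.
SAMPLE = [
    "Set-Cookie: ASPSESSIONIDGQQGQYDC=KDGFBFGBLPNCMIIELPAINNJH; path=/",
    "Set-Cookie: JSESSIONID=4ah34a8xo1;Path=/",
    "Set-Cookie: ASPSESSIONIDABCDEFGH=not-an-iis-value; path=/",
    "Set-cookie: SERVERID",
]
```

A name that maps to several products, or to none, means the cookie alone is not enough to identify the platform.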

