Today at Black Hat USA 2010 in Las Vegas, Qualys will unveil an open source web application fingerprinting engine that identifies application and plugin versions via static files.
The tool, dubbed “BlindElephant,” is designed to detect which applications and plugins are in use at a site, and whether the versions are outdated. BlindElephant relies on hashes of static resource files within the application to identify a version number, an approach that differs from other web application fingerprinting tools.
Many common Web applications, such as blogging software, online forums, e-commerce, databases, email and many others can present security challenges, and as vulnerabilities are discovered, it’s important to identify and update software with the latest and most secure versions.
“Standard web applications are commonly targeted by attackers and then subverted for malware distribution,” said Wolfgang Kandek, CTO of Qualys. “We are releasing the BlindElephant tool as an open source project in order to allow users to protect themselves and monitor their web applications. It is also an initial stepping stone to work with the community to increase the number of fingerprinted web applications.”
It’s important to note that BlindElephant does NOT check for vulnerabilities or for susceptibility to a particular exploit; it shows which versions of applications are running on a particular Web site. This can identify outdated versions, which in many cases tend to be less secure.
“The goal of the tool is to provide ‘situational awareness,’ rather than specific vulnerabilities in an application,” said Patrick Thomas, a vulnerability researcher at Qualys and creator of BlindElephant.
On the technical side, for each application that BlindElephant supports, it consumes a number of version directories (one per released version of the application). All files and directories in each version directory are processed, and a hash is computed for each file. This hash is stored in a temporary table, along with the file's path and the version of the application it came from.
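To make the hash-table approach concrete, here is an added illustration (not BlindElephant's own code) of the same idea: walk a set of release directories, hash every file into a (path, hash) → versions table, then narrow the candidate versions of a deployment by intersecting the version sets of the static files observed there. The release trees, file contents and version numbers are constructed for the example; real fingerprinting uses the vendor's actual release archives.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample release trees ({relative path: content}) for two made-up versions.
SAMPLE_RELEASES = {
    "1.0": {"readme.txt": "app 1.0\n", "js/app.js": "var v=1;\n"},
    "1.1": {"readme.txt": "app 1.1\n", "js/app.js": "var v=1;\n"},
}

def build_table(release_dirs):
    table = defaultdict(set)  # (relative path, hash) -> versions shipping that exact file
    for version, root in release_dirs.items():
        for dirpath, _, files in os.walk(root):  # every file in every directory
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    table[(rel, hashlib.sha256(fh.read()).hexdigest())].add(version)
    return table

def fingerprint(table, observed):
    """observed: {relative path: bytes fetched from a deployment}. Each known
    (path, hash) pair narrows the candidates by intersection; an unknown hash
    (e.g. a locally modified file) is skipped rather than ruling versions out."""
    candidates = None
    for rel, data in observed.items():
        versions = table.get((rel, hashlib.sha256(data).hexdigest()))
        if versions is not None:
            candidates = set(versions) if candidates is None else candidates & versions
    return candidates or set()

def write_sample_releases(base):  # materialise SAMPLE_RELEASES on disk
    roots = {}
    for version, files in SAMPLE_RELEASES.items():
        roots[version] = root = Path(base, version)
        for rel, content in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content)
    return roots

def demo():
    with tempfile.TemporaryDirectory() as base:
        table = build_table(write_sample_releases(base))
        exact = fingerprint(table, {"readme.txt": b"app 1.1\n", "js/app.js": b"var v=1;\n"})
        shared = fingerprint(table, {"js/app.js": b"var v=1;\n"})   # ambiguous: both ship it
        modified = fingerprint(table, {"readme.txt": b"custom\n"})  # unknown hash: no evidence
        return exact, shared, modified
```

Files that are byte-identical across releases (app.js here) never narrow the result, which is why a fingerprinting database is only as discriminating as the files that actually change between versions.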
The tool was tested by a large-scale survey on Internet-visible hosts with common applications such as WordPress, Drupal, Joomla!, MediaWiki, MovableType, phpBB, phpMyAdmin, and more. Patrick Thomas will introduce BlindElephant and the research results in a session at Black Hat USA 2010 on July 28 at 3:15 p.m. PDT.
As an open source tool, BlindElephant is free and available now for download from: http://blindelephant.sourceforge.net/