Ajax Fingerprinting for Web 2.0 Applications
by Shreeraj Shah - net square - Tuesday, 30 January 2007.
Fingerprinting is an age old concept and one that adds great value to assessment methodologies. There are several tools available for fingerprinting operating systems (nmap), Web servers (httprint), devices, etc. Each one of these tools uses a different method inspecting the TCP stack, ICMP responses, HTTP responses. With this evolution of Web 2.0 applications that use Ajax extensively, it is important to fingerprint Ajax tools, framework or library used by a particular web site or a page. This paper describes the method of doing Ajax fingerprinting with a simple prototype serving as an example.

Ajax fingerprinting can help in deriving the following benefits:
  • Vulnerability detection Knowledge of the framework on which a web application is running, allows the mapping of publicly known vulnerabilities found for that particular framework. Example DWR client side vulnerability.
  • Architecture enumeration On the basis of derived information from fingerprinting it is possible to guess application architecture and inner working of a system. Example Atlas (.NET application framework), DWR (Servelet/JavaScript combo).
  • Assessment methodology Derived information from the fingerprinting phase can help in defining future assessment path and vulnerability detection methods. Example Deciding on JavaScript-scanning.
Download the paper in PDF format here.

Spotlight

Staples customers likely the latest victims of credit card breach

Posted on 21 October 2014.  |  Multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Thu, Oct 23rd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //