Introduction to Web Application Fingerprinting
2010-10-30 ~ Brendan Coles <bcoles at gmail dot com>
The process of discovering which web applications, and which versions of them, are running on a target domain is known as web application fingerprinting. Effective fingerprinting enables a penetration tester to deliver targeted exploits, since knowing the version is enough to infer the likely vulnerabilities.
Open Source Tools
BlindElephant Web Application Fingerprinter
The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.
plecost - Wordpress fingerprinting tool
plecost is a WordPress fingerprinting tool that searches for and retrieves information about the versions of plugins installed on WordPress systems. It can analyze a single URL or perform an analysis based on the results indexed by Google. It also displays the CVE identifier associated with each plugin, where one exists.
Plecost retrieves the information contained on web sites powered by WordPress, and also allows a search across the results indexed by Google.
WAFP - Web Application Finger Printer
WAFP fetches the files specified by its fingerprints from a web server and checks whether the checksums of those files match the checksums stored in the fingerprints. This way it is able to detect the detailed version, and even the build number, of a web application.
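The static-file hashing technique that both BlindElephant and WAFP rely on, as an added example written for this page (not code from either tool): precompute hashes of static files across every known release, hash what the target actually serves, and intersect the matching version sets. The release trees, file paths and the target site are constructed sample data.

```python
"""Static-file version fingerprinter in the BlindElephant/WAFP style.
Release trees, paths and the target site are constructed sample data."""
import hashlib
from collections import defaultdict

# Constructed "releases": version -> {static file path: file content}.
RELEASES = {
    "1.0": {"/js/app.js": b"var v=1;", "/css/main.css": b"body{}", "/readme.txt": b"r1"},
    "1.1": {"/js/app.js": b"var v=1;", "/css/main.css": b"body{margin:0}", "/readme.txt": b"r1"},
    "2.0": {"/js/app.js": b"var v=2;", "/css/main.css": b"body{margin:0}", "/readme.txt": b"r2"},
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_db(releases):
    """Precompute path -> {hash: set(versions)} from every known release."""
    db = defaultdict(lambda: defaultdict(set))
    for version, files in releases.items():
        for path, content in files.items():
            db[path][sha256(content)].add(version)
    return db

def fingerprint(db, fetch):
    """Infer candidate versions from the static files a site serves.
    fetch(path) returns the file bytes, or None when the file is absent.
    Each recognised file narrows the candidates by set intersection; a
    missing file or an unrecognised hash (locally modified file) carries
    no version evidence and is skipped rather than ruling versions out.
    """
    candidates, evidence = None, []
    for path, hashes in db.items():
        body = fetch(path)
        if body is None:
            continue
        versions = hashes.get(sha256(body))
        if not versions:
            evidence.append((path, "unknown hash (modified?)"))
            continue
        evidence.append((path, sorted(versions)))
        candidates = set(versions) if candidates is None else candidates & versions
    return sorted(candidates or []), evidence

# Constructed target: a 1.1 install whose readme has been deleted.
SITE = {"/js/app.js": b"var v=1;", "/css/main.css": b"body{margin:0}"}

if __name__ == "__main__":
    versions, evidence = fingerprint(build_db(RELEASES), SITE.get)
    print("candidate versions:", versions, "evidence:", evidence)
```

Against a real site, `fetch` would be an HTTP GET returning `None` on 404; the per-file evidence list is what lets you see which files pinned the version and which had been modified by the site owner.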
WhatWeb
WhatWeb identifies content management systems (CMS), blogging platforms, stats/analytics packages, JavaScript libraries, web servers and more. When you visit a website in your browser the transaction includes many unseen hints about how the web server is set up and what software is delivering the web page. Some of these hints are obvious, e.g. "Powered by XYZ", and others are more subtle. WhatWeb recognises these hints and reports what it finds.
Online Tools
ShodanHQ - Computer Search Engine
ShodanHQ returns the HTTP header and country, and fingerprints some hardware devices. Full results require registration.
Wepawet
Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files. No registration required.
Sucuri
Sucuri's online web application fingerprinter covers JavaScript libraries, MediaWiki, WordPress and Joomla. It also returns results for DNS, blacklisting status and whois. Full results require registration.
WhatWeb.net - web interface for WhatWeb
Web interface for the latest stable build of WhatWeb. No registration required.
HackerTarget.com : WhatWeb Scan
Web interface for the latest stable build of WhatWeb. Registration required and the results are delivered by email.
Lots of information about HTTP server names. No registration required.
Comparison
Here is a rather simplistic comparison between the open source web application fingerprinting tools available as at 2010-10-30, and nikto.
![Comparison of Open Source Web Application Fingerprinting Tools [2010-10-30]](http://whatweb.net/fingerprint-stats.png)
Resources
ITSecurityPortal.org - Footprinting
Penetration Testing for Web Applications (Part One)
sucuri.net - Fingerprinting web applications
Blind Elephant: Web Application Fingerprinting & Vulnerability Inferencing