Fingerprinting is an important preliminary step when auditing web applications. But the usual techniques based on the analysis of cookies, headers, and static files are easy to fool. Fingerprinting digital images is a technique commonly used for forensic investigations but rarely for security audits. Moreover, it is mostly based on the analysis of JPEG images only. In this talk we study the implementation differences between a number of PNG decoders/encoders, either build-in or commonly used with the main web application development platforms. As a result, we give a set of tests that can discriminate between various PNG libraries. As a consequence, it is often possible to identify the platform behind a website even when an effort has been made to prevent fingerprinting, as long as said website allows the upload of PNG images.
Dominique Bongard is the founder of 0xcite, a Swiss company focusing on security for mobile and embedded devices. His previous position, which lasted eight years, consisted of leading the Threat Intelligence team for Kudelski Nagravision. Dominique is an experienced reverse engineer and he regularly competes in Capture The Flag events.