Standard known web applications such as blogging, forum and e-commerce software make up over half of the active web applications on the Internet. Vulnerabilities in these applications (and their plugins) are discovered at an accelerated rate and abused for site defacement and increasingly to serve malware.
Website administrators need to keep track of the versions of these web applications installed and update them to a non-vulnerable release. Remote web application fingerprinting is a technique to identify the version of a known web application through only its publicly available files and to use the data to report on vulnerabilities of the application.
The presentation will detail the steps in this fingerprinting process, including full automation from database seeding to remote probing. It will then illustrate use of the detection technique on a number of well known websites to show what applications and plugins are installed and what vulnerabilities are resident on these sites. The presentation will discuss how our techniques are able to produce order of magnitude improvements over existing implementations.
In conjunction with this talk, I will also release a free community tool implementing the described techniques with more examples.
Qualys Patrick Thomas is an information security researcher at Qualys. In addition to work in web-app and host-based vulnerability detection he spends time searching for 0-days and trying to help non-technologists understand the implications of information (in)security. Patrick holds a BS in Computer Science from Cal Poly, San Luis Obispo.