Web Application fingerprinting before 2010 has been a hodge-podge of different techniques, usually relying on meta tags or other clues helpfully added by well meaning (but security challenged) developers. Current hardening approaches hamper standard web application fingerprinting, but new static file techniques provide extremely high accuracy and require new hardening approaches. We will discuss implementation details of static file fingerprinting, demonstrate the effectiveness, and release both a fingerprinting tool and a hardening tool to help administrators harden their machines against this approach.
Patrick Thomas is a graduate of Cal Poly and a Vulnerability Detection Engineer with Qualys. He works on automated vulnerability detection tools, malware analysis, pragmatic security, and dabbles in the security implications of public policy and vice versa. He percolates and occasionally dispenses ideas on the above at CoffeeToCode.net.