Modern web applications are generally composed of multiple layers of different software and technologies, and current tools (httpx included) fingerprint based on pattern matching (keywords, regexes, presence of specific headers, etc.), which ignores all the layers between the client and the final server. For example, an app with a configuration like:
client => cloudflare/akamai => haproxy => nginx => http server
will only be analysed at the final layer, plus whatever response headers the intermediate layers add.
The purpose of this task is to introduce a new recon method based on triggering technology-specific parsing errors in intermediate layers: the layer that fails to parse the request rejects it, and that rejection provides a fingerprint for that specific technology. Passing through an intermediate layer implies that it parsed the request correctly (passthrough).
Errors can be detected heuristically against a baseline response for the various frameworks via a set-distance metric such as Jaccard, taking into consideration features such as the status code and meaningful parts of the headers and body.
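The baseline comparison described above, as an added example in Go (httpx's language) that is not part of httpx or of this proposal's code: it derives a feature set from a raw HTTP response (status code, header names, the values of a few headers that tend to identify a layer, and word tokens from the body), computes the Jaccard distance between two such sets, and flags a candidate response whose distance from the baseline exceeds a threshold. The two responses, the list of "meaningful" headers and the 0.5 threshold are constructed for illustration and are assumptions, not httpx settings.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"regexp"
	"strings"
)

// FeatureSet is the set of response traits compared between a baseline and a
// candidate response.
type FeatureSet map[string]struct{}

// meaningfulHeaders are headers whose values are kept as features; every other
// header contributes only its name. The list is an assumption for this example.
var meaningfulHeaders = map[string]bool{
	"server": true, "via": true, "x-powered-by": true, "connection": true,
}

// wordRe extracts lowercase word tokens of at least three characters from the body.
var wordRe = regexp.MustCompile(`[a-z][a-z0-9_-]{2,}`)

// Extract parses a raw HTTP/1.x response and derives its feature set.
func Extract(raw string) (FeatureSet, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	fs := FeatureSet{}
	fs[fmt.Sprintf("status:%d", resp.StatusCode)] = struct{}{}
	for name, values := range resp.Header {
		lname := strings.ToLower(name)
		fs["header:"+lname] = struct{}{}
		if meaningfulHeaders[lname] {
			for _, v := range values {
				fs["header:"+lname+"="+strings.ToLower(strings.TrimSpace(v))] = struct{}{}
			}
		}
	}
	for _, w := range wordRe.FindAllString(strings.ToLower(string(body)), -1) {
		fs["body:"+w] = struct{}{}
	}
	return fs, nil
}

// JaccardDistance returns 1 - |A∩B| / |A∪B|; 0 means identical feature sets.
func JaccardDistance(a, b FeatureSet) float64 {
	if len(a) == 0 && len(b) == 0 {
		return 0
	}
	inter := 0
	for k := range a {
		if _, ok := b[k]; ok {
			inter++
		}
	}
	union := len(a) + len(b) - inter
	return 1 - float64(inter)/float64(union)
}

// Deviates reports whether candidateRaw is far enough from baselineRaw
// (distance above threshold) to be treated as a distinct error page; the
// computed distance is returned as well.
func Deviates(baselineRaw, candidateRaw string, threshold float64) (float64, bool, error) {
	a, err := Extract(baselineRaw)
	if err != nil {
		return 0, false, err
	}
	b, err := Extract(candidateRaw)
	if err != nil {
		return 0, false, err
	}
	d := JaccardDistance(a, b)
	return d, d > threshold, nil
}

// Constructed sample responses for illustration; not captured from any host.
// BaselineResponse stands for the origin's normal reply, RejectedResponse for
// a hypothetical rejection emitted by an intermediate layer.
const BaselineResponse = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html><body>Welcome to the app</body></html>"
const RejectedResponse = "HTTP/1.1 400 Bad Request\r\nServer: nginx\r\nContent-Type: text/html\r\nVia: 1.1 edge-proxy\r\n\r\n<html><body>400 Bad Request</body></html>"

func main() {
	d, dev, err := Deviates(BaselineResponse, RejectedResponse, 0.5)
	if err != nil {
		panic(err)
	}
	fmt.Printf("distance=%.3f deviates=%v\n", d, dev)
}
```

The feature set is deliberately coarse: header order and exact body layout are ignored, so minor origin-side variation stays close to the baseline while a different status code and a different error body push the distance up. In a real run the baseline should be collected several times first, so that the threshold can be set above the origin's own response jitter.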
Proposed approach
Given a generic RFC-compliant HTTP request in the canonical form:
Method URI Protocol/VersionMajor.VersionMinor
HeaderName: HeaderValue
\n
Body
it should be converted to a generic Backus-Naur form with one level of nesting, where symbols are divided into terminal and non-terminal ones. The symbols can follow two types of expansion:
Literal: only terminal symbols, by picking a random value among the available ones and applying potential string mutators
Node: non-terminal symbols are expanded into other symbols (for example <method> => <uri>)
Differently from classical fuzzing, this approach might help unveil parsing errors and identify technology-specific errors that differ from the baseline of the original request. In particular, when the expansion is applied to headers like Content-Length or chunked transfer encoding, it can unveil potential desync issues, which fit particularly well with identifying the various layers.
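The grammar expansion described above, as an added example in Go that is not part of httpx or of this proposal's code: a tiny grammar for the canonical request form, Literal symbols whose terminal value is picked and passed through a string mutator, Node symbols whose sequence is expanded recursively, and a check of which generated variants a strict parser (Go's own net/http request parser, standing in for an intermediate layer) accepts or rejects. The grammar contents, the mutator list and the use of net/http as the reference parser are assumptions chosen for the example; the terminal values are constructed samples.

```go
package main

import (
	"bufio"
	"fmt"
	"math/rand"
	"net/http"
	"strings"
)

// Symbol is one grammar rule. A Literal symbol holds terminal choices; a Node
// symbol holds a sequence whose "<name>" elements are expanded recursively and
// whose other elements are emitted verbatim.
type Symbol struct {
	Literals []string
	Sequence []string
}

// Grammar maps "<name>" to its rule.
type Grammar map[string]Symbol

// Mutator rewrites a chosen terminal before it is emitted.
type Mutator func(string) string

// Mutators are the string transformations applied to terminals. They are mild
// (case changes, trailing whitespace) on purpose: the question is only which
// layer's parser is strict about them.
var Mutators = []Mutator{
	func(s string) string { return s }, // identity
	strings.ToLower,
	strings.ToUpper,
	func(s string) string { return s + " " }, // trailing whitespace
}

// RequestGrammar encodes the canonical form from the proposal: request line,
// headers, blank line, body. Terminal values are constructed samples
// (example.test is a reserved test domain).
var RequestGrammar = Grammar{
	"<request>": {Sequence: []string{"<method>", " ", "<uri>", " ", "<version>", "\r\n", "<headers>", "\r\n", "<body>"}},
	"<method>":  {Literals: []string{"GET", "POST"}},
	"<uri>":     {Literals: []string{"/", "/index.html"}},
	"<version>": {Literals: []string{"HTTP/1.1", "HTTP/1.0"}},
	"<headers>": {Sequence: []string{"Host: ", "<host>", "\r\n"}},
	"<host>":    {Literals: []string{"example.test"}},
	"<body>":    {Literals: []string{""}},
}

// Expand produces one concrete string for the symbol called name. pick(n)
// must return a value in [0, n); it selects both the terminal and the mutator,
// so a scripted pick gives reproducible output and a seeded RNG gives fuzz cases.
func Expand(g Grammar, name string, pick func(n int) int) string {
	sym, ok := g[name]
	if !ok {
		return name // unknown reference: emit verbatim
	}
	if len(sym.Literals) > 0 {
		v := sym.Literals[pick(len(sym.Literals))]
		return Mutators[pick(len(Mutators))](v)
	}
	var b strings.Builder
	for _, el := range sym.Sequence {
		if strings.HasPrefix(el, "<") && strings.HasSuffix(el, ">") {
			b.WriteString(Expand(g, el, pick))
		} else {
			b.WriteString(el)
		}
	}
	return b.String()
}

// Canonical returns the unmutated first-choice expansion: the baseline request
// that every layer is expected to pass through.
func Canonical(g Grammar) string {
	return Expand(g, "<request>", func(int) int { return 0 })
}

// ParsesStrictly reports whether Go's net/http request parser accepts raw.
// Variants it rejects are the ones whose responses are worth comparing
// against the baseline.
func ParsesStrictly(raw string) bool {
	_, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	return err == nil
}

// GenerateVariants derives n mutated requests from a seeded RNG.
func GenerateVariants(g Grammar, n int, seed int64) []string {
	r := rand.New(rand.NewSource(seed))
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		out = append(out, Expand(g, "<request>", r.Intn))
	}
	return out
}

// Survey counts how many variants the strict parser accepts and rejects.
func Survey(variants []string) (accepted, rejected int) {
	for _, v := range variants {
		if ParsesStrictly(v) {
			accepted++
		} else {
			rejected++
		}
	}
	return accepted, rejected
}

func main() {
	c := Canonical(RequestGrammar)
	fmt.Printf("baseline: %q parses=%v\n", c, ParsesStrictly(c))
	a, rj := Survey(GenerateVariants(RequestGrammar, 50, 1))
	fmt.Printf("variants accepted=%d rejected=%d\n", a, rj)
}
```

Running the same variant set against each layer's parser in a lab (here only net/http is available offline) gives a per-layer accept/reject profile, which is the raw material for the baseline-distance comparison: a variant that one layer rejects and another passes through is exactly the kind of input whose response identifies the rejecting layer.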