X hits on this document

104 views

0 shares

1 downloads

0 comments

2 / 40

Client Fingerprinting via Analysis of Browser Scripting Environment

GIAC (GWAPT) Gold Certification

Author: Mark Fioravanti, mark.fioravanti.ii@gmail.com Advisor: Aman Hardikar

Accepted: N/A, DRAFT

Abstract An essential part of any Web Application Penetration Test that includes the exploitation of clients is the ability to accurately fingerprint the end point. There exists the ability to determine potentially unique characteristics of the client through the innate scripting functions provided within each major browser. These characteristics range from identifying the browser to the operating system (O/S). The level of detail that can be obtained based on identified characteristics can range from simply identifying the browser family to identifying the specific browser version, O/S version and in some cases the processor architecture. With the use of JavaScript, VBScript and Jscript, a fairly accurate fingerprint can be constructed of the client system. Despite various browsers including the ability to spoof User Agents and some plug-­‐ins providing the ability to spoof various components of the Document Object Model (DOM), there are still a number of ways that a web application penetration tester can fingerprint the system. This paper details which fingerprints can be collected and analyzed, as well as using specific fingerprints to aid in the identification of specific clients.

Document info
Document views104
Page views104
Page last viewedTue Dec 06 14:32:04 UTC 2016
Pages40
Paragraphs975
Words10494

Comments