Client Fingerprinting via Analysis of Browser Scripting Environment
[Figure 5.11-1: Maemo Browser on Nokia N900 with Maemo 5. Labels recovered from the figure: getElementById, d.getElementsByClassName, !n.savePreferences, XMLHttpRequest, w.globalStorage, w.postMessage.]
The Maemo Browser (MicroB) is similar to the desktop version of the Mozilla Firefox browser, except that it is designed for mobile platforms. Although the two are very similar, there are a small number of notable exceptions. The values reported in navigator.vendor and navigator.userAgent differ from those used on the desktop version. The navigator.vendor property contains information about the device, such as the model (e.g. ‘RX-51 N900’) and the browser version (e.g. Maemo Browser 22.214.171.124). The navigator.oscpu and navigator.platform properties return values that are characteristic of an ARM processor (e.g. ‘Linux armv71’). As with navigator.buildID in the desktop version of Mozilla Firefox, the value returned by navigator.buildID has enough resolution to uniquely identify the browser among other Mozilla Firefox browsers.
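The cross-check described above can be used to notice a navigator.userAgent that disagrees with the other navigator properties. The following is an added example, not code from the paper: the function name `classifyGecko`, the result labels, the assumption that the Maemo userAgent contains the word "Maemo", and all sample values are constructed for illustration.

```javascript
// Added example; SAMPLES are constructed values, not captured from a device.
// Classifies a Gecko browser from several navigator properties and reports
// whether navigator.userAgent agrees with them.
function classifyGecko(nav) {
  const vendor = String(nav.vendor || "");
  const cpu = [nav.oscpu, nav.platform].map((v) => String(v || ""));
  const evidence = [];

  // Per the text: the Maemo vendor string carries the model and browser name.
  if (/Maemo Browser/i.test(vendor)) evidence.push("vendor:maemo");
  // Per the text: oscpu and platform report an ARM Linux value on the N900.
  if (cpu.every((v) => /^Linux arm/i.test(v))) evidence.push("cpu:arm-linux");

  const looksMaemo = evidence.length === 2;
  // Assumption: the Maemo userAgent string contains the word "Maemo".
  const uaSaysMaemo = /Maemo/i.test(String(nav.userAgent || ""));
  let family = "other-gecko";
  if (looksMaemo) family = "maemo-browser";
  else if (evidence.length > 0) family = "ambiguous";

  return {
    family,
    evidence,
    // Disagreement suggests the userAgent was overridden or rewritten in transit.
    uaConsistent: uaSaysMaemo === looksMaemo,
    // buildID is kept as an opaque per-build discriminator.
    buildID: typeof nav.buildID === "string" ? nav.buildID : null,
  };
}

const n900 = {
  vendor: "Maemo Browser 0.0 RX-51 N900", // constructed version placeholder
  userAgent: "Mozilla/5.0 (X11; Linux armv71) Gecko Firefox Maemo Browser 0.0 RX-51 N900",
  oscpu: "Linux armv71",
  platform: "Linux armv71",
  buildID: "20100101000000",
};
const desktop = {
  vendor: "",
  userAgent: "Mozilla/5.0 (X11; Linux x86_64) Gecko Firefox",
  oscpu: "Linux x86_64",
  platform: "Linux x86_64",
  buildID: "20100202000000",
};
// Same device as n900, but presenting the desktop userAgent string.
const SAMPLES = { n900, desktop, overridden: { ...n900, userAgent: desktop.userAgent } };
```

In a browser the function is called as `classifyGecko(navigator)`; a `uaConsistent` value of `false` means any decision based on navigator.userAgent alone should be treated as unreliable.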
The ability to accurately fingerprint a browser and/or determine the underlying O/S of a system can be integrated into the tools of a Web Application Penetration Tester. Two Free and Open Source Software (FOSS) projects that can benefit from the ability to accurately identify browsers are the Browser Exploitation Framework (BeEF) (Alcorn, 2010) and the Metasploit Framework. BeEF currently relies upon the navigator.userAgent property to determine the O/S of the Browser Zombie. The Metasploit Framework’s Browser Autopwn component has been expanded to include a number of the items previously referenced for Microsoft Internet Explorer and ASA