Qualys Releases BlindElephant as an Open Source Tool for Web Application Fingerprinting
New Engine Improves Speed and Accuracy of Web Application Fingerprinting
Black Hat, Las Vegas, NV - July 28, 2010 - Qualys®, Inc., the leading provider of on demand IT security risk and compliance management solutions, today released BlindElephant, a fast, accurate open source web application fingerprinting engine that identifies application and plugin versions via static files. In conjunction with this release, research is scheduled to be unveiled at Black Hat USA 2010 that describes results from large-scale tests of the tool and shows that many well-known web applications are running dangerously out of date software.
There are many common web applications used for many purposes, such as blogging, forums, e-commerce, database management, email and myriad others. By their nature, these applications present special security challenges, and as vulnerabilities are increasingly discovered, it is important to have a reliable way to detect which applications and plugins are present at a site, and if they are running outdated versions. Unlike other web application tools, BlindElephant utilizes a new approach that relies on hashes of static resource files within the application to infer a version number.
“Standard web applications are commonly targeted by attackers and then subverted for malware distribution,” said Wolfgang Kandek, CTO of Qualys. “We are releasing the BlindElephant tool as an open source project in order to allow users to protect themselves and monitor their web applications. It is also an initial stepping stone to work with the community to increase the number of fingerprinted web applications.”
“BlindElephant is a tool that helps security professionals and systems administrators identify everything running on their servers, including any web applications users may have downloaded,” said Patrick Thomas, a vulnerability researcher at Qualys and creator of BlindElephant. “It doesn't check for vulnerabilities or vulnerability to a particular exploit, but rather what version of applications are running on their site.”
BlindElephant was designed for:
- Minimal human effort to support new versions/apps
- Resistance to hardening (banner removal)
- Accuracy and precision to reduce false positive and false negative rates
- Very generic to reuse the same code for all supported applications
- Speed and scalability for use on a large number of applications
- Low resource usage
For each application that the tool will support, BlindElephant consumes a number of version directories, one per released version. All files and directories are processed, and a hash is computed for each file. This hash is stored in a temporary table, along with the file's path and the version of the application it came from; a version is then inferred by matching the hashes of a site's static files against that table. Accuracy of the tool was demonstrated by a large-scale survey of Internet-visible hosts. The results of the survey include information on which currently supported web applications are most commonly used and the distribution of versions. The survey focused on some of the most popular open-source applications, including:
- Drupal (Content Management System)
- Joomla! (Content Management System)
- Mediawiki (Wiki Software)
- Moodle (Virtual Classroom System)
- MovableType (Blogging Software)
- phpBB (Forum Software)
- phpMyAdmin (Database Management Software)
- SPIP (Content Management System)
- Wordpress (Blogging Software)
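The hash-table approach described above, as an added illustration that is not BlindElephant's own code: a constructed set of per-version file trees is hashed into a (path, hash) to versions table, and a site is fingerprinted by intersecting the versions consistent with each recognised static file, skipping files that are absent or locally modified (which is what gives the method its resistance to banner removal).

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for the per-version source trees the tool consumes:
# {version: {relative_path: file_bytes}}. Real trees come from release archives.
VERSION_TREES = {
    "1.0": {"css/style.css": b"body{margin:0}", "js/app.js": b"var v=1;", "readme.txt": b"v1.0"},
    "1.1": {"css/style.css": b"body{margin:0}", "js/app.js": b"var v=2;", "readme.txt": b"v1.1"},
    "2.0": {"css/style.css": b"body{margin:0;pad:0}", "js/app.js": b"var v=2;", "readme.txt": b"v2.0"},
}

def file_hash(data):
    return hashlib.sha256(data).hexdigest()

def build_db(trees):
    """Hash every file of every version; key (path, hash) -> versions shipping that exact file."""
    db = defaultdict(set)
    for version, files in trees.items():
        for path, content in files.items():
            db[(path, file_hash(content))].add(version)
    return db

def probe_order(db):
    """Paths ordered by how many distinct hashes they have across versions (most discriminating first)."""
    variants = defaultdict(int)
    for path, _ in db:
        variants[path] += 1
    return sorted(variants, key=lambda p: (-variants[p], p))

def fingerprint(db, fetch):
    """fetch(path) returns the site's bytes for that path, or None when absent (assumed callback).
    Returns the versions still consistent with every recognised file, plus the evidence used.
    A missing file (e.g. a removed readme) or a locally modified one (unknown hash) is skipped
    rather than treated as a contradiction."""
    candidates = {v for versions in db.values() for v in versions}
    evidence = []
    for path in probe_order(db):
        content = fetch(path)
        if content is None:
            continue
        matched = db.get((path, file_hash(content)))
        if not matched:
            continue
        candidates &= matched
        evidence.append((path, sorted(matched)))
    return candidates, evidence
```

Against a real site, `fetch` would be an HTTP GET of each static path; with the constructed trees, a hardened 1.1 install (readme removed) still resolves uniquely from the two remaining files.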
“The goal of the tool is to provide ‘situational awareness,’ rather than specific vulnerabilities in an application,” added Thomas.
Patrick Thomas will introduce BlindElephant and the research results in a session at Black Hat USA 2010 on July 28 at 3:15 pm PDT.
BlindElephant is an open source tool available now for download from: http://blindelephant.sourceforge.net/.
To download the BlindElephant research paper or get more details, please visit the Qualys Community at: http://community.qualys.com/community/blindelephant.
The fingerprinting technology is currently available in QualysGuard Vulnerability Management.
Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions – delivered as a service. Qualys’ Software-as-a-Service solutions are deployed in a matter of hours anywhere in the world, providing customers an immediate and continuous view of their security and compliance postures.
The QualysGuard® service is used today by more than 4,000 organizations in 85 countries, including 42 of the Fortune Global 100, and performs more than 500 million IP audits per year. Qualys has the largest vulnerability management deployment in the world at a Fortune Global 50 company.
Qualys has established strategic agreements with leading managed service providers and consulting organizations including BT, Etisalat, Fujitsu, IBM, I(TS)2, LAC, NTT, SecureWorks, Symantec, Tata Communications and TELUS.
For more information, please visit www.qualys.com.
Qualys, the Qualys logo and QualysGuard are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.