Black Hat 2010: Open source tool finds web applications

Security firm Qualys has launched an open source, web-application fingerprinting engine to identify application and plug-in versions.

The launch coincides with the release of related research at the Black Hat USA 2010 security conference in Las Vegas.

The research describes the results of large-scale tests of the tool, called BlindElephant, and shows that many well-known web applications are running dangerously out-of-date software.

"BlindElephant is a tool that helps security professionals and systems administrators identify everything running on their servers, including any web applications users may have downloaded," said Patrick Thomas, a vulnerability researcher at Qualys and creator of BlindElephant.

"It doesn't check for vulnerabilities or vulnerability to a particular exploit, but rather what version of applications are running on their site," he said.

As vulnerabilities are increasingly discovered, it is important to have a reliable way to detect which applications and plug-ins are present at a site, and if they are running outdated versions, said Thomas.

Unlike other web application tools, BlindElephant uses a new approach that relies on hashes of static resource files within the application to identify the application's version number.
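As an added illustration of the hash-based approach described above, the following is example code written for this page, not BlindElephant's own code or its actual matching algorithm; the release contents, paths and version numbers are constructed placeholders:

```python
import hashlib
from collections import defaultdict

# Constructed sample data: the static files shipped in three hypothetical
# releases of an application. A real database is built from the vendor's
# release archives; these byte strings are placeholders, not real files.
RELEASE_FILES = {
    "1.0": {"js/app.js": b"function init(){alert('v1')}",
            "css/site.css": b"body{color:red}",
            "changelog.txt": b"app 1.0"},
    "1.1": {"js/app.js": b"function init(){alert('v1')}",
            "css/site.css": b"body{color:blue}",
            "changelog.txt": b"app 1.1"},
    "2.0": {"js/app.js": b"function init(){console.log('v2')}",
            "css/site.css": b"body{color:blue}",
            "changelog.txt": b"app 2.0"},
}

def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_fingerprints(release_files):
    """Map each static path to {hash: set of versions shipping that exact content}."""
    db = defaultdict(lambda: defaultdict(set))
    for version, files in release_files.items():
        for path, content in files.items():
            db[path][file_hash(content)].add(version)
    return db

def rank_paths(db):
    """Paths with the most distinct hashes across releases separate versions best,
    so an inventory check should fetch those first."""
    return sorted(db, key=lambda p: len(db[p]), reverse=True)

def identify(db, observed):
    """observed: path -> bytes retrieved from the server being inventoried.
    Returns the set of versions consistent with every file whose hash is known.
    A file whose hash matches no release (e.g. locally customised) is skipped
    rather than ruling out every version; an empty set means the observed
    files contradict each other or nothing matched at all."""
    candidates = None
    for path, content in observed.items():
        versions = db.get(path, {}).get(file_hash(content))
        if not versions:
            continue
        candidates = set(versions) if candidates is None else candidates & versions
    return candidates if candidates is not None else set()
```

The intersection step is what lets two files that are each shared between releases still pin down a single version; an administrator would run this against their own hosts and compare the result with the vendor's current release.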

"Standard web applications are commonly targeted by attackers and then subverted for malware distribution," said Wolfgang Kandek, chief technology officer at Qualys.

The BlindElephant tool will enable users to protect themselves and monitor their web applications, he said.

The open source project is also intended to be an initial stepping stone to work with the community to increase the number of fingerprinted web applications, said Kandek.
