CAPEC-170

Detailed Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: High Severity: Low
Web Application Fingerprinting

Description

An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. While web application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.

Prerequisites

Any web application can be fingerprinted. However, some configuration choices can limit the useful information an attacker may collect during a fingerprinting attack.

Mitigations

Implementation: Obfuscate server fields of HTTP response.

Implementation: Hide inner ordering of HTTP response header.

Implementation: Customizing HTTP error codes such as 404 or 500.

Implementation: Hide URL file extension.

Implementation: Hide HTTP response header software information filed.

Implementation: Hide cookie's software information filed.

Implementation: Appropriately deal with error messages.

Implementation: Obfuscate database type in Database API's error message.

Skills Required

[Low] Attacker knows how to send HTTP request, SQL query to a web application.