Qualys has announced the launch of an open source web application fingerprinting engine that identifies application and plug-in versions via static files.
Introduced at the Black Hat conference in Las Vegas, Nevada, Qualys said that unlike other web application tools, BlindElephant utilises a new approach that relies on hashes of static resource files within the application to infer a version number.
BlindElephant is an open source tool available now for download; the fingerprinting technology it uses is already part of the QualysGuard Vulnerability Management solutions.
Its creator Patrick Thomas, also a vulnerability researcher at Qualys, described BlindElephant as a 'tool that helps security professionals and systems administrators identify everything running on their servers, including any web applications users may have downloaded'.
He said: “It doesn't check for vulnerabilities or a vulnerability to a particular exploit, but rather what version of applications are running on their site. The goal of the tool is to provide 'situational awareness,' rather than specific vulnerabilities in an application.”
For each application the tool supports, BlindElephant consumes a set of release directories, one per known version. Every file and directory in each release is processed and a hash is computed for each file. That hash is stored in a temporary table together with the file's path and the application version it came from, so a file fetched from a live server can later be hashed and looked up to see which versions ship exactly that content.
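To make the approach concrete, the following is an added example written for this article, not BlindElephant's own code: it builds the (path, hash) to versions table from constructed stand-ins for three release directories, then fingerprints a "server" (a stub that returns file bytes or None for a 404) by intersecting the candidate version sets, probing the most version-specific paths first. SHA-256, the hypothetical app and its file contents, and the stub server are all assumptions; the page says only that a hash is computed per file. The example also handles the two cases a practitioner hits in practice: a file the administrator deleted (skipped) and a file that was customised locally (recorded as unknown rather than used to rule out every version).

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for three release directories of a hypothetical
# web application: version -> {relative path: file bytes}. Not real software.
RELEASES = {
    "1.0": {
        "js/app.js": b"function init(){}\n",
        "css/style.css": b"body{margin:0}\n",
        "readme.txt": b"App 1.0\n",
    },
    "1.1": {
        "js/app.js": b"function init(){}\n",             # unchanged since 1.0
        "css/style.css": b"body{margin:0;padding:0}\n",
        "readme.txt": b"App 1.1\n",
    },
    "2.0": {
        "js/app.js": b"function init(){setup();}\n",
        "css/style.css": b"body{margin:0;padding:0}\n",  # unchanged since 1.1
        "readme.txt": b"App 2.0\n",
    },
}


def file_hash(data: bytes) -> str:
    # SHA-256 is an assumption; any collision-resistant hash works here.
    return hashlib.sha256(data).hexdigest()


def build_table(releases):
    """Hash every file of every release: (path, hash) -> set of versions
    that ship exactly that file content."""
    table = defaultdict(set)
    for version, files in releases.items():
        for path, content in files.items():
            table[(path, file_hash(content))].add(version)
    return table


def probe_order(table):
    """Paths sorted so those with the most distinct hashes across releases
    (the ones that best split the version space) are fetched first."""
    variants = defaultdict(int)
    for path, _ in table:
        variants[path] += 1
    return sorted(variants, key=lambda p: (-variants[p], p))


def fingerprint(table, fetch, max_probes=None):
    """Infer the version of a remote install. `fetch(path)` returns the file
    bytes or None (HTTP 404). Returns (sorted candidate versions, unknown paths).

    A missing file is skipped (admins often delete readmes). A file whose hash
    matches no release is recorded as unknown (locally modified, or a version
    not in the table) and also skipped, so one customised file cannot wrongly
    eliminate every candidate.
    """
    candidates = set(v for vs in table.values() for v in vs)
    unknown = []
    for n, path in enumerate(probe_order(table)):
        if max_probes is not None and n >= max_probes:
            break
        content = fetch(path)
        if content is None:
            continue
        versions = table.get((path, file_hash(content)))
        if versions is None:
            unknown.append(path)
            continue
        candidates &= versions
        if len(candidates) <= 1:
            break  # resolved (or contradictory); no point fetching more
    return sorted(candidates), unknown


def fake_server(files):
    """Stand-in for an HTTP client serving a constructed document root."""
    return lambda path: files.get(path)


TABLE = build_table(RELEASES)

# Constructed target 1: a stock 1.1 install with the readme deleted by the admin.
TARGET_1_1 = fake_server({
    "js/app.js": b"function init(){}\n",
    "css/style.css": b"body{margin:0;padding:0}\n",
})

# Constructed target 2: a 1.x install whose stylesheet was customised locally.
TARGET_CUSTOM = fake_server({
    "js/app.js": b"function init(){}\n",
    "css/style.css": b"body{margin:0;background:#eee}\n",
})

if __name__ == "__main__":
    print(fingerprint(TABLE, TARGET_1_1))     # (['1.1'], [])
    print(fingerprint(TABLE, TARGET_CUSTOM))  # (['1.0', '1.1'], ['css/style.css'])
```

Against a real site, `fetch` would be an HTTP GET of the document root plus path; the intersection logic is unchanged. Note that the second target shows the honest failure mode of this technique: when the only discriminating file has been modified, the result is a set of candidate versions, not a single answer, and the unknown path tells the operator why.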
Wolfgang Kandek, CTO of Qualys, said: “Standard web applications are commonly targeted by attackers and then subverted for malware distribution. We are releasing the BlindElephant tool as an open source project in order to allow users to protect themselves and monitor their web applications. It is also an initial stepping stone to work with the community to increase the number of fingerprinted web applications.”