

25 May 2012 13:00 - 14:30


ANZ, 833 Collins St, Docklands, Melbourne VIC 3008

Room Location: Core C

Please ask about OWASP at reception and they will direct you to the room (room: Core C).

The easiest way to get there is to hop on tram number 48 or 11 on Collins St and go right to the end of Collins; this will be the last stop. Alternatively, walk down Collins St, as it is within walking distance.


Eldar Marcussen


The next generation of HTTP Fingerprinting

The next generation of HTTP Fingerprinting builds on existing web server fingerprinting research to accurately detect and identify load balancers, web application firewalls, reverse proxies and web servers. Through in-depth analysis of HTTP traffic it is possible to detect and identify intermediate agents. Some of these techniques can also be used to identify server configuration such as loaded modules.

Today’s tools for identifying web technologies don’t do an adequate job of identifying the sub-components comprising the architecture. Most HTTP-based fingerprinting tools only focus on fingerprinting the web server(s) on the target or behind the load balancer. While there are some tools that identify load balancing, namely halberd and lbd, these tools focus on enumerating the actual back ends without any fingerprinting.

By taking HTTP fingerprinting to the next level we can detect and identify both the intermediate agents and the web server. There are some tools aimed at detecting web application firewalls, for example waffit/wafW00f, which uses strings commonly used in malicious payloads to detect requests being blocked by the web application firewall. Through fault injection and fuzzing of vaguely defined (RFC 2616) request properties I was able to identify distinct responses in intermediary HTTP agents without relying on default/common WAF rules to be enabled.

These tools and techniques will enable target identification to be more effective, and speed up the process of detecting potentially vulnerable systems that are normally transparent.

Two tools will be released along with the presentation:

  • lbmap – Identifies and fingerprints load balancers, WAFs, reverse proxies and web servers.
  • aprof – Profiles Apache configuration, including determining which modules are loaded.

About the speaker

Eldar Marcussen
Company: Stratsec

Eldar is a principal consultant and researcher at Stratsec, where he helps organisations test their security and protect intellectual property. He is a Perl advocate and in his spare time works on several open source projects aimed at secure web application development and testing. Eldar has presented at AISA and Ruxcon and worked with some of Australia’s leading hosting, search engine optimisation and domain parking service providers, providing design and security guidance.

Hope to see you all there.

OWASP Melbourne :)