الأحد، 14 فبراير 2016

Fingerping: A Security Tool For Fingerprint PNG Files Of Web Applications



Fingerping: A Security Tool For Fingerprint PNG Files Of Web Applications


When we audit web applications Fingerprinting is the most important step. The tool which is able to fingerprint the PNG files of web applications is Fingerping.



Purpose:

By using this tool we can easily determine about the framework, PNG image library, which a web application used. Fingerping tools are mostly used for forensic investigation, bu they can also be used during security audits.


Technique:

The techniques are based on analysis of cookies, static files, header files and mainly it relies on various PNG coders/decoders by which we can easily differentiate between the treatment of invalid or ambiguous PNG images. Some crafted images are accepted by the libraries but not all images. Fingerping tool already contains more than 50 specially crafted PNG images.

Requirements:

The basic requirements of Fingerping tool are:

Python 2.x versions
Web applications must accept uploads PNG files to fingerperint the web application.
Web application should return a re-encoded version of the image. 

Usage:

For the usage purpose firstly you have to upload all the PNG images files from the directory "images" to the target website. The name of the input and output image should be same. For those images that are failed to decode we can't do anything for that. If the output files are JPG files then convert them first into PNG files. After that run the fingerping tool with the folder that contains all your output images.

$ python fingerping.py ../site.com/

After then, tool (fingerping) will count the fingerprint matches between the folder of image and in database library. The line at the bottom is the most likely match.

$ python fingerping.py ../site.com/
Dart                            30/ 60
Ruby chunky_png       32/ 60
.Net 4.5                       33/ 60
Erlang erl_img           34/ 60
Nodejs pngjs               34/ 60
Haskell JuicyPixels    38/ 60
Python PIL                 38/ 60
Python png.py            39/ 60
OpenJDK 7                40/ 60
Go 1.0.2                     41/ 60
LodePNG                   42/ 60
ImageMagick             49/ 60
Mono                         50/ 60
PHP5                         60/ 60


Adding new fingerprints:

For adding new fingerprints to fingerping's database we have to follow some steps:

Firstly, generate the image folder for target.
Run the fingerping tool with "-gen".
Tool will then output the library's fingerprint as a Python dictionary.

$ python fingerping.py -gen ../newPNG/
{'black_white': 4, 'control_8bit_i': 4, 'Compression': 13, 'ihdr_too_long': 0, 'ihdr_height_0': 0, ...}

After then you can simply add a variable for the library to the fingerprints.py file, like below, replacing {fingerprint} with the aformentioned dictionary. And after that rest is on Python reflection.

newPNG = Fingerprint("newPNG","newPNG v1.0 64bit",{fingerprint})


Listing the fingerprint database:

When you Runn fingerping tool with the "-csv" option, it will give output of a tab delimited table containing all the fingerprints in fingerping's database.

Download Link: Click Here

ليست هناك تعليقات:

إرسال تعليق