FINGERPRINTING WEB APPLICATION PLATFORMS BY VARIATIONS IN PNG IMPLEMENTATIONS

Black Hat USA 2014

Presented by: Dominique Bongard (Roady)
Date: Thursday August 07, 2014
Time: 15:30 - 16:00
Location: South Seas GH

Fingerprinting is an important preliminary step when auditing web applications. But the usual techniques based on the analysis of cookies, headers, and static files are easy to fool. Fingerprinting digital images is a technique commonly used for forensic investigations but rarely for security audits. Moreover, it is mostly based on the analysis of JPEG images only. In this talk we study the implementation differences between a number of PNG decoders/encoders, either build-in or commonly used with the main web application development platforms. As a result, we give a set of tests that can discriminate between various PNG libraries. As a consequence, it is often possible to identify the platform behind a website even when an effort has been made to prevent fingerprinting, as long as said website allows the upload of PNG images.

Dominique Bongard

Dominique Bongard is the founder of 0xcite, a Swiss company focusing on security for mobile and embedded devices. His previous position, which lasted eight years, consisted of leading the Threat Intelligence team for Kudelski Nagravision. Dominique is an experienced reverse engineer and he regularly competes in Capture The Flag events.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats