Sometimes standard web application scanning techniques are too intrusive. The web application owner may not want to run a scan that tests for a vulnerability by uploading application data because that might have negative side effects for the application. It can be better to use an indirect method like web application fingerprinting which inspects static files in the web app to determine its version, and then reports the known vulnerabilities for that version.
Blind Elephant is a trustworthy open-source static-file web application fingerprinter. It attempts to discover the version of a (known) web application by comparing static files at known locations against pre-computed hashes for versions of those files in all available releases. This technique works well when the static files change with every release, allowing the fingerprinter to identify the application version based on the contents of the files. This technique is non-invasive and generic, and the use of pre-computed hashes means it is fast, low-bandwidth and highly automatable.
Over the five years since the open source Blind Elephant project was introduced, Qualys has maintained it, integrated it with the Qualys Cloud Suite, and added lots and lots of detections. That makes the Qualys integration a useful tool for web application security teams.
Qualys Integration & Detections
Qualys has been steadily adding detectable applications to the Qualys integration, which now detects over 200 web applications, plugins and extensions, and this number continues to grow every week. Qualys customers can look up QID 45114 in their scan reports and see a listing of the web applications found in their environment.
In order to add a detection, the Qualys team needs access to the source code and a few versions of the web application. With too few versions or files that remain unchanged across versions, it is not possible to create detections.
The Blind Elephant engine can be most effective in the following scenarios that are too intrusive into the customer’s application, and where it’s better to determine the existence of the vulnerability indirectly, i.e. via fingerprinting:
- Post-Authentication Vulnerabilities: For example, persistent cross-site scripting vulnerabilities which need a user with certain rights in order to be successfully exploited.
- File Upload Vulnerabilities: Vulnerabilities that require the upload of arbitrary data on a customer’s application to be successfully exploited.
- Remote Code Execution Vulnerabilities: Vulnerabilities that require execution of arbitrary code on a targeted system. For example, command injection vulnerabilities can be safely identified via Blind Elephant.
- SQL Injection: Because the number and names of tables may vary with the implementation of the application, so it’s not possible to automate table lookups.
I remember a particular case when Blind Elephant was really helpful: MediaWiki DjVu and PDF File Upload Remote Code Execution Vulnerability (QID 12832). This was a zero-day affecting the software that powers Wikipedia. The tricky part was that to execute arbitrary code on an affected installation, one needed to upload a legitimate file on the server and then pass shell meta-characters to the application which would execute arbitrary code. Making it more urgent, a PoC was available! Since Qualys has always treated customer data confidentially, a file upload was out of the question. It was with Blind Elephant that this detection was made possible.
Keep visiting the Blind Elephant Supported Detections to read about the support added for different web-applications and their extensions/plugins. If you want a detection added for a certain open source web application, please post your request to the Blind Elephant community.