
OWASP Automated Threat (OAT-004) Fingerprinting

Fingerprinting - Elicit information about the supporting software and framework types and versions.

What is Fingerprinting?


Specific requests are sent to the application eliciting information in order to profile the application. This probing typically examines HTTP header names and values, session identifier names and formats, contents of error page messages, URL path case sensitivity, URL path patterns, file extensions and whether software-specific files and directories exist.

Fingerprinting often relies on information leakage, and this profiling may also reveal some of the network architecture or topology. Fingerprinting may be undertaken without any direct use of the application, e.g., by querying a store of exposed application properties such as those held in a search engine's index.

Fingerprinting is also known by terms such as Google dorking, Google hacking, target acquisition, target scanning, finding potentially vulnerable applications, reconnaissance, URL harvesting and web application fingerprinting.

The Symptoms of Fingerprinting


OWASP, the worldwide not-for-profit charitable organization focused on improving the security of software, notes that there are several possible symptoms of fingerprinting. These include:

  1. Single HTTP requests (just one single request and no more from that browser/session/device/fingerprint)

  2. Often none, but possibly requests for a wide range of missing resources

  3. Requests for resources that are rarely requested
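
As an added illustration (not taken from OWASP or from the original article), the three symptoms above can be checked against a web server access log. The log lines are constructed, clients are keyed by IP address only, and the thresholds and the function name `fingerprinting_symptoms` are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [10/Mar/2024:10:00:02 +0000] "GET /products HTTP/1.1" 200 812
198.51.100.7 - - [10/Mar/2024:10:00:09 +0000] "GET /cart HTTP/1.1" 200 640
203.0.113.9 - - [10/Mar/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2024:10:01:05 +0000] "GET /products HTTP/1.1" 200 812
192.0.2.44 - - [10/Mar/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153
192.0.2.44 - - [10/Mar/2024:10:02:00 +0000] "GET /administrator/ HTTP/1.1" 404 153
192.0.2.44 - - [10/Mar/2024:10:02:01 +0000] "GET /CHANGELOG.txt HTTP/1.1" 404 153
192.0.2.80 - - [10/Mar/2024:10:03:00 +0000] "HEAD / HTTP/1.1" 200 0
192.0.2.91 - - [10/Mar/2024:10:04:00 +0000] "GET /robots.txt HTTP/1.1" 200 68
192.0.2.91 - - [10/Mar/2024:10:04:01 +0000] "GET /favicon.ico HTTP/1.1" 200 318
192.0.2.91 - - [10/Mar/2024:10:04:02 +0000] "GET /readme.html HTTP/1.1" 200 7400
"""

# Captures client IP, request path and status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+$')

def fingerprinting_symptoms(log_text, missing_min=3, rare_min=3):
    """Map each client IP to the fingerprinting symptoms it shows in the log."""
    total, missing, served = Counter(), defaultdict(set), defaultdict(set)
    clients_per_path = defaultdict(set)
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ip, path, status = m.group(1), m.group(2).split("?", 1)[0], int(m.group(3))
        total[ip] += 1
        clients_per_path[path].add(ip)
        (missing if status == 404 else served)[ip].add(path)
    findings = {}
    for ip, count in total.items():
        # "Rare" here means: served to this client and to no other client in the log.
        rare = [p for p in served[ip] if len(clients_per_path[p]) == 1]
        checks = {
            "single_request": count == 1,                          # symptom 1
            "missing_resources": len(missing[ip]) >= missing_min,  # symptom 2
            "rare_resources": len(rare) >= rare_min,               # symptom 3
        }
        flags = [name for name, hit in checks.items() if hit]
        if flags:
            findings[ip] = flags
    return findings
```

On real traffic a single request is a weak signal on its own, so these flags are better combined with session, device or other client identifiers before any blocking decision.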

Sectors Targeted by Fingerprinting


The major sectors targeted by the fingerprinting security threat include the education, entertainment, financial, government, health, retail, technology and social networking industries.

According to the Automated Threat Handbook for Web Applications published by OWASP, these attacks result in misuse of various types of data. That includes authentication credentials, payment cardholder data and other financial data; medical and other personal data; intellectual property and other business data; and public information.

Ways to Prevent Fingerprinting Security Threat


OWASP suggests several possible countermeasures to address the threat of fingerprinting. These include:

  1. Fully outsourcing all payment aspects to an appropriate payment service provider that has its own countermeasures in place for fingerprinting, increasing the minimum checkout value, and removing payment by card completely if alternatives are available. But these security checks are only the start of a larger, more formidable protection against fraudsters hunting down valid credit card numbers.

  2. Organizations can consider randomizing the content and URLs of payment submission pages and payment forms, linking these changes to the individual user’s session, verifying the changes at each payment step and restricting any identified automated usage.

  3. Organizations can consider monitoring and limiting the rate of card authorization attempts per session, user, IP address, device, and fingerprint. As a result, automation attempts and malicious users are blocked as soon as they have reached a set number of failed attempts while testing different card numbers.

  4. Identify and restrict automated usage by reputation methods. In particular, businesses can use geolocation and/or IP address block lists to prevent access to payment parts of the application. They can also use address and card reputation services and add delays in the checkout steps for new and rare customers.

  5. OWASP also recommends that organizations participate in ecommerce threat intelligence exchanges and contribute any relevant attack data to sector-wide sharing systems.

Online businesses can also opt for a bot mitigation solution that prevents fingerprinting and other OWASP automated threats in real time without affecting any legitimate visitors. Bot mitigation is probably the most accurate solution for preventing OWASP Automated Threats, and it also ensures real-time protection against malicious bots.

These are the primary security measures that your website must have in place to defend against malicious security threats such as OWASP automated threats in real time.