Qualys, a provider of IT security risk and compliance management offerings, has released open source web application fingerprinting engine BlindElephant, which identifies application and plugin versions via static files.
The company said that its new tool helps security professionals and systems administrators identify everything running on their servers, including any web applications users may have downloaded. It utilises a new approach that relies on hashes of static resource files within the application to infer a version number.
For each application that the tool will support, BlindElephant consumes a number of version directories. All files and directories are processed, and a hash is computed for each file. This hash is stored in a temporary table, along with the path and version of the application it came from.
Qualys said that its BlindElephant was designed for: minimal human effort to support new versions/apps; resistance to hardening; accuracy to reduce false positives and false negative rates; and generic to reuse the same code for all supported applications.
Wolfgang Kandek, CTO of Qualys, said: "We are releasing the BlindElephant tool as an open source project in order to allow users to protect themselves and monitor their web applications. It is also an initial stepping stone to work with the community to increase the number of fingerprinted web applications."
Content from our partners
