HTTP Fingerprinting

Printable View

April 25th, 2003, 02:03 PM
slarty

HTTP Fingerprinting

Just giving you a link to this article I wrote a while ago, thought it may interest people. I'll paste the abstract

Quote:

HTTP Fingerprinting

HTTP servers often provide a signature with their responses which informs the client of the version. However recently many servers have begun to remove this signature, or even to lie. This article explains how we can fingerprint servers, thus identifying them independently of the signature. I also provide an implementation.

The full article may be found here

http://projectz.org/?id=142

Dunno if this is the right forum, it seemed as good as any.
April 25th, 2003, 03:09 PM
SirDice

Why do you use GET instead of HEAD to get the headers? Interesting idea though.
Did you notice any difference in response to a HTTP/1.0 and HTTP/1.1 request?
April 25th, 2003, 03:14 PM
nebulus200

SirDice, one reason I would use the actual GET versus the HEAD is that it might set off alarms of a site or might be filtered out entirely...

/nebulus
April 25th, 2003, 04:00 PM
SirDice

Quote:

Originally posted here by nebulus200
SirDice, one reason I would use the actual GET versus the HEAD is that it might set off alarms of a site or might be filtered out entirely...

/nebulus

Probably not or they will break alot of ppl's browsers. IE uses HEAD alot to find out if the page is newer then the one in the cache. Newer versions of IE also tend to send a PROPFIND before a HEAD and GET.
April 25th, 2003, 06:57 PM
slarty

Quote:

Why do you use GET instead of HEAD to get the headers?

Hmm, not sure. I guess that's just how I made it. I haven't tested whether it would work with HEAD.

Initially I tried some other methods too, but didn't get enough useful stuff back to care. I tried using OPTIONS and also a nonexistent method, but didn't get any particularly unique responses.

Quote:

Did you notice any difference in response to a HTTP/1.0 and HTTP/1.1 request?

Some web servers don't support HTTP/1.1, I did think of that. Just they are not the main ones I'm interested in.

Some web servers or caches send a 1.0 response to a 1.1 request, but certainly in the case of Apache, that is configureable on a per-user-agent basis (as a work around for broken clients)

I haven't tried exotic stuff like chunked responses, or partial content requests. That might be of use, but would require more effort to understand.