Cenzic 232 Patent
Paid Advertising
web application security lab

Judging Value of a Target by Environmental Variables

On and off I dump a lot of environmental information from people who visit my various websites.  Sometimes I wonder if there is more than just the usual noise of request methods, user agents, and what have you.  What if there were a way to assess the value of a target solely by using these environmental variables?  What would that mean for the web application security community?  How would something like that work?

Well, let’s look at what I have access to for a moment.  At the layer 2-3, I have access to TCP signatures, giving me operating systems, router hops, IP addresses (which can be converted into hostnames), and maybe some network configuration information. That right there is nearly enough to judge what a good target is compared to a bad target.  I know who is touching my machine and from where.  Next in the HTTP/HTTPs protocols, I get operating systems, browser types, service packs, software that may be installed on the host (including some spyware), if they are using a proxy, what language they speak, blah blah.  That may be interesting in assessing the vulnerability of the host, but probably not as useful in knowing the value of it.

Then you get to the application/presentation layer.  Here you get all sorts of information, like if they are capable of running dynamic applications (JavaScript, Flash, ActiveX, Java, VBScript) operating system (again), color density of the monitor, screen resolution, local time, default charset, etc…  (Check out my log.cgi file to get a dump of all your environmental variables, including HTTP and JavaScript.)

If you combine this information you should get a pretty good feel for the type of user you are dealing with and the relative type of computing system you are talking to over your raw socket.  With this information can you assess the user on the other end of the wire for relative value?  Perhaps something as simple as knowing the reverse lookup of the IP address is a .gov or .mil is enough for the bad guy.  Perhaps targeting anyone at supermassivecompany.com is more desireable for industrial espionage.  Maybe they are looking for specific machines to run specific exploits against, like the DCOM exploit against an old windows 2000 machine.  How about a machine with lots of horsepower so you want something with a huge monitor resolution AND running a beta version of Vista.  There are tons of options, completely depending on the target the bad guy is going after.

The result is, you end up with a larger attack surface by doing this mostly passive recon to identify and classify the target, without ever sending a single packet to them, that they didn’t request.

Comments are closed.