Home > CAPEC List > CAPEC-472: Browser Fingerprinting (Version 2.4)  

CAPEC-472: Browser Fingerprinting

 
Browser Fingerprinting
Definition in a New Window Definition in a New Window
Attack Pattern ID: 472
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Description

Summary

An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.

+ Attack Prerequisites
  • Victim's browser visits a website that contains attacker's Java Script

    Java Script is not disabled in the victim's browser

+ Typical Severity

Low

+ Examples-Instances

Description

The following code snippets can be used to detect various browsers:

Example Language: Javascript 

Firefox 2/3

FF=/a/[-1]=='a'

Firefox 3

FF3=(function x(){})[-5]=='x'

Firefox 2

FF2=(function x(){})[-6]=='x'

IE

IE='\v'=='v'

Safari

Saf=/a/.__proto__=='//'

Chrome

Chr=/source/.test((/a/.toString+''))

Opera

Op=/^function \(/.test([].sort)
+ Solutions and Mitigations

Configuration: Disable Java Script in the browser

+ References
[R.472.1] Gareth Heyes. "Detecting browsers javascript hacks". The Spanner. January 29, 2009. <http://www.thespanner.co.uk/2009/01/29/detecting-browsers-javascript-hacks/>.
+ Content History
Submissions
SubmitterOrganizationDate
Evgeny LebanidzeCigital Federal, Inc2011-05-31
Modifications
ModifierOrganizationDateCommentsSource
CAPEC Content TeamThe MITRE Corporation2013-06-21Updated Code_Example_Language and SummaryInternal
CAPEC Content TeamThe MITRE Corporation2013-12-18Updated Related_Attack_PatternsInternal
CAPEC Content TeamThe MITRE Corporation2014-04-10Updated Attack_Prerequisites, Description, Description Summary, Examples-Instances, Related_Attack_PatternsInternal

Page Last Updated: April 10, 2014