Kingdom: Environment

This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.

Insecure Deployment: Known Application Fingerprint

Universal

Abstract

Deploying unpatched versions of applications can enable attackers to exploit known vulnerabilities and compromise the target system.

Explanation

Reconnaissance is a necessary precursor to any successful attack against an application. Attackers can successfully identify applications installed by:
1. Matching against client-side code patterns e.g. JavaScript function definitions or variable declarations
2. Probing for resources and interfaces specific to the application being fingerprinted
3. Matching against textual content on web pages that might identify the application underlying the target
4. Locating references to logo image files with identifiable names
This information can aid the attacker in constructing exploits to target known vulnerabilities against the application.

References

[1] Standards Mapping - OWASP Mobile 2024 M2 Inadequate Supply Chain Security

[2] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management

[3] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management

[4] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services

[5] Standards Mapping - Web Application Security Consortium Version 2.00 Fingerprinting (WASC-45)

desc.dynamic.xtended_preview.insecure_deployment_known_application_fingerprint