Tracking Processors: Client Fingerprint Processor: Incident - Fingerprint Directory Probing

Complexity: Low (2.0)

Default Response: n/a

Cause: The client fingerprint processor is designed to obtain a semi-unique identifier from the client's rendering engine. The fingerprint is a hash of data obtained through JavaScript, such as the plugin list, time zone, and screen resolution. In order to calculate a fingerprint, some binary resources such as Flash objects might be required. These resources are served from a known fake directory. This incident is triggered if the user attempts to request a file in the fake directory that does not exist. In other words, they are looking for a specific file that does not exist within a fake directory.

Behavior: If an attacker discovers the script being used to collect and submit the fingerprint data, they might be interested to know what else is in the directory where fingerprint resources are served from. As such, they can request specific files they think might be inside the fake directory. Because the directory is fake, there are no actual files available, but the simple act of attempting to get a resource that does not exist in a fake directory is indicative of abusive behavior. This type of attack is generally targeted at "Predictable Resource Location" vulnerabilities.
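
The trigger condition described under Cause can be reproduced offline against web server access logs. The following is an added example, not the product's own code: the directory name `/fp-resources/`, the two served file names, and the log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed values for illustration; the page does not name the directory or its files.
FAKE_DIR = "/fp-resources/"
SERVED = {"collect.js", "probe.swf"}
# Common Log Format prefix: client, identity, user, timestamp, then "METHOD target ...".
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)')

def normalize(target):
    """Return the decoded path of a request target with dot segments resolved."""
    path = "/" + unquote(target.split("?", 1)[0]).lstrip("/")
    clean = posixpath.normpath(path)
    # normpath drops a trailing slash; keep it so the directory itself is recognisable.
    if path.endswith("/") and clean != "/":
        clean += "/"
    return clean

def find_probes(lines):
    """Map client -> names of nonexistent files requested inside FAKE_DIR."""
    probes = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        path = normalize(target)
        if not path.startswith(FAKE_DIR):
            continue
        name = path[len(FAKE_DIR):]
        # A bare directory request is not a request for a specific file.
        if name and name not in SERVED:
            probes[client].append(name)
    return dict(probes)

# Constructed sample log lines.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /fp-resources/collect.js?v=3 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /fp-resources/%62ackup.zip HTTP/1.1" 404 0',
    '203.0.113.7 - - [12/Mar/2024:10:01:11 +0000] "GET /fp-resources/admin/config.php HTTP/1.1" 404 0',
    '198.51.100.4 - - [12/Mar/2024:10:02:00 +0000] "GET /fp-resources/probe.swf HTTP/1.1" 200 2048',
    '198.51.100.4 - - [12/Mar/2024:10:02:05 +0000] "GET /fp-resources/ HTTP/1.1" 404 0',
]
if __name__ == "__main__":
    print(find_probes(SAMPLE))
```

Paths are decoded and normalized before the comparison so that percent-encoded or dot-segment variants of the same request are classified consistently.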