Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Tracking Processors: Client Fingerprint Processor: Incident - Fingerprint Manipulation

    Complexity: Medium (3.0)

    Default Response: n/a

    Cause: The client fingerprint processor is designed to obtain a semi-unique identifier from the clients rendering engine. The fingerprint is a hash of data obtained through JavaScript such as the plugin list, time zone, and screen resolution. This incident is triggered when the user attempts to submit an invalid fingerprint.

    Behavior: Normally, the fingerprinting code will be allowed to execute on the client without any problems. However if an attacker discovers the fingerprinting code, they might try to spoof fingerprints of other users, or simply try to exploit the fingerprint service. To do this, they can create a fake fingerprint value and submit it to the server in the same way that legitimate fingerprints are submitted. It likely would not be clear to the attacker as to what the value is used for, or how the value is consumed by the server, so this type of activity would be purely exploratory. Once the attacker identifies a valid fingerprint that was not generated from their rendering engine, they will likely continue to statically submit that same fingerprint on all transactions. Once that happens, it will not be possible to identify the manipulated fingerprint. So this incident should come early in the attack, but will stop once the attacker has reached their goal. In such a case, the attacker is simply trying to disguise their true identity. If the modified fingerprint is not alpha numeric and contains special characters, then the attacker is probably attempting to launch a targeted attack against the way the service consumes the data, such as a "SQL Injection", "XSS", or "Buffer Overflow" attack.

    Published: 2014-06-27