Black Hat 2010: Qualys releases BlindElephant application analysis security tool

According to the IT security vendor, BlindElephant is an open-source generic web application 'fingerprinter' that produces results by examining a small set of static files on a company's IT systems.

Presenting the utility software at the Black Hat conference in Las Vegas this week, Patrick Thomas, an IT security expert working with Qualys – and the creator of BlindElephant – announced his firm had been conducting research into the efficacy of the software.

To test the accuracy of the tool, he and his team ran tests across more than a million internet-visible hosts, which showed that many organisations are running out-of-date versions of their software, creating a security risk in the process.

Results of the research reveal that 70% of users running Drupal, a content management system, are affected by critical vulnerabilities, whilst 92% of users of Joomla, a second content management system, are affected by a high vulnerability.

The research also showed that 95% of MediWiki software users systems were affected by a major vulnerability, and all users (100%) of the phbBB forum software were potentially impacted by a severe vulnerability.

The reason for the security vulnerabilities, says Qualys, is that there are many common web applications used for many purposes, such as blogging, forums, and database management.

By their nature, says the company, these applications present special security challenges, and as vulnerabilities are increasingly discovered, it is important to have a reliable way to detect which applications and plugins are present at a site.

Thomas says that BlindElephant is a tool that helps security professionals and systems administrators identify everything running on their servers, including any web applications users may have downloaded.

"It doesn't check for vulnerabilities or vulnerability to a particular exploit, but rather what version of applications are running on their site", he said.

The primary goal of BlindElephant, he added, is to locate specific vulnerabilities in an application.

What’s hot on Infosecurity Magazine?