Java Fingerprinting

During penetration tests against Java web applications we commonly encounter stack traces. A stack trace tells us that an error happened somewhere in the code, and finding and triggering errors plays a big part in finding new vulnerabilities after all. We at X41 want to get the most out of that information, so we created a database that matches stack traces to software products and versions. From the match we deduce the software stack in use, which lets us look for vulnerabilities in exactly the same software as our target uses. For those of you with an API key, we will also tell you the CVE IDs for the products detected and give you a nice overview of the vulnerabilities.

The X41 BeanStack database is now available as public BETA to the community along with a Burp plugin to make access even easier.

Burp Plugin

In case you want to submit traces that are private or partly private, the Burp plugin allows you to create a blacklist of classes that should not be submitted to us. If you have an API key, you can also submit the data BLAKE2b-hashed, which gives you some additional privacy. Be aware that we could brute-force the BLAKE2b hashes, and if we have a match for your submission we would know it anyway, so if your data really is sensitive, put it on the blacklist.
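As an added illustration (not the BeanStack plugin's own code, which is not shown in this post), the following Python parses a constructed Java stack trace, drops frames whose class matches a blacklist, and replaces the remaining class names with BLAKE2b hashes; `recover_known` shows why the post warns that unsalted hashes of well-known framework classes can simply be matched back to their names. The digest size, the submission structure and the sample class names are assumptions.

```python
import hashlib
import re

# Constructed sample stack trace; the class names are illustrative only.
SAMPLE_TRACE = """java.lang.NullPointerException: null
\tat com.example.internal.OrderService.process(OrderService.java:42)
\tat org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1039)
\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
\tat java.base/java.lang.Thread.run(Thread.java:834)
"""

# Frame line: 'at [module/]package.Class.method(Location)'; the module prefix appears on Java 9+.
FRAME_RE = re.compile(r"^\s*at\s+(?:[\w.]+/)?([\w$.]+)\.([\w$<>]+)\(([^)]*)\)\s*$")

def parse_frames(trace):
    """Return (class, method, location) for every 'at ...' frame line; other lines are ignored."""
    return [m.groups() for m in (FRAME_RE.match(l) for l in trace.splitlines()) if m]

def is_blacklisted(cls, blacklist):
    """True if cls is, or lies below, any blacklisted class or package prefix."""
    return any(cls == p or cls.startswith(p + ".") for p in blacklist)

def hash_class(cls):
    """Hypothetical hashed form: hex BLAKE2b of the class name (digest size is an assumption)."""
    return hashlib.blake2b(cls.encode("utf-8"), digest_size=32).hexdigest()

def prepare_submission(trace, blacklist=(), hashed=False):
    """Drop blacklisted frames first, then optionally replace class names by their hash."""
    frames = [f for f in parse_frames(trace) if not is_blacklisted(f[0], blacklist)]
    if hashed:
        frames = [(hash_class(c), m, loc) for c, m, loc in frames]
    return frames

def recover_known(hashed_frames, known_classes):
    """Why hashing alone is weak: a list of well-known framework classes maps the
    unsalted hashes straight back to names, which is the brute force the post warns about."""
    table = {hash_class(c): c for c in known_classes}
    return {h: table[h] for h, _, _ in hashed_frames if h in table}
```

Only the blacklist keeps a class name out of the submission entirely; hashing hides it only from someone without a candidate list.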

You can simply start using the website or the Burp plugin! For more features, request an API key at beanstack.io. The API key gives you a higher rate limit for submissions and CVE data, and allows you to submit traces in a hashed format.

This project is currently in a beta phase, so we would be excited to hear your feedback and about any additional use cases we should support. Write to us about them at info@x41-dsec.de. We already have some more features on our roadmap, so stay tuned!

About X41 D-Sec GmbH

X41 D-Sec GmbH is an expert provider of application security services. Having extensive industry experience and expertise in information security enables X41’s strong core team of world-class experts to perform premium security services.

Fields of expertise in application security are security-centric code reviews, binary reverse engineering, and vulnerability discovery. Custom research and IT-security consulting and support services are core competencies of X41.

Author: Eric Sesterhenn
Date: April 24, 2019