Java Fingerprinting

We gave BeanStack a major update to make sure you can still reliably fingerprint Java stack traces. In pentests against Java web applications, stack traces turn up quite often and reveal that an error occurred inside the application. Sometimes such a trace points you directly at a security bug; sometimes it is "only" an information leak about the application's internals. BeanStack helps you identify the software stack in use (frameworks, libraries and their versions) and look for known vulnerabilities in those components. If there are none, the identified components are still a good starting point for a security source code audit.

We updated the X41 BeanStack database to contain more up-to-date versions of various libraries and finally implemented cron jobs that pull new versions weekly.

In case you want to submit traces that are private or partly private, the Burp Suite plugin lets you create a blacklist of classes (or package prefixes) that will never be submitted to us. If you have an API key, you can also submit the data BLAKE2b-hashed, which gives you some privacy for internal code that is not in our database. Be aware that these hashes are unkeyed: we (or anyone holding the submission) could hash candidate class names and compare, so whatever is in our database, or is simply guessable, is effectively recoverable even though the full search space is large. For data that is really sensitive, put it on the blacklist rather than relying on hashing.
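To make the difference between the two options concrete, here is an added Python example that is not part of BeanStack or the Burp plugin. It parses a constructed Java stack trace, drops frames whose class falls under a blacklisted package prefix, hashes the remaining class names with BLAKE2b, and then shows what the receiving side can still do with unkeyed hashes: match them against a dictionary of known class names. The input format (hash of the fully qualified class name, 32-byte digest) is an assumption for illustration; the real plugin's wire format is not described on this page.

```python
import hashlib
import re

# Constructed sample trace (not from a real application). The first frame
# is "internal" code, the other two are well-known public library classes.
SAMPLE_TRACE = """java.lang.NullPointerException
\tat com.acme.internal.billing.InvoiceService.render(InvoiceService.java:88)
\tat org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1039)
\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
"""

# Matches "at <class>.<method>(<file:line>)"; '$' covers inner classes,
# '<>' covers constructors such as <init>.
FRAME_RE = re.compile(r"^\s*at\s+([\w$.]+)\.([\w$<>]+)\((.*)\)\s*$")


def parse_frames(trace):
    """Return (class_name, method_name) for every 'at ...' line of a trace."""
    frames = []
    for line in trace.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group(1), m.group(2)))
    return frames


def is_blacklisted(class_name, blacklist):
    """True if the class equals, or lives below, any blacklisted prefix."""
    return any(class_name == p or class_name.startswith(p + ".") for p in blacklist)


def hash_name(name):
    # Assumption: unkeyed BLAKE2b over the fully qualified class name.
    # Unkeyed means anyone can recompute it for a guessed name.
    return hashlib.blake2b(name.encode("utf-8"), digest_size=32).hexdigest()


def prepare_submission(trace, blacklist):
    """Blacklisted frames are dropped entirely; the rest leave only as hashes."""
    return [hash_name(cls) for cls, _method in parse_frames(trace)
            if not is_blacklisted(cls, blacklist)]


def recover_from_dictionary(hashes, known_classes):
    """What the receiver can do: map each submitted hash back to a class name
    if that name is in its dictionary (database contents, public libraries,
    or plain guesses). Unknown hashes map to None."""
    lookup = {hash_name(c): c for c in known_classes}
    return [lookup.get(h) for h in hashes]


if __name__ == "__main__":
    # Public library classes the receiving side already knows about.
    known = [
        "org.springframework.web.servlet.DispatcherServlet",
        "org.apache.catalina.core.ApplicationFilterChain",
    ]
    hashed_only = prepare_submission(SAMPLE_TRACE, blacklist=[])
    print("hash only:     ", recover_from_dictionary(hashed_only, known))
    # Add one guessed internal name to the dictionary: the hash no longer hides it.
    print("hash + guess:  ", recover_from_dictionary(
        hashed_only, known + ["com.acme.internal.billing.InvoiceService"]))
    blacklisted = prepare_submission(SAMPLE_TRACE, blacklist=["com.acme.internal"])
    print("blacklisted:   ", recover_from_dictionary(blacklisted, known))
```

The first run shows the internal class surviving as an unmatched hash; the second shows that a single correct guess for the class name recovers it, which is why hashing only buys privacy against names nobody will think of. With the package on the blacklist the frame never leaves Burp, so there is nothing to recover.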

You can start using the website or the Burp plugin right away. For more features, request an API key at beanstack.io. The API key gives you a higher rate limit for submissions, access to CVE data, and the ability to submit traces in hashed form.

This project is currently in beta, so we would be glad to hear your feedback and about any additional use cases we should support. Write to us at info@x41-dsec.de. We already have more features on our roadmap, so stay tuned!