This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OAT-004 Fingerprinting

Jump to: navigation, search

This is an automated threat. To view all automated threats, please see the Automated Threat Category page. The OWASP Automated Threat Handbook - Wed Applications (pdf, print), an output of the OWASP Automated Threats to Web Applications Project, provides a fuller guide to each threat, detection methods and countermeasures. The threat identification chart helps to correctly identify the automated threat.


OWASP Automated Threat (OAT) Identity Number


Threat Event Name


Summary Defining Characteristics

Elicit information about the supporting so ware and framework types and versions.

Indicative Diagram

OAT-004 Fingerprinting.png


Specific requests are sent to the application eliciting information in order to profile the application. This probing typically examines HTTP header names and values, session identifier names and formats, contents of error page messages, URL path case sensitivity, URL path patterns, file extensions, and whether software-specific files and directories exist. Fingerprinting is often reliant on information leakage and this profiling may also reveal some network architecture/topology. The fingerprinting may be undertaken without any direct usage of the application, e.g. by querying a store of exposed application properties such as held in a search engine's index.

Fingerprinting seeks to identity application components, whereas OAT-018 Footprinting is a more detailed analysis of how the application works.

Other Names and Examples

Google dorking; Google hacking; Shodaning; Target acquisition; Target scanning; Finding potentially vulnerable applications; Reconnaissance; URL harvesting; Web application fingerprinting

See Also


CAPEC Category / Attack Pattern IDs

  • 541 Application Fingerprinting
  • 170 Web Application Fingerprinting

CWE Base / Class / Variant IDs

  • 200 Information Exposure

WASC Threat IDs

  • 45 Fingerprinting

OWASP Attack Category / Attack IDs

  • -