'[FD] [Tool/API] desenmascara.me - Fingerprinting and assessing the web security awareness of website'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] [Tool/API] desenmascara.me - Fingerprinting and assessing the web security awareness of website
From:       Emilio Casbas <ecasbasj () yahoo ! es>
Date:       2015-04-15 7:24:21
Message-ID: 414932309.3698790.1429082661344.JavaMail.yahoo () mail ! yahoo ! com
[Download RAW message or body]

desenmascara.me (in English can be translated as: Unmask me) is an online \
PoC tool whose goal is: to raise web security awareness among web owners in \
order to help decrease the constant rise of compromised websites.

The desenmascara.me PoC calculate a score also known as 'security awareness \
value' of any website (neither resources nor crawling) based on all the \
metadata available. Basically the score is based on a simple calculation of \
the more weak metadata you show the worst and in the other way around. It \
is explained as follows:

-Score < 0: a website is considered as prone to be compromised. (because it \
is based on known and buggy software such as old Joomla, highly critical \
                Drupal or Typo3 versions...)
-Score between 0 and 20: a website is not considered as security aware \
                (their owners have room to improvement, they should take \
                care)
-Score between 20 and 59: a website is considered somehow as security \
aware. (their owners have done some tweaking to the site). Usually this is \
                the normal status.
-Scoring 60 or higher: a website is considered as security aware (their \
owners have done some hardening either on the platform or in the web \
architecture)

Additionally as desenmascara.me will collect all the metadata possible from \
any website it can serve at the same time to two audiences:

-Auditors/pentesters: as 1 click method to Fingerprint a web server.
-Web owners without security background: trying to explain in a brief \
summary the web security awareness status based on all the info collected.

The metadata extraction will be totally passive just like browsing the \
website, otherwise the tool could not be online for public use. Some \
additional features of the tool by leveraging all the info collected are:

-Easy to use, only enter a website address to see what's behind the scenes
-Available in English and Spanish (based on the browser language)
-Detection of domains potentially being used for phishing (kind of: \
                mail-google.com.ve, applesupport.com.mx..)
-Detection of sites being mirrored from anothers (usually founds in \
                Phishing, fake and scareware websites)
-Detection of CMSs and versions (whatweb core)
 -Brief summary about the website configuration
 -Different report colours to highlight web security awareness
-Detection of domain registrar for .com & .net TLD (some are more security \
                savvy than others)
-Detection and warnings about the danger of hosting third party providers.
-Warnings about old software being exploited in the wild like joomla-1.5, \
                RoR CVE-2013-0156...
-Warnings about domains (.com & .net) expiring in the coming days
-Detection of properties file leak in Ruby on Rails. 
-Warnings about OpenSSL version afected by heartbleed.
-Warnings about Drupal Core - Highly Critical PSA-2014-003.
-Warnings about TYPO3 - Highly Critical Authentication bypass.
-Detection of hardening signs such as WAF, CDN, reverse proxy...
-In case of CloudFlare protected websites, it will try to show the real \
                server IP.
-Detection of blacklisted websites by GoogleSafeBrowsing
-Detection of suspicious iframes or hidden spam
-Detection of misconfiguration on robots.txt files (i.e: exposing \
                confidential information)
-Detection of defacements, directory listings, private IP address in \
                comments...
-In the case of very known websites (Forbes, EA, .gov ...) will inform \
                about known security incidents which they were victim of.
-Stats about general web security awareness and some details of compromised \
websites

The goal of this tool is NOT to consider a website either secure or \
insecure, but to consider the website owners security aware in different \
levels as explained.

In my observations during the last years I could spot a common pattern \
among the vast majority of compromised websites being used in all kind of \
malware campaigns: they are all poor maintained.

With this PoC the goal is to highlight the importance to keep updates the \
websites. The lowest the score the more vulnerable a website is and \
therefore prone to be compromised. Bear in mind that this analysis is valid \
for most of the current attacks on the web nowadays; compromised websites \
to serve as redirectors, to store phishings, as proxys for exploit kits and \
any malicious purposes of malware campaigns. All the above activity within \
the compromised websites is taking place without their owner´s knowledge, \
in web servers which can be online during years without updates. All the \
malicious activity is happening behind the scenes. Later the owner of the \
website will get complains either from their users or the hosting company. \
The problem is that these owners are not security aware (nor the hosting \
companies). But if you have deployed a website you should take some \
precautions, you can not rely on the sofware vendors, community or the \
hostings. It is like driving a car, you need formation and a license and \
then you need to keep you car in good status, doing the yearly checks and \
so on, in order to not be a danger in the road. By not taking precautions \
you would be considered as an irresponsible and you will end up with fines \
at best. The same in Internet, if you do not take precautions with your \
website then you are feeding the malware ecosystem in the Internet.

Having done some tests [1] with the desenmascara.me scoring towards tens of \
websites from the same malware campaign. And by observing the results \
during the last years of using this scoring I can see the accuracy to \
evaluate the relation between poor maintained websites and how they become \
compromised is around 80%.

Therefore I have decided to publish an API [2] to this service with an \
interesting use intended for an initial fulldisclosure and as a wake up \
call for their web owners: querying URLs prone to be compromised: \
http://desenmascara.me/api/howto#pronetld

You can play with http requests such as:
http://desenmascara.me/api/lessscorebytld/gov
http://desenmascara.me/api/lessscorebytld/br
http://desenmascara.me/api/lessscorebytld/com

There is nothing illegal nor unethical on providing this information. All \
the info is public, the desenmascara.me service just collect it and \
interpret it.

http://desenmascara.me

REFERENCES

[1] http://pwnedwebsites.com/how-to-spot-website-easy-target.html[2] \
http://desenmascara.me/api/howto

Thanks
Emilio

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[prev in list] [next in list] [prev in thread] [next in thread] 