List: full-disclosure
Subject: [FD] [Tool/API] desenmascara.me - Fingerprinting and assessing the web security awareness of website
From: Emilio Casbas <ecasbasj () yahoo ! es>
Date: 2015-04-15 7:24:21
Message-ID: 414932309.3698790.1429082661344.JavaMail.yahoo () mail ! yahoo ! com
desenmascara.me (in English: Unmask me) is an online PoC tool whose goal is to raise web security awareness among web owners in order to help decrease the constant rise of compromised websites.

The desenmascara.me PoC calculates a score, also known as the 'security awareness value', of any website (neither resources nor crawling) based on all the metadata available. Basically the score is based on a simple calculation: the more weak metadata you show, the worse, and the other way around. It is explained as follows:
-Score < 0: a website is considered prone to be compromised (because it is based on known buggy software such as old Joomla, highly critical Drupal or Typo3 versions...)
-Score between 0 and 20: a website is not considered security aware (their owners have room for improvement, they should take care)
-Score between 20 and 59: a website is considered somewhat security aware (their owners have done some tweaking to the site). Usually this is the normal status.
-Scoring 60 or higher: a website is considered security aware (their owners have done some hardening either on the platform or in the web architecture)
Additionally, as desenmascara.me collects all the metadata possible from any website, it can serve two audiences at the same time:
-Auditors/pentesters: as a 1-click method to fingerprint a web server.
-Web owners without security background: trying to explain in a brief summary the web security awareness status based on all the info collected.
The metadata extraction will be totally passive, just like browsing the website; otherwise the tool could not be online for public use. Some additional features of the tool, leveraging all the info collected, are:
-Easy to use, only enter a website address to see what's behind the scenes
-Available in English and Spanish (based on the browser language)
-Detection of domains potentially being used for phishing (kind of: mail-google.com.ve, applesupport.com.mx..)
-Detection of sites being mirrored from others (usually found in phishing, fake and scareware websites)
-Detection of CMSs and versions (whatweb core)
-Brief summary about the website configuration
-Different report colours to highlight web security awareness
-Detection of domain registrar for .com & .net TLD (some are more security savvy than others)
-Detection and warnings about the danger of hosting third party providers.
-Warnings about old software being exploited in the wild like joomla-1.5, RoR CVE-2013-0156...
-Warnings about domains (.com & .net) expiring in the coming days
-Detection of properties file leak in Ruby on Rails.
-Warnings about OpenSSL versions affected by Heartbleed.
-Warnings about Drupal Core - Highly Critical PSA-2014-003.
-Warnings about TYPO3 - Highly Critical Authentication bypass.
-Detection of hardening signs such as WAF, CDN, reverse proxy...
-In case of CloudFlare protected websites, it will try to show the real server IP.
-Detection of blacklisted websites by GoogleSafeBrowsing
-Detection of suspicious iframes or hidden spam
-Detection of misconfiguration on robots.txt files (i.e. exposing confidential information)
-Detection of defacements, directory listings, private IP addresses in comments...
-In the case of very well known websites (Forbes, EA, .gov ...) it will inform about known security incidents which they were victims of.
-Stats about general web security awareness and some details of compromised websites
The goal of this tool is NOT to consider a website either secure or insecure, but to consider the website owners security aware at different levels as explained.
In my observations during the last years I could spot a common pattern among the vast majority of compromised websites being used in all kinds of malware campaigns: they are all poorly maintained.
With this PoC the goal is to highlight the importance of keeping websites updated. The lower the score, the more vulnerable a website is and therefore the more prone to be compromised. Bear in mind that this analysis is valid for most of the current attacks on the web nowadays: compromised websites serving as redirectors, storing phishing pages, acting as proxies for exploit kits and any malicious purposes of malware campaigns. All the above activity within the compromised websites is taking place without their owner's knowledge, in web servers which can be online for years without updates. All the malicious activity is happening behind the scenes. Later the owner of the website will get complaints either from their users or the hosting company. The problem is that these owners are not security aware (nor are the hosting companies). But if you have deployed a website you should take some precautions; you cannot rely on the software vendors, community or the hostings. It is like driving a car: you need training and a license, and then you need to keep your car in good condition, doing the yearly checks and so on, in order not to be a danger on the road. By not taking precautions you would be considered irresponsible and you would end up with fines at best. The same on the Internet: if you do not take precautions with your website then you are feeding the malware ecosystem on the Internet.
I have done some tests [1] with the desenmascara.me scoring against tens of websites from the same malware campaign. By observing the results during the last years of using this scoring, I can see that the accuracy in evaluating the relation between poorly maintained websites and how they become compromised is around 80%.
Therefore I have decided to publish an API [2] to this service with an interesting use intended for an initial full disclosure and as a wake-up call for their web owners: querying URLs prone to be compromised:
http://desenmascara.me/api/howto#pronetld
You can play with HTTP requests such as:
http://desenmascara.me/api/lessscorebytld/gov
http://desenmascara.me/api/lessscorebytld/br
http://desenmascara.me/api/lessscorebytld/com
There is nothing illegal nor unethical in providing this information. All the info is public; the desenmascara.me service just collects and interprets it.
http://desenmascara.me
REFERENCES
[1] http://pwnedwebsites.com/how-to-spot-website-easy-target.html
[2] http://desenmascara.me/api/howto
Thanks
Emilio
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
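The scoring idea and the passive metadata checks described in the post above, as an added example that is not the tool's own code: a small Python scorer that reads only what a single HTTP response volunteers (headers and HTML, no further requests) and maps the result onto the post's four score bands. The indicator weights, the regexes and both sample responses are assumptions constructed here, since the real service's rules are not published in the post; the OpenSSL check flags the Heartbleed-affected range 1.0.1 to 1.0.1f, and placing a score of exactly 20 in the "somewhat security aware" band is also an assumption.

```python
"""Toy passive 'security awareness' scorer in the spirit of desenmascara.me.

Added illustration only: the weights, indicator names and sample responses
are assumptions, not the real service's rules. Everything runs offline on
constructed input; nothing is fetched from the network.
"""
import re
from dataclasses import dataclass, field

# Assumed weights: negative = weak metadata exposed, positive = hardening sign.
WEIGHTS = {
    "heartbleed_openssl": -40,     # OpenSSL 1.0.1 .. 1.0.1f advertised in the Server header
    "old_joomla": -30,             # generator meta tag reveals Joomla 1.5
    "server_version": -10,         # Server header leaks software version numbers
    "x_powered_by": -10,           # X-Powered-By leaks the application stack
    "private_ip_in_comment": -10,  # RFC 1918 address inside an HTML comment
    "directory_listing": -20,      # the page is an autoindex ("Index of /")
    "hidden_iframe": -30,          # zero-size or display:none iframe (possible injection)
    "hsts": 20,                    # Strict-Transport-Security present
    "csp": 20,                     # Content-Security-Policy present
    "x_frame_options": 10,         # X-Frame-Options present
    "cdn_or_waf": 20,              # CloudFlare in front of the origin
}

PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
GENERATOR = re.compile(r'<meta\s+name="generator"\s+content="([^"]*)"', re.I)
HEARTBLEED = re.compile(r"OpenSSL/1\.0\.1(?:[a-f]\b|\b)")   # 1.0.1g and later are fixed
HIDDEN_IFRAME = re.compile(r'<iframe[^>]*(?:display\s*:\s*none|width="0"|height="0")', re.I)


@dataclass
class Report:
    indicators: list = field(default_factory=list)
    score: int = 0
    band: str = ""


def _band(score: int) -> str:
    """Bands as stated in the announcement; the boundary at exactly 20 is assumed."""
    if score < 0:
        return "prone to be compromised"
    if score < 20:
        return "not security aware"
    if score < 60:
        return "somewhat security aware"
    return "security aware"


def assess(headers: dict, body: str) -> Report:
    """Score one HTTP response purely from what it volunteers."""
    h = {k.lower(): v for k, v in headers.items()}
    found = []
    server = h.get("server", "")
    if HEARTBLEED.search(server):
        found.append("heartbleed_openssl")
    if re.search(r"/\d+\.\d+", server) and "cloudflare" not in server.lower():
        found.append("server_version")
    if "x-powered-by" in h:
        found.append("x_powered_by")
    if "strict-transport-security" in h:
        found.append("hsts")
    if "content-security-policy" in h:
        found.append("csp")
    if "x-frame-options" in h:
        found.append("x_frame_options")
    if "cf-ray" in h or server.lower() == "cloudflare":
        found.append("cdn_or_waf")
    gen = GENERATOR.search(body)
    if gen and gen.group(1).lower().startswith("joomla! 1.5"):
        found.append("old_joomla")
    if any(PRIVATE_IP.search(c) for c in HTML_COMMENT.findall(body)):
        found.append("private_ip_in_comment")
    if re.search(r"<title>\s*Index of /", body, re.I):
        found.append("directory_listing")
    if HIDDEN_IFRAME.search(body):
        found.append("hidden_iframe")
    score = sum(WEIGHTS[i] for i in found)
    return Report(indicators=found, score=score, band=_band(score))


# Constructed sample responses (not real sites).
NEGLECTED = (
    {"Server": "Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e", "X-Powered-By": "PHP/5.3.10"},
    '<html><head><meta name="generator" content="Joomla! 1.5 - Open Source Content Management">'
    '<!-- staging box: 192.168.1.20 --></head><body>'
    '<iframe src="http://example.invalid/x" width="0" height="0"></iframe></body></html>',
)
HARDENED = (
    {"Server": "cloudflare", "CF-RAY": "0000000000000000-MAD",
     "Strict-Transport-Security": "max-age=31536000",
     "Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "DENY"},
    "<html><head><title>Hello</title></head><body>ok</body></html>",
)

if __name__ == "__main__":
    for name, (hdrs, html) in (("neglected", NEGLECTED), ("hardened", HARDENED)):
        r = assess(hdrs, html)
        print(f"{name}: score={r.score} ({r.band}) indicators={r.indicators}")
```

Run against your own site's saved response, the neglected sample lands well below zero because every indicator it shows is something the post lists as weak metadata (an old Joomla generator tag, a Heartbleed-era OpenSSL banner, a private address in a comment, a hidden iframe), while the hardened sample earns its band only from headers it actively sends. Checking a site you operate against a list like this is a cheap way to see what it advertises to anyone who simply browses it.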