Improved software detection
30 May 2021
The new port scanner module was released to production this week. It is better at port scanning and at keeping trigger-happy firewalls from messing up the scan results. It also has options to determine which software is actually running on some common ports, and often the new scanner can detect the version as well.
Most of you will be familiar with the software report, which shows what software you expose to the internet and whether any CVEs are known for it. Until now these results were based on website scans only. With this update, software found on other ports is added too, giving you a more complete view of your attack surface.
To make searching for software easier we have also introduced the search options asset.software and host.software, in addition to website.software. Clicking through from the software report page automatically uses asset.software, so that you find all relevant results.
So, if you have new critical or high vulnerabilities in your weekly report, you now know where they come from.
Search software through the API
09 May 2021
The reports section has an overview of the software our nodes have found on your assets. It contains a categorized list with a tally of how often we found each item. If the software version we found matches any CVEs, you will see that too. It is a handy overview of where to concentrate your patching and update efforts.
Last week a client had the idea of using that overview to build a dashboard, but there was no API endpoint for it yet. We fixed that; see the details in the API documentation. To make this overview more useful, the websites endpoint now also accepts a software parameter. This way you can get a list of all the websites running a specific piece of software.
Website redirect grading change
27 April 2021
The last few weeks saw lots of small improvements and bug fixes. Some are noticeable, like paging of search results in the GUI. Others concern edge cases or events that do not apply to everyone, like better detection for Drupal, F5 BIG-IP and Fortinet.
The most noticeable is probably the grade change on redirected websites. When you fully redirect a website with a 301 or 302, no content is served. Technically, you can still set security headers on the redirect to mitigate things like an XSRF attack. But as no content is served, there is nothing for an actual XSRF attack to run against. You might be able to attack the redirect destination, but that is a different website with its own content and its own grade.
One client had a lot of these redirects, and they all showed up with a big red F in the reports. While this would be fixable by setting the security headers anyway, that is not what the color red is supposed to mean in ShadowTrackr. Red is a problem and means that you need to fix it as soon as possible. Red is dangerous, unlike orange, which is a warning and means that you should fix it when you have the time.
So, security headers related to content on fully redirected websites are no longer counted in your website grades.
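The logic described above, as an added example that is not ShadowTrackr's own grading code: a small Python check that decides, per HTTP response, which security-header findings still count. Which headers are "content-related" versus transport-related, and the rule that a 301/302 (generalised here to 307/308 as well) with a Location header and an empty body is a full redirect, are assumptions of this example; the sample responses are constructed, not captured from a real host.

```python
# Added example (not ShadowTrackr's own code): decide which security-header
# findings to count for a single HTTP response, and skip the content-related
# headers when the response is a full redirect that serves no content.
# The header sets below, and the rule that a 301/302/307/308 with a Location
# header and an empty body counts as a full redirect, are assumptions of this
# example, not ShadowTrackr's grading rules.
from dataclasses import dataclass, field

# Headers that only protect content a browser actually renders (assumption).
CONTENT_HEADERS = frozenset({
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
})

# Transport-level headers still matter on a redirect (assumption).
TRANSPORT_HEADERS = frozenset({"strict-transport-security"})

REDIRECT_STATUSES = frozenset({301, 302, 307, 308})


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def lower_headers(self):
        """Header names are case-insensitive; normalise them once."""
        return {name.lower(): value for name, value in self.headers.items()}


def is_full_redirect(resp):
    """True for a redirect status with a Location header and no body."""
    return (
        resp.status in REDIRECT_STATUSES
        and "location" in resp.lower_headers()
        and len(resp.body) == 0
    )


def missing_headers(resp):
    """Security headers the response should carry but does not.

    Content-related headers are only expected when content is served;
    transport-related headers are expected on every response.
    """
    expected = set(TRANSPORT_HEADERS)
    if not is_full_redirect(resp):
        expected |= CONTENT_HEADERS
    return sorted(expected - set(resp.lower_headers()))


# Constructed sample responses (not captured from a real host).
REDIRECT_ONLY = Response(301, {"Location": "https://www.example.com/"})
REDIRECT_WITH_HSTS = Response(
    301,
    {"Location": "https://www.example.com/",
     "Strict-Transport-Security": "max-age=31536000"},
)
PAGE_WITH_HSTS_ONLY = Response(
    200,
    {"Strict-Transport-Security": "max-age=31536000",
     "Content-Type": "text/html"},
    b"<html><body>hello</body></html>",
)

if __name__ == "__main__":
    for name, resp in [("redirect only", REDIRECT_ONLY),
                       ("redirect + HSTS", REDIRECT_WITH_HSTS),
                       ("page with HSTS only", PAGE_WITH_HSTS_ONLY)]:
        print(f"{name}: full redirect={is_full_redirect(resp)}, "
              f"missing={missing_headers(resp)}")
```

A redirect that does ship a body is deliberately not treated as a full redirect here, so its content headers are still checked; whether that matches how a scanner defines "fully redirected" is a policy choice, and the body check is the place to change it.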