Security Scans for Domains
Website Security
- HTTP Strict Transport Security (HSTS) not enforced: Without HSTS enforced, people browsing this site are more susceptible to man-in-the-middle attacks. The server should be configured to support HSTS.
- X-Frame-Options is not deny or sameorigin: Browsers may display this website’s content in frames. This can lead to clickjacking attacks.
- CSP is not implemented: No valid Content Security Policy is implemented. This increases the risk of XSS and clickjacking attacks.
- X-Content-Type-Options is not nosniff: Browsers may interpret files as a different MIME type than what is specified in the Content-Type HTTP header. This can lead to MIME confusion attacks.
- CAA not enabled: The domain does not contain a valid Certification Authority Authorization (CAA) record. A CAA record indicates which Certificate Authorities (CAs) are authorized to issue certificates for a domain.
- Weak cipher suites supported in TLS 1.2: Weak cipher suites can potentially be broken by a well-resourced attacker, and should not be supported by the server unless very old devices or browsers must be supported.
- Certificate not found on our revoked certificate list: The site’s certificate chain was checked against our list of revoked certificates.
- SSL available: SSL is supported for this site.
- HTTP requests are redirected to HTTPS: All HTTP requests are redirected to HTTPS.
- Hostname matches the SSL certificate: The site’s hostname matches the SSL certificate.
- SSL has not expired: SSL certificate has not expired.
- Trusted SSL certificate: The certificate presented by this domain was issued by a trusted certificate authority.
- No insecure SSL/TLS versions available: No insecure SSL/TLS versions are available for this site.
- SSL certificate chain present in server response: A complete SSL certificate chain was presented by the server for this domain.
- SSL chain certificates do not expire within 20 days: SSL intermediate and root certificates do not expire within 20 days.
- SSL expiration period shorter than 398 days: The SSL certificate presented by the server has an expiration period shorter than 398 days.
- SSL does not expire within 20 days: SSL certificate does not expire within 20 days.
- Strong SSL algorithm: Industry-standard SHA-256 signature algorithm in use.
- Not vulnerable to CVE-2014-0160 (Heartbleed): A bug in OpenSSL’s implementation of the TLS heartbeat extension allows access to portions of memory on the targeted host, e.g. cryptographic keys and passwords.
- Not vulnerable to CVE-2014-3566 (POODLE): The server does not support SSLv3, and is not vulnerable to the POODLE attack.
- Not vulnerable to CVE-2015-0204 (FREAK): The server does not offer RSA_EXPORT cipher suites, so clients are not vulnerable to the FREAK attack.
- Not vulnerable to CVE-2015-4000 (Logjam): The server is using strong Diffie-Hellman parameters and is not vulnerable to the Logjam attack.
- Server information header not exposed: Ensuring the server information header is not exposed reduces the ability of attackers to exploit certain vulnerabilities.
- X-Powered-By header not exposed: Information about specific technology used on the server is obscured.
- Strong Diffie-Hellman prime used in key exchange: TLS connections to the site use a strong Diffie-Hellman prime during key exchange.
- Strong public certificate key length: The site’s public certificate provides at least 112 bits of security strength.
- Referrer Policy is not unsafe-url: The website’s Referrer Policy is not configured to allow unsafe information to be sent in the referrer header.
- ASP.NET version header not exposing specific ASP.NET version: Ensuring the ASP.NET version header does not expose a specific version makes it harder for attackers to exploit certain vulnerabilities.
- ASP.NET version header not exposed: Ensuring the ASP.NET version header is not exposed makes it harder for attackers to exploit certain vulnerabilities.
- No open cloud storage service detected: No cloud storage service configured to allow anonymous file listing was detected.
- Domain index is not a listable directory: The domain index is not a listable directory.
- No unmaintained page detected: The page appears to be maintained.
Email Security
- DMARC policy not found: DMARC policy was not found. This makes it easier for attackers to send email from this domain. A DMARC policy should be deployed for this domain.
- SPF policy uses ~all: Sender Policy Framework (SPF) record is too lenient as to which domains are allowed to send email on the domain’s behalf. This record should preferably not use the ~all mechanism, as this does not instruct the mail receiver to reject messages from unauthorised sources. When DMARC is not being enforced, -all should be used on the SPF record.
- No unregistered MX records detected: No unregistered MX records that could lead to receiving mail on behalf of the target organization were detected.
- SPF enabled: Sender Policy Framework (SPF) records prevent spammers from sending messages with forged addresses.
- SPF syntax correct: Sender Policy Framework (SPF) record passes basic syntax checks.
- SPF ptr mechanism not used: Sender Policy Framework (SPF) record does not include the ptr mechanism.
Brand Protection
- Domain has not expired: Domain has not expired.
- No subdomain takeover vulnerability detected: No dangling DNS records that could lead to subdomain takeover were detected.
- Domain does not expire soon: Domain does not expire within 30 days.
- Domain not flagged as inactive: Domain is not flagged as inactive.
- Domain not pending deletion: Domain is not pending deletion with the registrar.
- Domain not pending restoration: Domain is not pending restoration with the registrar.
- Domain registrar or registry deletion protection enabled: Domain is protected from unsolicited deletion requests with the registrar or registry.
- Domain registrar or registry transfer protection enabled: Domain is protected from unsolicited transfer requests.
- Domain registrar or registry update protection enabled: Domain is protected from unsolicited update requests with the registrar or registry.
- Domain free of registrar DNS resolution hold: Domain is not under a DNS resolution hold with the registrar.
- Domain free of registry DNS resolution hold: Domain is not under a DNS resolution hold with the registry itself.
- Domain renewal not prohibited by registry: Domain is not prohibited from renewal at the registry itself.
Network Security
- DNSSEC not enabled: DNSSEC records prevent third parties from forging the records that guarantee a domain’s identity. DNSSEC should be configured for this domain.
- No ports are open: No open ports were detected.
Phishing & Malware
- No reports of botnet activity in the last 30 days: This IP/domain has not been reported as a source of botnet activity in the last 30 days.
- No reports of brute force login attempts in the last 30 days: This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 30 days.
- No reports of malware distribution in the last 30 days: This IP/domain has not been reported for distributing malware in the last 30 days.
- No reports of unsolicited scanning in the last 30 days: This IP/domain has not been reported for performing unsolicited scanning in the last 30 days.
- No reports of phishing activity in the last 30 days: This IP/domain has not been reported as a phishing site in the last 30 days.
- No reports of botnet activity in the last 90 days: This IP/domain has not been reported as a source of botnet activity in the last 90 days.
- No reports of brute force login attempts in the last 90 days: This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 90 days.
- No reports of malware distribution in the last 90 days: This IP/domain has not been reported for distributing malware in the last 90 days.
- No reports of unsolicited scanning in the last 90 days: This IP/domain has not been reported for performing unsolicited scanning in the last 90 days.
- No reports of phishing activity in the last 90 days: This IP/domain has not been reported as a phishing site in the last 90 days.
This post is licensed under CC BY 4.0 by the author.