Responding Hosts Tab: Active Infrastructure Overview Print

Domain Details Page

Overview

The Domain Details page in TRaViS EASM provides an in-depth analysis of a specific domain, in this case, example.com. Accessible from the main dashboard by selecting a domain, this page offers a comprehensive view of the domain’s attack surface, including subdomains, infrastructure, vulnerabilities, and more. Designed for Security Operations Center (SOC) teams, this page enables users to investigate specific risks, track remediation progress, and optimize security for individual domains.

Page Layout

The Domain Details page is structured to deliver both high-level insights and granular data, ensuring users can quickly assess risks and dive into technical details as needed. The layout includes:

• Header Metrics Panel: Summarizes key statistics for the domain.
• Security Score Gauge: Displays the domain’s overall security score.
• Deduction Table: Lists specific vulnerabilities and their impact on the security score.
• Status Tabs: Provides additional views for infrastructure and vulnerability details.
• Domain JavaScript SAST Scan: Highlights JavaScript-related findings.
• Navigation and Export Tools: Offers options for data management and reporting.

Key Features and Capabilities

Header Metrics Panel: Domain Overview

The header section provides a snapshot of critical metrics for the domain, enabling users to assess its security posture at a glance.

• Discovered Subdomains:
  • Displays the total number of subdomains identified for the domain (e.g., 979 for example.com).
  • Benefit: Helps users understand the scope of the domain’s attack surface, ensuring all subdomains are accounted for and monitored.
• Total Responding Hosts:
  • Shows the number of hosts responding to scans (e.g., 945 for example.com).
  • Benefit: Identifies active infrastructure, allowing users to focus on operational assets that may be vulnerable.
• Total JavaScripts:
  • Indicates the number of JavaScript files detected (e.g., 157 for example.com).
  • Benefit: Highlights potential vulnerabilities in JavaScript assets, a common target for client-side attacks.
• URLs Discovered:
  • Lists the total number of URLs found (e.g., 6727 for example.com).
  • Benefit: Provides insight into the domain’s web presence, helping users identify exposed endpoints.
• Exposed RDP Servers:
  • Tracks Remote Desktop Protocol (RDP) servers accessible externally (e.g., 0 for example.com).
  • Benefit: Flags potential remote access vulnerabilities, enabling proactive mitigation.
• Exposed SSH Servers:
  • Identifies exposed Secure Shell (SSH) servers (e.g., 2 for example.com).
  • Benefit: Alerts users to critical risks, as exposed SSH servers are targets for unauthorized access.
• WordPress Assets:
  • Counts WordPress installations (e.g., 0 for example.com).
  • Benefit: Helps identify CMS-related risks, such as outdated plugins or themes.
• Exposed VPNs:
  • Detects exposed VPN services (e.g., 0 for example.com).
  • Benefit: Ensures VPN configurations are secure, preventing unauthorized access to internal networks.
• Open MySQL Server:
  • Identifies MySQL servers (e.g., 0 for example.com).
  • Benefit: Monitors database exposure, reducing the risk of data leaks.
• Open MSSQL Server:
  • Tracks Microsoft SQL Server instances (e.g., 0 for example.com).
  • Benefit: Ensures secure configurations for database services.
• SMTP Servers:
  • Counts SMTP servers (e.g., 4 for example.com).
  • Benefit: Identifies email infrastructure that may be vulnerable to spoofing or phishing attacks.
• IIS Servers:
  • Detects Internet Information Services (IIS) servers (e.g., 11 for example.com).
  • Benefit: Highlights Windows-based web servers that may require additional security measures.

User Value: This panel provides a high-level overview of the domain’s attack surface, enabling users to prioritize areas of concern (e.g., exposed SSH servers or SMTP servers) and allocate resources effectively.

Security Score Gauge: Risk Assessment

The central gauge displays the domain’s overall security score (e.g., 500 out of 1000 for example.com).

• Visual Indicator:
  • Uses a color-coded gauge (red, yellow, green) to reflect the score’s severity.
  • Benefit: Offers an immediate visual cue of the domain’s security health, facilitating quick decision-making.
• Score Interpretation:
  • A score of 500 indicates a higher risk level, signaling significant areas for improvement.
  • Benefit: Provides a clear benchmark for tracking security progress over time.

User Value: The security score simplifies risk assessment, helping users prioritize remediation efforts and communicate security status to stakeholders.

Deduction Table: Vulnerability Breakdown

The Deduction Table lists specific vulnerabilities or misconfigurations, their impact on the security score, and recommended actions.

• Columns:
  • Deduction Reason: Describes the issue (e.g., "Outdated certificate for host https://appstore.example.com").
  • Points Deducted: Shows the points deducted from the security score (e.g., -15 points).
  • Description: Provides a detailed explanation (e.g., "The SSL/TLS certificate for your host is outdated, posing significant security risks").
  • Action: Offers remediation steps (e.g., "Action REQUIRED: The SSL/TLS certificate for your host is outdated, posing significant security risks").
• Examples of Deductions:
  • Outdated certificates on various hosts (e.g., appstore.example.com, enterpriseenrollment.example.com).
  • Each deduction consistently subtracts 15 points, indicating a standardized scoring methodology.
  • Descriptions and actions are uniform, focusing on SSL/TLS certificate updates.
• Features:
  • Pagination: Supports navigation through multiple pages of deductions (e.g., Previous/Next buttons).
  • Export Options (CSV, Excel, PDF, Print, JSON): Allows users to generate reports of deductions for documentation or remediation tracking.

User Value: This table provides actionable insights into specific vulnerabilities, enabling users to address issues systematically and improve the domain’s security score.

Responding Hosts Tab: Active Infrastructure Overview

The "Responding Hosts" tab within the Domain Details page focuses on identifying and analyzing hosts associated with example.com that are actively responding to scans. This tab provides insights into the domain’s operational infrastructure, helping users assess potential vulnerabilities and ensure proper configuration.

• Table Columns:
  • Status: Indicates the status of each host (e.g., 200, representing a successful HTTP response).
    • Benefit: Confirms which hosts are operational and accessible, highlighting potential entry points.
  • URL: Lists the URLs of responding hosts (e.g., https://connect.example.com, https://appstore.example.com).
    • Benefit: Identifies specific hosts that are active, allowing for targeted security analysis.
  • CDN: Specifies the Content Delivery Network (CDN) provider (e.g., "CloudFront" for several hosts).
    • Benefit: Helps users verify CDN usage, ensuring content delivery is optimized and secure.
  • SSL: Displays SSL/TLS configuration status (e.g., yellow or purple indicators).
    • Benefit: Flags SSL/TLS issues (e.g., outdated certificates) for immediate attention.
  • Length: Shows the content length of the response (e.g., varying lengths for each host).
    • Benefit: Provides insight into the size of responses, which can help identify unusual activity.
  • Environment: Indicates the hosting environment (e.g., "AWS" for most hosts).
    • Benefit: Correlates infrastructure with cloud providers, aiding in cloud security policy enforcement.
• Data Examples:
  • Hosts like https://connect.example.com and https://appstore.example.com show a status of 200, use CloudFront as the CDN, are hosted on AWS, and have SSL issues (indicated by yellow/purple markers).
  • Benefit: Highlights active infrastructure with potential SSL vulnerabilities, prompting users to address certificate issues.
• Features:
  • Clickable URLs: Allows users to drill down into a specific host for more details (e.g., clicking https://connect.example.com leads to the Host Drill-Down view).
    • Benefit: Enables deeper investigation of individual hosts.
  • Pagination: Supports navigation through multiple pages of responding hosts (e.g., Previous/Next buttons).
    • Benefit: Ensures scalability for domains with numerous active hosts.
  • Export Options (CSV, Excel, PDF, Print, JSON): Located above the table.
    • Benefit: Enables users to export responding host data for detailed reporting or third-party analysis.
  • Tab Navigation: Allows switching to other tabs (e.g., "Content Discovery," "CDN & WAF") for a holistic view.
    • Benefit: Provides flexibility to explore related infrastructure and content details.

User Value: The Responding Hosts tab offers a clear view of active infrastructure, helping users identify operational hosts, assess their configurations, and prioritize security improvements.

Host Drill-Down View: Detailed Host Analysis

The Host Drill-Down view is accessed by clicking a URL in the Responding Hosts tab (e.g., https://connect.example.com). This view provides a detailed analysis of a specific host, focusing on its configuration, security, and infrastructure details.

• Screenshot of Host:
  • Displays a screenshot of the host’s webpage (e.g., a login page for connect.example.com).
  • Benefit: Offers a visual representation of the host, helping users verify its purpose and identify potential phishing or spoofing risks.
• Certificate Details:
  • Subject: Shows the certificate subject (e.g., "US, Georgia, Atlanta, Delta Air Lines, Inc., connect.example.com").
  • Issuer: Lists the certificate issuer (e.g., "US, DigiCert Inc, www.digicert.com, DigiCert Global G2 TLS RSA SHA256 2020 CA1").
  • Valid From: Indicates the start of the certificate’s validity period (e.g., 2020-03-29).
  • Valid To: Indicates the end of the certificate’s validity period (e.g., 2022-06-29).
  • Signature Type: Displays the signature algorithm (e.g., RSA-SHA256).
  • Benefit: Provides detailed certificate information, allowing users to verify authenticity and address outdated certificates.
• Certificate Information:
  • Subject: Repeats the certificate subject for clarity.
  • Issuer: Repeats the issuer details.
  • Valid From: Repeats the validity start date.
  • Valid To: Repeats the validity end date.
  • Signature Type: Repeats the signature algorithm.
  • Benefit: Reinforces certificate details, ensuring users have all necessary information for validation.
• IP Intelligence:
  • Currently shows "No data for IP Intelligence."
  • Benefit: Provides a placeholder for IP-related insights, which could include geolocation, reputation, or threat intelligence in future scans.
• Blacklisted Status:
  • Indicates the blacklisting status (e.g., N/A).
  • Benefit: Allows users to check if the host is flagged on threat intelligence blacklists, though no data is populated here.
• Open Ports:
  • Lists open ports (e.g., 80, 443).
  • Benefit: Identifies potential entry points for attackers, enabling users to secure or monitor these ports.
• Cloud Provider:
  • Specifies the hosting provider (e.g., "Amazon, CloudFront").
  • Benefit: Confirms the cloud infrastructure, aiding in cloud security policy enforcement.

User Value: The Host Drill-Down view provides a detailed analysis of a specific host, enabling users to verify its configuration, address certificate issues, and secure open ports.

Domain JavaScript SAST Scan: Code Security

The Domain JavaScript SAST (Static Application Security Testing) Scan section highlights JavaScript-related findings.

• Domain Wide SAST Scan on Exposed JavaScripts:
  • Indicates a focus on static analysis of exposed JavaScript files.
  • Benefit: Identifies vulnerabilities in client-side code, such as cross-site scripting (XSS) risks.
• View Detailed Report:
  • Provides a button to access a detailed report of JavaScript SAST findings.
  • Benefit: Enables users to dive deeper into specific code-level risks and remediation steps.
• AI / OSINT Attack Path Mapping Tool:
  • Suggests an AI-driven or OSINT-enhanced tool for attack path analysis.
  • Benefit: Leverages artificial intelligence and open-source intelligence to identify sophisticated attack scenarios.
  • View Detailed Analysis:
    • Offers a button to access detailed attack path analysis.
    • Benefit: Enhances threat modeling by mapping potential attack vectors.

User Value: This section strengthens application security by focusing on JavaScript vulnerabilities and provides advanced tools for threat modeling and analysis.

Navigation and Export Tools

The page includes robust tools for managing and sharing data:

• Export Options (CSV, Excel, PDF, Print, JSON):
  • Located above the Deduction Table and Status Tabs.
  • Benefit: Allows users to generate reports for audits, compliance, or team collaboration.
• Pagination:
  • Supports navigation through multiple pages of data (e.g., Previous/Next buttons).
  • Benefit: Ensures scalability for domains with extensive findings.
• Left Navigation Menu:
  • Includes links to other TRaViS features (e.g., Dashboard, CVE Intelligence, Domain Scanner).
  • Benefit: Provides seamless access to additional tools and views within the TRaViS platform.

User Value: These tools enhance usability by enabling data export, efficient navigation, and integration with other TRaViS features.

Benefits for Security Teams

The Domain Details page for example.com, including the Responding Hosts tab and Host Drill-Down view, offers several key benefits:

• Granular Visibility: Provides a detailed breakdown of the domain’s attack surface, from responding hosts to specific host configurations.
• Actionable Insights: Identifies active infrastructure, SSL issues, and open ports with clear remediation steps.
• Risk Prioritization: Uses the TRaViS Score and deduction details to focus efforts on high-impact issues.
• Infrastructure Analysis: Assesses responding hosts and their configurations, ensuring secure setups.
• Code Security: Highlights JavaScript vulnerabilities, ensuring comprehensive application security.
• Efficient Workflows: Supports data export, pagination, and drill-down capabilities, streamlining analysis and reporting.

Conclusion

The Domain Details page in TRaViS EASM, including the Responding Hosts tab and Host Drill-Down view, is a powerful tool for investigating and securing individual domains. By providing a comprehensive overview, detailed vulnerability breakdowns, and infrastructure analysis, it empowers security teams to proactively address risks and improve their organization’s security posture. This documentation will continue to expand as additional pages and tabs are explored.