We are excited to announce new features for SurfaceBrowser™. Now you can perform a new range of HTTP header-based queries to get information from our port 443 crawled data, and gain quick access to improved tagging for faster asset discovery.
Query HTTP header data
With this latest release we’ve empowered security researchers and IT managers to get critical information present in any HTTP header from SSL-based websites. This is done by running a simple SQL-based query.
These are some of the main attributes supported by the hosts table (the complete list of supported attributes is found in SQL Explorer):
- http.headers.content_type: The content type header pulled out of the index page
- http.headers.location_host: The location header of the index page
- http.headers.server: Shows the contents of the ServerName HTTP header from port 443
- http.headers.raw: Shows the contents of the raw crawl data for the HTTP headers
Let’s dive into a few practical examples:
Sites using GWS web server and self-signed certificates
Let’s see who’s using the famous GWS web server from Google, and at the same time using self-signed certificates in production.
For this first example, we ran the following query:
select domain.hostname from hosts where http.headers.raw = "server:gws" and ssl.is_self_signed = true
Searching for phpMyAdmin instances of the U.S. government
With our powerful SQL Explorer interface, you can also combine this header data with domain TLD filters:
http.headers.raw like "set-cookie:phpMyAdmin=%" and domain.tld = "gov"
Searching for Cisco VPN services of the U.S. government
In this example, we’ll explore cookie information searching for this type of VPN. Just modify the previous query, and change the http.headers.raw line to be:
http.headers.raw like "set-cookie:webvpn=%" and domain.tld = "gov"
Finding vulnerable Windows-based web servers
Old web servers are still running on many websites. One of these is Microsoft IIS, and in the following example we’ll query for the vulnerable IIS 7.5 version:
http.headers.server like "Microsoft-IIS/7.5."
Searching for outdated PHP versions
PHP-based websites still rule a big part of the internet. Here we’ll focus on discovering PHP 4.x versions for sites using SSL certificates issued in the state of NY:
http.headers.raw like "x-powered-by:PHP/4.%" and ssl.subject.state = "NY"
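The same header patterns can be run against response heads captured from your own hosts, to see which of these queries your assets would show up in. The Python below is an added example, not SecurityTrails code or part of the original post. It assumes the raw header data is stored as "name:value" lines with a lowercased name (inferred from the patterns in the queries above), matches case-insensitively by choice, and uses constructed sample responses.

```python
import re

# LIKE patterns from the queries above. The IIS one is adapted to a prefix
# match on the raw "server:" line (assumption, not a query from the page).
PATTERNS = {
    "gws banner": "server:gws",
    "phpMyAdmin cookie": "set-cookie:phpMyAdmin=%",
    "Cisco WebVPN cookie": "set-cookie:webvpn=%",
    "PHP 4.x banner": "x-powered-by:PHP/4.%",
    "IIS 7.5 banner": "server:Microsoft-IIS/7.5%",
}

def normalize(response_head):
    """Return header lines as 'name:value' (lowercased name, trimmed value).
    This layout is inferred from the page's patterns, not a documented format."""
    lines = response_head.replace("\r\n", "\n").split("\n")
    out = []
    for line in lines[1:]:              # lines[0] is the status line
        if not line.strip():            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:                         # skip malformed lines with no colon
            out.append(f"{name.strip().lower()}:{value.strip()}")
    return out

def like_to_regex(pattern):
    """Translate SQL LIKE wildcards (% and _) into a regex for fullmatch()."""
    body = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                   for c in pattern)
    return re.compile(body, re.IGNORECASE)  # case-insensitive by choice

def audit(response_head):
    """Return the sorted labels of every pattern that matches a header line."""
    lines = normalize(response_head)
    return sorted(label for label, pat in PATTERNS.items()
                  if any(like_to_regex(pat).fullmatch(l) for l in lines))

# Constructed sample responses, not captured from any real host.
LEGACY = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\n"
          "X-Powered-By: PHP/4.4.9\r\n"
          "Set-Cookie: phpMyAdmin=abc123; path=/; HttpOnly\r\n\r\n<html>")
CLEAN = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for name, head in (("legacy", LEGACY), ("clean", CLEAN)):
        print(name, audit(head))
```

Any label returned for one of your hosts is a header worth removing or masking at the web server or reverse proxy, alongside upgrading the software that emits it.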
Tags are an easy way to gain access to a bunch of technologies and services. In this February update we’ve also improved the way we handle these tags, and we have over 1,000 active tags at the time of this writing.
These tags let you discover digital assets from any IT platform, as you can see in the following example for Cloudflare:
The same can be done with Amazon, Akamai and a thousand other tech-related tags from our database. And for further analysis you can even download any of this data to your local network: