
SecurityTrails Blog · Feb 18 · by Esteban Borges

February Product Updates: New HTTP Header Data in SQL Explorer and Improved Tagging

Reading time: 3 minutes

We are excited to announce new features for SurfaceBrowser™. Now you can perform a new range of HTTP header-based queries to get information from our port 443 crawled data, and gain quick access to improved tagging for faster asset discovery.

Query HTTP header data

With this latest release we’ve empowered security researchers and IT managers to get critical information present in any HTTP header from SSL-based websites. This is done by running a simple SQL-based query.

These are some of the main attributes supported by the hosts table (the complete list of supported attributes can be found in SQL Explorer):

  • http.headers.content_type: The content type header pulled out of the index page
  • http.headers.location_host: The location header of the index page
  • http.headers.server: Shows the contents of the ServerName HTTP header from port 443
  • http.headers.raw: Shows the contents of the raw crawl data for the HTTP headers

Let’s dive into a few practical examples:

Sites using GWS web server and self-signed certificates

Let’s see who’s using the famous GWS web server from Google, and at the same time using self-signed certificates in production.

For this first example, we ran the following query:

select
  domain.hostname
from
  hosts
where
  http.headers.raw = "server:gws"
  and ssl.is_self_signed = true


Searching for phpMyAdmin instances of the U.S. government

With our powerful SQL Explorer interface, you can also combine this header data with domain TLD filters, for example:

http.headers.raw like "set-cookie:phpMyAdmin=%" and domain.tld = "gov"


Searching for Cisco VPN services of the U.S. government

In this example, we’ll explore cookie information searching for this type of VPN. Just modify the previous query, and change the http.headers.raw line to be:

http.headers.raw like "set-cookie:webvpn=%" and domain.tld = "gov"


Finding vulnerable Windows-based web servers

Old web servers are still around on many websites. One of these is Microsoft IIS, and in the following example we’ll query for the vulnerable IIS 7.5 version:

http.headers.server like "Microsoft-IIS/7.5%"


Searching for outdated PHP versions

PHP-based websites still rule a big part of the internet. Here we’ll focus on discovering PHP 4.x versions for sites using SSL certificates issued in the state of NY:

http.headers.raw like "x-powered-by:PHP/4.%" and ssl.subject.state = "NY"
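As an added example (not code from the SecurityTrails post or the SurfaceBrowser™ product), the following Python script loads a handful of constructed hosts rows into an in-memory SQLite table that keeps the same dotted attribute names, and then runs the five filters above as parameterized queries. It also shows how a LIKE pattern without a leading wildcard behaves against a multi-line raw header block. The sample hostnames, header blobs and the SQLite column mapping are assumptions; SQLite quoting rules (double quotes for identifiers, single quotes for strings) differ from the syntax shown in the post.

```python
import sqlite3

# Constructed sample rows (not real SecurityTrails data), shaped like the SQL Explorer
# "hosts" table: hostname, TLD, self-signed flag, certificate subject state, the
# parsed Server header, and the raw header block captured from port 443.
SAMPLE_HOSTS = [
    ("www.example-a.gov", "gov", 1, "DC", "gws",
     "server:gws\r\ncontent-type:text/html\r\n"),
    ("db.example-b.gov", "gov", 0, "VA", "nginx",
     "server:nginx\r\nset-cookie:phpMyAdmin=abc123; path=/; HttpOnly\r\n"),
    ("vpn.example-c.gov", "gov", 0, "VA", "Cisco",
     "server:Cisco\r\nset-cookie:webvpn=; path=/; secure\r\n"),
    ("legacy.example-d.com", "com", 0, "NY", "Microsoft-IIS/7.5",
     "server:Microsoft-IIS/7.5\r\nx-powered-by:PHP/4.4.9\r\n"),
    ("shop.example-e.com", "com", 1, "NY", "Microsoft-IIS/10.0",
     "server:Microsoft-IIS/10.0\r\nx-powered-by:PHP/8.2.0\r\n"),
    ("blog.example-f.org", "org", 0, "NY", "Apache",
     "x-powered-by:PHP/4.3.11\r\nserver:Apache\r\n"),
]


def build_hosts_db():
    """Create an in-memory SQLite 'hosts' table using the dotted attribute names."""
    conn = sqlite3.connect(":memory:")
    # SQLite accepts dotted column names when they are double-quoted; because double
    # quotes delimit identifiers here, string literals in the queries use single quotes.
    conn.execute(
        'CREATE TABLE hosts ("domain.hostname" TEXT, "domain.tld" TEXT,'
        ' "ssl.is_self_signed" INTEGER, "ssl.subject.state" TEXT,'
        ' "http.headers.server" TEXT, "http.headers.raw" TEXT)'
    )
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_HOSTS)
    return conn


def hosts_where(conn, where_clause, params=()):
    """Return sorted hostnames for a fixed WHERE clause; all values are bound parameters."""
    sql = f'SELECT "domain.hostname" FROM hosts WHERE {where_clause} ORDER BY 1'
    return [row[0] for row in conn.execute(sql, params)]


def gws_self_signed(conn):
    """GWS web server plus a self-signed certificate (first example in the post)."""
    return hosts_where(conn, '"http.headers.raw" LIKE ? AND "ssl.is_self_signed" = 1',
                       ("%server:gws%",))


def cookie_by_tld(conn, cookie_name, tld):
    """Hosts setting a named cookie, restricted to a TLD (phpMyAdmin and webvpn examples)."""
    return hosts_where(conn, '"http.headers.raw" LIKE ? AND "domain.tld" = ?',
                       (f"%set-cookie:{cookie_name}=%", tld))


def iis_version(conn, version):
    """Hosts whose parsed Server header reports the given IIS version."""
    return hosts_where(conn, '"http.headers.server" LIKE ?',
                       (f"Microsoft-IIS/{version}%",))


def php_major_by_state(conn, major, state):
    """Hosts advertising a PHP major version via x-powered-by, filtered by cert subject state."""
    return hosts_where(conn, '"http.headers.raw" LIKE ? AND "ssl.subject.state" = ?',
                       (f"%x-powered-by:PHP/{major}.%", state))


def anchored_vs_unanchored(conn, cookie_name="phpMyAdmin"):
    """Caveat: a LIKE pattern with no leading % is anchored to the start of the value, so
    against a multi-line raw header block it only matches when that header comes first."""
    anchored = hosts_where(conn, '"http.headers.raw" LIKE ?',
                           (f"set-cookie:{cookie_name}=%",))
    unanchored = hosts_where(conn, '"http.headers.raw" LIKE ?',
                             (f"%set-cookie:{cookie_name}=%",))
    return anchored, unanchored


if __name__ == "__main__":
    db = build_hosts_db()
    print("GWS + self-signed:", gws_self_signed(db))
    print("phpMyAdmin on .gov:", cookie_by_tld(db, "phpMyAdmin", "gov"))
    print("webvpn on .gov:", cookie_by_tld(db, "webvpn", "gov"))
    print("IIS 7.5:", iis_version(db, "7.5"))
    print("PHP 4.x with NY certs:", php_major_by_state(db, "4", "NY"))
    print("anchored vs unanchored:", anchored_vs_unanchored(db))
```

The WHERE clauses are fixed strings in the code and every user-supplied value is passed as a bound parameter, so the script can be pointed at an exported copy of your own inventory without opening an injection path. The last function is the check worth running before trusting a raw-header query: in standard SQL LIKE semantics, a pattern such as set-cookie:phpMyAdmin=% only matches when that header is the first line of the stored block, so a leading % is needed to find it anywhere in the block.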

Improved tagging

Tags are an easy way to find assets running a given technology or service. In this February update we’ve also improved the way we handle these tags, and we have over 1,000 active tags at the time of this writing.

These tags let you discover digital assets from any IT platform, as you can see in the following example for Cloudflare:

[Image: Improved tagging]

The same can be done with Amazon, Akamai and a thousand other tech-related tags from our database. And for further analysis you can even download any of this data to your local network:

[Image: Improved tagging download]

The possibilities are endless—and just one SQL query away.


ESTEBAN BORGES

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.