Attack Surface Rules for Websites - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2024-05-22
Last date published: 2024-09-03
Category: User Guide
Solution: Cloud
Abstract

Cortex Xpanse has attack surface rules that detect potential security risks on your websites.

Cortex Xpanse offers two categories of attack surface rules to create alerts on websites:

  • Web Security Assessments—Includes three attack surface rules (described in Table 1, “Attack Surface Rules for Websites”, below) that detect failures of website security best practices. These are the best practices assessed in the Security Best Practices Analysis section of website details pages in the Asset Inventory.

  • Web Technology CVE Inferences—Includes four attack surface rules (described in Table 1, “Attack Surface Rules for Websites”, below) that flag web technologies with inferred CVEs that are both high-confidence matches and high-severity CVEs.

    Tip

    An important benefit of these attack surface rules is that, when they are enabled, Xpanse creates an alert on any new CVE that matches these criteria. This means you will be notified immediately about zero-day vulnerabilities that are an exact version match.

Table 1. Attack Surface Rules for Websites

Attack Surface Rule Category: Web Security Assessments

  Attack Surface Rule: Insecure Communication Protocol

  Description: Triggers an alert when HTTPS is configured and the Protocol Downgrade or HTTP Strict-Transport-Security assessment fails.

  Attack Surface Rule: Insecure Content Security

  Description: Detects whether elements on a webpage are configured insecurely. Examples of content security issues include:

    • Mixed content (an HTTPS page that loads content via HTTP)

    • Insecure forms (a form hosted on a secure page that sends information over HTTP)

    • Misconfigured Referrer-Policy header

  Attack Surface Rule: Misconfigured Cross-Site Protections

  Description: Cross-site scripting (XSS) is one of the most common attacks against websites, enabling attackers to manipulate data on a webpage or exfiltrate data from users. In response, websites can be equipped with various HTTP headers to mitigate certain attacks. This rule detects the absence or misconfiguration of these security settings, including:

    • Misconfigured X-Frame-Options Header

    • Misconfigured X-Content-Type-Options Header
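The three Web Security Assessments above correspond to concrete checks on a response's headers and HTML. The following is an added example written for this page, not Cortex Xpanse code: it evaluates one captured response (URL, headers, HTML body, and an optional status/Location pair from requesting the same path over plain HTTP, which is how this example models the Protocol Downgrade assessment; the guide does not describe Xpanse's own method) against each of the three rules. The function names, finding texts, severity choices and the sample page are this example's own constructions; the header names and the browser-honoured values (DENY, SAMEORIGIN, nosniff) are the real ones.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def get_header(headers, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def assess_communication_protocol(page_url, headers, http_probe=None):
    """Insecure Communication Protocol: an HTTPS page that is also served over
    plain HTTP without a redirect (downgrade) or that lacks a usable HSTS policy.
    http_probe is (status, Location) from fetching the same path over http://,
    or None when no such request was made (assumed probe shape for this example)."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        return findings  # the rule applies only once HTTPS is configured
    if http_probe is not None:
        status, location = http_probe
        redirected = status in (301, 302, 307, 308) and (location or "").startswith("https://")
        if not redirected:
            findings.append(f"plain HTTP answered {status} without redirecting to HTTPS")
    hsts = get_header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    elif "max-age=0" in [d.strip().lower() for d in hsts.split(";")]:
        findings.append("Strict-Transport-Security max-age=0 disables the policy")
    return findings


class ContentScanner(HTMLParser):
    """Collects sub-resource URLs and form actions from a page."""
    RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                      "link": "href", "audio": "src", "video": "src"}

    def __init__(self):
        super().__init__()
        self.resources, self.form_actions = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_actions.append(attrs.get("action") or "")
        elif tag in self.RESOURCE_ATTRS and attrs.get(self.RESOURCE_ATTRS[tag]):
            self.resources.append(attrs[self.RESOURCE_ATTRS[tag]])


def assess_content_security(page_url, headers, html):
    """Insecure Content Security: mixed content, insecure forms, Referrer-Policy."""
    findings = []
    if urlsplit(page_url).scheme == "https":
        scanner = ContentScanner()
        scanner.feed(html)
        for url in scanner.resources:  # relative and protocol-relative URLs inherit https
            if urlsplit(urljoin(page_url, url)).scheme == "http":
                findings.append(f"mixed content: {url}")
        for action in scanner.form_actions:  # empty action posts back to the page itself
            if urlsplit(urljoin(page_url, action)).scheme == "http":
                findings.append(f"insecure form: {action}")
    policy = get_header(headers, "Referrer-Policy")
    if policy is None:
        findings.append("Referrer-Policy header missing")
    elif policy.lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(f"Referrer-Policy sends the full URL cross-origin: {policy}")
    return findings


def assess_cross_site_protections(headers):
    """Misconfigured Cross-Site Protections: X-Frame-Options, X-Content-Type-Options."""
    findings = []
    xfo = get_header(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("X-Frame-Options header missing")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):  # e.g. the obsolete ALLOW-FROM form
        findings.append(f"X-Frame-Options value not honoured by browsers: {xfo}")
    xcto = get_header(headers, "X-Content-Type-Options")
    if xcto is None:
        findings.append("X-Content-Type-Options header missing")
    elif xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options must be nosniff, got: {xcto}")
    return findings


def run_assessments(page_url, headers, html, http_probe=None):
    """Run the three Web Security Assessments; returns findings keyed by rule name."""
    return {
        "Insecure Communication Protocol": assess_communication_protocol(page_url, headers, http_probe),
        "Insecure Content Security": assess_content_security(page_url, headers, html),
        "Misconfigured Cross-Site Protections": assess_cross_site_protections(headers),
    }


# Constructed sample response for one login page (not a real site capture).
SAMPLE_URL = "https://www.example.com/login"
SAMPLE_HEADERS = {"Content-Type": "text/html", "Referrer-Policy": "unsafe-url",
                  "X-Frame-Options": "ALLOW-FROM https://partner.example.com"}
SAMPLE_HTTP_PROBE = (200, None)  # the http:// URL served the page instead of redirecting
SAMPLE_HTML = """<html><body>
<script src="http://cdn.example.com/app.js"></script>
<img src="/static/logo.png">
<form action="http://www.example.com/auth" method="post"><input name="user"></form>
<form action="/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for rule, findings in run_assessments(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML, SAMPLE_HTTP_PROBE).items():
        print(rule, "->", findings or ["pass"])
```

Each rule returns an empty list when the page passes, so the same dictionary can drive an alert or a per-site best-practices report. The HTML scan only runs for HTTPS pages because mixed content and insecure forms are defined relative to a secure page, while the header checks apply regardless of scheme.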

Attack Surface Rule Category: Web Technology CVE Inferences

  Attack Surface Rule: Insecure Security and Infrastructure Technologies

  Description: Flags security and infrastructure technologies with a CPE that correlates to a high-severity CVE, for example a GitLab instance or Bitbucket server with a CVE.

  Attack Surface Rule: Insecure Web Applications

  Description: Flags web applications with a CPE that correlates to a high-severity CVE, typically server-side software, for example a CVE in WordPress.

  Attack Surface Rule: Insecure Web Frameworks and Libraries

  Description: Flags web frameworks and libraries with a CPE that correlates to a high-severity CVE. Examples of web frameworks include ThinkPHP and Ruby on Rails; examples of libraries include React and jQuery.

  Attack Surface Rule: Insecure Web Server Technologies

  Description: Flags web server technologies with a CPE that correlates to a high-severity CVE, for example JBoss Application Server, IIS, Apache, or nginx.
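The four Web Technology CVE Inferences rules share one mechanism: an observed technology, identified by a CPE, is correlated with advisories, and an alert fires only when the match is high-confidence and the CVE is high-severity. The following is an added example of that logic, written for this page and not Cortex Xpanse code. Every advisory record, CVE identifier (the CVE-EXAMPLE-nnnn strings are placeholders), CPE string and the product-to-rule mapping is constructed; treating a known version inside the affected range as high confidence and a CVSS base score of 7.0 or above as high severity are this example's own assumptions, since the guide does not state Xpanse's thresholds.

```python
from dataclasses import dataclass

# Rule names are taken from Table 1; which product belongs to which rule is
# this example's own mapping.
RULE_FOR_PRODUCT = {
    "gitlab": "Insecure Security and Infrastructure Technologies",
    "bitbucket": "Insecure Security and Infrastructure Technologies",
    "wordpress": "Insecure Web Applications",
    "rails": "Insecure Web Frameworks and Libraries",
    "jquery": "Insecure Web Frameworks and Libraries",
    "nginx": "Insecure Web Server Technologies",
    "iis": "Insecure Web Server Technologies",
}

HIGH_SEVERITY = 7.0  # assumed CVSS threshold for "high severity"


@dataclass(frozen=True)
class Advisory:
    cve_id: str      # placeholder identifier, not a real CVE
    product: str     # CPE 2.3 product field
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)
    cvss: float      # base score


# Constructed advisory feed; every record here is made up for the example.
ADVISORIES = [
    Advisory("CVE-EXAMPLE-0001", "nginx", "1.0.0", "1.21.0", 9.8),
    Advisory("CVE-EXAMPLE-0002", "nginx", "1.25.0", "1.25.4", 7.5),
    Advisory("CVE-EXAMPLE-0003", "jquery", "1.0.0", "3.5.0", 6.1),
    Advisory("CVE-EXAMPLE-0004", "gitlab", "16.0.0", "16.2.1", 9.1),
    Advisory("CVE-EXAMPLE-0005", "wordpress", "6.0", "6.4.3", 8.8),
]


def parse_cpe(cpe):
    """Return (product, version) from a CPE 2.3 string.

    Layout: cpe:2.3:part:vendor:product:version:update:...; an unknown
    version is written as '*' (ANY) in CPE."""
    fields = cpe.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return fields[4], fields[5]


def version_key(version):
    """Dotted numeric version to a comparable tuple; non-numeric parts count as 0."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def affected(version, advisory):
    """True when introduced <= version < fixed."""
    key = version_key(version)
    return version_key(advisory.introduced) <= key < version_key(advisory.fixed)


def infer_alerts(cpe, advisories=ADVISORIES):
    """Alert records for one observed technology.

    High confidence here means the version is known and inside the affected
    range; a product seen without a version ('*') produces no alert even when
    the product has high-severity advisories, so it never trips the rule."""
    product, version = parse_cpe(cpe)
    if version == "*":
        return []
    return [
        {"rule": RULE_FOR_PRODUCT.get(product, "Uncategorized"),
         "cve": adv.cve_id, "cvss": adv.cvss, "cpe": cpe}
        for adv in advisories
        if adv.product == product and adv.cvss >= HIGH_SEVERITY and affected(version, adv)
    ]


def alerts_by_rule(observed_cpes, advisories=ADVISORIES):
    """Group the CVE ids that would alert, keyed by attack surface rule."""
    grouped = {}
    for cpe in observed_cpes:
        for alert in infer_alerts(cpe, advisories):
            grouped.setdefault(alert["rule"], []).append(alert["cve"])
    return grouped


# Constructed observations for one website.
OBSERVED = [
    "cpe:2.3:a:f5:nginx:1.18.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:jquery:jquery:3.4.1:*:*:*:*:*:*:*",    # in range, but only medium severity
    "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*",  # version unknown: low confidence
    "cpe:2.3:a:gitlab:gitlab:16.1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:f5:nginx:1.25.4:*:*:*:*:*:*:*",        # already at the fixed version
]

if __name__ == "__main__":
    for rule, cves in alerts_by_rule(OBSERVED).items():
        print(f"{rule}: {', '.join(cves)}")
```

Because the advisory list is an input, a newly published advisory re-run against the same observations is exactly the "new CVE that matches these criteria" case from the Tip above: an exact version match inside the new range alerts immediately, while an unknown version or a medium-severity score stays silent.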