Websites - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide
Product
Cortex XPANSE
Version
2
Creation date
2024-12-02
Last date published
2025-02-02
Category
User Guide
Solution
Cloud
Abstract

Cortex Xpanse scans your public-facing websites, identifying insecure websites, web components, and technologies running on your web assets.

Cortex Xpanse websites data extends Attack Surface Management (ASM) protection by identifying insecure websites, web components, and technologies running on your managed and unmanaged web assets. Cortex Xpanse scans your public-facing websites, creating a continuously updated inventory of your web assets, including the server software and other technologies powering your web applications.

Websites data in Cortex Xpanse enables you to accomplish the following:

  • Develop a single source of truth for all of your organization's web inventory

  • Track and monitor your risk due to third-party libraries

  • Continuously discover and monitor external web application inventory and third-party technologies

  • Identify insecure and misconfigured websites, vulnerable technologies, and dependencies

  • Improve security ratings by identifying sites failing security best practices

The difference between websites and services

In Cortex Xpanse, services are public-facing network services; for example, an RDP server or an HTTP server. Websites represent the content and the software stack that was used to generate the website.

An HTTP service represents a single HTTP server (on-prem) or a cohesive group of HTTP servers (cloud). A website can be served by a single HTTP server or by multiple HTTP servers. Some of these HTTP servers could be hosted in a cloud provider, others on-prem. Generally, the relationship between HTTP services and websites can be described as follows:

  • A website is supported by one or more HTTP services.

  • A cloud HTTP service serves a single website.

  • An on-prem HTTP service serves multiple websites, potentially hundreds.

The difference between websites and domains

A domain is simply the registration of a domain (for example, your organization might own www.example.com). You can have a domain without a website behind it. You can also have a domain that does not resolve to an IP address (which means it does not have a website behind it). Cortex Xpanse includes websites with a domain name or an IP address.

How to view websites in your inventory

  1. Navigate to InventoryWebsites.

  2. Click on a row in the table to view details about the website.

Websites field descriptions
Abstract

The Websites page lists your websites in a table format that can be sorted, filtered, and downloaded.

The Websites page lists your websites in a table format that can be sorted, filtered, and downloaded. Some of the key fields are described in the table below.

Field

Description

Authentication

Detected authentication method. Results could be none, form based authentication (e.g. user ID and password), or a single-sign on method.

Business Units

Business unit this website is associated with.

Externally Detected Providers

Hosting provider.

Failed Security Assessments

Which of the security best practices the website failed.

First Observed

When the website was first observed.

Host

Domain or IP of the website host.

  • A closed lock indicates HTTPS.

  • An open lock indicates HTTP.

HTTP Type

HTTPS, HTTP redirecting to HTTPS, or HTTP.

IP Addresses

IP addresses associated with this website.

Is Active

Yes — Indicates the website is active, which means it has been observed recently.

No — Indicates the website is inactive, which means Cortex Xpanse no longer sees it on the internet or it is no longer attributed to your organization.

Last Observed

When the website was most recently observed in a Cortex Xpanse scan.

Port

Port for the website.

Site Category

The inferred business purpose of the website based on the technologies used on that website. Full list of site categories is Ecommerce, Advertising, Affiliate Programs, Appointment scheduling, Blogs, CMS, CRM, Development, Documentation, Issue Tracker, LMS, Reservations & Delivery, Recruitment & Staffing.

If a technology doesn't fit into one of the listed categories, this field will be blank.

Technologies

Any technologies detected on the website.

Third Party Script Domains

Third-party domains that serve the scripts (not the scripts themselves).

Website ID

Unique ID associated with the website.

Website details
Abstract

Click a row in the Websites table to view details about that website.

Click a row in the Websites table to open the details page for that website. The following sections describe the information on the website details page.

Site Details, Site Categories, Site Deployment Details

Summarizes key information about the security of the website.

Most Recent Screenshot

A screenshot and link to the website to make it easier to investigate issues. If you don't see a screen shot, the website may have been down when we scanned the page or that access was blocked for our scanner (in which case you probably won't see any technologies listed under Technologies Used either). If the screenshot is incomplete (a blank or invalid layout), the page may have loaded too slowly—we take the screenshot six seconds after we request the page.

Security Best Practices Analysis

Provides an at-a-glance look at whether the website is following broadly accepted security best practices.

We perform only the relevant security best practice assessments on each website. For example, if a website redirects somewhere else, many of the security assessments are performed on the website the user is redirected to; only the Has HTTPS Enabled and Protocol Downgrade assessments are performed on the original website. And some security assessments don’t make sense on non-HTTPS websites (e.g. mixed content and HSTS header), so those assessments are not performed.

Some security best practice assessments are performed only on webpages without "transient errors". We consider a page to have a transient error if the HTTP status code is 405, 407, 408, 409 or greater than 411. In this case, we assume this is not a normal condition of the website and visiting the page later or in different conditions would yield a different result.

If we have no matching observation for an assessment, the assessment will not be displayed. For example, if https://acme.com has a single page with a 404 status code, the Mixed Content assessment would be performed (404 is not a transient error) but the X-Frame-Options assessment would not be.

The table below lists each of the security best practices, which websites and webpages the analysis is performed on, and the criteria we use to determine whether the website Passes or Fails the assessment.

Website Security Best Practice

Performed on these websites

Performed on these pages

Pass/Fail Criteria

Has HTTPS Enabled

All websites

All

Passes if the website is accessed over TLS or redirects to an HTTPS website.

Secure Forms

HTTPS websites that do not always redirect

Pages without transient errors

Fails if we find an HTML form with an action to an insecure website. This applies only to static forms and will not detect dynamically rendered forms.

No Mixed Content

HTTPS websites that do not always redirect

Pages without transient errors

Fails if we find a page that is using a resource (image, stylesheet, script but not just a <a> link) loaded over HTTP.

Protocol Downgrade

All websites

All

Fails if we find a transition from HTTPS to HTTP in the redirect chain.

Sets Valid X-Frame-Options Header

Websites that do not always redirect

Pages with 2xx status code

Fails if:

  • X-Frame-Options header is not empty and is neither DENY or SAMEORIGIN

  • Content-Security-Policy header is not set or  syntactically invalid

Sets Valid X-Content-Type-Options Header

Websites that do not always redirect

Pages with 2xx status code

Fails if X-Content-Type-Options is not set or not “nosniff”

Sets valid Content-Type Header

Websites that do not always redirect

Pages with 2xx status code

Fails if Content-Type is not set or set to an invalid value.

Sets HTTP Strict Transport-Security-Header

HTTPS websites that do not always redirect

Pages without transient errors

Fails if there is no “Strict-Transport-Security” header.

Sets valid Referrer-Policy Header

Websites that do not always redirect

Pages without transient errors

Fails if Referrer-Policy header not set or set to an invalid value.

Technologies Used

List of the technologies used on your website.

HTML Form Analysis

List of login forms. Login forms are only detected in a static environment, so if the form is created by JavaScript, it will not be detected. Only login forms are displayed in analysis.

Domain Details

Information about the website domain, including a link to the domain in the Inventory.

Third Party Resources

List of the scripts and CSS loaded from domains that are not owned by your organization.

Other Websites Hosted with This Website

List of other websites owned by your organization and hosted on the same IP addresses.

Services Hosting This Website

List of services hosting the website in the last 30 days.

GeoMap

Map indicating the IP region of the website.

Externally Inferred CVEs

Externally inferred CVEs associated with the technologies used on your website.

Websites dashboard
Abstract

The Websites dashboard provides an overview of the security of your web attack surface.

The Websites dashboard provides an overview of the security of your entire web attack surface. It enables you to continuously monitor your web resources at a high level and drill down into the details as needed. Some of the key data displayed on the Websites dashboard includes the following:

  • Website security misconfigurations and best practice failures

  • Websites using HTTP and HTTPS

  • Authentication providers, server software, technologies detected

  • A breakdown of your websites by category

  • Third-party technologies used on your websites

  • Privacy-impacting packages your websites are using

    Privacy-impacting packages are technologies that track users. The "privacy-impacting" designation is based on the purpose of the technology and is not an evaluation of whether the technology itself has privacy problems. Any technology in the following categories is considered “privacy impacting”:

    • Analytics

    • Geolocation

    • Browser fingerprinting

    • Loyalty and rewards

    • Marketing automation

    • Referral marketing

    • Retargeting

Navigate to DashboardsWebsites to view the dashboard.

Like the other Cortex Xpansedashboards, you can download the the Websites dashboard as a report.

Attack Surface Rules for Websites
Abstract

Cortex Xpanse has attack surface rules that detect potential security risks on your websites.

Cortex Xpanse offers two categories of attack surface rules to create alerts on websites:

  • Web Security Assessments—Includes three attack surface rules (described in the Table 1, “Attack Surface Rules for Websites table below) that detect website security best practice failures. These are the best practices that are assessed in the Security Best Practices Analysis section of website details pages in the Asset Inventory.

  • Web Technology CVE Inferences—Includes four attack surface rules (described in the Table 1, “Attack Surface Rules for Websites table below) that flag web technologies that have inferred CVEs that are both high-confidence matches and high-severity CVEs.

    Tip

    An important benefit of these attack surface rules is that when they are enabled, Xpanse creates an alert on any new CVE that matches on these criteria. This means you will be notified immediately about zero-day vulnerabilities that are an exact version match.

Table 1. Attack Surface Rules for Websites

Attack Surface Rule Category

Attack Surface Rule

Description

Web Security Assessments

Insecure Communication Protocol

Triggers an alert when HTTPS is configured and Protocol Downgrade or HTTP Strict-Transport-Security assessments fail.

Insecure Content Security

Detects if elements on a webpage are not configured correctly. Examples of content security issues include:

  • Mixed content (an HTTPS page that loads content via HTTP)

  • Insecure forms (a form hosted on a secure page that sends information over HTTP)

  • Misconfigured Referrer-Policy header

Misconfigured Cross-Site Protections

Cross-site scripting (XSS) is one of the most common attacks against websites, enabling attackers to manipulate data on a webpage or exfiltrate data from users. In response, websites can be equipped with various HTTP headers to mitigate certain attacks. This policy detects the absence or misconfiguration of these security settings, including:

  • Misconfigured X-Frame-Options Header

  • Misconfigured X-Content-Type-Options Header

Web Technology CVE Inferences

Insecure Security and Infrastructure Technologies

Flags security and infrastructure technologies with a CPE that correlates to a high severity CVE, for example: a Gitlab instance or Bitbucket server with a CVE.

Insecure Web Applications

Flags web applications with a CPE that correlates to a high severity CVE, typically server-side software such as a CVE in Wordpress.

Insecure Web Frameworks and Libraries

Flags web frameworks and libraries with a CPE that correlates to a high severity CVE. Examples of a web framework include ThinkPHP or Ruby on Rails. Examples of a library include React or jQuery or others.

Insecure Web Server Technologies

Flags web server technologies with a CPE that correlates to a high severity CVE, for example: JBoss Application Server, IIS, Apache, or nginx.


Enable Alerts for Websites
Abstract

Enable Cortex Xpanse to create alerts when potential risks are observed on your websites.

The attack surface rules for websites are disabled by default. Enable these attack surface rules to enable Xpanse to start creating alerts for websites.

  1. Navigate to Policies and RulesAttack Surface Rules.

  2. Use the filter to find the attack surface rules for websites.

    1. Click the filter icon in the upper right corner to open the filter bar.

    2. In the Select Field dropdown menu, select Attack Surface Rule.

    3. In the Value field dropdown menu, select the two attack surface rule categories for websites: Web Security Assessments and Web Technology CVE Inferences.

    4. Click outside of the filter area into the results table to see the full list of attack surface rules for websites.

  3. For each attack surface rule you want to enable, right click in the appropriate row and select Enable.

  4. Optionally, you can change the default severity that will be assigned to alerts that match the attack surface rule by right-clicking on the rule and choosing from the Change Severity options.