
New ASM Features and Improvements | August 2024

Tim Cowell
3 September 2024
4 min read

Introduction

There is a lot to share this month. Read on for the features we have rolled out over the last month:

  • Handling for Apache backporting and associated risks
  • Using the public API to generate and download reports
  • Showing client-side redirects in the Web Presence page
  • Highlighting certificates with a validity period of over 90 days

Apache backport handling

We pride ourselves on the accuracy of FractalScan's attack surface results: even though we operate passively, the infrastructure and risks we report reflect what is actually deployed. Some scenarios will always make risk determination harder, and Apache backporting is one of them, but we now help you manage it.

List of components and marked apache components

Backporting is the practice, common among Linux distributions such as Debian, Ubuntu and Red Hat, of applying the latest security fixes to the version of the Apache web server they package, without changing the upstream version number. Attack surface monitoring tools can read the installed version from the HTTP Server response header, but they cannot tell from that header whether backported security patches have been applied. A purely version-based check can therefore report a vulnerability that the vendor has already fixed.

Our new feature helps you by highlighting this scenario in your scans, and allows you to choose how to handle it.
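To make the problem concrete, here is an added example of the kind of header check described above. It is illustrative code written for this article, not FractalScan's own implementation: the Server header strings are constructed, the list of distribution markers is an assumption, and the `fixed_in` version passed to `assess_fix` is a hypothetical upstream fix version rather than a reference to any particular CVE.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample Server headers for illustration (not captured from any real host).
SAMPLE_HEADERS = [
    "Apache/2.4.52 (Ubuntu)",
    "Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k",
    "Apache/2.4.62 (Unix)",
    "Apache",
    "nginx/1.24.0",
]

# OS tokens that identify a distribution-packaged build (assumed list). These
# vendors backport security fixes into the packaged release without changing
# the upstream version number, so the version alone does not prove a fix is absent.
DISTRO_MARKERS = ("ubuntu", "debian", "red hat", "centos", "rocky", "almalinux",
                  "fedora", "suse", "amazon")

# Apache/<x.y.z> (<os token>) ...  The version and OS token are absent or
# truncated at lower ServerTokens levels, so both groups are optional.
APACHE_RE = re.compile(r"^Apache(?:/(?P<version>\d+\.\d+\.\d+))?(?:\s*\((?P<os>[^)]*)\))?")


@dataclass
class ApacheFingerprint:
    version: Optional[str]    # full x.y.z version, or None if not disclosed
    os_token: Optional[str]   # parenthesised OS token, e.g. "Ubuntu"
    distro_packaged: bool     # True when the OS token names a distribution


def fingerprint_apache(server_header: str) -> Optional[ApacheFingerprint]:
    """Parse an HTTP Server header; return None if it is not Apache httpd."""
    m = APACHE_RE.match(server_header.strip())
    if not m:
        return None
    os_token = m.group("os")
    packaged = bool(os_token) and any(k in os_token.lower() for k in DISTRO_MARKERS)
    return ApacheFingerprint(m.group("version"), os_token, packaged)


def _parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def assess_fix(server_header: str, fixed_in: str) -> str:
    """Classify a host against a fix first released upstream in `fixed_in`
    (a hypothetical version for illustration). Returns one of
    'fixed', 'vulnerable', 'possibly-backported' or 'unknown'."""
    fp = fingerprint_apache(server_header)
    if fp is None or fp.version is None:
        return "unknown"
    if _parse_version(fp.version) >= _parse_version(fixed_in):
        return "fixed"
    # Below the upstream fix version. For an upstream build that is a clear
    # verdict; for a distribution build the vendor may have backported the fix,
    # so the header cannot confirm exposure. Check the package changelog or the
    # vendor security advisory for the specific CVE instead.
    return "possibly-backported" if fp.distro_packaged else "vulnerable"


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h!r:60} -> {assess_fix(h, '2.4.60')}")
```

The useful outcome is the third state: a distribution build below the upstream fix version is reported as "possibly backported" rather than "vulnerable", which is exactly the case where you want to confirm against the vendor's package changelog before raising or dismissing the risk.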

Read our dedicated blog post for more details and discussion, or see the user guide.

Generate reports via the public API

This feature is only available if your tier provides access to the public API

Users commonly tell us about the benefits of our reporting capability, especially for sharing scan results in a concise format. Until now, reports were only available through the app in a browser.

We now provide report capability via our public API. This enables routine generation of reports for your own auditing purposes, or integration with other applications.

Using the public API you can perform the following report functions:

  • Create a report
  • Get the details of a report, including a download link
  • Delete a report
  • Get all reports and counts for a scan
  • Get all reports and counts for an organisation

The available API report endpoints

If you have dual branding capability, summary reports created via the API can optionally use your own branding.

All reports generated via the API are also available in the in-browser app, and vice versa.

The full details can be found on our API docs page.

Show client-side redirects

The web presence page is certainly one of our most popular features, offering a literal view of your attack surface through web screenshots. It already includes any server-side redirects (also known as HTTP redirects), where the server answers with a 3xx status and a Location header and the browser is sent from one URL to another before any page content or client-side code is loaded. Server-side redirects are typically used to send visitors from insecure HTTP pages to encrypted HTTPS pages.

Client-side redirects also send the browser from one page to another, but are performed by code in the page itself, typically a JavaScript assignment to window.location or a meta refresh tag, after the page has loaded. FractalScan raises a risk if a client-side redirect is observed on an insecure HTTP web page: the page and the redirect code are delivered in plaintext, so an attacker on the network path can alter or suppress the redirect, and the page content has already been served before the user reaches HTTPS. For this reason we generally recommend server-side redirects, ideally combined with HSTS.

In the web presence page, we now show client-side redirects for pages at either end of one. For a web page containing a client-side redirect, you will now see an image of that page alongside a smaller image of the page it redirects to. This helps explain why the image you see in FractalScan may not match the page you see when browsing to the same website.

For the page redirected from, an image of the destination page is shown.

Client side redirect source

For the page redirected to, the redirects list includes the source page.

Client side redirect destination
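As an added illustration of the detection described in this section (example code written for this article, not FractalScan's scanner), the following scanner finds the two common forms of client-side redirect in fetched HTML, a meta refresh tag and a JavaScript assignment to location, resolves the destination against the source URL, and flags the finding when the source page was served over plain HTTP. The sample page is constructed, and the set of JavaScript idioms matched is an assumption; destinations computed at runtime are deliberately out of scope for a static check.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

# <meta http-equiv="refresh" content="5; url=https://...">
META_REFRESH_RE = re.compile(
    r"^\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"]+?)['\"]?\s*$", re.IGNORECASE)

# Common JavaScript redirect idioms with a literal destination string
# (assumed set). Destinations built at runtime are not resolved statically.
JS_REDIRECT_RE = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=(?!=)\s*['"]([^'"]+)['"]"""
    r"""|location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]\s*\)""",
    re.IGNORECASE)


class _RedirectScanner(HTMLParser):
    """Collect (method, raw destination) pairs from meta refresh tags and inline scripts."""

    def __init__(self) -> None:
        super().__init__()
        self.found: List[Tuple[str, str]] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_RE.match(a.get("content") or "")
            if m:
                self.found.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser delivers <script> bodies as raw data, so regex them here.
        if self._in_script:
            for m in JS_REDIRECT_RE.finditer(data):
                self.found.append(("javascript", m.group(1) or m.group(2)))


def find_client_redirects(source_url: str, html: str) -> List[Dict[str, object]]:
    """Return each client-side redirect found in `html`, with the destination
    resolved against `source_url` and a flag set when the source is plain HTTP."""
    scanner = _RedirectScanner()
    scanner.feed(html)
    scanner.close()
    insecure_source = urlsplit(source_url).scheme.lower() == "http"
    return [
        {"method": method,
         "destination": urljoin(source_url, raw.strip()),
         "insecure_source": insecure_source}
        for method, raw in scanner.found
    ]


# Constructed sample page: an HTTP page that bounces to HTTPS in two ways.
# Both redirects travel in plaintext and can be altered or removed in transit.
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta http-equiv="refresh" content="0; url=https://www.example.com/landing">
<script>
  if (location.protocol !== "https:") {
    window.location.href = "https://www.example.com/landing";
  }
</script>
</head><body>Redirecting...</body></html>"""

if __name__ == "__main__":
    for r in find_client_redirects("http://www.example.com/", SAMPLE_HTML):
        print(r)
```

Run against the constructed page fetched over http://, both redirects are reported with `insecure_source` set; the same page served over https:// produces the same two redirects without the flag, which mirrors the distinction the risk in FractalScan draws.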

90 day certificate validity

Finally, we have added a new risk to FractalScan to help you prepare for pending changes to how web browsers will handle certificates with a lifespan of more than 90 days.

Currently, browsers enforce a maximum validity period of 398 days for publicly trusted TLS certificates (applying to certificates issued since 1 September 2020). A certificate that exceeds this limit is rejected, so anyone browsing to a website using it is presented with a security warning.

Google has proposed, through its Chrome Root Program, reducing this limit to 90 days. The aim of the proposal is to improve online security by encouraging more frequent certificate renewals and reducing reliance on certificate revocation. The change has not yet been implemented, but at the time of writing we expect it towards the end of 2024.

To help you prepare, FractalScan now raises a medium severity risk for any certificate with a validity period of more than 90 days.

The explore page for a certificate risk

This makes it easy to identify these certificates and take action to reduce their validity period. The best approach is an automated certificate lifecycle management tool, such as an ACME client, which creates and deploys new certificates on a regular schedule without manual intervention.
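For a quick local check against the two thresholds discussed above, here is an added example (written for this article, not FractalScan's code) that computes a certificate's validity period from the dictionary format Python's ssl module returns from getpeercert(), and classifies it as already rejected by browsers, exceeding the proposed 90-day limit, or fine. The sample certificates are constructed; `fetch_peer_cert` performs a real TLS handshake and is only for live use. Note the 398-day rule applies to publicly trusted certificates, so a longer-lived certificate from a private CA is not rejected by browsers that trust that CA.

```python
import socket
import ssl
from typing import Dict

# Browser-enforced maximum for publicly trusted certificates issued on or
# after 1 September 2020, and the proposed reduced maximum.
MAX_ACCEPTED_DAYS = 398
PROPOSED_MAX_DAYS = 90


def validity_days(cert: Dict[str, str]) -> float:
    """Validity period in days from a dict in ssl getpeercert() format,
    whose notBefore/notAfter use the "%b %d %H:%M:%S %Y GMT" layout."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400.0


def assess_validity(cert: Dict[str, str]) -> str:
    """'rejected' if browsers already refuse the lifetime, 'medium' if it
    exceeds the proposed 90-day limit, otherwise 'ok'."""
    days = validity_days(cert)
    if days > MAX_ACCEPTED_DAYS:
        return "rejected"
    if days > PROPOSED_MAX_DAYS:
        return "medium"
    return "ok"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Live check: perform a verified TLS handshake and return the leaf
    certificate as the dict produced by getpeercert(). Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() format (not real certificates).
SAMPLE_CERTS = {
    "90-day":   {"notBefore": "Jun  1 00:00:00 2024 GMT", "notAfter": "Aug 30 00:00:00 2024 GMT"},
    "one-year": {"notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Dec 31 23:59:59 2024 GMT"},
    "two-year": {"notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Mar  1 00:00:00 2026 GMT"},
}

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(f"{name:10} {validity_days(cert):7.1f} days -> {assess_validity(cert)}")
```

To check a live host, call `assess_validity(fetch_peer_cert("www.example.com"))`; the handshake uses the default verifying context, so a host whose certificate fails validation raises an ssl error rather than returning a partial dictionary.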

Coming soon

  • A new public API endpoint for risk data, allowing you to extract all risk data for your own processing.

About Tim Cowell

Tim is an experienced software engineer who has worked across the Defence, Government and Commercial sectors for the past 21 years. After leading a diverse range of projects, Tim has a strong background in cyber security, software engineering, and research and development practices.