Web security online service, desenmascarame, unmaskme

About desenmascara.me

"web service to raise web security awareness among web owners, webmasters, web designers or even people without security knowledge"

"The higher your website score is the better (scoring from 20 would be considered acceptable)."

"Web owners, like homeowners and businesses, should be the first line of protection for their own property".
The Underwhelming Threat of Cyberterrorism

"Web applications remain the proverbial punching bag of the Internet".
Verizon DBIR 2014

"I've seen estimates that over 99 percent of all Internet attacks could be prevented if the systems administrators would just use the most current versions of their system software."
Bruce Schneier on «Secrets & Lies»

"Webmasters need to ensure that their websites are running good code that isn't open to exploitation."
Ian Fette «Product Manager with Google's Security Team»

Desenmascara.me is a tool yet in it's early PoC stage but fully functional. The goal of this tool is to raise security awareness among web owners in order to help decrease the constant rise of compromised websites._[1]

Compromised websites are often used by attackers to deliver badware or to host phising pages designed to steal private information from their victims. Unfortunately, most of the targeted websites are managed by users with little or no security background. Desenmascara.me will help the webmasters to highlight the importance of keep update, protect or do some hardening in their websites in order to avoid they become victims of badware.

Usually a no security aware webmaster will left a newly deployed website by default and normally will pass months or even years without any update on the website. As result cibercriminals will take advantage of this behaviour and the website will be part of the compromised website statistics. Web hosting providers -who play a key role in this scene- are not doing any effort to help with this problem._[2]

Desenmascara.me is a public resource which will extract metadata from any website (either domain name or IP address, no resource) and will explain it in a brief summary. The extraction will be totally passive just like browsing the website, otherwise the tool couldn't be online for public use. It's based mainly on HTTP headers and metadata. Some features of the tool are:

Easy to use, only enter a website address to see what's behind the scenes
Available in English, Spanish and working in progress for the German version (based on the browser language)
Testing for web application fingerprinting
Brief summary about the website configuration
Different report colours to highlight web security awareness
Some special websites will show a message showing whether if they are official or fake (keep counterfait products from circulation)
Detection of copycat websites targeting to the main Luxury brands .i.e: Fake Fendi website detected (more than 100 luxury brands)
Detection of websites taken down due to Counterfeit infringements (i.e: Fake Cartier website taken down)
Detection of domains potentially being used for phishing (in Spanish)
Detection of sites being mirrored from anothers (usually found in Phishing, fake and scareware websites)
Detection of CMSs and versions (whatweb core)
Detection of domain registrar for .com & .net TLD (some are more security savvy than others)
Detection and warnings about the danger of hosting third party providers.
Warnings about old software being exploited in the wild like joomla-1.5, RoR CVE-2013-0156...
Warnings about domains (.com & .net) expiring in the coming days
Detection of properties file leak in Ruby on Rails. Ref: Fugas de informacion en aplicaciones ruby on rails
Warnings about OpenSSL version afected by heartbleed.
Warnings about Drupal Core - Highly Critical PSA-2014-003.
Warnings about TYPO3 - Highly Critical Authentication bypass.
Warnings about critical Magento RCE CVE-2015-1397, CVE-2015-1398, CVE-2015-1399.
Warnings about critical Stored XSS Wordpress 4.2 Stored XSS (official patch available in Wordpress 4.2.1).
Warnings about suspicious php redirects as might be related to cryptolocker or similar.
Warnings about suspicious redirects towards suspended pages as might be related to either phishing or c2 servers taken down.
Detection of hardening signs such as WAF, CDN, reverse proxy...
Warnings about software branchs considered dangerous due to unfixed vulnerabilities like Squid/2.6.
In case of CloudFlare protected websites, it will show the real server IP.
Detection of blacklisted websites by GoogleSafeBrowsing
Detection of suspicious iframes or hidden spam
Detection of misconfiguration on robots.txt files (i.e: exposing confidential information)
Detection of defacements, directory listings, private IP address in comments...
In the case of very known websites (Forbes, EA, .gov ...) will inform about known security incidents which they were victim of.
Stats about general web security awareness and some details of compromised websites (i.e: Forbes compromised)

The goal of this tool is: to raise web security awareness among web owners. Please don't confuss it with considering a website secure or insecure, the tool as is can't reach this conclussion. In order to can verify if a website is secure or insecure, it would be needed a web security audit performed by security professionals.

You can check out the next presentation for some background of the problem, some real examples, and that I would like to achieve with this tool.

Desenmascara.me background presentation from Emilio Casbas

[1]: http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf

[2]: http://www.eurecom.fr/fr/publication/3954/download/rs-publi-3954_1.pdf