What is it?
Detectify’s Surface Monitoring service (SM) allows you to monitor your domains and be notified as soon as they are at risk for vulnerabilities related to domain configuration. We will uninterruptedly monitor the configuration of your domains, e.g. track misconfigured CNAME pointers to cloud providers.
How does it differ from the Application Scanning?
Surface Monitoring runs continual checks on the domain level, instead of the web application. It will help you discover assets you may not be aware of and provide you with an overview of them. SM does not have the crawler functionality - it’s main goal is to look for configurational changes within your subdomains, any new links or patches. Once the asset landscape scan is done, you may want to add particular assets as separate scan profiles for the complete scan.
During the Application Scanning you will scan a specific asset (subdomain, domain or an IP address) that you already know that it exists. Once you start a scan, we will go through these six steps and generate a results report in your Findings view.
How does Surface Monitoring work?
Step 1: We will use a combination of:
analysing public DNS records
as means of gathering potentially vulnerable subdomains.
You can complement this by uploading a Zone file including all subdomains on a selected apex domain or using a Zone Transfer. This can be done in your Domain Settings:
Remember that the origin name needs to be complete (FQDN).
Example apex domain: detectify-demo.com
Result: login.detectify-demo.com, shop.detectify-demo.com + 200 other subdomains
Step 2: Analysis of your subdomains
We check for misconfigurations in the assets, looking at CNAME Records, non-resolving pages, and subdomain takeovers.
We have patterns and tests to detect misconfigurations at more than 150 cloud providers that do not verify subdomain ownership, including Heroku and Amazon.
Step 3: Fingerprint the assets found to determine the technologies
Understanding what technology is running on the tech stack allows us to send more specific requests to the assets.
Why is this needed?
We can find vulnerabilities that are specific to an asset path by sending a language specific request to the asset. This also reduces the number of requests required.
Step 4: HTTP Requests sent to discovered assets
We check the asset links by sending simple HTTP requests to discover such vulnerabilities as potential subdomain takeovers and source code exposure. The results that we generate are based on what response we get when sending the requests.
Step 5: Continuous monitoring
All of the subdomains that are found are continually being monitored to see if the issues have been fixed, or if new assets have been exposed.
As soon as we spot a change that makes your subdomains vulnerable, you will receive an alert via email, integrations, or the Detectify dashboard.
The SM reports show you which domains and at what point in time they were vulnerable. The vulnerabilities are categorized by different severity levels based on CVSS.
A more detailed information on how we score the SM findings is available here.
Who is it for?
• Companies with a larger scope of subdomains and distributed governance.
• Companies that use a cloud or mixed hosting environment with both internal applications (e.g running on AWS), PaaS applications like Heroku or WP engine, and SaaS providers like Shopify.
How to get up and running
Your point of contact will help you enable your M account in the Detectify interface. If you don't have a point of contact, reach out to firstname.lastname@example.org.