What an OpenEASD Report Looks Like

Below is a redacted sample of a real External Attack Surface Discovery report we deliver within 48 business hours of submission. Fictional company. Real format. 12 attack vectors, 18 tools, founder-reviewed before delivery.

All findings below are fictional. Any resemblance to real systems is coincidental. Use this to see structure + depth, not as a benchmark for findings.

External Attack Surface Discovery Report

Acme SaaS Pvt. Ltd.

Sample report demonstrating OpenEASD scan delivery format.

Target Domain: scan.acmesaas.io
Scan Period: 2026-05-22 to 2026-05-24
Report Version: v1.0
Prepared By: Cybersecify

Document Details

Client: Acme SaaS Pvt. Ltd.
Apex Domain Scanned: scan.acmesaas.io
Scan Window: 2026-05-22 09:14 IST to 2026-05-24 16:02 IST
Methodology: OpenEASD v2.4 (Open External Attack Surface Discovery) plus founder review
Attack Vectors Covered: 12 vectors, 18 underlying tools
Total Findings: 34 (2 Critical, 5 High, 11 Medium, 9 Low, 7 Informational)
Delivery: PDF report by email within 48 business hours of submission
Reviewed By: Founder, Cybersecify
Confidentiality: This sample uses entirely fictional data and is published for illustrative purposes.

Table of Contents

  1. Executive Summary
  2. Scope and Methodology
  3. Findings Summary
  4. Detailed Findings by Vector
    1. Subdomain Discovery
    2. Subdomain Takeover Detection
    3. DNS Security
    4. Email Security (SPF, DKIM, DMARC, MTA-STS)
    5. Open Ports and Exposed Services
    6. TLS and SSL Configuration
    7. SSH Configuration Audit
    8. Known Vulnerability Detection
    9. Web Probing and URL Discovery
    10. Web Crawling
    11. Web Vulnerability Scanning
    12. HTTP Security Headers, Cookies, and CORS
  5. Founder Review Note
  6. Recommendations and Prioritisation
  7. Tools and References
  8. Limitations and Disclaimer

1. Executive Summary

Cybersecify ran an External Attack Surface Discovery scan against scan.acmesaas.io across 12 attack vectors using OpenEASD v2.4 (18 underlying tools). The scan completed in 2 days with 34 findings identified. A founder reviewed every finding, removed 4 false positives from the raw scanner output, and added prioritisation context before delivering this report.

Overall posture: Acme SaaS's external attack surface is in average shape for a Series A SaaS startup. The two Critical findings (subdomain takeover risk on a deprovisioned staging environment, and an internet-exposed Redis instance on a development subdomain) need immediate action. The five High findings are concentrated in DNS and email security and should be addressed within 30 days.

Top 3 themes from the scan:

  1. Shadow infrastructure. 14 of 47 discovered subdomains appear to be unmaintained staging or developer environments. Two have services exposed that should not be reachable from the public internet.
  2. Email spoofing risk. The SPF policy ends in ~all (softfail) instead of -all (fail), the DMARC policy is "none" instead of "quarantine" or "reject", and DKIM signing is not enforced for every sender. An attacker can reliably spoof email from your domain today.
  3. Certificate hygiene. Two subdomains are using TLS 1.0, and one production certificate expires in 11 days. Browsers will throw warnings; some payment processors will reject API calls.

Recommended priority for next 30 days: Fix Critical (Section 4.2 Subdomain Takeover and Section 4.5 Exposed Redis). Harden email policy (Section 4.4). Rotate expiring certificate (Section 4.6). The Medium and Low findings can be addressed across the next quarter without urgency.

2. Scope and Methodology

2.1 Scope

The scan covered the apex domain scan.acmesaas.io and every subdomain discovered through passive enumeration, active enumeration, and DNS resolution. External-only, non-intrusive reconnaissance. No authentication attempted. No exploitation. No traffic to internal-only resources.

2.2 Methodology

OpenEASD scans across 12 attack vectors using 18 underlying tools. The scan flow:

  1. Domain intelligence. RDAP query for domain registration and lock status. DNSSEC, CAA, and zone transfer checks.
  2. Subdomain discovery. Passive enumeration (Subfinder against certificate transparency logs, search engine indexes, and public DNS databases) plus active enumeration (Amass DNS brute-forcing) plus permutation generation (Alterx variants of discovered names).
  3. DNS resolution and filtering. DNSx resolves discovered hostnames to live IPs. Filters out wildcard responses and CDN noise.
  4. Subdomain takeover. Subzy checks CNAME targets for deprovisioned cloud resources (S3 buckets, Heroku apps, Azure deployments, etc.) that an attacker could claim.
  5. Port scanning. Naabu against resolved IPs across common service ports. Top 1000 TCP ports.
  6. Service classification. Nmap version detection on identified open ports. Distinguishes web from non-web services.
  7. Network CVE detection. Nmap NSE vulners scripts for non-web ports.
  8. TLS and certificate analysis. Certificate expiry, weak or export ciphers, deprecated protocol versions (TLS 1.0 and 1.1), HSTS preload status.
  9. SSH configuration audit. Algorithm negotiation, weak key exchange or MAC, protocol version.
  10. Network protocol vulnerabilities. Nuclei network templates for non-HTTP protocol vulnerabilities.
  11. Web layer discovery. httpx live probing on discovered hosts to identify web services. Status codes, technologies, redirects.
  12. Historical URL recovery. Gau and waybackurls for archived URL paths. Often surfaces forgotten endpoints not in current site map.
  13. Web crawling. Katana traversal of discovered web hosts to enumerate the live URL surface.
  14. Web vulnerability scanning. Nuclei community templates against discovered web URLs.
  15. HTTP security inspection. CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, cookie flags (Secure, HttpOnly, SameSite), CORS configuration, server version disclosure.

2.3 Severity Rating

Severity        Recommended Action Window   Definition
Critical        This week                   Active exploitation path or imminent exposure of sensitive data, customer payment flows, or admin interfaces.
High            30 days                     Direct path to abuse or significant operational risk if exploited.
Medium          90 days                     Material risk under specific conditions or part of a chained exploit path.
Low             Next quarter                Hygiene issue with limited direct exploit value.
Informational   Reference                   Observed configuration worth noting but not actionable on its own.

3. Findings Summary

3.1 Findings by Severity

Severity        Count   Share of Total
Critical          2       6%
High              5      15%
Medium           11      32%
Low               9      26%
Informational     7      21%
Total            34     100%

3.2 Findings by Attack Vector

Vector                                 Findings   Highest Severity
Subdomain Discovery                        4      Medium
Subdomain Takeover Detection               1      Critical
DNS Security                               3      Medium
Email Security                             4      High
Open Ports and Exposed Services            3      Critical
TLS and SSL Configuration                  5      High
SSH Configuration Audit                    2      Medium
Known Vulnerability Detection              2      High
Web Probing and URL Discovery              3      Low
Web Crawling                               1      Informational
Web Vulnerability Scanning                 2      Medium
HTTP Security Headers, Cookies, CORS       4      Medium

4. Detailed Findings by Vector

4.1 Subdomain Discovery

Vector intent: Identify every hostname an attacker could find. Forgotten staging environments, dev tooling, and shadow IT are typically where breaches start.

Method used: Subfinder (passive) plus Amass (active brute-force) plus Alterx (permutation). DNSx for resolution.

Result: 47 unique subdomains identified. 33 actively resolving. 14 listed in DNS but not resolving (CNAME stale or NXDOMAIN).

  • F-001 (Medium): 6 subdomains contain "staging", "dev", or "test" tokens and respond on common web ports. None require authentication on the landing page. Recommendation: add VPN or IP allowlist requirement before HTTP layer, or shut down environments not actively used.
  • F-002 (Medium): old-admin.scan.acmesaas.io serves a legacy login form on TLS 1.0. Likely a deprecated panel. Verify ownership and decommission or harden.
  • F-003 (Low): 4 subdomains point to GitHub Pages with default domain (`*.github.io`). Acceptable for marketing landing pages, but verify the corresponding repos are still under your organisation control.
  • F-004 (Informational): 8 subdomains use Cloudflare. Recommended; consider Cloudflare WAF rules for the staging subdomains in F-001.

4.2 Subdomain Takeover Detection

Vector intent: Identify CNAME records pointing at deprovisioned cloud resources. An attacker who claims the dangling resource hosts content under your subdomain and phishes your users with a legitimate-looking URL.

Method used: Subzy against discovered CNAME chains.

  • F-005 (Critical): old-marketing.scan.acmesaas.io CNAME points to acmesaas-old-bucket.s3.amazonaws.com which returns NoSuchBucket. An attacker can register a new S3 bucket with this exact name and host arbitrary content (including phishing pages with valid TLS) at the scan.acmesaas.io subdomain. Recommendation: remove the CNAME from your DNS provider this week. If the subdomain was ever used in marketing links, audit referrers for in-flight phishing.
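The two rules behind F-001 and F-005 (non-production names answering on web ports, and CNAME targets that the provider reports as gone) can be applied to a subdomain inventory in a few dozen lines. The following is an added example, not OpenEASD or Subzy code; the inventory, the resolution results and the provider error strings are constructed to mirror this section's findings, and the `DANGLING_FINGERPRINTS` list is a deliberately minimal stand-in for the signature set a real takeover scanner carries.

```python
"""Classify a subdomain inventory the way sections 4.1 and 4.2 describe.

Added example, not OpenEASD or Subzy code. The inventory, the resolution
results and the provider error strings below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Name tokens that mark non-production environments (F-001). Matched as whole
# labels or label prefixes, so "dev.example" matches but "devportal" does not.
NONPROD_TOKENS = re.compile(r"(^|[-.])(staging|stage|dev|test|qa|uat)([-.]|$)")

# Provider error bodies that mean the CNAME target no longer exists (F-005).
# Constructed, minimal list; takeover scanners carry far more signatures.
DANGLING_FINGERPRINTS = {
    "s3.amazonaws.com": "NoSuchBucket",
    "herokuapp.com": "No such app",
    "github.io": "There isn't a GitHub Pages site here",
}


@dataclass
class Host:
    name: str
    cname: Optional[str]              # CNAME target, if the record is an alias
    resolves: bool                    # did the name resolve to an address?
    web_ports: List[int] = field(default_factory=list)
    body_snippet: str = ""            # start of the HTTP response body, if any


@dataclass
class Finding:
    host: str
    kind: str        # "dangling-cname" | "stale-cname" | "nonprod-web"
    severity: str
    note: str


def classify(hosts: List[Host]) -> List[Finding]:
    """Apply the F-001 and F-005 rules to every host in the inventory."""
    findings = []
    for h in hosts:
        if h.cname:
            provider = next((p for p in DANGLING_FINGERPRINTS if h.cname.endswith(p)), None)
            if provider and DANGLING_FINGERPRINTS[provider] in h.body_snippet:
                # The target is gone at a provider where anyone can claim the name.
                findings.append(Finding(h.name, "dangling-cname", "Critical",
                    f"CNAME {h.cname} answers '{DANGLING_FINGERPRINTS[provider]}'; remove the record"))
            elif not h.resolves:
                # Alias chain ends in NXDOMAIN: not claimable today, still cleanup.
                findings.append(Finding(h.name, "stale-cname", "Low",
                    f"CNAME {h.cname} does not resolve; remove the record"))
        if NONPROD_TOKENS.search(h.name) and h.resolves and h.web_ports:
            findings.append(Finding(h.name, "nonprod-web", "Medium",
                f"non-production name reachable on ports {h.web_ports}"))
    return findings


# Constructed inventory modelled on the findings in this section.
SAMPLE_INVENTORY = [
    Host("old-marketing.scan.acmesaas.io", "acmesaas-old-bucket.s3.amazonaws.com", True,
         [80, 443], "<Error><Code>NoSuchBucket</Code></Error>"),
    Host("dev.scan.acmesaas.io", None, True, [443]),
    Host("staging-api.scan.acmesaas.io", None, True, [80, 443]),
    Host("old-cdn.scan.acmesaas.io", "retired-edge.cdn.example.net", False),
    Host("www.scan.acmesaas.io", "acmesaas.github.io", True, [443], "<html>Welcome"),
    Host("devportal.scan.acmesaas.io", None, True, [443]),
]

if __name__ == "__main__":
    for f in classify(SAMPLE_INVENTORY):
        print(f"{f.severity:8} {f.kind:15} {f.host}: {f.note}")
```

Two design points worth noting: a dangling alias is only Critical when the provider answers with its "resource does not exist" body, because that is the case where the name can be claimed; an alias that simply fails to resolve is logged as cleanup. The non-production match is deliberately whole-token, so `devportal` is not flagged; widen `NONPROD_TOKENS` if your naming scheme glues tokens together.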

4.3 DNS Security

Vector intent: Identify DNS-layer weaknesses that enable cache poisoning, subdomain enumeration, or zone information disclosure.

Method used: dig and dnsx against discovered authoritative nameservers. RDAP for domain registration.

  • F-006 (Medium): DNSSEC is not enabled. Cache poisoning resistance is limited and DNSSEC adoption is an expectation in regulated industries.
  • F-007 (Medium): CAA record is missing. Any certificate authority can issue a certificate for scan.acmesaas.io. CAA constrains issuance to specific CAs (Let's Encrypt and DigiCert in your current usage).
  • F-008 (Low): Zone transfer (AXFR) is correctly refused on all 4 authoritative nameservers. Good.

4.4 Email Security (SPF, DKIM, DMARC, MTA-STS)

Vector intent: Identify email policy weaknesses that allow attackers to spoof email from your domain.

Method used: dig TXT and DNS queries against published SPF, DKIM, DMARC, MTA-STS, and BIMI records. checkdmarc parsing.

  • F-009 (High): SPF policy ends in ~all (softfail) instead of -all (hardfail). Receivers may quarantine spoofed mail instead of rejecting it. Harden to -all after confirming SPF includes all legitimate senders.
  • F-010 (High): DMARC policy is p=none. No enforcement. Spoofing is allowed. Move to p=quarantine; pct=50 first, then p=reject after a monitoring period via the aggregate reports.
  • F-011 (Medium): DKIM selector observed for google (Workspace). No selector for mailgun despite SPF including Mailgun. Either remove Mailgun from SPF or publish a DKIM selector.
  • F-012 (Low): MTA-STS not published. Inbound mail TLS can be downgraded by an in-path attacker. Publish _mta-sts.scan.acmesaas.io TXT record and mta-sts.scan.acmesaas.io/.well-known/mta-sts.txt policy.
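The grading applied in F-009 to F-011 comes down to three record checks: the qualifier on the SPF `all` mechanism, the DMARC `p` (and `pct`) tags, and whether every sender that SPF authorises also has a DKIM selector published. The following is an added example, not OpenEASD or checkdmarc code; the TXT records are constructed to mirror this section's findings, and the mapping from SPF include target to DKIM selector name (`INCLUDE_TO_SELECTOR`) is an assumption you would replace with the selectors your providers actually document.

```python
"""Grade published SPF, DMARC and DKIM records the way section 4.4 does.

Added example; not OpenEASD or checkdmarc code. The TXT records and the
SPF-include-to-DKIM-selector mapping are constructed to mirror F-009 to F-011.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

QUALIFIER_NAME = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}


def parse_spf(txt: str) -> Tuple[List[str], Optional[str]]:
    """Return (include targets, qualifier of the 'all' mechanism)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    includes, all_qualifier = [], None
    for term in terms[1:]:
        if term.lower().startswith("include:"):
            includes.append(term.split(":", 1)[1].lower())
        elif re.fullmatch(r"[+\-~?]?all", term, re.IGNORECASE):
            # An unqualified "all" means "+all" per RFC 7208.
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    return includes, all_qualifier


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_txt: str, dmarc_txt: str, dkim_selectors: Set[str],
           include_to_selector: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, note) findings for the three email-policy checks."""
    findings: List[Tuple[str, str]] = []

    includes, all_q = parse_spf(spf_txt)
    if all_q != "-":
        findings.append(("High", f"SPF ends in {all_q or ''}all "
                                 f"({QUALIFIER_NAME.get(all_q, 'missing')}); use -all"))

    tags = parse_dmarc(dmarc_txt)
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        findings.append(("High", "DMARC p=none: receivers are told not to enforce"))
    elif policy == "quarantine" or pct < 100:
        findings.append(("Low", f"DMARC p={policy} pct={pct}: staged rollout, "
                                f"move to p=reject at pct=100 once reports are clean"))
    if "rua" not in tags:
        findings.append(("Low", "DMARC has no rua tag: no aggregate reports to guide tightening"))

    # Every sender SPF authorises should also sign with DKIM (F-011).
    for inc in includes:
        selector = include_to_selector.get(inc)
        if selector is None:
            findings.append(("Informational", f"SPF include {inc} has no known DKIM selector mapping"))
        elif selector not in dkim_selectors:
            findings.append(("Medium", f"SPF includes {inc} but no DKIM selector '{selector}' is published"))
    return findings


# Constructed records mirroring F-009 to F-011, then the hardened equivalents.
WEAK_SPF = "v=spf1 include:_spf.google.com include:mailgun.org ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@scan.acmesaas.io"
STAGED_DMARC = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@scan.acmesaas.io"
HARDENED_SPF = "v=spf1 include:_spf.google.com include:mailgun.org -all"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@scan.acmesaas.io"
# Assumed mapping from SPF include target to the DKIM selector that sender publishes.
INCLUDE_TO_SELECTOR = {"_spf.google.com": "google", "mailgun.org": "mailgun"}

if __name__ == "__main__":
    for sev, note in assess(WEAK_SPF, WEAK_DMARC, {"google"}, INCLUDE_TO_SELECTOR):
        print(f"{sev:8} {note}")
```

The staged DMARC record (`p=quarantine; pct=50`) is reported as Low rather than High because it is the intermediate step this section recommends, not a misconfiguration; the check only keeps pointing at `p=reject` until the rollout is finished.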

4.5 Open Ports and Exposed Services

Vector intent: Identify publicly reachable services that should not be internet-exposed.

Method used: Naabu top 1000 TCP port scan against resolved IPs. Nmap version detection for fingerprinting.

  • F-013 (Critical): Port 6379 (Redis) reachable from the public internet on dev.scan.acmesaas.io. Redis responds without authentication. An attacker can execute CONFIG SET commands to write SSH authorized_keys or shell payloads. Recommendation: bind Redis to localhost (or your private network), enable requirepass, and rotate any data this Redis has touched. Shut down this exposure today.
  • F-014 (High): Port 22 (SSH) reachable from the public internet on 3 production hosts. Recommendation: IP-restrict to bastion or VPN, or migrate to SSH-via-SSM (AWS) or equivalent.
  • F-015 (Low): Port 25 (SMTP) reachable on a marketing host. Expected for inbound mail receiving. Verify the host is hardened and not an open relay (tested: it is not).
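The remediation in F-013 (bind to localhost, enable requirepass, keep protected mode on) can be checked against the server's own redis.conf before the port is ever exposed. The following is an added example, not OpenEASD code; both configuration texts are constructed, the weak one reproducing the exposure described in F-013 and the hardened one its fix, and the password value is a placeholder to be replaced.

```python
"""Audit a redis.conf for the exposure behind F-013 and show the hardened form.

Added example; not OpenEASD code. Both configuration texts are constructed;
the password value is a placeholder.
"""
from typing import Dict, List, Tuple

# bind tokens that put the listener on every interface
PUBLIC_BIND_TOKENS = {"0.0.0.0", "*", "::", "::*", "-::*"}


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive (lowercased) to the list of its values, in file order."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key.lower(), []).append(value.strip())
    return directives


def audit_redis_conf(text: str) -> List[Tuple[str, str]]:
    """Return (severity, note) issues for the settings behind F-013."""
    d = parse_redis_conf(text)
    issues: List[Tuple[str, str]] = []

    # No bind directive at all means "listen everywhere", as does a wildcard.
    binds = " ".join(d.get("bind", [])).split()
    public = not binds or any(tok in PUBLIC_BIND_TOKENS for tok in binds)
    if public:
        issues.append(("Critical", "listener is bound to all interfaces (no bind, or a wildcard bind)"))

    # Authentication: a non-empty requirepass, an ACL file, or inline user rules.
    has_auth = any(v for v in d.get("requirepass", [])) or "aclfile" in d or "user" in d
    if not has_auth:
        issues.append(("Critical" if public else "Medium",
                       "no requirepass or ACL configured: unauthenticated access"))

    # protected-mode defaults to yes; "no" removes the last local-only safeguard.
    if d.get("protected-mode", ["yes"])[-1].lower() == "no":
        issues.append(("Medium", "protected-mode no: Redis will not refuse non-local clients on its own"))

    # CONFIG is the command F-013 warns about; rename-command or an ACL can restrict it.
    renamed = any(v.split()[:1] == ["CONFIG"] for v in (x.upper() for x in d.get("rename-command", [])))
    if not renamed:
        issues.append(("Low", "CONFIG command is reachable; rename it or restrict it with an ACL"))
    return issues


# Constructed: the kind of config that produces an F-013 finding.
WEAK_CONF = """\
# dev box exposed directly to the internet
bind 0.0.0.0
port 6379
protected-mode no
"""

# Constructed: the hardened equivalent recommended in F-013.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
port 6379
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or "no issues")
```

The severity of "no authentication" is tied to reachability on purpose: on a loopback-only listener it is a Medium hygiene gap, on a public listener it is the Critical that F-013 describes. The check reads the file, not the running process, so it complements rather than replaces the external port scan.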

4.6 TLS and SSL Configuration

Vector intent: Identify weak protocol versions, expired or expiring certificates, and downgrade risks.

Method used: testssl.sh equivalent inside OpenEASD. Custom checks for expiry windows.

  • F-016 (High): Production certificate for scan.acmesaas.io expires in 11 days. Auto-renewal via Let's Encrypt configured but last renewal attempt logged failure. Investigate and renew this week.
  • F-017 (High): legacy.scan.acmesaas.io negotiates TLS 1.0. Modern browsers warn or refuse. Payment processors and many security questionnaires require TLS 1.2+ minimum.
  • F-018 (Medium): HSTS not present on apex or www. Add Strict-Transport-Security header with at least 6-month max-age, then submit to the HSTS preload list.
  • F-019 (Low): 3DES cipher suite still negotiable on 2 subdomains. Disable.
  • F-020 (Informational): All production hosts using ECDSA certificates (P-256). Good.

4.7 SSH Configuration Audit

Vector intent: Identify SSH services with weak algorithm negotiation.

Method used: ssh-audit equivalent. Algorithm negotiation captured without auth attempt.

  • F-021 (Medium): SHA-1 HMAC algorithms still accepted on 2 hosts. Disable hmac-sha1, hmac-sha1-96.
  • F-022 (Low): SSH banner reveals OpenSSH version 8.4p1 (2 minor versions behind current LTS).

4.8 Known Vulnerability Detection

Vector intent: Identify hosts running software versions with publicly known CVEs.

Method used: Nmap NSE vulners scripts and Nuclei network templates.

  • F-023 (High): Nginx version banner reveals 1.18.0 on production proxy. CVE-2021-23017 (DNS resolver vulnerability) and CVE-2022-41741 (mp4 module memory disclosure) apply. Upgrade to 1.24.x.
  • F-024 (Medium): Tomcat 9.0.45 server header on a Java microservice. 3 documented CVEs since this version. Upgrade to current 9.0.x.

4.9 Web Probing and URL Discovery

Vector intent: Identify the live web URL surface and any reachable endpoints.

Method used: httpx active probing. Captures HTTP status, technologies, redirects, and reachable URLs.

  • F-025 (Low): /admin on old-marketing.scan.acmesaas.io returns a WordPress login page. Decommission or move behind VPN.
  • F-026 (Low): 2 staging subdomains return server-side default pages (Apache default, Nginx welcome). Customise or remove.
  • F-027 (Informational): Production application is a Next.js SSR app reverse-proxied via Cloudflare. Fingerprintable but no direct risk.

4.10 Web Crawling

Vector intent: Walk the live URL surface to enumerate accessible endpoints beyond the public sitemap.

Method used: Katana deep crawl with depth 5 against discovered web hosts.

  • F-028 (Informational): Crawled 1,247 URLs. No directory listing exposed. No sensitive files (.env, .git, backup archives) in document root. Good.

4.11 Web Vulnerability Scanning

Vector intent: Detect known web vulnerabilities, misconfigurations, and exposed admin or panel endpoints.

Method used: Nuclei community templates against discovered web URLs.

  • F-029 (Medium): /.well-known/security.txt not published. Add for responsible disclosure flow.
  • F-030 (Low): API endpoint /api/health returns build version and commit SHA. Minor information disclosure. Acceptable for some use cases (status dashboards) but flag if not intended.

4.12 HTTP Security Headers, Cookies, and CORS

Vector intent: Identify missing or misconfigured browser security policies.

Method used: httpx header capture. Manual review by founder of relevant configs.

  • F-031 (Medium): Content-Security-Policy header missing on the marketing site. Adopt at least a baseline policy.
  • F-032 (Medium): Access-Control-Allow-Origin: * on api.scan.acmesaas.io while Access-Control-Allow-Credentials is set to true. This combination is rejected by browsers but indicates a configuration error. Replace wildcard with explicit allowlist.
  • F-033 (Low): Session cookies missing Secure attribute on 1 staging subdomain. Add.
  • F-034 (Low): Server: Apache/2.4.41 header reveals exact version. Strip server banner.
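F-031 to F-034 are all decided from the response headers alone, so the checks can be scripted over captured responses. The following is an added example, not OpenEASD or httpx code; the three responses are constructed to mirror this section's findings, the required-header list and the cookie attribute set are this example's own baseline rather than any standard's, and every response is assumed to have been served over HTTPS.

```python
"""Audit response headers, cookie attributes and CORS the way section 4.12 does.

Added example; not OpenEASD or httpx code. The three responses are constructed
to mirror F-031 to F-034; every response is assumed to have come over HTTPS.
"""
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Baseline headers this example expects, in a fixed order so output is stable.
REQUIRED = [
    ("content-security-policy", "Medium", "Content-Security-Policy missing"),
    ("strict-transport-security", "Medium", "Strict-Transport-Security missing"),
    ("x-content-type-options", "Low", "X-Content-Type-Options missing"),
    ("x-frame-options", "Low", "X-Frame-Options missing (and no CSP frame-ancestors)"),
    ("referrer-policy", "Low", "Referrer-Policy missing"),
    ("permissions-policy", "Low", "Permissions-Policy missing"),
]
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def index(headers: List[Header]) -> Dict[str, List[str]]:
    """Group header values by lowercased name; Set-Cookie may repeat."""
    out: Dict[str, List[str]] = {}
    for name, value in headers:
        out.setdefault(name.lower(), []).append(value)
    return out


def audit(headers: List[Header]) -> List[Tuple[str, str]]:
    """Return (severity, note) findings for one response."""
    h = index(headers)
    findings: List[Tuple[str, str]] = []

    csp = " ".join(h.get("content-security-policy", []))
    for name, sev, note in REQUIRED:
        if name in h:
            continue
        if name == "x-frame-options" and "frame-ancestors" in csp:
            continue  # CSP frame-ancestors supersedes X-Frame-Options
        findings.append((sev, note))

    # Cookie attributes (F-033): one Set-Cookie header per cookie.
    for raw in h.get("set-cookie", []):
        parts = [p.strip() for p in raw.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag, label in COOKIE_FLAGS.items():
            if flag not in attrs:
                findings.append(("Low", f"cookie '{cookie}' missing {label}"))

    # CORS (F-032): browsers reject "*" with credentials, but it still signals
    # that the server was configured to allow any origin.
    acao = h.get("access-control-allow-origin", [""])[0]
    acac = h.get("access-control-allow-credentials", [""])[0].lower() == "true"
    if acao == "*" and acac:
        findings.append(("Medium", "CORS: wildcard Access-Control-Allow-Origin with Allow-Credentials true"))
    elif acao == "null":
        findings.append(("Medium", "CORS: Access-Control-Allow-Origin null is matchable by sandboxed origins"))

    # Server banner (F-034): only flag when a version number is present.
    for server in h.get("server", []):
        if re.search(r"\d+\.\d+", server):
            findings.append(("Low", f"Server header discloses version: {server}"))
    return findings


# Constructed responses mirroring F-031, F-032, F-033 and F-034.
MARKETING_SITE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=()"),
]
API_HOST = [
    ("Content-Type", "application/json"),
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "no-referrer"),
    ("Permissions-Policy", "camera=()"),
]
STAGING_HOST = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Referrer-Policy", "no-referrer"),
    ("Permissions-Policy", "camera=()"),
]

if __name__ == "__main__":
    for label, resp in (("marketing", MARKETING_SITE), ("api", API_HOST), ("staging", STAGING_HOST)):
        print(label, audit(resp) or "no findings")
```

The API response shows why the header check must look at CSP before flagging X-Frame-Options: `frame-ancestors` already covers framing, so reporting the missing legacy header would be a false positive of the kind the founder review strips out.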

5. Founder Review Note

This is the section you do not get from a raw scanner dump. A founder reviewed every finding before the report shipped. Three observations specific to Acme SaaS:

  • The Critical Redis exposure (F-013) is the single thing to fix this week. Everything else can wait if you prioritise correctly. Unauthenticated Redis is a known attacker target; bot scanners hit it within hours of new exposure. If this has been up for more than a day, audit the data and assume potential compromise.
  • The subdomain takeover risk (F-005) ties to your past marketing infrastructure. If old-marketing.scan.acmesaas.io was ever in an email campaign or a customer-facing link, audit referrer logs. An attacker who takes the dangling S3 bucket and serves phishing content can ride your domain authority.
  • The email security findings (F-009 to F-012) compound. Each one alone is recoverable. Together, they make spoofing your domain trivially possible. Recommend tackling SPF + DMARC together as one change, monitoring DMARC aggregate reports for 2 weeks, then tightening.

4 false-positive findings from raw scanner output were removed before this report shipped: a deprecated CVE for an Nginx version we verified is actually patched (Debian backport), a CORS misconfiguration on a marketing iframe that is intentional, an "open" port that is filtered, and a TLS cipher suite warning that does not apply to your TLS 1.3 negotiation.

6. Recommendations and Prioritisation

6.1 This Week

  1. F-013: Take Redis off the public internet. Bind to localhost or private network. Rotate any keys this Redis has held.
  2. F-005: Remove the dangling CNAME for old-marketing.scan.acmesaas.io. Audit referrers for in-flight campaigns.
  3. F-016: Renew the expiring production certificate. Investigate the failed Let's Encrypt auto-renewal.

6.2 Within 30 Days

  1. F-014: IP-restrict SSH access on 3 production hosts.
  2. F-009, F-010: Harden SPF (-all) and DMARC (p=quarantine then p=reject).
  3. F-011: Either remove Mailgun from SPF or publish DKIM selector.
  4. F-017: Disable TLS 1.0 on legacy.scan.acmesaas.io.
  5. F-023: Upgrade Nginx to 1.24.x.

6.3 Next Quarter

  1. Mediums and Lows. Address as part of normal hardening sprints.
  2. Enable DNSSEC if your registrar supports it (F-006).
  3. Publish CAA record (F-007).
  4. Publish MTA-STS policy (F-012).
  5. Add Content-Security-Policy (F-031).
  6. Decommission unused staging environments (F-001).

6.4 Beyond OpenEASD

OpenEASD covers external attack surface. It does not cover:

  • Authenticated application testing. Business logic flaws, authorisation gaps between user roles, IDOR, payment race conditions. Covered by a founder-led pentest.
  • Brand abuse monitoring. Typosquatting, fake apps, leaked credentials on the dark web, phishing infrastructure targeting your brand. Covered by Brand Protection.
  • Internal network testing. Lateral movement, internal service exposure, Active Directory hardening. Out of scope.

7. Tools and References

OpenEASD is open source. Source available on GitHub: github.com/cybersecify/OpenEASD. Underlying tools used in this scan:

  • Subdomain discovery: Subfinder, Amass, Alterx
  • DNS: dnsx, dig, RDAP
  • Subdomain takeover: Subzy
  • Port scanning: Naabu, Nmap
  • Network CVEs: Nmap NSE vulners, Nuclei network templates
  • TLS: testssl.sh-equivalent inside OpenEASD
  • SSH: ssh-audit-equivalent
  • Web probing: httpx
  • URL recovery: Gau, waybackurls
  • Web crawling: Katana
  • Web vulnerabilities: Nuclei community templates

References for severity definitions: OWASP Web Security Testing Guide v5.0, OWASP API Security Top 10 2023, NIST SP 800-115. CVSS v3.1 used for individual vulnerability scoring where applicable.

8. Limitations and Disclaimer

This is a sample report. All findings, the client name (Acme SaaS), the domain (scan.acmesaas.io), and all enumerated subdomains and IPs are fictional. Any resemblance to real systems is coincidental. Use this sample to evaluate format and depth. It is not a benchmark for the volume or severity of findings in any real engagement.

External-only scanning. OpenEASD performs external, non-intrusive reconnaissance against publicly observable infrastructure. The scan does not authenticate, exploit, or perform any intrusive action. It does not access private systems or non-public data.

Point-in-time. The scan reflects external posture during the scan window. Changes to systems, code, configuration, or the threat landscape after the engagement window are not covered.

Not a substitute for a full security assessment. OpenEASD covers external attack surface only. Internal application authorisation, business logic, payment flows, and audit-evidence quality require a founder-led pentest.

Founder review caveat. The founder review removes false positives where verifiable and prioritises findings. It is not a substitute for the client's own context. We do not have access to your customer data, internal architecture decisions, or threat model. Apply judgement when prioritising fixes.

Drop Your Domain. We Send the Report in 48 Hours.

Same format. Founder-reviewed. Free, no obligation. Your data is not sold or shared.