Threat intelligence analysis docs
Website analysis
Analysis of the website's content, its relations to other domains, and host configuration issues.
Pages parsed
Website's content parsing statistics.
Indicator | What it means? |
---|---|
Parser start URL | The page where TIP starts fetching the website's content for analysis. It is the domain's home page, or any internal page if a full URL was provided as the search term. |
Parsing page limit | Maximum number of pages to be analysed. TIP can parse the whole website, but that takes time; the limit is currently one page. |
Maximum parsing depth | TIP recursively fetches pages from the target website, starting with the Parser start URL, and builds the website's link tree. This setting limits the tree's maximum depth; it is currently one level. |
Pages parsed | List of the analysed pages used to build the report. |
Outgoing links found | Number of distinct domains referenced from the target website, with subdomains counted as separate domain names. References include links, external images, CSS, scripts and iframe sources. Each domain is counted once. |
Third-party services integration
List of popular third-party services discovered on the target website. TIP constantly improves its detection algorithms. If a service you know to be integrated is not listed, please let us know.
Indicator | What it means? |
---|---|
Facebook | The website is integrated with Facebook services. |
Google | The website is integrated with Google services. |
Components
While parsing the website's content, TIP analyses meta tags, HTML directives, JavaScript source code, etc. to discover which Content Management System (CMS), JavaScript frameworks or other technologies were used to build the website.
TIP constantly improves its detection algorithms. If a component you were looking for is not listed, please let us know.
Indicator | What it means? |
---|---|
Angular | The Angular JavaScript framework was used to build the website. |
jQuery | The jQuery JavaScript library was used to build the website. |
WordPress | The WordPress CMS was used to build the website. |
Joomla | Joomla CMS was used to build the website. |
Drupal | Drupal CMS was used to build the website. |
Potentially dangerous content
TIP detects potentially dangerous content on the website. It is not necessarily malicious, but once detected it is a good starting point for further analysis.
Indicator | What it means? |
---|---|
Links to .apk files | Links to .apk files were detected on the website. Most likely the website offers Android applications for direct download, bypassing Google Play and its review process. Such files can be harmful to your phone or device. |
Links to .exe files | Links to .exe files were detected on the website. Most likely the website offers Windows executables for direct download without any vetting. Such files can be harmful to your device. |
Iframes | Iframes were detected on the website. The IFRAME element embeds a document, possibly from another domain, inside the target page, which makes it a common building block of attacks: clickjacking, phishing overlays that imitate login boxes, and forced navigation, since framed content can attempt to navigate the top-level window via top.location (the sandbox attribute without allow-top-navigation blocks this). The same-origin policy prevents a cross-origin frame from reading the embedding page's DOM or cookies, but a frame served from the same origin, or from a compromised third party, has full access to the page. Historically iframes were also used to load Flash/ActiveX/Java content that could compromise the device itself, not only browser data; modern browsers no longer run those plugins, but such markup is still found on old websites. The browser's address bar does not show where framed content comes from, so end users will not notice the substitution. Nonetheless many popular services use iframes safely; for instance, YouTube videos are embedded with the IFRAME element. |
Scripts opening new windows | Scripts that try to open new browser windows (e.g. window.open) were detected. Pop-ups are a common vehicle for unwanted advertising and for sending users to malicious pages. |
Redirects | Redirects to other websites were detected. They can be caused by HTTP redirect status codes (301, 302, 303, 307 or 308), by a meta refresh tag, or by JavaScript (e.g. location.replace or an assignment to location.href). |
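The checks described in this table and in the "Outgoing links found" indicator above can be reproduced with a small HTML scanner. The following is an added example, not TIP's own code: it counts distinct external hosts referenced by links, images, CSS, scripts and iframes (subdomains counted separately), and flags .apk/.exe download links, iframes, meta refresh tags, scripts that call window.open and scripts that assign or call location. The page it scans is constructed for the demo; the regular expressions are heuristics for inline scripts only, and HTTP-level 3xx redirects are out of scope here because they come from the response, not the content.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import re

# Attributes that reference another resource, per element.
_REF_ATTRS = {
    "a": ("href",), "link": ("href",), "img": ("src",),
    "script": ("src",), "iframe": ("src",), "frame": ("src",),
}
_DOWNLOAD_EXT = (".apk", ".exe")
# Heuristics for client-side redirects and pop-ups inside inline scripts.
_REDIRECT_RE = re.compile(
    r"\b(?:window\.|top\.|document\.)?location(?:\.href|\.replace|\.assign)?\s*(?:=(?!=)|\()",
    re.I)
_POPUP_RE = re.compile(r"\bwindow\.open\s*\(", re.I)


class ContentScanner(HTMLParser):
    """Collects the indicators while one page is parsed."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.own_host = urlsplit(page_url).hostname
        self.external_hosts = set()
        self.findings = {"apk_links": [], "exe_links": [], "iframes": [],
                         "meta_refresh": [], "popup_scripts": 0, "js_redirects": 0}
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for name in _REF_ATTRS.get(tag, ()):
            ref = a.get(name)
            if not ref:
                continue
            url = urljoin(self.base, ref)           # resolve relative and scheme-relative refs
            parts = urlsplit(url)
            if parts.hostname and parts.hostname != self.own_host:
                self.external_hosts.add(parts.hostname)   # each subdomain is a distinct host
            path = parts.path.lower()
            if tag == "a" and path.endswith(_DOWNLOAD_EXT):
                key = "apk_links" if path.endswith(".apk") else "exe_links"
                self.findings[key].append(url)
            if tag == "iframe":
                self.findings["iframes"].append(url)
        if tag == "script":
            self._in_script = True                  # inline body arrives via handle_data
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings["meta_refresh"].append(a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            if _POPUP_RE.search(data):
                self.findings["popup_scripts"] += 1
            if _REDIRECT_RE.search(data):
                self.findings["js_redirects"] += 1


def scan_html(page_url, html):
    """Parse one page and return the indicator values for it."""
    scanner = ContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return {"outgoing_domains": len(scanner.external_hosts),
            "external_hosts": sorted(scanner.external_hosts),
            **scanner.findings}


# Constructed sample page (the hosts and video id are placeholders, not real sites).
SAMPLE_URL = "https://example.test/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.net/site.css">
<script src="https://static.example.net/app.js"></script>
</head><body>
<a href="/downloads/tool.exe">Download</a>
<a href="https://files.example.org/app.apk?src=web">Get the app</a>
<a href="/about.html">About</a>
<img src="//img.example.net/logo.png">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<script>
  if (navigator.userAgent.indexOf("bot") < 0) { window.open("https://ads.example.org/p"); }
</script>
<script>location.replace("https://landing.example.org/");</script>
</body></html>"""

if __name__ == "__main__":
    for key, value in scan_html(SAMPLE_URL, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

For the sample page this reports five outgoing domains (the same-host /about.html and /downloads/tool.exe links are not counted), one .exe and one .apk link, one iframe, one pop-up script and one redirecting script. A real crawler would feed every page from "Pages parsed" through the same scanner and merge the host sets.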
Host configuration issues
Checks whether the target host has known weaknesses or configuration issues that could be used in different kinds of attacks.
Indicator | What it means? |
---|---|
Open .git directory in the document root | The production website is deployed from a Git working copy and the repository's service files are publicly readable. Any visitor can download the website's full source code, including branches and the change history, which often contains credentials and configuration secrets that were later removed. Access to the /.git directory must be blocked on the web server. |
Directory listing is allowed | Any visitor can view the list of files in the document root. This exposes backups, configuration files and other material that was never meant to be linked, and helps an attacker map the application. Disabling directory listing is good practice. |
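Both issues can be verified with two requests. The following is an added example, not TIP's own code: it treats /.git/HEAD as exposed only when the body has Git HEAD syntax (a symbolic ref or a bare object id), so a catch-all server that answers 200 to every path is not reported, and it recognises a directory listing by the "Index of /" title that Apache's mod_autoindex and nginx's autoindex pages carry. The fetcher is a parameter so the checks can run against the constructed responses below; the default fetcher uses urllib and does not follow redirects. The hostnames are placeholders.

```python
import re
import urllib.error
import urllib.request

# A real Git HEAD is either a symbolic ref or a bare object id (SHA-1 or SHA-256).
_GIT_HEAD_RE = re.compile(rb"\A(?:ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})\s*\Z")
# Apache mod_autoindex and nginx autoindex both title their listings "Index of /...".
_LISTING_RE = re.compile(rb"<title>\s*Index of /", re.I)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None          # surface a 3xx as HTTPError instead of following it


def http_fetch(url, timeout=5):
    """Default fetcher: (status, first 64 KiB of body); status None on network errors."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode(), resp.read(65536)
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536)
    except (urllib.error.URLError, OSError):
        return None, b""


def check_git_exposure(base_url, fetch=http_fetch):
    """True only if /.git/HEAD is served with 200 and has Git HEAD syntax."""
    status, body = fetch(base_url.rstrip("/") + "/.git/HEAD")
    return status == 200 and _GIT_HEAD_RE.match(body) is not None


def check_directory_listing(base_url, fetch=http_fetch):
    """True if the document root is served as an autoindex listing."""
    status, body = fetch(base_url.rstrip("/") + "/")
    return status == 200 and _LISTING_RE.search(body) is not None


def audit(base_url, fetch=http_fetch):
    return {"git_exposed": check_git_exposure(base_url, fetch),
            "directory_listing": check_directory_listing(base_url, fetch)}


# Constructed responses standing in for two hosts (placeholders, not real sites).
CANNED = {
    "https://leaky.example.test/.git/HEAD": (200, b"ref: refs/heads/main\n"),
    "https://leaky.example.test/": (200, b"<html><head><title>Index of /</title></head>"
                                         b"<body><a href=\".git/\">.git/</a></body></html>"),
    # A catch-all server answers 200 to everything; that must not count as a .git leak.
    "https://catchall.example.test/.git/HEAD": (200, b"<html><title>Welcome</title></html>"),
    "https://catchall.example.test/": (200, b"<html><title>Welcome</title></html>"),
}


def canned_fetch(url, timeout=5):
    """Offline stand-in for http_fetch."""
    return CANNED.get(url, (404, b"Not Found"))


if __name__ == "__main__":
    for host in ("https://leaky.example.test", "https://catchall.example.test"):
        print(host, audit(host, canned_fetch))
```

If /.git/HEAD is readable, /.git/config and the object store usually are too, and the repository can be reconstructed client-side. The fix belongs in the web server: on nginx a location block matching /\.git that returns 404 plus autoindex off, on Apache Options -Indexes plus a DirectoryMatch rule denying /\.git; better still, deploy from a build artifact rather than a working copy.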
Open ports and services
TIP connects to the target host on common TCP/UDP ports and checks whether they are open. It is good practice to restrict remote connections unless the product's infrastructure requires them; database ports in particular should never be reachable from the Internet. "Connection refused" or "Connection timeout" are good answers. If TIP managed to connect to a port, the connection details are provided.
Service | Port |
---|---|
Microsoft SQL Server (server) | 1433 |
Microsoft SQL Server Browser (monitor, UDP) | 1434 |
MySQL | 3306 |
Firebird & Interbase | 3050 |
PostgreSQL | 5432 |
Pervasive SQL (TCP) 1 | 3351 |
Pervasive SQL (TCP) 2 | 1583 |
HSQLDB | 9001 |
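The three outcomes the text distinguishes (open, refused, timeout) map directly onto a TCP connect attempt. The following is an added example, not TIP's own code: a connect probe over the database ports listed above, with 1434 left out because SQL Server Browser speaks UDP and a TCP connect says nothing about it. demo() probes the local host against one listening socket and one port that was just released, so it runs offline; against a remote host call probe_host with its name.

```python
import socket

# TCP ports from the table above (1434 is UDP and is not probed here).
DB_PORTS = {
    1433: "Microsoft SQL Server", 3306: "MySQL", 3050: "Firebird/InterBase",
    5432: "PostgreSQL", 3351: "Pervasive SQL (TCP) 1", 1583: "Pervasive SQL (TCP) 2",
    9001: "HSQLDB",
}


def probe_tcp(host, port, timeout=2.0):
    """Return 'open', 'refused', 'timeout' or 'error:<errno>' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"            # three-way handshake completed: something listens
    except ConnectionRefusedError:
        return "refused"             # host answered with RST: port closed, no filter
    except socket.timeout:
        return "timeout"             # no answer at all: typically dropped by a firewall
    except OSError as err:
        return f"error:{err.errno}"  # e.g. unreachable network or name resolution failure


def probe_host(host, ports=DB_PORTS, timeout=2.0):
    """Probe every port in `ports` and return {port: (service, result)}."""
    return {port: (name, probe_tcp(host, port, timeout)) for port, name in ports.items()}


def demo():
    """Offline self-check on 127.0.0.1: one listening port and one just-released port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                    # nothing listens here any more, so expect 'refused'
    try:
        return {"open": probe_tcp("127.0.0.1", open_port),
                "closed": probe_tcp("127.0.0.1", closed_port)}
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
    for port, (name, result) in probe_host("127.0.0.1", timeout=0.5).items():
        print(f"{port:5d} {name:<24} {result}")
```

"refused" and "timeout" are the desired answers for a production host, but they mean different things: refused proves the host is reachable and the port closed, while timeout usually means a firewall is dropping the packets. Either way, an "open" on any of these ports calls for checking whether the database should be exposed at all and, if it must be, that it authenticates and encrypts connections.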