A Roadmap for More Effective Web Vulnerability Notification | WhoisXML API
Products APIs Data Feeds Web Tools Domain Research & Monitoring Enterprise Packages
WHOIS / WHOIS History
WHOIS / WHOIS History

Provide current and historical ownership information on domains / IPs. Identify all connections between domains, registrants, registrars, and DNS servers.

DNS / DNS History
DNS / DNS History

Look into all current and historical DNS / IP connections between domains and A, MX, NS, and other records. Monitor suspicious changes to DNS records.

IP Geolocation / IP Netblocks
IP Geolocation / IP Netblocks

Get detailed context on an IP address, including its user’s geolocation, time zone, connected domains, connection type, IP range, ASN, and other network ownership details.

Domain Research Suite (DRS)
Domain Research Suite (DRS)

Access our web-based solution to dig into and monitor all domain events of interest.

Domain Research Suite (DRS)
Domain Research Suite (DRS)

Get access to a web-based enterprise-grade solution to search and monitor domain registrations and ownership details for branded terms, fuzzy matches, registrants of interest, and more.

Research
Monitoring
White-Label
Enterprise API Packages
Enterprise API Packages

Our complete set of domain, IP, and DNS intelligence available via API calls as an annual subscription with predictable pricing.

Security Intelligence (SI) Suite
Security Intelligence (SI) Suite

Offers complete access to WHOIS, IP, DNS, and subdomain data for product enrichment, threat hunting and more.

Premium API Services
Premium API Services

Enjoy priority data access with our premium API services topped with extra perks including dedicated team support, enterprise-grade infrastructure, and SLAs for full scalability and high performance.

×
Contact Us

Success Stories

See other success stories

A Roadmap for More Effective Web Vulnerability Notification

A Roadmap for More Effective Web Vulnerability Notification

Building on their initial research on large-scale web vulnerability notification, B. Stock et al. [1], researchers at CISPA, Saarland University, sought to lay the groundwork for a more effective web vulnerability notification system.

Background

Owing to the development of scanning tools, large-scale detection of web vulnerabilities has generally become more straightforward. In a nutshell, the process involves getting a list of domains and scanning them for security issues. However, such ease in vulnerability discovery is a two-edged sword—both researchers and cyber attackers can take advantage of it, albeit with contrasting purposes.

Addressing the discovered vulnerabilities promptly is crucial, and at the heart of this goal is effective web vulnerability notification. Previous studies [2], [3] established a relatively high association between the receipt of the notifications and the subsequent remediation of reported issues. Still, large-scale web vulnerability notification has a low fix rate.

The Problem: Why Is There a Disconnect?

The roadblock lies in the successful delivery of vulnerability notifications. In one study [2], only 5.8% of 35,832 vulnerability reports were actually received by concerned parties, leaving thousands of issues unpatched and vulnerable to attackers.

While there are several factors that affect the effectiveness of vulnerability reports to the concerned parties, they can be categorized into two:

  • Technical: The bounce rate observed in the study [1] was attributed to the recipients’ email provider’s spam filtering.
  • Nontechnical: The human factor also played a role in failing to address reported security issues. For instance, some parties expressed that among the reasons for ignoring the notifications is the fact that they didn’t trust them.

Aside from identifying the barriers toward more successful notification campaigns, B. Stock et al. also explored alternative communication platforms, such as social media, snail mail, and phone conversations.

Methodology

The researchers analyzed more than 24,000 domains, which were scanned for the following security issues:

  • Cross-site scripting (XSS) vulnerabilities in WordPress
  • CVE-2016-4566 and CVE-2016-4567
  • Publicly accessible Git repositories

A key step in the research is gathering notification contacts, which involved obtaining domain WHOIS information. To hasten the process, the researchers extracted already parsed contact emails from WhoisXML API’s WHOIS database. Generic email addresses were also selected. Among them are those that contain security@, abuse@, webmaster@, and info@.

Three types of notification messages were sent out—automated plaintext emails, automated HTML-based emails, and a variant with a more friendly and non-technical tone.

Findings: Laying the Groundwork for More Effective Vulnerability Notification

B. Stock et al. effectively laid out the road map for future studies to make vulnerability notification more successful.

Automated Emails Are a Good Option

Automated emails still emerged as the most cost-effective medium. More Git reports were accessed when postal mail and phone calls were used as communication channels, but these were also the most expensive. Friendly communication received the highest number of views but did not result in a high fix rate since the messages didn’t contain the report details.

Correct Point of Contact: WHOIS Technical Email Address

Furthermore, the research highlighted the need for obtaining the correct point of contact for the website. Based on the respondents’ inputs, the WHOIS technical email contact, and the address listed on the website are particularly common.

Conclusion

While WHOIS technical email contact email addresses can easily be extracted from the WhoisXML API WHOIS database, the email content can be subjected to more experiments.

What level of technicality should the report use to inspire action? How should the message be constructed so as to establish trust, both with the recipient and email service provider?

When these questions are answered, web vulnerability notification could become more effective, thus helping organizations reduce their attack surface.

References

[1] B. Stock, G. Pellegrino, F. Li, M. Backes, and C. Rossow. Didn't You Hear Me? Towards More Successful Web Vulnerability Notifications. In NDSS Network and Distributed System Security Symposium. San Diego, California. 18–21 February 2018. Retrieved from https://publications.cispa.saarland/1190/1/stock2018notification.pdf.

[2] F. Li, Z. Durumeric, J. Czyz, M. Karami, D. McCoy, S. Savage, M. Bailey, and V. Paxson. You’ve Got Vulnerability: Exploring Effective Vulnerability Notifications. In USENIX Security Symposium. Austin, Texas. 10–12 August 2016. Retrieved from https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_stock.pdf.

[3] B. Stock, G. Pellegrino, C. Rossow, M. Johns, and M. Backes. Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification. In USENIX Security Symposium. Austin, Texas. 10–12 August 2016. Retrieved from https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_li.pdf.

See other success stories
Try our WhoisXML API for free
Get started