
Show HN: Enter your URL and view CVEs affecting your stack over last 6 months - GiulioS
https://secalerts.co/security-audit
======
ComputerGuru
It’s a pretty poor implementation that is basically matching on the lowest
common denominator, by platform rather than by library or framework. An
ASP.NET website is fully independent of a WCF vulnerability. They _can_
coexist but definitely don’t have to.

Additional suggestion: many times the home page is a link to many different
technologies. Crawl all first-level directory indices to see different techs.
E.g. we have a xenforo-powered forum at /forums, a WordPress blog at /blog, a
custom ASP.NET CMS at /store, a .NET Core web app at /foo, etc.

The domain index for most companies past a certain age/size not dedicated
solely to a single app effectively turns into a static html page.

------
wilsonthewhale
My static site running on OpenBSD 6.5 httpd gets identified as Apache
¯\\_(ツ)_/¯

~~~
AndyMcConachie
Same here. It also thinks I'm running PGP 7.1.31 when in fact I'm running
7.1.32.

------
GiulioS
Creator here. We built this using Wappalyzer to detect the software given a
URL and match it against our database of CVEs and thought it might be a fun
little tool.
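As an added illustration of the matching step described in this post (not the site's own code, and the CVE records and detected-stack dictionary below are constructed samples), this shows why matching on product name alone overreports: the comparison has to be against the detected version and the CVE's affected range, and an unrelated component (WCF here) must not be attributed to a site just because it shares a platform with a detected one.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cve:
    id: str
    product: str        # normalised product name as a detector would report it
    start: str          # first affected version (inclusive)
    end: Optional[str]  # first fixed version (exclusive); None means no fix known

# Constructed sample feed; the ids are placeholders, not real CVEs.
CVE_FEED = [
    Cve("CVE-0000-0001", "wordpress", "5.0", "5.2.3"),
    Cve("CVE-0000-0002", "wordpress", "4.0", "5.2.4"),
    Cve("CVE-0000-0003", "varnish", "6.0.0", "6.2.1"),
    Cve("CVE-0000-0004", "wcf", "4.0", None),
]

def parse_version(version: str) -> tuple:
    """Turn '5.2.3' into (5, 2, 3) so versions compare numerically, not as strings."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break               # stop at suffixes such as 'rc1' or 'beta'
        parts.append(int(piece))
    return tuple(parts)

def is_affected(version: str, cve: Cve) -> bool:
    """True only when the detected version falls inside [start, end)."""
    v = parse_version(version)
    if v < parse_version(cve.start):
        return False
    if cve.end is not None and v >= parse_version(cve.end):
        return False
    return True

def match_stack(detected: dict, feed: list) -> list:
    """detected maps product name -> version string, or None when the
    detector saw the product but could not read a version.  Returns
    (cve_id, status) pairs; a product with no version is reported as
    'unverified' rather than claimed to be vulnerable."""
    hits = []
    for cve in feed:
        if cve.product not in detected:
            continue            # e.g. ASP.NET detected does not imply WCF present
        version = detected[cve.product]
        if version is None:
            hits.append((cve.id, "unverified"))
        elif is_affected(version, cve):
            hits.append((cve.id, "affected"))
    return hits

if __name__ == "__main__":
    # Constructed stack in the shape a Wappalyzer-style detector might return.
    stack = {"wordpress": "5.2.3", "varnish": "6.2.1", "asp.net": "4.8", "nginx": None}
    for cve_id, status in match_stack(stack, CVE_FEED):
        print(cve_id, status)
```

With the sample stack above only the WordPress record whose fix is 5.2.4 is reported; the record fixed in 5.2.3 and the Varnish record are skipped because the detected versions are already at the fix boundary, and the WCF record is never considered because WCF was not detected.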

~~~
fnigi
Is this released open-source ?

------
swiley
I pointed it at my lighttpd server and all I got was "cannot detect software"
or so.

~~~
rubbingalcohol
yep that's what I got. Tried on a couple of my web apps.

------
mellosouls
This is a nice addendum to the "Let Us Identify Your Stack" style web services
tho I guess some of them might already provide this.

It does have the somewhat negative effect of making potentially vulnerable
websites more visible to lower order hackers (I'm assuming more proficient
ones have automated discovery tools like this anyway).

~~~
dahfizz
There are browser extensions that do this same thing. It's pretty trivial to
do.

~~~
oriettaxx
[https://www.whatruns.com/](https://www.whatruns.com/) not so precise, must say

------
babuskov
I tried entering a bunch of major websites. Looks like ibm.com is full of
holes that need patching.

------
r1ch
Looks like it's overloaded - HTTP/502 on the API here.

~~~
louisstow
Thanks. Increased the thread size so hopefully that should save it from all
these hugs.

------
not_a_cop75
Finally, a place that can gather IP addresses and associate them to specific
security products to have them hacked later. Just what I've been waiting for.

~~~
saagarjha
Alternatively, secure your stack and _don’t_ have it hacked later.

~~~
jamessteel
Those self-managing their machines and sites could doubt if a break change or
update would cause downtime, LXD/Docker could simplify on that and reduce the
risk to only containers.

------
mrlucax
Is there an open source alternative that could be self-hosted and configured
to run automated and periodical checks?

~~~
dahfizz
Metasploit? You don't even need to host it (why are we so obsessed with making
everything a website?)

~~~
Godel_unicode
Metasploit isn't the best choice for webapps, you probably want nikto or
similar. Here's the owasp list:
[https://www.owasp.org/index.php/Category:Vulnerability_Scann...](https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools)

------
jamessteel
Wasn’t able to detect what software my site uses; my server name was disabled.

------
meesterdude
I don't need to provide my (potentially vulnerable) production URL to
whoever-you-might-be in order to identify the last 6 months of vulnerabilities - I
can just google for that.

Submitting your site to this is just asking for trouble.

~~~
bogwog
This just seems like a mailing list for CVE alerts for popular software. If
you put in HN, it'll say that it failed to detect the stack, and then ask you
to choose your software and then enter your email to receive alerts.

It's kind of clever marketing, giving people a sense that they're going to get
a security audit in exchange for an email address.

~~~
paulfurley
The first URL I entered (coop.co.uk) was actually pretty awesome, it detected
Varnish and showed a critical CVE from last week. That’s cool.

I hope that if you subscribe, the site regularly rescans your stack and
realises if it’s changed. Otherwise it’s just a mailing list subscription that
becomes out of date and therefore not useful.