
Identity Systems

5 automated security scanners


Purpose: The purpose of the Federation Security Scanner is to analyze identity federation security by detecting federated SSO implementations, testing for SAML/OAuth federation exposure, checking for identity provider integration, identifying federation protocol vulnerabilities, and detecting weaknesses in federated authentication that could enable token theft or authentication bypass.

What It Detects:

  • Federation Protocol Detection: Identifies SAML federation endpoints, detects OAuth/OIDC federation, checks for WS-Federation implementation, tests for federation metadata exposure, and flags any federation protocol indicators.
  • Identity Provider Integration: Checks for enterprise IdP integration, detects social identity provider usage, verifies multi-IdP support, tests for IdP discovery endpoints, and enumerates the supported IdPs.
  • Federation Metadata Exposure: Checks for SAML metadata endpoints, detects federation configuration disclosure, verifies trust relationship exposure, tests for certificate disclosure, and identifies federation entity IDs.
  • Federation Technology Stack: Identifies federation platforms (Okta, Auth0, Ping), detects ADFS deployment, checks for Shibboleth usage, tests for custom federation implementation, and verifies federation vendor fingerprints.
  • Federation Security Indicators: Tests for assertion encryption claims, checks for signature validation references, verifies relay state protection, detects federation security controls, and identifies federation best practices.
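The metadata and security-indicator checks above come down to parsing the SAML 2.0 metadata document a federation endpoint publishes and reading off the entity ID, endpoints, published keys and signing flags. The following is an added example of that parsing step; it is not the scanner's own code. The two metadata documents, the `example.test` host names and the certificate body are constructed placeholders, and the severity labels are this example's own choices rather than the scanner's.

```python
"""Parse SAML 2.0 metadata and derive the federation indicators a scanner
reports on (entity ID, endpoints, published keys, signing requirements).
Added example, not the scanner's own code."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample IdP metadata; host names and certificate body are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBplaceholderCertBody=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample SP metadata with a plain-HTTP ACS and no encryption key.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://app.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBplaceholderCertBody=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://app.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_metadata(xml_text: str) -> dict:
    # xml.etree does not fetch external entities; for untrusted metadata also use
    # defusedxml.ElementTree so entity-expansion (billion laughs) input is rejected.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "roles": [], "endpoints": [],
            "signing_certs": 0, "encryption_certs": 0, "flags": {}}
    for role in ("IDPSSODescriptor", "SPSSODescriptor"):
        for desc in root.findall("md:" + role, NS):
            info["roles"].append(role)
            for kd in desc.findall("md:KeyDescriptor", NS):
                use = kd.get("use")  # no 'use' attribute means the key serves both purposes
                if use in (None, "signing"):
                    info["signing_certs"] += 1
                if use in (None, "encryption"):
                    info["encryption_certs"] += 1
            for ep_name in ("SingleSignOnService", "AssertionConsumerService", "SingleLogoutService"):
                for ep in desc.findall("md:" + ep_name, NS):
                    binding = (ep.get("Binding") or "").replace(BINDING_PREFIX, "")
                    info["endpoints"].append((ep_name, binding, ep.get("Location")))
            for attr in ("WantAuthnRequestsSigned", "AuthnRequestsSigned", "WantAssertionsSigned"):
                if desc.get(attr) is not None:
                    info["flags"][attr] = desc.get(attr).lower() == "true"
    return info


def assess(info: dict) -> list:
    """Turn parsed metadata into indicator findings (severity labels are illustrative)."""
    findings = []
    for name, _binding, loc in info["endpoints"]:
        if loc and not loc.lower().startswith("https://"):
            findings.append("HIGH: %s endpoint not served over TLS: %s" % (name, loc))
    if info["signing_certs"] == 0:
        findings.append("HIGH: no signing certificate published; peers cannot validate signatures")
    if "SPSSODescriptor" in info["roles"]:
        if not info["flags"].get("WantAssertionsSigned", False):
            findings.append("MEDIUM: SP does not declare WantAssertionsSigned; confirm it "
                            "still validates the Response signature")
        if not info["flags"].get("AuthnRequestsSigned", False):
            findings.append("LOW: SP does not sign AuthnRequests")
        if info["encryption_certs"] == 0:
            findings.append("LOW: SP publishes no encryption key, so it cannot receive encrypted assertions")
    if "IDPSSODescriptor" in info["roles"] and not info["flags"].get("WantAuthnRequestsSigned", False):
        findings.append("LOW: IdP accepts unsigned AuthnRequests")
    return findings


if __name__ == "__main__":
    for doc in (SAMPLE_IDP_METADATA, SAMPLE_SP_METADATA):
        parsed = parse_metadata(doc)
        print(parsed["entity_id"], parsed["roles"], assess(parsed))
```

The signing certificate in metadata is meant to be public, which is why its presence is not a finding here; the actionable indicators are a missing signing key, plain-HTTP endpoints, and an SP that does not state it wants signed assertions (the latter needs a follow-up check of how the SP validates the Response, since the assertion may be covered by a Response-level signature).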

Inputs Required:

  • domain (string): Fully qualified domain name (e.g., ekkatha.com)

Business Impact: Identifying and assessing the risks in federated SSO helps organizations protect their authentication mechanisms against token theft, unauthorized access, and targeted attacks. Because many applications trust the same identity provider, a weakness in the federation layer affects all of them at once.

Risk Levels:

  • Critical: Federation metadata that discloses more than relying parties need (for example internal endpoint hostnames or the full set of trusted partners), SAML assertions exposed in a form that allows token manipulation, OAuth federation weaknesses that allow token theft, and disclosure of IdP trust relationships that aids targeted attacks. SAML metadata and the signing certificate in it are designed to be published, so metadata exposure on its own is not critical; what the metadata reveals beyond that determines the rating.
  • High: Exposure of federation endpoints and significant vulnerabilities in federated authentication protocols.
  • Medium: Gaps in federation security controls and endpoints that permit enumeration of users, IdPs, or relying parties.
  • Low: Informational findings about assertion encryption claims, signature validation references, and relay state protection.
  • Info: The list of supported IdPs and confirmation that a trust relationship exists, without its configuration details.


Example Findings: The scanner might flag that a public SAML metadata endpoint is exposed, allowing for configuration details to be accessed by unauthorized parties, or it could detect an OAuth implementation where token theft vulnerabilities exist.


Purpose: The Identity Governance Scanner is a tool designed to analyze and assess the identity governance practices of an organization. It aims to identify various aspects such as IGA platform deployment, access certification processes, role-based access control (RBAC) implementation, identity lifecycle management, and weaknesses in access controls that could indicate poor governance practices.

What It Detects:

  • IGA Platform Detection: Identifies the presence of identity governance platforms and detects the specific vendors deployed.
  • Access Certification Indicators: Checks for processes related to reviewing and certifying access, including detection of certification campaigns and schedules.
  • RBAC Implementation: Evaluates the use of RBAC within the organization, identifying role assignments, role-mining claims, and role hierarchy exposure.
  • Identity Lifecycle Management: Assesses the effectiveness of automated provisioning and deprovisioning workflows to prevent orphaned accounts.

Inputs Required:

  • domain (string): The fully qualified domain name (e.g., ekkatha.com) which is essential for scanning various endpoints and analyzing web content related to identity governance practices.

Business Impact: Identifying weak points in an organization’s identity governance can significantly impact its security posture, potentially leading to unauthorized access, compliance issues, and loss of sensitive information. Properly managing these aspects is crucial for maintaining a secure and compliant environment.

Risk Levels:

  • Critical: A publicly reachable IGA platform that exposes access-control detail, which indicates significant maturity gaps in access control practices.
  • High: Exposed certification processes indicate inadequate review frequency and potential vulnerabilities that could be exploited.
  • Medium: RBAC implementation details, such as role hierarchy exposure, may lead to privilege escalation risks.
  • Low: Minor issues related to identity lifecycle management might not directly affect security but are indicative of broader governance practices that could improve over time.
  • Info: Informational findings regarding IGA vendors and access governance platforms highlight the technology stack used but do not pose immediate risk.


Example Findings:

  1. The organization runs a publicly reachable Identity Governance platform over plain HTTP that exposes detailed access control information.
  2. Access certification processes are manual and lack automated attestation mechanisms, increasing review fatigue and potential policy evasion risks.



Purpose: The Privileged Access Management Scanner is designed to assess the security posture of an organization by evaluating its privileged access management practices. It aims to identify and analyze various aspects of PAM (Privileged Access Management) including platform deployment, credential exposure, session management controls, just-in-time access mechanisms, and weaknesses in privileged access controls that could lead to unauthorized access or theft of credentials.

What It Detects:

  • PAM Platform Detection: Identifies the presence of privileged access management platforms used by an organization. This includes detecting specific vendors such as CyberArk, BeyondTrust, Delinea, HashiCorp Vault, and Wallix.
  • Privileged Credential Management: Checks for references to credential vaults, password rotation policies, and other mechanisms that manage sensitive information.
  • Privileged Session Management: Evaluates session monitoring, recording, and isolation features to prevent unauthorized access through compromised sessions.
  • Just-in-Time Access: Assesses the effectiveness of just-in-time (JIT) access controls and ephemeral credentials used for temporary elevated privileges.
  • PAM Technology Stack: Identifies specific vendors and technologies deployed for privileged access management, such as PAM vaults and bastion/jump servers.

Inputs Required:

  • domain (string): A fully qualified domain name (e.g., ekkatha.com) that represents the target organization’s network. This input is essential for directing the scanner to the correct endpoint for analysis.

Business Impact: The exposure of privileged access management practices can lead to significant security risks, including unauthorized access to sensitive information, credential theft, and easier lateral movement within an organization’s network. Properly managing PAM practices is crucial for maintaining a secure environment against both internal and external threats.

Risk Levels:

  • Critical: Public disclosure of privileged credentials or session management weaknesses that allow persistent access without explicit permission.
  • High: Exposure of the specific vendor technologies used for privileged access, which lets adversaries target known weaknesses of those products.
  • Medium: Weaknesses in credential management systems that may lead to the compromise of sensitive information over time.
  • Low: Minimal impact findings such as references to bastion hosts or jump servers without explicit evidence of deployment.
  • Info: Evidence that a privileged access platform is in use, which identifies the technology stack but does not by itself indicate a weakness.

Example Findings:

  1. The organization uses CyberArk for privileged access management, indicating a potential risk if the platform is publicly accessible and exposes sensitive information.
  2. Weak session management practices allow unauthorized users to maintain persistent access even after their initial privileges have been revoked.



Purpose: The Directory Service Security Scanner is designed to assess and report on the security posture of directory services within an organization. It aims to identify potential vulnerabilities and risks associated with LDAP/Active Directory exposure, such as public endpoints enabling user enumeration, unprotected LDAP allowing credential harvesting, and exposed directory structures revealing organizational hierarchy.

What It Detects:

  • LDAP Service Detection: Identifies the presence of LDAP endpoints, detects Active Directory references, checks for directory service ports, tests for LDAP protocol indicators, and flags directory service accessibility.
  • Directory Enumeration Risk: Checks for anonymous LDAP bind, detects user enumeration endpoints, verifies directory query interfaces, tests for group enumeration exposure, and identifies organizational unit disclosure.
  • Directory Technology Stack: Identifies Active Directory deployment, detects OpenLDAP usage, checks for Azure AD integration, tests for FreeIPA deployment, and verifies directory vendor fingerprints.
  • Authentication Integration: Checks for LDAP authentication endpoints, detects Kerberos service indicators, verifies NTLM authentication exposure, tests for SASL mechanism disclosure, and identifies bind authentication methods.
  • Directory Information Leakage: Tests for schema disclosure, checks for naming context exposure, verifies root DSE accessibility, detects directory metadata leakage, and identifies directory service configuration.
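The anonymous-bind, rootDSE and SASL-mechanism checks above can be reproduced with a few bytes of raw LDAP. The following is an added example, not the scanner's own code: it hand-encodes an LDAPv3 anonymous simple bind in BER, decodes the server's BindResponse, and interprets rootDSE attributes. The two BindResponse messages and the rootDSE attribute set are constructed sample input; `probe_anonymous_bind` is the only function that touches the network, and the naming context `DC=corp,DC=example,DC=test` is a placeholder.

```python
"""Raw LDAPv3 anonymous simple-bind probe (BER hand-encoded, no ldap library)
and a rootDSE attribute assessor. Added example, not the scanner's own code."""
import socket


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def bind_request(message_id: int = 1, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage{messageID, BindRequest [APPLICATION 0]{version 3, name, simple [0]}}.
    An empty name with an empty password is an anonymous bind (RFC 4513 section 5.1.1)."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


RESULT_CODES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                48: "inappropriateAuthentication", 49: "invalidCredentials",
                53: "unwillingToPerform"}  # RFC 4511 section 4.1.9


def make_bind_response(message_id: int, code: int, diagnostic: str = "") -> bytes:
    """Constructed BindResponse [APPLICATION 1], used here as offline sample input."""
    result = _tlv(0x0A, bytes([code])) + _tlv(0x04, b"") + _tlv(0x04, diagnostic.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x61, result))


def parse_bind_response(data: bytes) -> dict:
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    op_tag, result, _ = _read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(result, 0)        # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(result, pos)
    _, diag, _ = _read_tlv(result, pos)
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": rc,
            "result": RESULT_CODES.get(rc, "code %d" % rc),
            "diagnostic": diag.decode(errors="replace"),
            "anonymous_bind_accepted": rc == 0}


def probe_anonymous_bind(host: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Live check (network): send the anonymous bind and decode the answer.
    'success' means the directory accepts anonymous binds; what such a session
    may then read still has to be tested with a search."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request())
        return parse_bind_response(s.recv(4096))


def assess_root_dse(attrs: dict) -> list:
    """Flag what an anonymously readable rootDSE reveals. attrs maps attribute
    name to a list of values, as a base-scope search on "" returns them."""
    findings = []
    for nc in attrs.get("namingContexts", []):
        findings.append("LOW: naming context exposed: %s" % nc)
    if "2" in attrs.get("supportedLDAPVersion", []):
        findings.append("LOW: legacy LDAPv2 still advertised")
    mechs = attrs.get("supportedSASLMechanisms", [])
    if "PLAIN" in mechs or "LOGIN" in mechs:
        findings.append("MEDIUM: plaintext SASL mechanism offered; safe only under TLS")
    if "GSSAPI" in mechs or "GSS-SPNEGO" in mechs:
        findings.append("INFO: Kerberos (GSSAPI/SPNEGO) authentication integration")
    return findings


if __name__ == "__main__":
    print(bind_request().hex())
    print(parse_bind_response(make_bind_response(1, 53, "anonymous bind disallowed")))
```

A `success` result code on the anonymous bind is only half the check: Active Directory accepts the bind itself and exposes the rootDSE to it by design, while restricting other reads, whereas a server that returns `unwillingToPerform` or `inappropriateAuthentication` has refused anonymous access outright. The enumeration risk is therefore decided by a follow-up anonymous search against the naming contexts, not by the bind alone.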

Inputs Required:

  • domain (string): Fully qualified domain name (e.g., ekkatha.com)

Business Impact: Directory service exposure poses significant security risks as it can lead to unauthorized access, credential harvesting, reconnaissance, and the revelation of organizational hierarchy. This can severely impact an organization’s privacy and integrity.

Risk Levels:

  • Critical: Exposure of public LDAP endpoints enabling user enumeration or unprotected LDAP allowing credential harvesting.
  • High: Exposed directory structures revealing organizational hierarchy or anonymous bind vulnerabilities enabling reconnaissance.
  • Medium: Directory service fingerprints aiding targeted attacks or authentication integration weaknesses that could lead to unauthorized access.
  • Low: Informational findings such as schema disclosure, naming context exposure, or minor configuration issues in the directory service. The rootDSE and naming contexts are readable anonymously by design on most directories, Active Directory included, so these findings matter for what they reveal about the environment rather than as weaknesses in themselves.

Example Findings:

  1. A publicly disclosed LDAP endpoint allows for user enumeration and potential harvesting of credentials.
  2. Unprotected LDAP interfaces enable anonymous bind, facilitating reconnaissance activities against the organization.


Purpose: The Password Management Scanner is designed to assess the security of password management practices on a given domain. It aims to identify and analyze various aspects such as platform detection, policy exposure, self-service password reset vulnerabilities, technology used for vault deployment, and weaknesses in overall password security that could lead to credential compromise.

What It Detects:

  • Password Management Platform Detection: Identifies the presence of various password management platforms including CyberArk, Thycotic (now part of Delinea), HashiCorp Vault, Keeper, and LastPass Enterprise.
  • Password Policy Exposure: Checks for details about password complexity, length, expiration policies, and history rules that might be disclosed publicly.
  • Self-Service Password Reset: Detects the presence of self-service password reset (SSPR) portals and evaluates their security features such as authentication methods and account recovery processes.
  • Password Vault Technology: Verifies the specific vendors used for vault deployment and tests claims about password rotation and access methods.
  • Password Security Controls: Assesses the implementation of multi-factor authentication during password resets, monitors compromised passwords, checks for strength meters, and identifies any security features in place to protect password integrity.
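Policy exposure is the one of these checks that is easy to quantify: once an attacker has the published rules, every candidate password that the policy would reject can be dropped before a single guess is spent. The following is an added example, not the scanner's own code; the help text, the candidate list and the severity labels are constructed for illustration, and the regular expressions cover only the phrasings in that sample.

```python
"""Recover a password policy from public help text and measure how much it
narrows an attacker's candidate list. Added example, not the scanner's own code."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class PasswordPolicy:
    min_length: int = 0
    max_length: Optional[int] = None
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_symbol: bool = False
    expiry_days: Optional[int] = None


# Constructed sample of the help text a scanner finds on a login or reset page.
SAMPLE_HELP_TEXT = """
Password requirements: your password must be between 8 and 16 characters and
contain at least one uppercase letter, one number and one special character.
Passwords expire every 90 days.
"""

# Constructed candidate list of the kind used for password spraying.
SAMPLE_CANDIDATES = ["password", "Password1", "Summer2024!", "Welcome1!",
                     "qwerty", "Company123", "Spring2024!", "letmein!"]


def extract_policy(text: str) -> PasswordPolicy:
    t = " ".join(text.lower().split())  # collapse newlines and runs of whitespace
    p = PasswordPolicy()
    m = re.search(r"between (\d+) and (\d+) characters", t)
    if m:
        p.min_length, p.max_length = int(m.group(1)), int(m.group(2))
    else:
        m = re.search(r"(?:at least|minimum(?: of)?) (\d+) characters", t)
        if m:
            p.min_length = int(m.group(1))
    p.require_upper = bool(re.search(r"upper-?\s?case", t))
    p.require_lower = bool(re.search(r"lower-?\s?case", t))
    p.require_digit = bool(re.search(r"\b(?:number|numeral|digit)\b", t))
    p.require_symbol = bool(re.search(r"special character|symbol|punctuation", t))
    m = re.search(r"expires? every (\d+) days", t)
    if m:
        p.expiry_days = int(m.group(1))
    return p


def complies(password: str, p: PasswordPolicy) -> bool:
    """True when the policy would accept this password."""
    return all([
        len(password) >= p.min_length,
        p.max_length is None or len(password) <= p.max_length,
        not p.require_upper or any(c.isupper() for c in password),
        not p.require_lower or any(c.islower() for c in password),
        not p.require_digit or any(c.isdigit() for c in password),
        not p.require_symbol or any(not c.isalnum() for c in password),
    ])


def prune_candidates(candidates, p: PasswordPolicy) -> list:
    """Keep only candidates the policy accepts: the pruning a disclosed policy
    lets an attacker do before spending lockout budget on a spray."""
    return [c for c in candidates if complies(c, p)]


def assess_policy(p: PasswordPolicy) -> list:
    """Findings about the policy itself (severity labels are illustrative)."""
    findings = []
    if p.min_length < 8:
        findings.append("HIGH: minimum length below 8")
    if p.max_length is not None and p.max_length < 64:
        findings.append("LOW: maximum length %d blocks long passphrases" % p.max_length)
    if p.expiry_days is not None:
        findings.append("LOW: forced rotation every %d days (NIST SP 800-63B advises "
                        "against periodic expiry absent evidence of compromise)" % p.expiry_days)
    return findings


if __name__ == "__main__":
    policy = extract_policy(SAMPLE_HELP_TEXT)
    kept = prune_candidates(SAMPLE_CANDIDATES, policy)
    print(policy)
    print("%d of %d candidates survive the policy: %s" % (len(kept), len(SAMPLE_CANDIDATES), kept))
    print(assess_policy(policy))
```

On the sample text the disclosed rules cut the eight-entry list to three, which is the effect the Business Impact paragraph describes: the policy does not stop the attack, it tells the attacker which guesses are worth the lockout budget.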

Inputs Required:

  • domain (string): Fully qualified domain name (e.g., ekkatha.com) that represents the target organization’s website or service.

Business Impact: Password management exposure can significantly impact an organization’s security posture by facilitating brute force attacks, unauthorized access to accounts, and potential compromise of sensitive user credentials. Publicly disclosed password policies can guide attackers in launching more effective attacks, while SSPR vulnerabilities can lead to account takeover scenarios.

Risk Levels:

  • Critical: Password policy requirements are publicly disclosed, letting an attacker tune password spraying and dictionary attacks to the exact length, complexity, and rotation rules in force.
  • High: Exposed reset mechanisms allow for potential account takeover through unauthorized access points.
  • Medium: Weaknesses in password security controls might not effectively prevent credential compromise even if the primary authentication is strong.
  • Low: Platform fingerprints and policy references with no evident weakness; they warrant periodic re-checking rather than immediate action.
  • Info: Informational findings regarding potential improvements or configurations that could enhance overall password security without immediate risk.

Example Findings:

  1. The organization’s website discloses detailed information about its password policy, including minimum character requirements and expiration intervals, which lets attackers discard candidate passwords the policy would never accept and concentrate guesses on compliant ones.
  2. The SSPR portal does not enforce strong authentication methods, allowing for potential unauthorized access through social engineering or other means.
