
More .well-known checks

Open woodruffw opened this issue 6 years ago • 5 comments

.well-known (RFC) is becoming an increasingly popular destination for stashing site-wide metadata. Some of that metadata is relevant to site security or may unintentionally leak information, so we should scan it.

Some starting points:

  • Presence of/interesting things in an MTA-STS policy (RFC)
    • This might be hampered by the fact that the RFC requires this policy to be hosted on a separate subdomain, e.g. mta-sts.example.com/.well-known/mta-sts.txt.
  • Asset links: https://developers.google.com/digital-asset-links/v1/getting-started
  • A number of different things on this list: https://en.wikipedia.org/wiki/List_of_/.well-known/_services_offered_by_webservers

woodruffw avatar Jan 27 '20 00:01 woodruffw
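An added example, not part of the original issue or of the project's own code: a minimal auditor for the body of an `mta-sts.txt` policy, the first check suggested above. The function names, finding codes and the one-day threshold for a short `max_age` are assumptions made for illustration; the field names and the `max_age` ceiling follow RFC 8461.

```python
import re

MAX_AGE_LIMIT = 31557600  # upper bound on max_age set by RFC 8461
SHORT_MAX_AGE = 86400     # assumption: flag policies cached for under a day


def parse_policy(text):
    """Split a policy body into (key, value) pairs; keys such as mx may repeat."""
    pairs = []
    for line in re.split(r"\r?\n", text):
        if ":" in line:
            key, value = line.split(":", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs


def audit_policy(text):
    """Return a sorted list of finding codes (hypothetical names) for one policy."""
    pairs = parse_policy(text)
    first = {}
    for key, value in pairs:
        first.setdefault(key, value)
    mxs = [value for key, value in pairs if key == "mx"]
    findings = set()
    if first.get("version") != "STSv1":
        findings.add("bad-version")
    mode = first.get("mode")
    if mode not in ("enforce", "testing", "none"):
        findings.add("bad-mode")
    elif mode != "enforce":
        findings.add("not-enforcing:" + mode)  # failures are not rejected
    if mode in ("enforce", "testing") and not mxs:
        findings.add("no-mx")
    if any(mx.startswith("*.") for mx in mxs):
        findings.add("wildcard-mx")  # informational: matches any host one label deep
    age = first.get("max_age", "")
    if not re.fullmatch(r"[0-9]+", age) or int(age) > MAX_AGE_LIMIT:
        findings.add("bad-max-age")
    elif int(age) < SHORT_MAX_AGE:
        findings.add("short-max-age")
    return sorted(findings)


# Constructed sample policies, not taken from any real domain.
STRICT = "version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\nmax_age: 604800\r\n"
WEAK = "version: STSv1\nmode: testing\nmx: *.example.net\nmax_age: 300\n"

if __name__ == "__main__":
    for name, body in (("strict", STRICT), ("weak", WEAK)):
        print(name, audit_policy(body))
```

The input is the policy text only; fetching it from the `mta-sts` subdomain mentioned in the issue is left to the caller.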

Hi, I would like to work on this issue as part of Hacktoberfest 2022.

vanjo9800 avatar Oct 01 '22 10:10 vanjo9800

Go for it!

Sent from mobile. Please excuse my brevity.


woodruffw avatar Oct 11 '22 07:10 woodruffw

@vanjo9800 Are you still working on this? If not I'd also like to take a stab at it.

gracefkang avatar Jan 24 '23 01:01 gracefkang

They haven’t responded in over a year, so you should feel free to take it over. Thanks!

Sent from mobile. Please excuse my brevity.


woodruffw avatar Jan 24 '23 02:01 woodruffw