Introducing urlscan dot io (for Security+ & CySA+)

BrianFord

  • Jun 26, 2023
    Flagler Beach, FL
    fordsnotes.com
    Fellow Instructors,

    In Security+ and again in CySA+ (and CASP+) students need to understand how the www works. I often use Virustotal dot com to briefly demo how to investigate suspect URLs and files. I found another web-based (free to use) tool that helps explain more. That's urlscan dot io. I should provide a hat tip to some of my SOC colleagues from LinkedIn who have been pointing at this for a few weeks.

    A user submits a URL and urlscan goes off and scans the site. I chose to scan comptia.org.

    The scan returns info about the site and HTTP transactions (with associated response codes). Note CompTIA dot org is being served (to me) via an IPv6 address in the USA. You can show all of the elements that make up a web page. You can show the site certificates and check their expiration. Another great capability is to show the DOM scripts served from the site to the client browser.

    Warning: Make sure that you scan the site in advance and develop your own 'script' about which fields you are going to share with students. There is a ton of info here and you want to avoid having students asking about each and every field.

    That said, I was able to turn this into a short (less than 10 minutes) demo that graphically links different concepts important to the course.

    Enjoy!

    Brian
     
    Thanks Brian
     
    One of my favorite demos that I've been using for a very long time is going to shodan.io and searching the term:
    in-tank

    The result this morning was the identification of 4,521 "results" (3,556 in the US), with many of those results showing fuel levels in tanks along with other information.

    Should the public have access to this information?
     


    I like it! Thanks for sharing!