ISO 27001:2022 A.5.17
Authentication information
UnveilScan findings mapped to this control
The scanner emits 10 distinct findings on this control. Scanning a domain shows which of them currently apply to your site, with copy-paste remediation snippets (nginx, Apache, DNS BIND, web-server config).
dns.subdomain_takeover
⏱ 30 min
DNS — Subdomain takeover
Risk if ignored: An attacker claims the dangling CNAME and serves content under YOUR subdomain with a valid certificate. Devastating for phishing.
security, reputational
web.cross_origin_password_form
⏱ 4h
WEB — Cross origin password form
Risk if ignored: Either phishing or compromised template — credentials actively flow to a foreign origin on every submission.
security, legal, reputational
web.leak.aws_credentials
⏱ 1 day
WEB — Leak.aws credentials
Risk if ignored: Your AWS keys are publicly readable. Attackers routinely spin up $20k+ of crypto-miners within minutes of finding these.
security, financial
Also maps to 2 other controls
web.leak.docker_env
⏱ 15 min
WEB — Leak.docker env
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
web.leak.htpasswd
⏱ 15 min
WEB — Leak.htpasswd
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 2 other controls
web.leak.ssh_authorized_keys
⏱ 15 min
WEB — Leak.ssh authorized keys
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
web.leak.ssh_id_dsa
⏱ 15 min
WEB — Leak.ssh id dsa
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 2 other controls
web.leak.ssh_id_rsa
⏱ 2h
WEB — Leak.ssh id rsa
Risk if ignored: SSH private key is downloadable — anyone with the file can log in as that key's owner.
security
Also maps to 2 other controls
web.secrets_in_html
⏱ 4h
WEB — Secrets in html
Risk if ignored: A cloud/SaaS token is visible on every page load. Attackers scrape homepages at scale for exactly this — rotation within hours is the bare minimum.
security, financial, legal
web.wayback.secret
⏱ 15 min
WEB — Wayback.secret
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational