External reconnaissance and vulnerability assessment for Novatech, Inc.
An external security reconnaissance of novatech.net was conducted on March 16, 2026. The assessment examined the site's SSL/TLS configuration, HTTP security headers, DNS records, email authentication, subdomain exposure, and technology stack from an unauthenticated external perspective.
The site runs WordPress on Apache with ModSecurity WAF protection, which is a strong positive finding. However, critical gaps exist in HTTP security headers -- the site lacks HSTS, Content Security Policy, and X-Frame-Options, leaving it vulnerable to clickjacking, protocol downgrade attacks, and content injection. The large subdomain surface (84+ subdomains) exposes internal infrastructure names including FortiGate firewalls, UniFi controllers, cPanel, and Remote Desktop Services.
Findings from the assessment, with the recommended remediation for each:

- Missing HSTS header. Without it, connections can be downgraded from HTTPS to plain HTTP. Recommendation: add Strict-Transport-Security: max-age=31536000; includeSubDomains; preload to the Apache config.
- Missing Content-Security-Policy. Recommendation: start with Content-Security-Policy: default-src 'self'; script-src 'self' cdn-ljfbp.nitrocdn.com www.googletagmanager.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; deploy it in report-only mode first and iterate.
- Missing X-Frame-Options, leaving pages open to clickjacking. Recommendation: add X-Frame-Options: DENY or SAMEORIGIN to the Apache config.
- Missing X-Content-Type-Options. Without nosniff, browsers may MIME-sniff responses and execute uploaded files as scripts, enabling stored XSS through file upload features. Recommendation: add X-Content-Type-Options: nosniff to the Apache config.
- Sensitive subdomain names are exposed in public Certificate Transparency logs: forti.novatech.net (FortiGate firewall), dbc-unifi.novatech.net (UniFi controller), cpanel.novatech.net, rds.novatech.net (Remote Desktop), test.novatech.net, old.novatech.net. These names reveal internal architecture to attackers.
- The SPF record carries many include: directives (Outlook, Salesforce, HubSpot, SendGrid, Mailgun, ConnectWise, UltiPro, plus 8 IP addresses). SPF has a hard 10-lookup limit -- exceeding it causes SPF validation failures, meaning spoofed emails may pass through. Recommendation: audit and consolidate the record to reduce the lookup count.
- DMARC is set to p=quarantine at 100% enforcement. While better than none, spoofed emails are quarantined rather than rejected outright, meaning some may still reach recipients' spam folders. Recommendation: move to p=reject to fully block spoofed emails.
- Missing Referrer-Policy, allowing URL parameters to leak to third parties. Recommendation: add Referrer-Policy: strict-origin-when-cross-origin to the Apache config.
- Missing Permissions-Policy. Recommendation: add Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=() to restrict unused browser APIs.
- Malformed robots.txt entry: Disallow: /portal.novatech.net/ treats a subdomain as a path. This has no effect (crawlers will still index portal.novatech.net) and reveals the existence of an internal portal to anyone reading robots.txt.
- Certificate renewal (Let's Encrypt). Recommendation: verify the auto-renewal process with certbot renew --dry-run and set up monitoring for certificate expiration.
- No /.well-known/security.txt file exists. This RFC 9116 standard file provides security researchers a way to report vulnerabilities responsibly. Recommendation: add /.well-known/security.txt.
- The Server header reports Server: Apache without version information. This is a positive finding -- version disclosure helps attackers identify known vulnerabilities.

Positive security controls observed:

| Control | Status | Details |
|---|---|---|
| ModSecurity WAF | Active | Blocks suspicious requests (406 response with signature detection). Rate-limiting observed after burst scanning. |
| TLS Configuration | Strong | TLSv1.3 with AES-256-GCM-SHA384 cipher suite. No weak protocols detected. |
| HTTP to HTTPS Redirect | Enabled | 301 redirect from HTTP to HTTPS is properly configured. |
| Server Version Hiding | Yes | Apache version number is not disclosed in headers. |
| .htaccess Protection | Yes | Returns 403 Forbidden (direct Apache block, not WAF). |
| DMARC Enforcement | Active | p=quarantine at 100% with reporting to sdmarc.net. |
| SPF Record | Present | Comprehensive SPF with -all (hard fail). Covers all known sending services. |
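The header gaps listed in the findings can be re-verified after the Apache changes are deployed. The checker below is an added example, not part of the original report; its check names and helper functions are my own, and the SAMPLE header set is constructed to mirror the report's observations rather than captured output.

```python
import re
import urllib.request

MIN_HSTS_AGE = 31536000  # one year, as recommended in the findings


def _max_age(value: str) -> int:
    m = re.search(r"max-age=(\d+)", value, re.I)
    return int(m.group(1)) if m else 0


# Header -> predicate that returns True when the value meets the recommendation.
CHECKS = {
    "Strict-Transport-Security": lambda v: _max_age(v) >= MIN_HSTS_AGE,
    "Content-Security-Policy": lambda v: "default-src" in v.lower(),
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Referrer-Policy": lambda v: v.strip().lower() == "strict-origin-when-cross-origin",
    "Permissions-Policy": lambda v: bool(v.strip()),
}


def audit_headers(headers: dict) -> dict:
    """Map each recommended header to 'ok', 'weak', 'missing' or 'report-only'."""
    lower = {k.lower(): v for k, v in headers.items()}
    result = {}
    for name, meets in CHECKS.items():
        value = lower.get(name.lower())
        if value is None:
            # A CSP deployed in report-only mode is progress, not absence.
            ro = name == "Content-Security-Policy" and "content-security-policy-report-only" in lower
            result[name] = "report-only" if ro else "missing"
        else:
            result[name] = "ok" if meets(value) else "weak"
    # Any digit in the Server header means a version number is being disclosed.
    result["Server"] = "version disclosed" if re.search(r"\d", lower.get("server", "")) else "ok"
    return result


def fetch_headers(url: str) -> dict:
    """Fetch response headers for a site you are authorized to assess."""
    with urllib.request.urlopen(urllib.request.Request(url, method="HEAD")) as resp:
        return dict(resp.headers.items())


# Constructed sample reflecting the report: Apache without a version, no hardening headers.
SAMPLE = {"Server": "Apache", "Content-Type": "text/html; charset=UTF-8"}

if __name__ == "__main__":
    for header, status in audit_headers(SAMPLE).items():
        print(f"{header}: {status}")
```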
Technology stack identified:

| Layer | Technology |
|---|---|
| Web Server | Apache (version hidden) |
| CMS | WordPress |
| WAF | ModSecurity |
| SSL | Let's Encrypt (TLSv1.3) |
| CDN / Optimization | NitroPack (cdn-ljfbp.nitrocdn.com) |
| SEO | Yoast SEO |
| Forms | Gravity Forms |
| Knowledge Base | Echo Knowledge Base (epkb) |
| Analytics | Google Tag Manager |
| Email Security | Proofpoint PPE (MX) |
| CRM | Salesforce / Pardot |
| Marketing | HubSpot |
| DNS Registrar | GoDaddy (domaincontrol.com) |
| Firewall | FortiGate (forti.novatech.net) |
| Networking | UniFi (dbc-unifi.novatech.net) |
Source: Certificate Transparency logs (crt.sh). Highlighted entries indicate potentially sensitive infrastructure.
DNS records for novatech.net:

| Record | Value |
|---|---|
| A | 144.208.68.255 |
| AAAA | None (no IPv6) |
| NS | ns61.domaincontrol.com, ns62.domaincontrol.com |
| MX | mx1-us1.ppe-hosted.com, mx2-us1.ppe-hosted.com (priority 5) |
| SPF | v=spf1 with includes for: Proofpoint, Outlook, Salesforce, HubSpot, SendGrid, Mailgun, ConnectWise, UltiPro + 8 IP addresses. Hard fail (-all). |
| DMARC | v=DMARC1; p=quarantine; pct=100; fo=1 with RUA/RUF reporting to sdmarc.net |
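The SPF finding turns on the 10-lookup limit, which counts nested include: records as well as the top-level terms. The counter below is an added example, not part of the report; the RECORDS table is a constructed stand-in for the real SPF chain (placeholder .example domains, not the actual include hostnames), built to show how eight includes can exceed the limit once nesting is counted.

```python
LOOKUP_TERMS = ("a", "mx", "ptr", "exists")  # mechanisms that each cost one DNS lookup
LIMIT = 10                                    # hard limit from RFC 7208


def _parse_term(term: str):
    """Return (mechanism-or-modifier name, argument) for one SPF term."""
    term = term.lstrip("+-~?")               # drop qualifier
    if "=" in term:                           # modifier, e.g. redirect=domain
        name, arg = term.split("=", 1)
    elif ":" in term:                         # mechanism with argument, e.g. include:domain
        name, arg = term.split(":", 1)
    else:
        name, arg = term, ""
    return name.split("/")[0].lower(), arg.split("/")[0]   # strip CIDR suffixes


def spf_lookup_count(domain: str, records: dict, depth: int = 0) -> int:
    """Count DNS lookups a receiver performs evaluating the SPF record for domain.
    records maps domain -> SPF text; includes whose record is unknown cost only
    their own lookup. Recursion is capped at 10 to mirror the evaluation limit."""
    record = records.get(domain)
    if record is None or depth > 10:
        return 0
    count = 0
    for term in record.split()[1:]:           # skip the v=spf1 version tag
        name, arg = _parse_term(term)
        if name in ("include", "redirect"):
            count += 1 + spf_lookup_count(arg, records, depth + 1)
        elif name in LOOKUP_TERMS:
            count += 1                        # ip4/ip6/all cost nothing
    return count


def spf_over_limit(domain: str, records: dict) -> bool:
    return spf_lookup_count(domain, records) > LIMIT


# Constructed chain: eight includes like the report describes, two of which nest further.
RECORDS = {
    "novatech.example": ("v=spf1 include:proofpoint.example include:outlook.example "
                         "include:salesforce.example include:hubspot.example include:sendgrid.example "
                         "include:mailgun.example include:connectwise.example include:ultipro.example "
                         "ip4:192.0.2.10 ip4:192.0.2.11 -all"),
    "outlook.example": "v=spf1 include:spf-a.outlook.example include:spf-b.outlook.example -all",
    "salesforce.example": "v=spf1 mx a:mail.salesforce.example -all",
}

if __name__ == "__main__":
    print("lookups:", spf_lookup_count("novatech.example", RECORDS), "over limit:", spf_over_limit("novatech.example", RECORDS))
```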
Recommended actions, in priority order:

| # | Action | Impact |
|---|---|---|
| 1 | Add HSTS header to Apache config | Prevents protocol downgrade attacks |
| 2 | Add X-Frame-Options: DENY | Prevents clickjacking |
| 3 | Add X-Content-Type-Options: nosniff | Prevents MIME-sniffing attacks |
| 4 | Add Referrer-Policy: strict-origin-when-cross-origin | Prevents URL parameter leakage |
| # | Action | Impact |
|---|---|---|
| 5 | Implement Content-Security-Policy (start in report-only mode) | XSS mitigation layer |
| 6 | Audit and consolidate SPF record (reduce lookup count) | Prevents email delivery failures |
| 7 | Fix malformed robots.txt entry for portal.novatech.net | Reduces information disclosure |
| 8 | Add Permissions-Policy header | Restricts browser API access |
| # | Action | Impact |
|---|---|---|
| 9 | Switch to wildcard SSL certs to reduce CT log exposure | Hides subdomain names from public logs |
| 10 | Decommission unused subdomains (test, old) | Reduces attack surface |
| 11 | Upgrade DMARC from quarantine to reject | Full email spoofing protection |
| 12 | Add security.txt file | Responsible disclosure channel |
| 13 | Verify SSL auto-renewal process | Prevents certificate expiration outage |
| 14 | Restrict DNS for internal services to private resolvers | Hides infrastructure details |
This assessment was performed from an external, unauthenticated perspective using publicly available information and standard reconnaissance techniques. It does not constitute a full penetration test. No exploitation of vulnerabilities was attempted. Findings are based on data available at the time of assessment and may change as the target environment evolves. This report is confidential and intended solely for the authorized recipient.