Scope: External web application assessment of zerodaybrief.blog and *.zerodaybrief.blog. Scope covers the static Hugo-generated blog site fronted by Cloudflare CDN, including all public-facing web pages, HTTP headers, DNS configuration, and supporting infrastructure.
Window: 2026-06-26 – 2026-06-26
Limitations: No active nmap port scanning performed (VPN unavailable for raw socket scans). All testing was HTTP/HTTPS-based through the Cloudflare proxy. Origin server IP is hidden behind Cloudflare and was not directly tested.
Assessment conducted following PTES (Penetration Testing Execution Standard).
| Phase | Description | Tools |
|---|---|---|
| Active Reconnaissance | Port scanning and service version detection | nmap |
| Vulnerability Scanning | Automated vulnerability detection using nuclei templates | nuclei |
| Directory Discovery | Web content brute-force discovery of hidden endpoints | ffuf |
| Manual Verification | Hands-on validation of all findings — header inspection, API testing, file access, browser verification | curl, browser inspection |
| Reporting | CVSS 3.1 scoring, finding documentation, metadata creation, PDF report generation | WeasyPrint, Jinja2 |
Timeline: 2026-06-26 – 2026-06-26
Testing Type: Web Application Security Assessment
The /.well-known/http-opportunistic endpoint returns ['http://www.zerodaybrief.blog'], advertising that the site supports HTTP access. While the site correctly enforces HTTPS via 301 redirects and HSTS (max-age=31536000; includeSubDomains), the presence of this endpoint could be leveraged in downgrade attack scenarios if HSTS were somehow bypassed or not yet cached by the client. The practical risk is negligible given the strong TLS enforcement, but this endpoint is unnecessary for a site that fully enforces HTTPS and should be removed to eliminate any ambiguity about transport security expectations.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
curl -s https://www.zerodaybrief.blog/.well-known/http-opportunistic # Returns: ["http://www.zerodaybrief.blog"]
If exploited, limited confidential information is disclosed.
Remove the /.well-known/http-opportunistic endpoint or configure it to return an empty array [] to signal that no HTTP endpoints are available. This endpoint is part of RFC 8164 (HTTP Opportunistic Security) and serves no purpose when the site fully enforces HTTPS with HSTS preloading.
| Control | Status | Value |
|---|---|---|
| TLS | Pass | TLS 1.3 via Cloudflare — HTTPS enforced, valid certificate, HSTS max-age=31536000 with includeSubDomains |
| HSTS | Pass | Strict-Transport-Security: max-age=31536000; includeSubDomains — 1-year pinning, all subdomains covered |
| Content-Security-Policy | Pass | default-src 'self'; script-src 'self' + hash + Cloudflare Insights; style-src 'self' + Google Fonts; frame-ancestors 'none'; form-action 'self' — well-scoped, no unsafe-eval or wildcards |
| X-Frame-Options | Pass | DENY — clickjacking protection enforced at browser level |
| X-Content-Type-Options | Pass | nosniff — prevents MIME-type sniffing attacks |
| Referrer-Policy | Pass | strict-origin-when-cross-origin — referrer data stripped on cross-origin navigation |
| Permissions-Policy | Pass | camera=(), microphone=(), geolocation=() — all sensitive browser features denied |
| Clickjacking Protection | Pass | X-Frame-Options: DENY + CSP frame-ancestors 'none' — dual-layer clickjacking defense |
| SPF | Pass | v=spf1 -all — hard fail policy rejects all email, appropriate for a domain that sends no email |
| DMARC | Pass | No DMARC record found, but domain sends no email (no MX records, SPF hard-fail). DMARC is not needed when no email infrastructure exists. Not a finding. |
| Cloudflare WAF/CDN | Pass | All traffic proxied through Cloudflare — origin IP hidden, DDoS protection, WAF active. CF-Ray headers confirm Cloudflare processing. |
| Non-CDN Port Exposure | Pass | Origin IP hidden behind Cloudflare. No non-CDN ports detected on the proxy IPs (only 443/HTTPS accessible) |
| security.txt | Fail | /.well-known/security.txt returns 404 — no vulnerability disclosure policy or security contact published |
| Directory Listing | Pass | No directory listing enabled on any discovered path — 404s returned cleanly for inaccessible paths |
| HTTP to HTTPS Redirect | Pass | HTTP (port 80) returns 301 redirect to https://www.zerodaybrief.blog/ — all traffic forced to encrypted channel |
| AI Crawler Blocking | Pass | robots.txt blocks GPTBot, ClaudeBot, Google-Extended, Applebot-Extended, Bytespider, CCBot, Amazonbot — comprehensive AI crawler exclusion with Content-Signal directives per EU Directive 2019/790 |
| Category | Critical | High | Medium | Low | Info | Total |
|---|---|---|---|---|---|---|
| Transport Security | 0 | 0 | 0 | 0 | 1 | 1 |
Severity timeframes: Critical — immediate | High — this week | Medium — within 30 days | Low — next maintenance cycle
No nmap scan performed — VPN unavailable. HTTP-based testing conducted through Cloudflare proxy.
Nuclei scanned exposures, misconfigurations, and vulnerabilities templates. One info-level finding: missing X-Permitted-Cross-Domain-Policies header (not reported — obsolete header for Flash/Silverlight).
1 screenshot captured during testing.
Directory: engagements/zerodaybrief-2026-06-26/screenshots/
| # | Filename |
|---|---|
| 1 | F-001-http-opportunistic.png |
| CVSS | Common Vulnerability Scoring System |
| CWE | Common Weakness Enumeration |
| PTES | Penetration Testing Execution Standard |
| WAF | Web Application Firewall |
Until this page is signed, this document is triage output, not a final report. Each finding must be reviewed, verified against ground truth, and either confirmed or marked as a false positive. Only findings marked CONFIRMED represent actionable vulnerabilities.
| ID | Finding | Confidence | Status | Verified by | Notes |
|---|---|---|---|---|---|
| F-001 | HTTP Opportunistic Encryption Endpoint Advertises HTTP Access | Single tool, awaiting review | DRAFT | _________________ | _________________ |
Reviewer signature: _________________________
Date: ____________________
ZER-SEC-2026-177 · 2026-06-26
Confidential · Prepared by Niel