Finance, Tax and Social Security | Ecuador

Summary

Scope: Passive reconnaissance on 8 Ecuadorian government domains handling financial data, tax records, social security, and customs declarations. Method: HTTP probing via WebFetch -- homepage analysis, sensitive path enumeration, WordPress REST API discovery, user enumeration, Liferay service enumeration.

CROSS-DOMAIN FINDINGS SUMMARY (Ranked by Severity)

CRITICAL

#	Domain	Finding	Impact
1	sri.gob.ec	Liferay JSONWS API catalog publicly exposed at `/api/jsonws` -- lists hundreds of backend service methods including User, Organization, Document Library, Permission, Password Policy, and Export/Import services	Full API surface map for Ecuador's tax authority. Methods require auth but attackers have a complete catalog to target credential-stuffing, token reuse, or session hijacking against specific endpoints handling citizen tax PII
2	aduana.gob.ec	WordPress REST API user enumeration at `/wp-json/wp/v2/users` -- returns 8 users including `oraculo` (ID 1, admin account), plus full names and slugs for 7 staff members	Enables targeted brute-force against known usernames. The `oraculo` admin account is a shared vendor/service account (see cross-domain pattern below)
3	seps.gob.ec	WordPress REST API user enumeration returns 3 users: `admins3ps2021`, `simbiontec`, `inhuman_ec` -- admin account name contains year "2021" suggesting password rotation may follow similar patterns	Admin username leaks year-based naming convention. `simbiontec` and `inhuman_ec` appear to be external contractor accounts

HIGH

#	Domain	Finding	Impact
4	superbancos.gob.ec	Apache Tomcat default page exposed on CAS authentication server at `cas.superbancos.gob.ec:8443` -- confirms Tomcat installation with default config, manager webapp references	The Banking Superintendency's central authentication server exposes its technology stack. Default Tomcat pages indicate incomplete hardening of a security-critical system
5	sri.gob.ec	Liferay portal configuration leak via `Liferay.ThemeDisplay` -- exposes Company ID (20101), Group IDs (20128, 34937), User ID (20105), control panel paths, session timeout (900s)	Internal portal structure mapped. IDs can be used to craft targeted API calls against the JSONWS endpoints
6	iess.gob.ec	WordPress 5.7 detected (via emoji script version) -- this version is from March 2021, nearly 5 years old	Social Security Institute handling PII for all Ecuadorian workers runs severely outdated WordPress with hundreds of known CVEs
7	seps.gob.ec	WordPress 6.9.1 with LayerSlider 6.11.8 and multiple plugins exposed -- extensive plugin surface (Contact Form 7, Ninja Tables, Popup Builder, FluentForm, FileBird, FingerprintJS)	Large attack surface through plugin diversity. LayerSlider has had critical vulnerabilities historically
8	finanzas.gob.ec	Internal financial system hostnames exposed: `esigef.finanzas.gob.ec`, `esigef2.finanzas.gob.ec`, `esipren.finanzas.gob.ec`, `spryn.finanzas.gob.ec`, `spryn2.finanzas.gob.ec`, `ebye.finanzas.gob.ec`, `nomina.finanzas.gob.ec`	Complete map of internal financial management and payroll systems. eSIGEF confirmed running ASP.NET. Dual instances (esigef/esigef2, spryn/spryn2) suggest load-balanced or failover architecture
9	aduana.gob.ec	Full WordPress REST API exposed with Disqus, wp-site-health namespaces. Media endpoint leaks internal document filenames (SENAE contract numbers, BID loan references)	Government procurement documents and contract IDs exposed via media API. Document naming reveals internal numbering schemes
10	superbancos.gob.ec	Internal login portal at `/bancos/ingresosb` with LoginPress plugin, simple math CAPTCHA (trivially bypassable), links to CAS system	Banking regulator intranet login uses weak CAPTCHA protection

MEDIUM

#	Domain	Finding	Impact
11	bce.fin.ec	WordPress with Elementor 3.27.2, exposed WP REST API with 12+ namespaces (Wordfence, Yoast, Elementor-AI, NPS-Survey, WPForms) -- no authentication methods advertised in API root	Central Bank's extensive plugin footprint increases attack surface. Empty authentication array in API root is concerning
12	bce.fin.ec	reCAPTCHA site key exposed: `6LdDYVogAAAAAPaQHupFjJEfqNwW0QN7MNptdkg_`	Can be used to test for bypass or misconfiguration
13	finanzas.gob.ec	Wordfence WAF detected but `wp-json/` fully accessible -- Wordfence and Filebird namespaces exposed. "autodiscover" page exists (ID 10976, created 2019)	WAF present but REST API not locked down. The autodiscover page is an anomaly (typically email config)
14	seps.gob.ec	Facebook Pixel `436848186041416` and dual Analytics (GA4: `G-47SH65ZV9H`, Legacy: `UA-35721055-1`) tracking on government financial regulator site	Government tracking citizen browsing behavior on financial regulatory pages. Cross-site tracking via Facebook Pixel raises privacy concerns
15	aduana.gob.ec	Overly restrictive robots.txt blocks CSS/JS/images but does nothing to protect API endpoints	Security theater -- blocks crawlers from harmless static assets while REST API is wide open
16	superbancos.gob.ec	OCI (Oracle Cloud Infrastructure) referenced in appweb portal -- "Server web 2 OCI" with link to "Server web 1 OCI"	Cloud infrastructure provider identified. Dual-server architecture exposed
17	All WordPress sites	No HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, or Permissions-Policy headers detected on any probed domain	All 7 WordPress/Liferay sites lack modern security headers. Vulnerable to clickjacking, MIME sniffing, and protocol downgrade attacks
18	seps.gob.ec	XML-RPC returns 405 (Method Not Allowed) rather than 403/404 -- endpoint exists but only blocks GET requests	XML-RPC may accept POST requests, enabling brute-force amplification attacks

DETAILED FINDINGS BY DOMAIN

1. sri.gob.ec -- SRI (Servicio de Rentas Internas / Tax Authority)

Technology Stack

Liferay Portal (version not explicitly disclosed)
Java backend with portlet architecture
AUI (Alloy UI), jQuery, Metal.js on frontend
Bootstrap-based responsive design
Multiple WAR portlet modules deployed

Analytics

Google Analytics: UA-17155653-2

Subdomains Discovered

Subdomain	Purpose
`srienlinea.sri.gob.ec`	Online tax services portal (SPA with hash routing)
`facturadorsri.sri.gob.ec`	Electronic invoicing system
`declaraciones.sri.gob.ec`	Tax declarations portal

Sensitive Path Results

Path	Result
`/.env`	404
`/.git/config`	Blocked (WAF: "URL was rejected")
`/robots.txt`	Permissive -- `Disallow:` (empty, allows everything)
`/api/jsonws`	EXPOSED -- Full Liferay JSONWS API catalog
`/api/axis`	403 (blocked)
`/c/portal/json_service`	403 (blocked)
`/graphql`	404
`/swagger`	404

CRITICAL: Liferay JSONWS API Exposure

The endpoint https://www.sri.gob.ec/api/jsonws returns a complete catalog of all available JSON Web Services including:

User Services: User CRUD, authentication, role assignments
Organization Services: Organization hierarchy, labor schedules
Document Library (DLApp): 100+ file operation methods (upload, download, versioning, check-in/check-out)
Permission Services: Resource-level permission checking
Password Policy: Configuration and enforcement endpoints
Export/Import: Data migration functionality
Asset Management: Categories, tags, vocabularies
Layout/Portal: Page management, portal configuration

Individual method calls return 403 (require authentication), but the complete service catalog is publicly browsable. This gives attackers a precise roadmap of the entire backend.

Portal Configuration Leak

Liferay.ThemeDisplay object in page source exposes:

Company ID: 20101
Group IDs: 20128 (company), 34937 (site scope)
Default User ID: 20105
Control panel path: /group/intersri/~/control_panel/manage
Session timeout: 900 seconds (15 minutes)

Security Headers

None detected (no HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy).

WAF

Present -- blocks .git/config access with "URL was rejected" message. Does NOT block /api/jsonws.

2. iess.gob.ec -- IESS (Instituto Ecuatoriano de Seguridad Social)

Technology Stack

WordPress 5.7 (PHP)
S5 Image and Content Fader plugin
jQuery
Emoji library 13.0.1

Analytics

None detected.

Subdomains Discovered

Subdomain	Purpose
`app.iess.gob.ec`	Application portal (redirects to main site)
`appsrviess.iess.gob.ec`	External service applications
`facturacion.iess.gob.ec`	Electronic billing
`denuncias.iess.gob.ec`	Whistleblower/complaint channel

PII-Handling Portals

Medical appointment system: app.iess.gob.ec/iess-gestion-agendamiento-citas-medicas-web/
Affiliation portal: app.iess.gob.ec/iess-gestion-solicitud-afiliado-web/
Certificate QR validator: app.iess.gob.ec/gestion-portal-validador-qr-web/
Citizen contact form: /public/formulariosContacto.jsf (JSF -- Java Server Faces)

Sensitive Path Results

Path	Result
`/.env`	404
`/.git/config`	404
`/wp-json/`	403 (blocked)
`/wp-json/wp/v2/users`	403 (blocked)
`/xmlrpc.php`	403 (blocked)
`/robots.txt`	Standard WP (blocks `/wp-admin/`, allows `admin-ajax.php`)

Security Assessment

WordPress 5.7 is nearly 5 years old with hundreds of known CVEs
WP REST API and XMLRPC properly blocked (403)
Mixed Java/PHP architecture (JSF forms alongside WordPress)
Handles PII for all Ecuadorian workers (social security, medical records, employment history)
No security headers detected

3. bce.fin.ec -- BCE (Banco Central del Ecuador / Central Bank)

Technology Stack

WordPress (PHP)
Elementor 3.27.2 + Elementor Pro
Slider Revolution
WPForms
Yoast SEO
jQuery
Google reCAPTCHA v3

Analytics

Google Analytics GA4: G-3QMR5L6D9Y
reCAPTCHA Site Key: 6LdDYVogAAAAAPaQHupFjJEfqNwW0QN7MNptdkg_

Subdomains Discovered

Subdomain	Purpose
`mail.bce.fin.ec`	Webmail portal
`facturacion.bce.fin.ec`	Electronic invoicing (JSF login)
`museodelamoneda.bce.fin.ec`	Money museum
`biblioteca.bce.ec`	Economic library
`www.eci.bce.ec`	Electronic certification

Sensitive Path Results

Path	Result
`/.env`	Blocked by security policy (ticket number returned)
`/.git/config`	Blocked by security policy
`/wp-json/`	EXPOSED -- Full API root with 12+ namespaces
`/wp-json/wp/v2/users`	404 (user route disabled/removed)
`/xmlrpc.php`	Returns homepage (soft redirect, not blocked)
`/robots.txt`	Permissive -- empty Disallow, 3 sitemaps exposed

WP REST API Exposure

Publicly accessible namespaces include:

wordfence/v1 -- Security scanning
yoast/v1 -- SEO tools
elementor/v1 and elementor-pro/v1 -- Page builder with form submissions endpoint
elementor-ai/v1 -- AI content tools
nps-survey/v1 -- User feedback collection
wpforms/v1 -- Form builder
redirection/v1 -- URL redirect management
image-optimizer/v1
metaslider/v1
hfe/v1 -- Header/Footer editor
Authentication array is empty in API root response

Security Assessment

WAF actively blocks dotfile access (good)
But REST API is wide open with extensive namespace exposure
Form submissions endpoint (elementor/v1/form-submissions) returns 401 (auth required, good)
User enumeration blocked (404 on users endpoint, good)
XMLRPC not properly blocked (returns homepage instead of 403)

4. aduana.gob.ec -- SENAE (Servicio Nacional de Aduana del Ecuador / Customs)

Technology Stack

WordPress (PHP)
Custom theme: Sitio-32
Download Monitor plugin
WP Banners Lite plugin
Disqus comments integration
Bootstrap framework
Fontello icon library
jQuery

Analytics

Google Analytics GA4: G-7R2ZYSV7DY

Subdomains Discovered

Subdomain	Purpose
`ecuapass.aduana.gob.ec`	Customs declaration system (returned JS error on probe)
`servicios.aduana.gob.ec`	Services portal
`mesadeservicios.aduana.gob.ec`	Service desk
`ventanillaunica.aduana.gob.ec`	Single window for international commerce
`adjudicacion.aduana.gob.ec`	Auctions
`portal.aduana.gob.ec`	Customs portal

Sensitive Path Results

Path	Result
`/.env`	Returns homepage content (soft fail, not blocked)
`/.git/config`	500 Internal Server Error
`/wp-json/`	EXPOSED -- Full API root
`/wp-json/wp/v2/users`	EXPOSED -- Full user enumeration
`/xmlrpc.php`	403 (blocked)
`/robots.txt`	Blocks wp-admin, uploads, plugins, themes, PHP/JS/CSS files

CRITICAL: User Enumeration

/wp-json/wp/v2/users returns 8 WordPress accounts:

ID	Username	Full Name	Notes
1	oraculo	oraculo	Admin account -- vendor/service account
2	cargonza	Carlos Gonzalez	Staff
3	jcortez	Jackson Cortez	Staff
4	dizamora	Didimo Zamora	Staff
5	gicordo	Giovanny Cordova	Staff (primary author, most posts)
6	garellano	Galo Arellano	Staff
8	mquiroga	Miguel Quiroga	Staff
23	rasanchez	Ronald Sanchez	Staff

The oraculo account (ID 1) is the original WordPress admin/superuser. This same "oraculo" pattern has been observed on other Ecuadorian government WordPress sites, suggesting a shared vendor/contractor that deploys and manages these sites.

WP REST API Namespaces

disqus/v1 -- Comments integration with sync/webhook endpoints
wp-site-health/v1 -- Site health monitoring (returns 401)
wp-block-editor/v1
Standard wp/v2 with full CRUD on posts, pages, media
Application password authentication endpoint available

Media API Exposure

/wp-json/wp/v2/media exposes internal document filenames:

SENAE-MEE-2-2-052-V1.pdf
SENAE-SENAE-2026-0012-RE-2.pdf
Acta_entrega_recepcion_definitiva_-EC-L1253-P00052_signed.pdf
Anexo_7_Contrato_SENAE-BID-2025-006-signed.pdf (Inter-American Development Bank contract)

500 Error on .git/config

The server returns a 500 Internal Server Error for /.git/config rather than 404, which may indicate the path is being processed before failing -- potentially a .git directory exists but is not properly served.

5. ecuapass.aduana.gob.ec -- Ecuapass Customs Portal

Assessment

The error suggests a jQuery-dependent Single Page Application
Requires full browser JavaScript execution to render
This is the primary citizen-facing customs declaration portal
Handles sensitive trade data, importer/exporter PII, customs valuations

6. superbancos.gob.ec -- Superintendencia de Bancos (Banking Superintendency)

Technology Stack

WordPress (PHP)
Elementor 3.24.8
Essential Addons for Elementor Lite
FileBird media manager
LoginPress login customizer
Yoast SEO
Download Monitor
WP Mail SMTP
WP Rollback
Templately (40+ routes for template management)
OneDrive integration (ShareoneDrive widget)

Analytics

None detected.

Subdomains Discovered

Subdomain	Purpose
`appweb.superbancos.gob.ec`	Internal application portal (OCI -- Oracle Cloud)
`cas.superbancos.gob.ec:8443`	CAS authentication server
`catastrocompanias.superbancos.gob.ec`	Company registry
`educacionfinanciera.superbancos.gob.ec`	Financial education
`estadisticas.superbancos.gob.ec`	Statistics portal

Sensitive Path Results

Path	Result
`/.env`	404
`/.git/config`	Not probed (root domain inaccessible)
`/bancos/wp-json/`	EXPOSED -- 21 API namespaces
`/bancos/wp-json/wp/v2/users`	403 (blocked)
`/robots.txt`	404

HIGH: Tomcat Default Page on CAS Server

https://cas.superbancos.gob.ec:8443 returns the Apache Tomcat default welcome page instead of a CAS login screen. This reveals:

Tomcat installation (likely version 6 based on page references)
Default installation path: $CATALINA_HOME/webapps/ROOT/index.html
Manager webapp is referenced but claims to be role-restricted
Example servlets and JSP paths mentioned

This is the Central Authentication Service for Ecuador's banking regulator. A default Tomcat page on a CAS server indicates incomplete deployment or misconfiguration.

Internal Login Portal

/bancos/ingresosb exposes an intranet login with:

LoginPress-customized WordPress login
Math CAPTCHA: "diecinueve - 13 =" (trivially bypassable by automation)
Password strength meter (zxcvbn.js)
Caps Lock detection
"Forgotten Password" links to CAS system

WP REST API -- Extensive Namespace Exposure

21 namespaces including:

loginpress/v1 -- Login page configuration
templately/v1 -- Template management with cloud storage
download-monitor/v1 -- Download tracking and analytics
wp-rollback/v1 -- Plugin/theme version management
elementskit/v1 -- Dynamic content and widgets
wp-mail-smtp/v1 -- Email configuration
ea11y/v1 -- Accessibility features

Infrastructure

Oracle Cloud Infrastructure (OCI) confirmed for appweb portal
Dual server architecture: "Server web 1 OCI" / "Server web 2 OCI"
Content managed centrally by User ID 832

7. seps.gob.ec -- SEPS (Superintendencia de Economia Popular y Solidaria)

Technology Stack

WordPress 6.9.1
Bridge theme
LayerSlider 6.11.8
Ninja Tables 5.2.7
Contact Form 7
FluentForm (with submissions and analytics)
Popup Builder
FileBird media manager
FingerprintJS (client device fingerprinting)
Yoast SEO 26.9
Post Grid
jQuery, Swiper.js

Analytics & Tracking

Google Analytics GA4: G-47SH65ZV9H
Google Analytics Legacy: UA-35721055-1
Facebook Pixel: 436848186041416
FingerprintJS -- Client device identification library

Subdomains Discovered

Subdomain	Purpose
`servicios.seps.gob.ec`	Portal services
`sistemas.seps.gob.ec`	Technical systems
`estadisticas.seps.gob.ec`	Statistics portal
`data.seps.gob.ec`	Data portal (DataSEPS)
`mail.seps.gob.ec`	Webmail
`intranet.seps.gob.ec`	Internal network
`centroserviciosacopio.seps.gob.ec`	Information center

Sensitive Path Results

Path	Result
`/.env`	404
`/.git/config`	404
`/wp-json/`	EXPOSED -- Full API root
`/wp-json/wp/v2/users`	EXPOSED -- 3 users enumerated
`/xmlrpc.php`	405 Method Not Allowed (exists, blocks GET)
`/robots.txt`	Blocks wp-admin, documents, internal pages, service portal

CRITICAL: User Enumeration

/wp-json/wp/v2/users returns 3 accounts:

ID	Username	Full Name	Notes
1	admins3ps2021	Alejandro	Admin account with year "2021" in name
3	inhuman_ec	Roque Proano	Likely external contractor
5	simbiontec	Alejandro Lozano	Likely external contractor (Simbiontec is an Ecuadorian web agency)

The admin username admins3ps2021 is concerning:

Contains the year 2021, suggesting possible password rotation patterns following the same convention
Two of three accounts appear to be external contractors, not SEPS staff

XML-RPC Status

Returns 405 (Method Not Allowed) for GET requests. This means the endpoint EXISTS and may accept POST requests, which would enable:

WordPress credential brute-force amplification (system.multicall)
Pingback DDoS amplification
SSRF via pingback

Privacy Concerns

Facebook Pixel tracking on a government financial regulator website
FingerprintJS for device identification
Dual Google Analytics tracking (GA4 + Universal)
Citizens visiting financial regulatory pages are being tracked by Facebook and fingerprinted

8. finanzas.gob.ec -- Ministerio de Economia y Finanzas (Ministry of Finance)

Technology Stack

WordPress (PHP)
Wordfence Security (WAF/firewall)
FileBird media manager
Download Monitor
PromoSlider 3.3.1
jQuery

Analytics

None detected.

Subdomains & Internal Systems Discovered

System	URL	Technology
eSIGEF
aduana.gob.ec	`G-7R2ZYSV7DY`	--
seps.gob.ec	`G-47SH65ZV9H`, `UA-35721055-1`	Facebook Pixel `436848186041416`, FingerprintJS
iess.gob.ec	None	--
superbancos.gob.ec	None	--
finanzas.gob.ec	None	--