Summary
Scope: Passive reconnaissance on 8 Ecuadorian government domains handling financial data, tax records, social security, and customs declarations.
Method: HTTP probing via WebFetch -- homepage analysis, sensitive path enumeration, WordPress REST API discovery, user enumeration, Liferay service enumeration.
CROSS-DOMAIN FINDINGS SUMMARY (Ranked by Severity)
CRITICAL
| # | Domain | Finding | Impact |
|---|---|---|---|
| 1 | sri.gob.ec | Liferay JSONWS API catalog publicly exposed at /api/jsonws -- lists hundreds of backend service methods including User, Organization, Document Library, Permission, Password Policy, and Export/Import services | Full API surface map for Ecuador's tax authority. Methods require auth but attackers have a complete catalog to target credential-stuffing, token reuse, or session hijacking against specific endpoints handling citizen tax PII |
| 2 | aduana.gob.ec | WordPress REST API user enumeration at /wp-json/wp/v2/users -- returns 8 users including oraculo (ID 1, admin account), plus full names and slugs for 7 staff members | Enables targeted brute-force against known usernames. The oraculo admin account is a shared vendor/service account (see cross-domain pattern below) |
| 3 | seps.gob.ec | WordPress REST API user enumeration returns 3 users: admins3ps2021, simbiontec, inhuman_ec -- admin account name contains year "2021" suggesting password rotation may follow similar patterns | Admin username leaks year-based naming convention. simbiontec and inhuman_ec appear to be external contractor accounts |
HIGH
| # | Domain | Finding | Impact |
|---|---|---|---|
| 4 | superbancos.gob.ec | Apache Tomcat default page exposed on CAS authentication server at cas.superbancos.gob.ec:8443 -- confirms Tomcat installation with default config, manager webapp references | The Banking Superintendency's central authentication server exposes its technology stack. Default Tomcat pages indicate incomplete hardening of a security-critical system |
| 5 | sri.gob.ec | Liferay portal configuration leak via Liferay.ThemeDisplay -- exposes Company ID (20101), Group IDs (20128, 34937), User ID (20105), control panel paths, session timeout (900s) | Internal portal structure mapped. IDs can be used to craft targeted API calls against the JSONWS endpoints |
| 6 | iess.gob.ec | WordPress 5.7 detected (via emoji script version) -- this version is from March 2021, nearly 5 years old | Social Security Institute handling PII for all Ecuadorian workers runs severely outdated WordPress with hundreds of known CVEs |
| 7 | seps.gob.ec | WordPress 6.9.1 with LayerSlider 6.11.8 and multiple plugins exposed -- extensive plugin surface (Contact Form 7, Ninja Tables, Popup Builder, FluentForm, FileBird, FingerprintJS) | Large attack surface through plugin diversity. LayerSlider has had critical vulnerabilities historically |
| 8 | finanzas.gob.ec | Internal financial system hostnames exposed: esigef.finanzas.gob.ec, esigef2.finanzas.gob.ec, esipren.finanzas.gob.ec, spryn.finanzas.gob.ec, spryn2.finanzas.gob.ec, ebye.finanzas.gob.ec, nomina.finanzas.gob.ec | Complete map of internal financial management and payroll systems. eSIGEF confirmed running ASP.NET. Dual instances (esigef/esigef2, spryn/spryn2) suggest load-balanced or failover architecture |
| 9 | aduana.gob.ec | Full WordPress REST API exposed with Disqus, wp-site-health namespaces. Media endpoint leaks internal document filenames (SENAE contract numbers, BID loan references) | Government procurement documents and contract IDs exposed via media API. Document naming reveals internal numbering schemes |
| 10 | superbancos.gob.ec | Internal login portal at /bancos/ingresosb with LoginPress plugin, simple math CAPTCHA (trivially bypassable), links to CAS system | Banking regulator intranet login uses weak CAPTCHA protection |
MEDIUM
| # | Domain | Finding | Impact |
|---|---|---|---|
| 11 | bce.fin.ec | WordPress with Elementor 3.27.2, exposed WP REST API with 12+ namespaces (Wordfence, Yoast, Elementor-AI, NPS-Survey, WPForms) -- no authentication methods advertised in API root | Central Bank's extensive plugin footprint increases attack surface. Empty authentication array in API root is concerning |
| 12 | bce.fin.ec | reCAPTCHA site key exposed: 6LdDYVogAAAAAPaQHupFjJEfqNwW0QN7MNptdkg_ | Can be used to test for bypass or misconfiguration |
| 13 | finanzas.gob.ec | Wordfence WAF detected but wp-json/ fully accessible -- Wordfence and Filebird namespaces exposed. "autodiscover" page exists (ID 10976, created 2019) | WAF present but REST API not locked down. The autodiscover page is an anomaly (typically email config) |
| 14 | seps.gob.ec | Facebook Pixel 436848186041416 and dual Analytics (GA4: G-47SH65ZV9H, Legacy: UA-35721055-1) tracking on government financial regulator site | Government tracking citizen browsing behavior on financial regulatory pages. Cross-site tracking via Facebook Pixel raises privacy concerns |
| 15 | aduana.gob.ec | Overly restrictive robots.txt blocks CSS/JS/images but does nothing to protect API endpoints | Security theater -- blocks crawlers from harmless static assets while REST API is wide open |
| 16 | superbancos.gob.ec | OCI (Oracle Cloud Infrastructure) referenced in appweb portal -- "Server web 2 OCI" with link to "Server web 1 OCI" | Cloud infrastructure provider identified. Dual-server architecture exposed |
| 17 | All WordPress sites | No HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, or Permissions-Policy headers detected on any probed domain | All 7 WordPress/Liferay sites lack modern security headers. Vulnerable to clickjacking, MIME sniffing, and protocol downgrade attacks |
| 18 | seps.gob.ec | XML-RPC returns 405 (Method Not Allowed) rather than 403/404 -- endpoint exists but only blocks GET requests | XML-RPC may accept POST requests, enabling brute-force amplification attacks |
DETAILED FINDINGS BY DOMAIN
1. sri.gob.ec -- SRI (Servicio de Rentas Internas / Tax Authority)
Technology Stack
- Liferay Portal (version not explicitly disclosed)
- Java backend with portlet architecture
- AUI (Alloy UI), jQuery, Metal.js on frontend
- Bootstrap-based responsive design
- Multiple WAR portlet modules deployed
Analytics
- Google Analytics: UA-17155653-2
Subdomains Discovered
| Subdomain | Purpose |
|---|---|
| srienlinea.sri.gob.ec | Online tax services portal (SPA with hash routing) |
| facturadorsri.sri.gob.ec | Electronic invoicing system |
| declaraciones.sri.gob.ec | Tax declarations portal |
Sensitive Path Results
| Path | Result |
|---|---|
| /.env | 404 |
| /.git/config | Blocked (WAF: "URL was rejected") |
| /robots.txt | Permissive -- Disallow: (empty, allows everything) |
| /api/jsonws | EXPOSED -- Full Liferay JSONWS API catalog |
| /api/axis | 403 (blocked) |
| /c/portal/json_service | 403 (blocked) |
| /graphql | 404 |
| /swagger | 404 |
CRITICAL: Liferay JSONWS API Exposure
The endpoint https://www.sri.gob.ec/api/jsonws returns a complete catalog of all available JSON Web Services including:
- User Services: User CRUD, authentication, role assignments
- Organization Services: Organization hierarchy, labor schedules
- Document Library (DLApp): 100+ file operation methods (upload, download, versioning, check-in/check-out)
- Permission Services: Resource-level permission checking
- Password Policy: Configuration and enforcement endpoints
- Export/Import: Data migration functionality
- Asset Management: Categories, tags, vocabularies
- Layout/Portal: Page management, portal configuration
Individual method calls return 403 (require authentication), but the complete service catalog is publicly browsable. This gives attackers a precise roadmap of the entire backend.
Portal Configuration Leak
Liferay.ThemeDisplay object in page source exposes:
- Company ID: 20101
- Group IDs: 20128 (company), 34937 (site scope)
- Default User ID: 20105
- Control panel path: /group/intersri/~/control_panel/manage
- Session timeout: 900 seconds (15 minutes)
Security Headers
None detected (no HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy).
WAF
Present -- blocks .git/config access with "URL was rejected" message. Does NOT block /api/jsonws.
2. iess.gob.ec -- IESS (Instituto Ecuatoriano de Seguridad Social)
Technology Stack
- WordPress 5.7 (PHP)
- S5 Image and Content Fader plugin
- jQuery
- Emoji library 13.0.1
Analytics
None detected.
Subdomains Discovered
| Subdomain | Purpose |
|---|---|
| app.iess.gob.ec | Application portal (redirects to main site) |
| appsrviess.iess.gob.ec | External service applications |
| facturacion.iess.gob.ec | Electronic billing |
| denuncias.iess.gob.ec | Whistleblower/complaint channel |
PII-Handling Portals
- Medical appointment system: app.iess.gob.ec/iess-gestion-agendamiento-citas-medicas-web/
- Affiliation portal: app.iess.gob.ec/iess-gestion-solicitud-afiliado-web/
- Certificate QR validator: app.iess.gob.ec/gestion-portal-validador-qr-web/
- Citizen contact form: /public/formulariosContacto.jsf (JSF -- Java Server Faces)
Sensitive Path Results
| Path | Result |
|---|---|
| /.env | 404 |
| /.git/config | 404 |
| /wp-json/ | 403 (blocked) |
| /wp-json/wp/v2/users | 403 (blocked) |
| /xmlrpc.php | 403 (blocked) |
| /robots.txt | Standard WP (blocks /wp-admin/, allows admin-ajax.php) |
Security Assessment
- WordPress 5.7 is nearly 5 years old with hundreds of known CVEs
- WP REST API and XMLRPC properly blocked (403)
- Mixed Java/PHP architecture (JSF forms alongside WordPress)
- Handles PII for all Ecuadorian workers (social security, medical records, employment history)
- No security headers detected
3. bce.fin.ec -- BCE (Banco Central del Ecuador / Central Bank)
Technology Stack
- WordPress (PHP)
- Elementor 3.27.2 + Elementor Pro
- Slider Revolution
- WPForms
- Yoast SEO
- jQuery
- Google reCAPTCHA v3
Analytics
- Google Analytics GA4: G-3QMR5L6D9Y
- reCAPTCHA Site Key: 6LdDYVogAAAAAPaQHupFjJEfqNwW0QN7MNptdkg_
Subdomains Discovered
| Subdomain | Purpose |
|---|---|
| mail.bce.fin.ec | Webmail portal |
| facturacion.bce.fin.ec | Electronic invoicing (JSF login) |
| museodelamoneda.bce.fin.ec | Money museum |
| biblioteca.bce.ec | Economic library |
| www.eci.bce.ec | Electronic certification |
Sensitive Path Results
| Path | Result |
|---|---|
| /.env | Blocked by security policy (ticket number returned) |
| /.git/config | Blocked by security policy |
| /wp-json/ | EXPOSED -- Full API root with 12+ namespaces |
| /wp-json/wp/v2/users | 404 (user route disabled/removed) |
| /xmlrpc.php | Returns homepage (soft redirect, not blocked) |
| /robots.txt | Permissive -- empty Disallow, 3 sitemaps exposed |
WP REST API Exposure
Publicly accessible namespaces include:
- wordfence/v1 -- Security scanning
- yoast/v1 -- SEO tools
- elementor/v1 and elementor-pro/v1 -- Page builder with form submissions endpoint
- elementor-ai/v1 -- AI content tools
- nps-survey/v1 -- User feedback collection
- wpforms/v1 -- Form builder
- redirection/v1 -- URL redirect management
- image-optimizer/v1
- metaslider/v1
- hfe/v1 -- Header/Footer editor
- Authentication array is empty in API root response
Security Assessment
- WAF actively blocks dotfile access (good)
- But REST API is wide open with extensive namespace exposure
- Form submissions endpoint (elementor/v1/form-submissions) returns 401 (auth required, good)
- User enumeration blocked (404 on users endpoint, good)
- XMLRPC not properly blocked (returns homepage instead of 403)
4. aduana.gob.ec -- SENAE (Servicio Nacional de Aduana del Ecuador / Customs)
Technology Stack
- WordPress (PHP)
- Custom theme: Sitio-32
- Download Monitor plugin
- WP Banners Lite plugin
- Disqus comments integration
- Bootstrap framework
- Fontello icon library
- jQuery
Analytics
- Google Analytics GA4: G-7R2ZYSV7DY
Subdomains Discovered
| Subdomain | Purpose |
|---|---|
| ecuapass.aduana.gob.ec | Customs declaration system (returned JS error on probe) |
| servicios.aduana.gob.ec | Services portal |
| mesadeservicios.aduana.gob.ec | Service desk |
| ventanillaunica.aduana.gob.ec | Single window for international commerce |
| adjudicacion.aduana.gob.ec | Auctions |
| portal.aduana.gob.ec | Customs portal |
Sensitive Path Results
| Path | Result |
|---|---|
| /.env | Returns homepage content (soft fail, not blocked) |
| /.git/config | 500 Internal Server Error |
| /wp-json/ | EXPOSED -- Full API root |
| /wp-json/wp/v2/users | EXPOSED -- Full user enumeration |
| /xmlrpc.php | 403 (blocked) |
| /robots.txt | Blocks wp-admin, uploads, plugins, themes, PHP/JS/CSS files |
CRITICAL: User Enumeration
/wp-json/wp/v2/users returns 8 WordPress accounts:
| ID | Username | Full Name | Notes |
|---|---|---|---|
| 1 | oraculo | oraculo | Admin account -- vendor/service account |
| 2 | cargonza | Carlos Gonzalez | Staff |
| 3 | jcortez | Jackson Cortez | Staff |
| 4 | dizamora | Didimo Zamora | Staff |
| 5 | gicordo | Giovanny Cordova | Staff (primary author, most posts) |
| 6 | garellano | Galo Arellano | Staff |
| 8 | mquiroga | Miguel Quiroga | Staff |
| 23 | rasanchez | Ronald Sanchez | Staff |
The oraculo account (ID 1) is the original WordPress admin/superuser. This same "oraculo" pattern has been observed on other Ecuadorian government WordPress sites, suggesting a shared vendor/contractor that deploys and manages these sites.
WP REST API Namespaces
- disqus/v1 -- Comments integration with sync/webhook endpoints
- wp-site-health/v1 -- Site health monitoring (returns 401)
- wp-block-editor/v1
- Standard wp/v2 with full CRUD on posts, pages, media
- Application password authentication endpoint available
Media API Exposure
/wp-json/wp/v2/media exposes internal document filenames:
- SENAE-MEE-2-2-052-V1.pdf
- SENAE-SENAE-2026-0012-RE-2.pdf
- Acta_entrega_recepcion_definitiva_-EC-L1253-P00052_signed.pdf
- Anexo_7_Contrato_SENAE-BID-2025-006-signed.pdf (Inter-American Development Bank contract)
500 Error on .git/config
The server returns a 500 Internal Server Error for /.git/config rather than 404, which may indicate the path is being processed before failing -- potentially a .git directory exists but is not properly served.
5. ecuapass.aduana.gob.ec -- Ecuapass Customs Portal
Assessment
- The error suggests a jQuery-dependent Single Page Application
- Requires full browser JavaScript execution to render
- This is the primary citizen-facing customs declaration portal
- Handles sensitive trade data, importer/exporter PII, customs valuations
6. superbancos.gob.ec -- Superintendencia de Bancos (Banking Superintendency)
Technology Stack
- WordPress (PHP)
- Elementor 3.24.8
- Essential Addons for Elementor Lite
- FileBird media manager
- LoginPress login customizer
- Yoast SEO
- Download Monitor
- WP Mail SMTP
- WP Rollback
- Templately (40+ routes for template management)
- OneDrive integration (ShareoneDrive widget)
Analytics
None detected.
Subdomains Discovered
| Subdomain | Purpose |
|---|---|
| appweb.superbancos.gob.ec | Internal application portal (OCI -- Oracle Cloud) |
| cas.superbancos.gob.ec:8443 | CAS authentication server |
| catastrocompanias.superbancos.gob.ec | Company registry |
| educacionfinanciera.superbancos.gob.ec | Financial education |
| estadisticas.superbancos.gob.ec | Statistics portal |
Sensitive Path Results
| Path | Result |
|---|---|
| /.env | 404 |
| /.git/config | Not probed (root domain inaccessible) |
| /bancos/wp-json/ | EXPOSED -- 21 API namespaces |
| /bancos/wp-json/wp/v2/users | 403 (blocked) |
| /robots.txt | 404 |
HIGH: Tomcat Default Page on CAS Server
https://cas.superbancos.gob.ec:8443 returns the Apache Tomcat default welcome page instead of a CAS login screen. This reveals:
- Tomcat installation (likely version 6 based on page references)
- Default installation path: $CATALINA_HOME/webapps/ROOT/index.html
- Manager webapp is referenced but claims to be role-restricted
- Example servlets and JSP paths mentioned
This is the Central Authentication Service for Ecuador's banking regulator. A default Tomcat page on a CAS server indicates incomplete deployment or misconfiguration.
Internal Login Portal
/bancos/ingresosb exposes an intranet login with:
- LoginPress-customized WordPress login
- Math CAPTCHA: "diecinueve - 13 =" (trivially bypassable by automation)
- Password strength meter (zxcvbn.js)
- Caps Lock detection
- "Forgotten Password" links to CAS system
WP REST API -- Extensive Namespace Exposure
21 namespaces including:
- loginpress/v1 -- Login page configuration
- templately/v1 -- Template management with cloud storage
- download-monitor/v1 -- Download tracking and analytics
- wp-rollback/v1 -- Plugin/theme version management
- elementskit/v1 -- Dynamic content and widgets
- wp-mail-smtp/v1 -- Email configuration
- ea11y/v1 -- Accessibility features
Infrastructure
- Oracle Cloud Infrastructure (OCI) confirmed for appweb portal
- Dual server architecture: "Server web 1 OCI" / "Server web 2 OCI"
- Content managed centrally by User ID 832
7. seps.gob.ec -- SEPS (Superintendencia de Economia Popular y Solidaria)
Technology Stack
- WordPress 6.9.1
- Bridge theme
- LayerSlider 6.11.8
- Ninja Tables 5.2.7
- Contact Form 7
- FluentForm (with submissions and analytics)
- Popup Builder
- FileBird media manager
- FingerprintJS (client device fingerprinting)
- Yoast SEO 26.9
- Post Grid
- jQuery, Swiper.js
Analytics & Tracking
- Google Analytics GA4: G-47SH65ZV9H
- Google Analytics Legacy: UA-35721055-1
- Facebook Pixel: 436848186041416
- FingerprintJS -- Client device identification library
Subdomains Discovered
| Subdomain | Purpose |
|---|---|
| servicios.seps.gob.ec | Portal services |
| sistemas.seps.gob.ec | Technical systems |
| estadisticas.seps.gob.ec | Statistics portal |
| data.seps.gob.ec | Data portal (DataSEPS) |
| mail.seps.gob.ec | Webmail |
| intranet.seps.gob.ec | Internal network |
| centroserviciosacopio.seps.gob.ec | Information center |
Sensitive Path Results
| Path | Result |
|---|---|
| /.env | 404 |
| /.git/config | 404 |
| /wp-json/ | EXPOSED -- Full API root |
| /wp-json/wp/v2/users | EXPOSED -- 3 users enumerated |
| /xmlrpc.php | 405 Method Not Allowed (exists, blocks GET) |
| /robots.txt | Blocks wp-admin, documents, internal pages, service portal |
CRITICAL: User Enumeration
/wp-json/wp/v2/users returns 3 accounts:
| ID | Username | Full Name | Notes |
|---|---|---|---|
| 1 | admins3ps2021 | Alejandro | Admin account with year "2021" in name |
| 3 | inhuman_ec | Roque Proano | Likely external contractor |
| 5 | simbiontec | Alejandro Lozano | Likely external contractor (Simbiontec is an Ecuadorian web agency) |
The admin username admins3ps2021 is concerning:
- Contains the year 2021, suggesting possible password rotation patterns following the same convention
- Two of three accounts appear to be external contractors, not SEPS staff
XML-RPC Status
Returns 405 (Method Not Allowed) for GET requests. This means the endpoint EXISTS and may accept POST requests, which would enable:
- WordPress credential brute-force amplification (system.multicall)
- Pingback DDoS amplification
- SSRF via pingback
Privacy Concerns
- Facebook Pixel tracking on a government financial regulator website
- FingerprintJS for device identification
- Dual Google Analytics tracking (GA4 + Universal)
- Citizens visiting financial regulatory pages are being tracked by Facebook and fingerprinted
8. finanzas.gob.ec -- Ministerio de Economia y Finanzas (Ministry of Finance)
Technology Stack
- WordPress (PHP)
- Wordfence Security (WAF/firewall)
- FileBird media manager
- Download Monitor
- PromoSlider 3.3.1
- jQuery
Analytics
None detected.
Subdomains & Internal Systems Discovered
| System | URL | Technology | Purpose |
|---|---|---|---|
| eSIGEF | |||
| aduana.gob.ec | G-7R2ZYSV7DY | -- | |
| seps.gob.ec | G-47SH65ZV9H, UA-35721055-1 | Facebook Pixel 436848186041416, FingerprintJS | |
| iess.gob.ec | None | -- | |
| superbancos.gob.ec | None | -- | |
| finanzas.gob.ec | None | -- |