Avast WEBforum

Other => General Topics => Topic started by: polonus on February 10, 2015, 11:16:31 PM

Title: Musings about my volunteer website security scan experiences....
Post by: polonus on February 10, 2015, 11:16:31 PM
@those interested in this topic, and bob3160 for the initial idea to bundle the posting subjects (thanks to all  ;) )

With thanks to those that share my enthusiasm here and check (against) my results,
Pondus, !Donovan, Eddy, Michael, Para-Noid, mchain and many many more.
Without your ongoing inspiration and cooperation I would not be where I am now
and not least Avast that creates this wonderful platform here to work together to improve Avast support.

You will read here about a variety of topics concerning what I do in the virus and worms.
All I do here has one first and single aim, that is adding to the splendid avast online protection
and so users with avast are with the best here with the unique shields, domain rep scan, etc.

My first topic is called: Google Safebrowsing and Yandex Safebrowsing Results Differ considerably,
well most of the time they are consistent and alert the same website threats.

Blacklisting results play an important role in online protection against suspicious/malicious websites.
This starts with scanning a website at Virustotal, whose results mainly consist of blacklisting results.
A Quttera scan checks against  the following blacklists:
PhishTank - domain is Clean. 
Quttera Labs - domain is Clean. 
Yandex-SafeBrowsing - domain is Clean. 
Google-SafeBrowsing - domain is Clean. 
MalwareDomainList - domain is Clean. 
Combined with the avast protection of shields and avast's browser extension, the DrWeb extension block list and all domains flagged by Bitdefender TrafficLight we have already steered away from many a dangerous click.

But safebrowsing differs, search page for htxp://www.oradio.com.br/ at google does not flag.
At Yandex searchpage we get:
Quote
Visiting this site may lead to malware being installed on your computer or mobile device, which may be used without your knowledge, and valuable data may become corrupted or stolen. Details

Details: https://www.yandex.com/infected?url=http%3A%2F%2Fwww.oradio.com.br%2F&lang=pt&fmode=inject&tld=com&la=&text=http%3A%2F%2Fwww.oradio.com.br%2F&l10n=en&mime=html  SOPHOS detects malware on website as Troj/JsRedir-NN.

Also the options: View secure cached page
This will not harm your computer or its data
and
Visit this page anyway
Following this link may harm your computer or mobile device  (a thing we are ill advised to do i.m.o.).

Why does the Yandex search page protect users against a visit there while Google Safebrowsing does not?

Conclusion - one should use various blacklists to feel somewhat more secure.

polonus

(more to follow in this thread...)
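The conclusion above (use several blacklists, and note when only one of them alerts) can be turned into a small aggregator. This is an added example for this thread, not code from the post or from any of the scanner sites it names; the verdict tables are constructed sample data, not real lookups, and the defanged spellings it normalises (htxp://, hxxp://, wXw., [.]) are the ones used in this forum.

```python
"""Combine blacklist verdicts for one site across several sources.

Added example, not code from the post or from Virustotal/Quttera/Yandex/Google.
SAMPLE_VERDICTS is constructed data: the hosts and labels are invented."""
import re
from urllib.parse import urlsplit


def normalise_host(url):
    """Canonical host from a URL, a bare host, or a defanged form (htxp://, hxxp://, wXw., [.])."""
    s = url.strip().lower().replace("[.]", ".")
    s = re.sub(r"^h[a-z]{2}ps?://", "http://", s)   # htxp:// or hxxp:// -> http://
    if "://" not in s:
        s = "http://" + s                            # bare host names
    host = urlsplit(s).hostname or ""
    host = re.sub(r"^w(ww|xw)\.", "", host)          # drop a www. or wXw. prefix
    return host.rstrip(".")


# Constructed sample verdicts, keyed by source, then host -> label ("clean" if absent).
SAMPLE_VERDICTS = {
    "PhishTank":           {"evil.example": "phishing"},
    "Quttera Labs":        {"evil.example": "malicious"},
    "Yandex-SafeBrowsing": {"evil.example": "malware", "shop.example": "malware"},
    "Google-SafeBrowsing": {"evil.example": "malware"},
    "MalwareDomainList":   {},
}


def aggregate(url, verdicts=SAMPLE_VERDICTS):
    """Look one site up in every source and grade the combined result.

    One flagging source is 'suspicious' (a single list can be stale or a false
    positive, and a single clean list proves nothing); two or more is 'malicious'."""
    host = normalise_host(url)
    hits = {src: table[host] for src, table in verdicts.items()
            if table.get(host, "clean") != "clean"}
    if not hits:
        level = "clean"
    elif len(hits) == 1:
        level = "suspicious"
    else:
        level = "malicious"
    return {"host": host, "sources": len(verdicts), "hits": hits, "level": level}


if __name__ == "__main__":
    for site in ("htxp://wXw.shop.example/index.html", "https://evil.example/login", "clean.example"):
        print(aggregate(site))
```

The grading rule is the point: a site that only Yandex flags, like the oradio case in the post, comes out as "suspicious" rather than either "clean" or "malicious", which is a prompt to look at the detail page before deciding.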
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on February 11, 2015, 03:58:26 PM
FPs are a problem for all anti-malware vendors, VT is gonna help against mistaken detection.
How is this going to work out in the grey area for PUP detections and persistent adware/junkware?
Will we get TRUSTED PUP or TRUSTED JUNKWARE?
Read here about this new feature coming to Virustotal:
http://blog.virustotal.com/2015/02/a-first-shot-at-false-positives.html

Anyone?

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: Secondmineboy on February 11, 2015, 05:05:06 PM
Will read it when I'm finally back home, PUPs are a serious issue nowadays as we can see that even AV vendors bundle them with their software, pups need to be detected much better. Will forward that link to the developer of a new upcoming AV Software :) PS: he is 14 right now
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on February 11, 2015, 05:51:37 PM
Why set this door open ajar, or build in a PUP-adware cat flap trap?
Please dear VT, my code swims like a PUP, quacks like a PUP, but I swear it is no PUP,
oh no, and it ain´t no adware, no way, it is just a genuine False Positive  ;D

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: bob3160 on February 11, 2015, 10:49:32 PM
I'd like to know how they can tell who put that key logger on my computer??? (If I had one.)
Did I do it intentionally or, was it done maliciously???
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on February 11, 2015, 11:00:06 PM
Hi bob3160,

Indeed there is a thin grey line between legitimate keyloggers and hidden keyloggers that are part of full-fledged trojans. The term for this category of malware is the Trojan-Spy, malware that will
Quote
track user activity, save the information to the user's hard disk and then forward it to the author or 'master' of the Trojan.
Read more in depth here: https://securelist.com/analysis/36138/keyloggers-how-they-work-and-how-to-detect-them-part-1/

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: bob3160 on February 11, 2015, 11:18:24 PM
Quote from: polonus on February 11, 2015, 11:00:06 PM
Hi bob3160,

Indeed there is a thin grey line between legitimate keyloggers and hidden keyloggers that are part of full-fledged trojans. The term for this category of malware is the Trojan-Spy, malware that will
Quote
track user activity, save the information to the user's hard disk and then forward it to the author or 'master' of the Trojan.
Read more in depth here: https://securelist.com/analysis/36138/keyloggers-how-they-work-and-how-to-detect-them-part-1/

polonus
I'm well aware of what a Keylogger does Damien. If I choose to install it to monitor activity on my system, it's a legitimate tool.
If it's installed without my knowledge, then it's malicious.
I want to know how an AV can tell the difference between my installation and a malicious install ???
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on February 11, 2015, 11:45:18 PM
This is the main way to tell the difference:
Quote
Behavioral detection differs from appearance detection in that it identifies the actions performed by the malware rather than syntactic markers. Identifying these malicious actions and interpreting their final purpose is a complex reasoning process.
Quote from: Hervé Debar PhD, HDR.
So the source and the way it was installed play an important role.
Compare it to shop camera monitoring that can discriminate between someone buying tools for a DIY job or to be used in breaking & entering a house illegally. When you buy a Balaclava and a sledge hammer, you could be a security risk and suspicious. ;D  ;D

Damian

Title: Re: Musings about my volunteer website security scan experiences....
Post by: bob3160 on February 12, 2015, 12:03:31 AM
If it were that simple, there wouldn't be any false positives. :)
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on February 12, 2015, 12:30:50 AM
Hi bob3160,

Well, there is more to this than meets the eye. Many times in the virus and worms we see developers that come and complain about false positives and fp detections on (new) packer obfuscation for instance. And as a complication a whole row of what came whitelisted before can now come up as a FP with a new (slightly different) update. Avast has really some problems there to tackle. So the new VT whitelisting and demasking of FPs can certainly help towards that goal. Recently Avast had quite some problems with new updates of proggies and tools. Signing their code by developers and certification may help - also additional meta-scans can make a FP less obvious.
And of course the bundled junk/ad- & spyware should never go under the detection radar as this ever expanding new bundling craze is making the whole exercise even more complicated. And then there is the explosion of new detections that is making the whole process even more complicated. That for simplicity...  ;D

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on February 19, 2015, 04:39:01 PM
When doing a "cold reconnaissance third party" website scan we always like to have the full story from a to z.
What vulnerable technology was being used for server and website software? What free plug-ins and themes were vulnerable?
Was there any second line security being brought into place? And we want to know why the website could have been attacked, what attack was being performed and similar questions. Sometimes we can get these details from a Clean MX report or from a threat description by a researcher - or when we are lucky from a combination of online scan results and descriptions.

But NinjaFirewall also gives all the "gory" details at once as there is: type of threat, what was being targeted, where it was being targeted, what vulnerability or exploit was being abused, the malware domain that caused the threat, and the malware raw code.
Example: http://ninjafirewall.com/malware/index.php?threat=2014-12-18.01 and now combine with info here: https://www.mywot.com/en/scorecard/clickevents.com.my?utm_source=addon&utm_content=popup and here:
https://wordpress.org/support/topic/gwt-malware-warning-for-my-website-and-defaced
When we let this info all sink in we'll see we are being confronted with a flaw of the SoakSoak malware just by googling on "collect.js malware". Whenever we see "collect.js malware" a little lightbulb flash goes off at the back of our head and we will
mumble "Oh, SEO related malcode!".
Another lesson learned another threat recognized.  ;D
NinjaFirewall has a free offshoot for WP PHP as a stand-alone plug-in, worth recommending to people that are curious and have similar interests to little old me,  ;)

polonus (volunteer website security analyst and website error-hunter)

Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on February 24, 2015, 01:57:04 PM
Time to return to the dramatically bad situation where security headers are concerned.
One important example from the Hall of Shame: https://www.microsoft.com
See: https://www.uploady.com/download/gN0Vfam8FKU/F9RytmG59o8~34EA
and https://www.uploady.com/download/GbzM~734U3J/7WSvra~jOTelppAr
X-Frame Options - missing
Provides clickjacking protection by instructing browsers that this page should not be placed within a frame. Possible values are: deny - no rendering within a frame, sameorigin - no rendering if origin mismatch, and allow-from: - allow rendering if framing page is within the specified URI domain. Allow from is supported by IE and Firefox, but not Chrome or Safari. It will also interfere with In Page Google Analytics since it requires your page to be framed by Google.
Strict-Transport-Security missing
HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server. This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against Man-in-the-middle attacks. HSTS also disables the ability for users to ignore SSL negotiation warnings.
X-Content-Type-Options - missing (use 'nosniff')
The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome when downloading extensions. This reduces exposure to drive-by download attacks and sites serving user uploaded content that by clever naming could be treated by MSIE as executable or dynamic HTML files.
Warning on Content-Type
Instructs the browser to interpret the page as a specific content type rather than relying on the browser to make assumptions.
X-XSS-Protection - missing (use '1; mode=block')
This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. Typically this is enabled by default, but if it was disabled by the user this header will force the filter to be active for this particular website. This header is supported in IE 8+.
Warning on Set-Cookie: MS-CV=Rzov4KmjtEO7jS...12:43:49 GMT; path=/ - add 'secure; httponly;'
The secure flag on cookies instructs the browser to only submit the cookie as part of requests over secure (HTTPS) connections. This prevents the cookie from being observed as plain text in transit over the network.
The HttpOnly flag instructs the browser that this cookie can only be accessed when sending an HTTP request. This prevents scripts running as part of a page from retrieving the value and is a defense against XSS attacks.
Cache-control has warning.
Data returned in web responses can be cached by user's browsers as well as by intermediate proxies. This directive instructs them not to retain the page content in order to prevent others from accessing sensitive content from these caches.
Two missing headers on caching: Data returned in web responses can be cached by user's browsers as well as by intermediate proxies. This directive instructs them not to retain the page content in order to prevent others from accessing sensitive content from these caches.
Content-Security-Policy missing: Content Security Policy requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections. (https://www.owasp.org/index.php/Content_Security_Policy). Content-Security-Policy is recognized in Chrome 25+ and Firefox 23+
Additionally 4 warnings here: https://asafaweb.com/Scan?Url=https%3A%2F%2Fwww.microsoft.com
The excessive header info proliferation is one of the protection schemes everybody should know about, you do not want any script kiddie to know your full server version number info.

What I find here, my dear forums friends, is beyond belief really. What security does MS uphold? I trust no one, unless I test,
and this is just one big EPIC FAIL: and what about all those poor coders that have to write code to bring their recent page to IE 6,7.

polonus
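The checklist in the post above (X-Frame-Options, HSTS, nosniff, the legacy XSS filter header, CSP, cookie flags, Cache-Control and version disclosure) can be run locally against a saved response head. This is an added example for the thread, not code from the post or from the asafaweb scanner it links; both responses below are constructed samples, not captures from microsoft.com, and the six-month HSTS threshold is an assumption of the example.

```python
"""Audit a raw HTTP response head for the security headers the post lists.

Added example; not code from the post or from asafaweb/securityheaders.com.
WEAK_RESPONSE and HARDENED_RESPONSE are constructed, not real captures."""
import re

SIX_MONTHS = 180 * 24 * 3600   # assumed minimum HSTS max-age for this example


def parse_headers(raw):
    """Return (status_line, [(lower_name, value), ...]) from a raw response head."""
    head = re.split(r"\r?\n\r?\n", raw.strip(), maxsplit=1)[0]
    lines = head.splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip():
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    _, headers = parse_headers(raw)
    get = lambda name: [v for k, v in headers if k == name]
    findings = []

    xfo = get("x-frame-options")
    if not xfo:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif (xfo[0].split() or [""])[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options not DENY/SAMEORIGIN (ALLOW-FROM is not honoured by Chrome or Safari): {xfo[0]}")

    hsts = get("strict-transport-security")
    max_age = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
    if not hsts:
        findings.append("Strict-Transport-Security missing: HTTPS is not enforced")
    elif not max_age or int(max_age.group(1)) < SIX_MONTHS:
        findings.append("Strict-Transport-Security max-age shorter than six months")

    if "nosniff" not in " ".join(get("x-content-type-options")).lower():
        findings.append("X-Content-Type-Options missing: set 'nosniff'")

    # Legacy header from the 2015 checklist; current Chrome and Edge no longer
    # ship an XSS auditor, so Content-Security-Policy is the control that matters.
    xss = get("x-xss-protection")
    if not xss or not xss[0].startswith("1"):
        findings.append("X-XSS-Protection missing or disabled: set '1; mode=block'")

    if not get("content-security-policy"):
        findings.append("Content-Security-Policy missing")

    for cookie in get("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append(f"Set-Cookie {name}: add {'; '.join(missing)}")

    if "no-store" not in " ".join(get("cache-control")).lower():
        findings.append("Cache-Control lacks no-store: browsers and proxies may keep the page")

    for name in ("server", "x-powered-by", "x-aspnet-version"):
        for value in get(name):
            if re.search(r"\d+\.\d+", value):
                findings.append(f"{name} discloses a version: {value}")
    return findings


# Constructed sample: a response missing every header from the checklist.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SESSID=constructed-sample-value; expires=Fri, 01 Jan 2016 12:43:49 GMT; path=/\r\n"
    "Cache-Control: private\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same response with the recommended headers added.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Set-Cookie: SESSID=constructed-sample-value; Path=/; Secure; HttpOnly\r\n"
    "Cache-Control: no-store, no-cache\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw) or "no findings")
```

Feed it the head of a `curl -sI` output, or a response saved from the browser's network panel, and compare the finding list with what the online scanners report; the version-disclosure check covers the "full server version number" point at the end of the post.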
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on February 24, 2015, 02:30:06 PM
Here the situation is not much better: https://securityheaders.com/test-http-headers.php
What These Numbers Mean
Quote
We detected 2 Happy Findings on microsoft.com. According to the data we have gathered microsoft.com scores worse than approximately 50% of sites out there. The good news is that adding many of our HTTP header recommendations for security take very little time to implement and have a big impact!
quote from SHODAN.
But that may have fallen on deaf ears with the MS coders?

polonus

Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on March 02, 2015, 07:36:22 PM
Tracking the trackers - nice to be used against ghostery and http switchboard extensions.
Go here: https://tools.digitalmethods.net/beta/trackerTracker/
Give in for example: https://plus.google.com/u/0/_/n/gcosuc
Results ntok=APfa0bpLV_DUrqCeO917WArh_zsnBp57wzFI67I7aw5QOWGaHfBGpm9lOUVMto9rzPAyGr1Yv-ZczxK3tE24GZgT-N_po0x_lA%3D%3D  raw data

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on March 02, 2015, 11:15:36 PM
Here we did a successful query for a malware tracking result:
Process log
Retrieving: wXw.adayg.com/tj.js
Matching..
Retrieving: htXp://adayg.com/index.html
Matching..
Retrieving: htXp://www.zjhbot.com/fengshou/index.html
Matching..
Collating results
Results - first result was delivering object!
url   scheme   host   path   type   query   aid   cid   date   patterns   objects   name   affilition
htxp://adayg.com/index.html   htxp   adayg.com   /index.html   analytics      1184   2081   2015-03-02 23:05:40   \.51\.la   htxp://js.users.51.la/17431151.js   51.La   
wXw.adayg.com/tj.js         wXw.adayg.com/tj.js   n/a            2015-03-02 23:05:52            
htxp://www.zjhbot.com/fengshou/index.html   htxp   wXw.zjhbot.com   /fengshou/index.html   n/a

Damian
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on March 03, 2015, 06:24:19 PM
What the tracker tracker gave here: http://szybki.fakt.pl
url   scheme   host   path   type   query   aid   cid   date   patterns   objects   name   affilition
http://szybki.fakt.pl   http   szybki.fakt.pl      analytics      13   81   2015-03-03 18:19:47   google-analytics\.com\/(analytics\.js|urchin\.js|ga_exp\.js|ga\.js|u\/ga_debug\.js|u\/ga_beta\.js|u\/ga\.js|cx\/api\.js|collect)   http://www.google-analytics.com/ga.js   Google Analytics   
http://szybki.fakt.pl   http   szybki.fakt.pl      analytics      13   81   2015-03-03 18:19:47   \/?__utm\.   http://www.google-analytics.com/r/__utm.gif?utmwv=5.6.3&utms=1&utmn=360433009&utmhn=www.fakt.pl&utme=8(4!variant)9(4!Fakt%20reactivation)&utmcs=UTF-8&utmsr=1024x768&utmvp=400x300&utmsc=32-bit&utmul=en-us&utmje=0&utmfl=-&utmdt=Gwiazdy%2C%20Wydarzenia%2C%20Filmy%2C%20Sport%20-%20Fakt.pl&utmhid=1904198816&utmr=-&utmp=%2F&utmht=1425403101138&utmac=UA-4033697-1&utmcc=__utma%3D158728749.1147822484.1425403101.1425403101.1425403101.1%3B%2B__utmz%3D158728749.1425403101.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=1416442177&utmredir=1&utmu=qSAAAAAAAAAAAAAAAAAAAAAE~   Google Analytics   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      37   443   2015-03-03 18:19:47   (\.googlesyndication\.com\/simgad\/|\.googlesyndication\.com\/pagead\/|partner\.googleadservices\.com\/gampad\/)   http://pagead2.googlesyndication.com/pagead/show_ads.js   Google Adsense   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      41   257   2015-03-03 18:19:47   (\.doubleclick\.net|g\.doubleclick\.net)   http://googleads.g.doubleclick.net/pagead/viewthroughconversion/972452827/?value=0&label=AT7fCI3luQIQ2-fZzwM&guid=ON&script=0   DoubleClick   
http://szybki.fakt.pl   http   szybki.fakt.pl      widget      93   66   2015-03-03 18:19:47   (facebook\.com\/connect|facebook\.com\/v2\.0\/connect)   http://static.ak.facebook.com/connect/xd_arbiter/rFG58m7xAig.js?version=41#channel=f273b4f26c&origin=http%3A%2F%2Fwww.fakt.pl   Facebook Connect   
http://szybki.fakt.pl   http   szybki.fakt.pl      widget      93   66   2015-03-03 18:19:47   connect\.facebook\.net   http://connect.facebook.net/pl_PL/sdk.js   Facebook Connect   
http://szybki.fakt.pl   http   szybki.fakt.pl      analytics      313   381   2015-03-03 18:19:47   \.hit\.gemius\.pl   http://onet.hit.gemius.pl/fpdata.js?href=www.fakt.pl   Gemius   
http://szybki.fakt.pl   http   szybki.fakt.pl      analytics      313   381   2015-03-03 18:19:47   \/?xgemius\.js   http://ocdn.eu/static/mastt/xgemius.js   Gemius   
http://szybki.fakt.pl   http   szybki.fakt.pl      widget      464   2806   2015-03-03 18:19:47   facebook\.com\/(v2\.0\/)?(plugins|widgets)\/.*\.php   http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.facebook.com%2Ffaktpl&locale=pl_PL&send=false&layout=button_count&width=130&show_faces=false&action=like&colorscheme=light&font=arial&height=21&appId=260859193942272   Facebook Social Plugins   
http://szybki.fakt.pl   http   szybki.fakt.pl      widget      605   174   2015-03-03 18:19:47   platform\.twitter\.com\/widgets   http://platform.twitter.com/widgets.js   Twitter Button   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      609   457   2015-03-03 18:19:47   (\.adform\.net|\.adformdsp\.net)   http://track.adform.net/adfserve/?bn=5643036;srctype=4;ord=%5Btimestamp%5D   Adform   
http://szybki.fakt.pl   http   szybki.fakt.pl      widget      615   2382   2015-03-03 18:19:47   (\.google\.com\/buzz\/api\/button\.js|apis\.google\.com\/js\/plusone\.js|apis\.google\.com\/js\/platform\.js)   https://apis.google.com/js/platform.js   Google+ Platform   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      642   677   2015-03-03 18:19:47   atemda\.com   http://p73.atemda.com/impressionlink.ashx?cipl=l9LafwOETCTkFe0sbgrKMsxZaQ%2fj0%2bVg%2b2lbgaAE5jYcaVav6E5Jxymu520mDjJtdkPOh4lAcfCSxDhPv34RdH5RiT4mXw58D02AMfd%2fXTI%3d&etp=RASP_FAKT-top&cb=403178055   AdMeta   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      2160   355   2015-03-03 18:19:47   googleads\.g\.doubleclick\.net\/pagead\/viewthroughconversion   http://googleads.g.doubleclick.net/pagead/viewthroughconversion/972452827/?value=0&label=AT7fCI3luQIQ2-fZzwM&guid=ON&script=0   Google Dynamic Remarketing   
http://szybki.fakt.pl   http   szybki.fakt.pl      analytics      13   81   2015-03-03 18:19:47   google-analytics\.com   http://www.google-analytics.com/ga.js   Google Analytics   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      37   443   2015-03-03 18:19:47   (googlesyndication\.com|googleadservices\.com|2mdn\.net)   http://pagead2.googlesyndication.com/pagead/show_ads.js   Google Adsense   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      41   257   2015-03-03 18:19:47   doubleclick\.net   http://googleads.g.doubleclick.net/pagead/viewthroughconversion/972452827/?value=0&label=AT7fCI3luQIQ2-fZzwM&guid=ON&script=0   DoubleClick   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      609   457   2015-03-03 18:19:47   adform\.net   http://track.adform.net/adfserve/?bn=5643036;srctype=4;ord=%5Btimestamp%5D   Adform   
http://szybki.fakt.pl   http   szybki.fakt.pl      analytics      313   381   2015-03-03 18:19:47   \.gemius\.pl   http://onet.hit.gemius.pl/fpdata.js?href=www.fakt.pl   Gemius   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      642   677   2015-03-03 18:19:47   \.atemda\.com

Interesting tracking facts.

polonus
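The "patterns" column of the two tracker tracker reports above is what the tool actually matches against the resources a page loads. As an added example for this thread (not code from the posts or from the Digital Methods Tracker Tracker), the block below reuses a handful of those regexes, pulls script/img/iframe/link URLs out of a page, separates first-party from third-party resources and tags each third-party one with a tracker type and name. The HTML page is a constructed sample; the tracker URLs in it are ones that appear in the reports above.

```python
"""Classify a page's third-party resources against tracker signatures.

Added example; not code from the post or from the Tracker Tracker tool.
The regexes are copied from the "patterns" column of the post's results;
SAMPLE_HTML is a constructed page, not a crawl of any real site."""
import re

TRACKER_PATTERNS = [
    ("analytics", "Google Analytics",
     r"google-analytics\.com\/(analytics\.js|urchin\.js|ga_exp\.js|ga\.js|u\/ga_debug\.js|u\/ga_beta\.js|u\/ga\.js|cx\/api\.js|collect)"),
    ("ad", "Google Adsense",
     r"(\.googlesyndication\.com\/simgad\/|\.googlesyndication\.com\/pagead\/|partner\.googleadservices\.com\/gampad\/)"),
    ("ad", "DoubleClick", r"(\.doubleclick\.net|g\.doubleclick\.net)"),
    ("ad", "Adform", r"(\.adform\.net|\.adformdsp\.net)"),
    ("widget", "Facebook Connect", r"connect\.facebook\.net"),
    ("widget", "Twitter Button", r"platform\.twitter\.com\/widgets"),
    ("analytics", "Gemius", r"\.hit\.gemius\.pl"),
    ("analytics", "51.La", r"\.51\.la"),
]
COMPILED = [(kind, name, re.compile(pattern, re.I)) for kind, name, pattern in TRACKER_PATTERNS]

# src/href of the tags that pull in remote resources.
RESOURCE_RE = re.compile(r'''<(?:script|img|iframe|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)''', re.I)


def extract_resources(html):
    """Return the src/href URLs of script, img, iframe and link tags, in document order."""
    urls = []
    for url in RESOURCE_RE.findall(html):
        if url.startswith("//"):          # protocol-relative -> assume https for matching
            url = "https:" + url
        urls.append(url)
    return urls


def classify(url):
    """Return (type, name) for the first matching signature, or None if unknown."""
    for kind, name, rx in COMPILED:
        if rx.search(url):
            return kind, name
    return None


def tracker_report(html, page_host):
    """[(url, classification)] for every third-party resource; first-party URLs are skipped."""
    report = []
    for url in extract_resources(html):
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if not host or host == page_host or host.endswith("." + page_host):
            continue                      # relative URL or the site's own host
        report.append((url, classify(url)))
    return report


def summarize(report):
    """Count third-party resources per tracker type; unknown ones are 'unclassified'."""
    counts = {}
    for _, hit in report:
        key = hit[0] if hit else "unclassified"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample page for example.test; tracker URLs are taken from the post's tables.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="//connect.facebook.net/pl_PL/sdk.js"></script>
<script src="http://js.users.51.la/17431151.js"></script>
<script src="https://unknown-cdn.test/x.js"></script>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
</head><body>
<img src="http://googleads.g.doubleclick.net/pagead/viewthroughconversion/972452827/?value=0&guid=ON&script=0">
</body></html>
"""

if __name__ == "__main__":
    rep = tracker_report(SAMPLE_HTML, "example.test")
    for url, hit in rep:
        print(hit or "unclassified", url)
    print(summarize(rep))
```

Running it on a saved page gives the same kind of table as the tool, and the "unclassified" bucket is where new trackers show up before anyone has written a signature for them.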
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on March 04, 2015, 01:23:13 PM
Para-Noid says users have to learn to look before they leap - always, and he is right. I wondered why certain https-everywhere re-writes will create undreamt of possibilities for devious user tracking.
Read through this posting first: https://forum.avast.com/index.php?topic=167274.0 and see the added attached report of what tracking goes on on that Dutch zimbra webmail website.
Para-Noid asked me to post a heads-up on this insecurity here. And so I did.
I had to combine some of my insights and do some research to be aware of such threats. I remember our forum member, DavidR, always warning about the risks involved with the https-only scheme. I then stumbled on the re-writes from HTTPS Everywhere's Atlas to make http pages fit https-only and combined the URIs I found in the re-writes with the results of the tracking the trackers tool. And then it dawned upon me. There are additional risk factors with all the recent weaknesses found in the SSL protocol and encryption - Poodle and Freak and so on.
Let us proceed with an example here. Combine the info from: https://www.eff.org/https-everywhere/atlas/domains/  with results here: https://tools.digitalmethods.net/beta/trackerTracker/
See the attached results. So be aware of trackers where you least expect them.

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on March 04, 2015, 06:20:26 PM
What added tracking the trackers scan results brought on various script versions and according vulnerabilities (version info) and other CMS weaknesses and eventual abuse: https://forum.avast.com/index.php?topic=167317.msg1190378#msg1190378

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: Para-Noid on March 04, 2015, 06:51:39 PM
There is definitely a need for anti-tracking add-ons like Ghostery and ad blockers such as AdBlock Edge in Firefox or uBlock in Chrome.
Many people use NoScript in Firefox or ScriptNo in Chrome. Using link scanners such as "Scan URL with" (Firefox) before clicking is also wise. Check then click.

It's all about security.
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on March 04, 2015, 06:54:06 PM
Do not forget Avast Online Security!

pol
Title: Re: Musings about my volunteer website security scan experiences....
Post by: bob3160 on March 05, 2015, 11:16:36 PM
Quote from: polonus on March 04, 2015, 06:54:06 PM
Do not forget Avast Online Security!

pol
;) ;D ;)
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on March 06, 2015, 03:34:21 PM
Read about your browser fingerprinting: http://akademie.dw.de/digitalsafety/your-browsers-fingerprints-and-how-to-reduce-them/
You might have seen my tracker tracker scan reports recently, I also have some extensions in Google Chrome to warn me there: HTTP Switchboard, SPOF-O-Matic, Ghostery, Disconnect, canvasFingerPrintBlock, StopFingerprinting, uBlock, and naturally AVAST! Online Security. It is always handy to have script blocking like NoScript and RequestPolicy in firefox, and ScriptSafe and HTTP Switchboard in Google Chrome.
For instance a script like <script type="text/javascript" src="//tags.bkrtx.com/js/bk-coretag.js"> could be a possible Frontend SPOF - and moreover it is a pop-up virus - you do not want to connect to it with your browser.
Read: http://blog.qisupport.com/tags-bkrtx-com-bk-coretag-js-pop-virus-removal-steps/

As I said before on these forums a decent adblocker like uBlock for instance (or for conventionalists ABP) is a must also to keep all sorts of website malcode at bay. What you aren't able to click, cannot infest you, right?

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on March 08, 2015, 01:26:05 AM
This Dutch news site has no known trackers identified by Netcraft: http://toolbar.netcraft.com/site_report/?url=Nu.nl
But it does do tracking on ads, analytics and also checks on opt outs for webbeacons.
Possible front-end SPOF 95% -> htxp://cts.snmmd.nl/service/js/nunl/home/
Script blocker blocks - service.nu.nl
The web beacons are to be avoided: https://www.mywot.com/en/scorecard/beacon.krxd.net

See my track tracker report results - do not open links given there inside a browser -
data just for security and track blocking research purposes

pol
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on March 09, 2015, 05:44:39 PM
Some SSL online scan links: https://www.bluessl.com/en/ssltest
https://ssl.trustwave.com/support/support-certificate-analyzer.php?address=
https://www.whynopadlock.com/
https://certlogik.com/ssl-checker/
https://www.poodlescan.com/
https://www.wormly.com/test_ssl
http://geekflare.com/ssl-test-certificate/
https://www.jitbit.com/sslcheck/
https://www.digicert.com/help/
https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
https://www.ssllabs.com/

enjoy,

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: bob3160 on March 09, 2015, 07:53:24 PM
I'll let Avast do the scanning for me. :)
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on March 09, 2015, 11:00:52 PM
Hi bob3160,

I also let avast do the resident av scanning and also use Avast protection inside the browser with Avast Online Security. ;D
But the additional ssl scanners are just to check for specific issues when you do "third party cold reconnaissance scanning" of (potential) suspicious or malicious websites like I do. That is not a "hobby" for everyone, but there are some connoisseurs here on the forums who are into this as well, like my good forum friends Pondus, mchain, Eddy and many many more. All with one aim only to enhance and improve avast detection. And that is why and for whom I give these links. Just like to mention the efforts of our forum friend Oliver in the "virus and worms" to find detection for examples of an evolving threat just lately performed through rogue windows uninstall executables, executables that were malware re-engineered by highly dangerous malcreants or should I say savvy cybercriminals.
We must be glad we have such security research students amidst us that give their best for the protection of all of our userbase and beyond.

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on March 09, 2015, 11:16:23 PM
I hope the following site is being blocked by an extension for you: htxps://banner.easyspace.com/
No valid host name: Valid Host Names      Not matched   *-.iomart.com
-iomart.com - Extended Validation (EV) Not Installed
SSL certificate is using SHA-1 algorithm that expires after 2015. You should re-issue your SSL certificate as SHA-2 to avoid padlock warning in Chrome - ERROR: The secure URL you submitted was redirected to:
htxp://banner.easyspace.com/ - website: banner.easyspace.com is not listed in the certificate.
Done. Total pages crawled: 1
No issues found

Pages failed to crawl (error returned from the server):
htxps://banner.easyspace.com/
htxps://banner.easyspace.com/

Update your certificate chain.
Your certificate chain is valid, but some older browsers may not recognize it. To support older browsers, download and install the missing intermediate certificate.

Transaction Protection
CNAME IS MISMATCH
SSL Issuer: RapidSSL CA
SSL Expires: 2016-12-30 21:03:34 UTC 

I get ERR_BLOCKED_BY_CLIENT

Funny that Avast Online Security gives this site as a safe website.
There are other issues reported here about their sneaky adware springboard ways: http://www.sitepoint.com/forums/showthread.php?53374-Easyspace-com-Scandalous

polonus
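The easyspace results above are four separate checks a certificate scanner runs: does the host name match the certificate's names (here a wildcard for another domain), is the signature SHA-1 on a certificate valid past 2015, when does it expire, and is the intermediate chain complete. As an added example for this thread, not code from the post or from any of the SSL scanners linked in it, the block below implements those checks over a summary dict of the fields a scanner extracts. The certificate dicts are constructed to resemble the report in the post, not real certificates, and the 30-day "expiring soon" window and the scan date are assumptions of the example.

```python
"""Certificate checks of the kind the post's SSL scanners report.

Added example; not code from the post or from bluessl, whynopadlock, ssllabs
and the others. The certificate summaries are constructed dicts, not parsed
certificates."""
from datetime import date, timedelta

SCAN_DATE = date(2015, 3, 9)   # assumed "today": the date of the post


def hostname_matches(host, names):
    """RFC 6125-style match: exact name, or a '*.' wildcard covering exactly one label."""
    host = host.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                                  # "*.iomart.com" -> ".iomart.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            # exactly one non-empty label, and no wildcard directly under a public suffix ("*.com")
            if label and "." not in label and suffix.count(".") >= 2:
                return True
    return False


def check_certificate(host, cert, today=SCAN_DATE):
    """Return (code, detail) findings for serving `cert` on `host` as of `today`."""
    findings = []
    names = cert.get("san") or [cert.get("subject_cn", "")]
    if not hostname_matches(host, names):
        findings.append(("hostname-mismatch",
                         f"{host} is not listed in the certificate ({', '.join(names)})"))
    # The 2015 rule from the post: SHA-1 signatures on certificates valid past 2015 draw browser warnings.
    if "sha1" in cert["signature_algorithm"].lower() and cert["not_after"] > date(2015, 12, 31):
        findings.append(("sha1-signature", "SHA-1 signed and valid past 2015: re-issue as SHA-2"))
    if cert["not_after"] < today:
        findings.append(("expired", f"expired on {cert['not_after']}"))
    elif cert["not_after"] - today < timedelta(days=30):
        findings.append(("expiring-soon", f"expires on {cert['not_after']}"))
    if not cert.get("chain_complete", True):
        findings.append(("incomplete-chain", "install the missing intermediate certificate"))
    return findings


def finding_codes(host, cert, today=SCAN_DATE):
    """Just the short codes, in check order."""
    return [code for code, _ in check_certificate(host, cert, today)]


# Constructed to resemble the post's report: wildcard for another domain, SHA-1, chain gap.
SAMPLE_CERT = {
    "subject_cn": "*.iomart.com",
    "san": ["*.iomart.com", "iomart.com"],
    "issuer": "RapidSSL CA",
    "signature_algorithm": "sha1WithRSAEncryption",
    "not_after": date(2016, 12, 30),
    "chain_complete": False,
}

# Constructed: what a correctly issued certificate for the same host would look like.
GOOD_CERT = {
    "subject_cn": "banner.easyspace.com",
    "san": ["banner.easyspace.com"],
    "issuer": "Example CA (constructed)",
    "signature_algorithm": "sha256WithRSAEncryption",
    "not_after": date(2016, 12, 30),
    "chain_complete": True,
}

if __name__ == "__main__":
    for code, detail in check_certificate("banner.easyspace.com", SAMPLE_CERT):
        print(f"{code}: {detail}")
    print("good cert:", check_certificate("banner.easyspace.com", GOOD_CERT) or "no findings")
```

The wildcard rule is the part people get wrong: `*.iomart.com` covers `www.iomart.com` but neither `iomart.com` itself nor `a.b.iomart.com`, and certainly not a host in another domain, which is exactly the mismatch the scanners flagged.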
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on March 10, 2015, 12:08:38 AM
Here you have them all, these malicious IPs, neatly sorted every 15 minutes:
http://www.e-fensive.net/malware.pests

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on March 15, 2015, 06:32:18 PM
Just established that WOT does canvas fingerprinting from their website: Prevented a script on htxps://www.mywot.com from capturing the following 32px × 32px canvas:
What tracking WOT does? Mainly ad tracking, see attached file.
Possible Frontend-SPOF from fonts.googleapis.com  twice.
Facebook Connect = Facebook Tracker and Google Analytics tracking is being blocked in the browser for me as is the canvas fingerprinting (fonts.googleapis.com).

pol

Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on March 15, 2015, 07:18:06 PM
See also http://www.cookiechecker.nl/check-cookies.php?url=https%3A%2F%2Fwww.mywot.com&cache=false
What you normally block via ScriptSafe, view: https://www.uploady.com/download/Bw68Kvl86Wc/XYwYZnUPZq52Gn76
See also on the wot.api -> http://xss.cx/2011/09/15/ghdb/dork-xss-reflected-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-apimywotcom.html
Cool cookiepedia: http://cookiepedia.co.uk/cookie/679473
Cookiesearch has: mywot.com
Jan 25, 2015
Name
SESSf6ce7e3db235723091e59a653e7d96f2
Domain
.mywot.com
Expires
Jan 25, 2016 at 12:23 PM
Value
sfe05b4tkpbf7sp2kp94h95765

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on March 15, 2015, 10:50:11 PM
Canvas Fingerprinting can be stopped by blocking script, test: https://www.browserleaks.com/canvas

So ScriptSafe in Chrome or NoScript in firefox is a good canvas fingerprint blocker as well.
Sites with canvas fingerprinting: https://securehomes.esat.kuleuven.be/~gacar/persistent/canvas_urls.html

Extension that blocks fingerprinting and canvas fingerprinting in Google Chrome: https://chrome.google.com/webstore/detail/stopfingerprinting/kfhlgmfkolojpnmhgggilmillpcokmnb

https://chrome.google.com/webstore/detail/canvasfingerprintblock/ipmjngkmngdcdpmgmiebdmfbkcecdndc

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on March 19, 2015, 03:13:39 PM
Another list of blacklisted IPs: http://www.infiltrated.net/blacklisted
Take for instance this 95.79.14.131
-> a badbot: https://www.blocklist.de/fr/search.html?as=42682&page=16
forum spam: http://www.liveipmap.com/95.79.14.131
various abuse: https://www.projecthoneypot.org/ip_95.79.14.131
Extended spam activity report: https://cleantalk.org/blacklists/95.79.14.131
and naturally reported here: http://www.stopforumspam.com/ipcheck/95.79.14.131

pol
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on April 30, 2015, 06:30:11 PM
My scan routines took me to various issues, which I mention below; first a short IP scanner list.

Various IP scan links: Detected: http://www.ipvoid.com/scan/202.137.230.220/
See: http://aliveproxies.com/ipproxy/proxyserver-403275/
See complaints: http://www.liveipmap.com/
See: https://cleantalk.org/blacklists/
See: http://botscout.com/ipcheck.htm?ip=
See: https://www.stopforumspam.com/ipcheck/
See: http://botnet-tracker.blogspot.nl/
See: http://www.reputationauthority.org/lookup.php?ip= &Submit.x=14&Submit.y=3&Submit=Search
See: http://liveipmap.com/
Mail and content-spammer: https://www.projecthoneypot.org/ip_
See: https://www.blockedservers.com/blocked/ipv4/

Sucuri scans do not always state that PHP software is outdated; we should check ourselves.
Grey area malware -> https://forum.avast.com/index.php?topic=170314.0
added the blocklist to adblocker - daily updates provided.
Directory indexing enabled - gross insecurity for CMS! example -> wp-content/uploads/enabled

Certificate trust issues: example - https://forum.avast.com/index.php?topic=170272.0

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on May 01, 2015, 01:24:03 PM
Mozilla will deprecate NON-Secure-HTTP to work towards HTTPS.
But what about HTTPS and Insecure Sources, wrong implementation, etc. etc.
First ensure HTTPS is really secure, then get away from HTTP.
Lots of sites have HTTPS encryption, while communication is not encrypted.
Re: https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: Para-Noid on May 01, 2015, 04:17:32 PM
The main problem with some, not all, HTTPS sites is that often times their so-called login screen(s) are not really secure.
I saw an article about this somewhere, now I can't find it.  ???
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on May 01, 2015, 07:01:50 PM
You didn't mean this article with the POC script: http://www.stealmylogin.com/
Here we enter the First Law of Security: Technology is not a panacea, and TLS/SSL alone can't answer the issues.

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on May 02, 2015, 12:45:44 AM
Interesting website defacement analysis examples that could be instructive: http://izumino.jp/Security/def_jp.html
See this one: http://izumino.jp/Security/analyze/22768201.html
Compare here: http://killmalware.com/mastergoji.com/#
And here: http://izumino.jp/Security/analyze/24156183.html  see also: http://zrmidia.com.br/v2/shortcodes/
Header and Content matches given. -> http://izumino.jp/Security/analyze/24130080.html

VT results normally do not flag non-malicious defacements. Killmalware has many detections.
Sometimes Quttera flags where Sucuri does not and v.v.

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on May 04, 2015, 02:12:49 PM
Now I'm gonna give you some information I have acquired online,
see for instance: http://code.tutsplus.com/tutorials/8-regular-expressions-you-should-know--net-6149
(link article author = Vasili).
pattern: /^<([a-z]+)([^<]+)*(?:>(.*)<\/\1>|\s+\/>)$/
Regular expression to detect tags: /((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix
((\%3C)|<) will check for the opening angle bracket or its hex equivalent ('3C')
((\%2F)|\/)* the forward slash for a closing tag, or its hex equivalent ('2F')
[a-z0-9\%]+ checks for an alphanumeric string inside the tag, or hex representations thereof
(hence the additional percent character). Read: http://stackoverflow.com/questions/28449927/a-z0-9-regexp-matching-square-brackets (posting source: BeNdEr)
Regular expression for username: http://stackoverflow.com/questions/18562664/regular-expression-for-username-with-a-z0-9-3-20 and one could use this: /^[a-z][a-z0-9_-]{2,19}$/i (info source: Casimir et Hippolyte)
((\%3E)|>) checks for the closing angle bracket or its hex equivalent ('3E') ->
http://stackoverflow.com/questions/10095039/are-the-angle-brackets-or-special-in-a-regular-expression
(info source: Casimir et Hippolyte)
Modifiers 'i' and 'x' (at the end of the regex, after the closing '/') are used to match without case sensitivity and to ignore white space respectively. All XML/HTML tags should be so checked.
But remember the method is FP prone!

Background Reading Regular Expressions Cookbook by Jan Goyvaerts  (Author), Steven Levithan (Author)

Firewalls cannot block web application attacks. Preventive WAF rules aren't always possible. On the HTTP protocol it is easy to steal and spoof identity. We could analyze log files from web servers. A NID may not work on HTTPS. No NID available: another zone of attack.
NIDs work on the TCP/IP level and are ineffective on the HTTP layer. IDS evasion techniques can be used (HTTP encoding, fragmenting).

Forms of attacks on web applications:
Bots are being used. Google search tool based flaws are being exploited. Directed attacks: phpBB, Mambo, AWStats are known targets.

will be continued,

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on May 04, 2015, 02:49:42 PM
Continued....

Malicious File Execution
CSRF
XSS (cross site scripting): the favorite and most common application layer hacking technique.
host = the fully qualified domain name of the client, or its IP address
ident = if the identity check is enabled and the client machine runs identd, this is the identity information
authuser = basic HTTP authentication, user name = value of token
date = date and time of the request
status = HTTP status code
bytes = size of the object returned, excluding all HTTP headers.

The server gives the result status: HTTP/1.x 200 OK, timestamp, identifier of the server: Apache, Content-type: text/html, charset = ISO-8859-/ (MIME formatted info); then the document is sent (DOCTYPE etc.).

HTTP Evasion techniques:
where? in request URI portion
           at the HTTP protocol
           other parts of HTTP header
           HTTP body
types? obfuscation-techniques
           inserting additional characters to deceive IDS
           evasion against URL and URL parameter
form    multiple slashes
           traversal attacks
           and infinite combinations      // .  / /.//.

Normalisation
            URL encoding
            Null byte string termination
            Self referencing path /./ and encoded equivalent.
            Path back references /../  and encoded equivalents
            mixed case
            common removal
            conversions of backslash -> forward slash character
            conversion of IIS-specific Unicode encoding (%uXXYY)
            decode HTML entities
Code:
function decodeHTMLEntities(text) {
    // the named entities this helper knows about, with their replacements
    var entities = [
        ['apos', '\''],
        ['amp', '&'],
        ['lt', '<'],
        ['gt', '>']
    ];

    // replace every occurrence of each &name; with its character
    for (var i = 0, max = entities.length; i < max; ++i)
        text = text.replace(new RegExp('&'+entities[i][0]+';', 'g'), entities[i][1]);

    return text;
}
(source: William Lahti)
Regular expression matching HTML entities:
    var entity = /&(?:#x[a-f0-9]+|#[0-9]+|[a-z0-9]+);?/ig;

polonus
           
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on May 04, 2015, 03:51:24 PM
continued......
hex encoding & UTF-8 Unicode encoding are the RFC standard for the request URI,
using % to escape one encoded byte:
%43 = 'C'

. GET / under html HTTP/1.1 encodes
. GET ?%69/.6E%6%65%78%.2E%68%74%6D56C HTTP/1.1
-> https://wordpress.org/support/topic/get-your-security-holes-fixed-damn-it
(link article author = spencerp)

Web applications run on the OS / layer 7, the so-called application layer.
Application layer adware detection and relevant traffic detection.

Diagram (flattened from the original layout): Web Client -> layer 3/4 FW (FW logs) -> NIDS -> WSFW / WAF (WAF logs) -> Web Application (WA logs) -> SQL / DB

The layer 3/4 FW: OSI layer 3 = network layer, layer 4 = transport layer.

TCP/UDP/ICMP/protocol related and corresponding ports.

FW can detect anomalies in protocol traffic - does not detect DATACHECK, HTTP data, network and transport data.

Other layers higher up are not being detected.
Web Application FWs work on OSI layer 7 (application layer) HTTP(S) and SOAP.

Do: detailed request analysis, rules for allowing POST/PUSH, OPTIONS, etc.,
limits in file transfer size, URL parameter argument length, policy rule execution, request rule blocks.

Web applications have a framework: PHP, ASP, J2EE.

Best practice is to perform input/output validation - malformed and malicious input should be detected and logged.

Detect abuse/misuse/fraud and give a reconstruction of user input
(view logged requests with the Request Maker extension in Google Chrome).

will be continued....

polonus
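The normalisation steps listed in the two posts above (URL decoding, null byte termination, /./ and /../ resolution, mixed case, backslash to forward slash, the IIS-specific %uXXYY encoding, HTML entity decoding) and the hex-encoded request line, worked through as an added Python example; this is not code from the posts, and the request paths are constructed.

```python
import html
import re
from urllib.parse import unquote

# IIS-specific %uXXYY encoding (the "IIS-specific Unicode encoding" step).
IIS_UNICODE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_iis_unicode(path: str) -> str:
    """Replace every %uXXYY sequence with the character it encodes."""
    return IIS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), path)


def normalise_path(path: str) -> str:
    """Reduce the many encodings of one request path to a single canonical
    form, so that a rule written against the canonical form also catches the
    obfuscated variants (multiple slashes, /./, /../, %2e, %uXXYY, ...)."""
    p = decode_iis_unicode(path)

    # URL decoding, repeated, so that double encoding (%252e -> %2e -> .)
    # is undone too; stop as soon as a pass changes nothing.
    for _ in range(3):
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded

    # HTML entities (&lt; &#x2F; ...), the decodeHTMLEntities idea.
    p = html.unescape(p)

    # Backslash -> forward slash.
    p = p.replace("\\", "/")

    # Null byte string termination: a C-style parser stops at the first NUL,
    # so whatever follows it (e.g. a fake ".jpg" extension) never counts.
    p = p.split("\x00", 1)[0]

    # Multiple slashes, self references (/./) and back references (/../).
    segments = []
    for seg in p.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    p = "/" + "/".join(segments)

    # Mixed case.
    return p.lower()


# Constructed request paths, each exercising one or more of the steps.
SAMPLES = [
    "/%69%6E%64%65%78%2E%68%74%6D%6C",              # hex-encoded "index.html"
    "/%u0069ndex.HTML",                             # IIS %uXXYY plus mixed case
    "/static//./%2e%2e/ADMIN%5Cconfig.php%00.jpg",  # slashes, /../, backslash, NUL
    "/search&#x2F;..&#x2F;login",                   # HTML-entity-encoded slashes
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw!r:50} -> {normalise_path(raw)!r}")
```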
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on May 06, 2015, 04:23:33 PM
Online regular expression tester: http://www.freeformatter.com/regex-tester.html
Tested against ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
as a regular expression to check on the validity of a particular URL. Entry tested: 184.149.5.45
Result: "Fully matches the source string!".

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on May 07, 2015, 05:29:33 PM
continued...

There are two detection methods: rule-based with static rules and anomaly-based with dynamic rules.
Rule-based: for pre-known values, e.g. certain input characters and a limit on the amount of transfer.
Sub-methods for positive security and negative security. The negative model is known as blacklisting; it is easily implemented and less FP-prone. It can be used for known attacks (string, behavior).
The positive model is deny-all: a policy of allowed traffic, a whitelist; could be banned, manually defined, only legit traffic; FPs will improve the whitelisting; a FW will work in this way.

Anomaly-based: the rules are established through a learning phase, through verified clean traffic; all that does not fit the ruleset here is flagged!

XSS flaw detection - Cross-Site Scripting.
Embedding script tags in URLs/HTTP requests, enticing unaware users to click on them, so that malicious JavaScript is executed on the victim's machine (client), through lack of input/output validation by the server to reject active code/JavaScript/code characters.

List of possible HTML tags/script inclusions:
javascript, vbscript, expression, applet, meta, xml, blink, link, style, script, embed, object, iframe, frame, frameset, ilayer, layer, title, base.

The regex to detect keywords goes like /(javascript|vbscript|expression|applet|script|embed|object|iframe|frame|frameset)/i

but XSS can be hidden inside a JavaScript code part as an infection; it is just inserted JS code!

Code injection flaws could be in any type of code: SQL, LDAP, XPath, XSLT, HTML, OS commands.

will be continued....

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on May 13, 2015, 05:59:29 PM
..continued...

SQL injections should jump out of the original SQL statement.
Methods: use of the single quote (')
         use of the double dash (--)
(') delimiter for a SQL query.
(--) comment character in Oracle/MS SQL.

/(\%27)|(\')|(\-\-)|(#)|(\%23)/ix
(\')|(\%27) the single quote and its URL-encoded equivalent.
(\-\-) the double dash
(#)|(\%23) the pound sign and its URL-encoded equivalent.

So detect the hex equivalent of the single quote (') or the quote itself, or the presence of -- at the beginning of a comment, so that the rest that follows is ignored.

MS SQL Server should watch out for # or its hex equivalent.

The hex equivalent of -- does not count because it is not an HTML meta character, so %2D fails.

will be continued...

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on May 24, 2015, 02:47:42 PM
Hi folks,

Aren't we landing from an insecure http landscape into an enforced insecure https landscape via https everywhere?
That is the question.
Isn't logjam and its twin cousin poodle the writing on the wall, the "mene tekel ufarsin", that this protocol also has been downgraded and pn*wed grand time by the forces that be? Just think of you sending post in a sealed envelope and it appears to have been read and resealed before arriving at its destination. How would you feel? From what times do we remember such practices? At least the envelopes were then Reichs-stamped, remember, so we knew. Now those that do the de-encrypting aren't even to ask questions about how the results they get were acquired and by what method(s). And when we say logjam is only there because there is nation-might, it isn't that only, because we are also at risk sitting in a public Internet cafe. We should be protected against this asap.

But these are just symptoms of underlying factors, and let me tell you a bit about what I find every day while doing specific scans.
Whenever you want to be aware of the situation, install the Recx Security Analyzer v.1.3.0.4 extension inside your browser and have a look at the results for a particular SSL site, or do the same with a scan here online: http://cyh.herokuapp.com/cyh

Where and how were those people trained, to not know the best practices to secure their website servers? They apply all sorts of additional security technology (crap), but the major security hardening has been omitted. Weak certification, encryption that comes offered from the wrong side up (thank you very much goes to the NSA). Extensive (name) server info proliferation to the world and attackers alike. Do an asafaweb scan at https://asafaweb.com/ and you probably see what I mean from all the errors and warnings you get there. jQuery of all sorts installed, with alternating vulnerable and non-vulnerable versions installed.
Themes that haven't been worked on for over two years, quite secure  :o. WordPress security scans and Joomla scans also deliver the same tragic situation. And this isn't only the situation at amateur sites; there are some big sites that are in a similar sorry state security-wise.

Over 500 cloud services now found vulnerable to logjam exploitation! All the places that use https but where the log-in data go in clear txt over the wires, or want to kick up script from non-https sources. Haven't these guys that have to keep us secure been trained with security in mind anymore? Are they so dumbed down or only interested in the money, that server admins and big hosters aren't interested because the common user won't ask questions anyway? I see this "circus" go past every day in my scan results, folks, and it isn't getting you in a very optimistic mood. There is left an awful lot to be done and there is a lot of awareness to be raised to keep the abusers of our internet security at bay. I hope this posting may help; the "mene tekel ufarsin" is there on the wall, but can anyone read what the txt has (מנא, מנא, תקל, ופרסין), that the statue has a golden head but is standing on clay feet and may topple over any day now, and there is no golem to come to the rescue ;)

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on July 05, 2015, 02:34:05 PM
Let us continue our postings about the use of regular expressions and security.
For a good background read go here: http://www.softpanorama.org/Scripting/Javascript/javascript_regular_expressions.shtml
link article info - Copyright © 1996-2015 by Dr. Nikolai Bezroukov.
..continued: /((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i
((\%3D)|(=)) the equals sign "=" or its URL-encoded equivalent.
[^\n]* zero or more non-newline characters.
((\%27)|(\')|(\-\-)|(\%3B)|(;)) the single quote, the double dash or the semicolon, or their URL-encoded versions.

SQL keyword 'or' attack, regular expression to detect the attack:
/\w*((\%27)|(\'))(\s|\+|\%20)*((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
\w* zero or more alphanumeric or underscore characters
((\%27)|(\')) the single quote or its hex equivalent.
(\s|\+|\%20)* zero or more whitespaces or their HTTP-encoded equivalents
((\%6F)|o|(\%4F))((\%72)|r|(\%52)) the word 'or' in combinations of its upper case and lower case letters, or their hex equivalents.

UNION keyword attack, used by attackers to combine a select statement into a single result set
(note the difference between set and list - my note - pol).
/((\%27)|(\'))(select|union|insert|update|delete|replace)/ix   SQL keywords.

(\%27)|(\') the single quote and its hex equivalent.

will be continued on "dangerous procedures start etc".

polonus (volunteer website security analyst and website error-hunter)

P.S. The use of regular expressions for data validation can be followed here: http://wenku.baidu.com/view/88e25d4d2e3f5727a5e962d0.html
I use the Google Translator Tooltip Extended Script via Tampermonkey to translate the Chinese instructions
from that website on the fly.

达米安 Damian
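The detection regexes from the regex posts above (the HTML tag and keyword checks for XSS, the SQL meta character, equals sign, 'or' and keyword checks for SQL injection) run over web server log lines of the host/ident/authuser/date/request/status/bytes shape described earlier, as an added Python example, not code from the posts; the log lines are constructed, and the rules are kept as written so that their limits show (the keyword rule only fires when the keyword directly follows the quote).

```python
import re

# Detection rules as given in the posts, translated to Python's re.
# re.X (verbose) ignores whitespace in the pattern and treats '#' as the
# start of a comment, so the pound sign has to be escaped.
RULES = {
    # XSS: opening bracket, optional slash, tag name, closing bracket, plain or %-encoded.
    "html_tag": re.compile(r"((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)", re.I | re.X),
    # XSS: dangerous tag / attribute keywords (very FP prone, as the post warns).
    "xss_keyword": re.compile(
        r"(javascript|vbscript|expression|applet|script|embed|object|iframe|frame|frameset)",
        re.I),
    # SQLi: single quote, double dash, pound sign and their %-encoded forms.
    "sql_meta": re.compile(r"(%27)|(')|(--)|(\#)|(%23)", re.I | re.X),
    # SQLi: '=' followed later by a quote, a comment or a statement terminator.
    "sql_equals": re.compile(r"((%3D)|(=))[^\n]*((%27)|(')|(--)|(%3B)|(;))", re.I),
    # SQLi: word, quote, optional whitespace, then 'or' in any case or encoding.
    "sql_or": re.compile(
        r"\w*((%27)|('))(\s|\+|%20)*((%6F)|o|(%4F))((%72)|r|(%52))", re.I | re.X),
    # SQLi: quote directly followed by a SQL keyword.
    "sql_keyword": re.compile(
        r"((%27)|('))(select|union|insert|update|delete|replace)", re.I | re.X),
}

# Common log format: host ident authuser [date] "request" status bytes
LOG_LINE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)')


def parse_log_line(line: str) -> dict:
    """Split one access log line into its fields; raise on an unexpected shape."""
    m = LOG_LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = m.groupdict()
    # "GET /path?query HTTP/1.1" -> keep only the request target
    parts = fields["request"].split(" ")
    fields["target"] = parts[1] if len(parts) >= 2 else fields["request"]
    return fields


def scan_request(target: str) -> set:
    """Return the names of all rules that match the request target."""
    return {name for name, rx in RULES.items() if rx.search(target)}


def scan_log(lines) -> list:
    """Parse and scan every line; each result carries host, status, target and hits."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_log_line(line)
        results.append({"host": f["host"], "status": f["status"],
                        "target": f["target"], "rules": scan_request(f["target"])})
    return results


# Constructed log lines: one clean request, one XSS probe, two SQLi probes.
SAMPLE_LOG = """\
192.0.2.10 - - [04/May/2015:14:12:49 +0200] "GET /index.php?page=about HTTP/1.1" 200 5120
192.0.2.11 - - [04/May/2015:14:13:02 +0200] "GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 3301
192.0.2.12 - - [04/May/2015:14:13:40 +0200] "GET /login.php?user=admin%27%20or%201=1-- HTTP/1.1" 500 0
192.0.2.13 - - [04/May/2015:14:14:05 +0200] "GET /products.php?id=5'union%20select%201,2,3 HTTP/1.1" 200 812
"""

if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG.splitlines()):
        hits = ", ".join(sorted(r["rules"])) or "clean"
        print(f"{r['host']:12} {r['status']} {r['target']:55} {hits}")
```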
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on July 05, 2015, 11:21:50 PM
Has the overall server security situation, especially as regards server security header implementation, improved since 5 years ago?
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration
Personally from what I see on the Internet I do not think so.
Just look here: https://forum.avast.com/index.php?topic=173228.0

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on August 22, 2015, 08:05:09 PM
Para-Noid pointed me on the additional info we get via the Netcraft Report info like here in this thread:
-https://forum.avast.com/index.php?topic=175440.msg1245377#msg1245377
Recently I have been using a low level site explorer - it keeps us informed about the received data, links, scripts and frames found for a specific site. A benefit is that neither avast online security nor the shields will alert, like they often do on other scans that reveal too much of the detection at hand (code, url, IP etc.). And it "sees" more than for instance Releg's fileviewer, where I saw a toggle coding and where the low level scan rewarded me with the suspicious IP that came out of the toggle code.
That is why I tried it on the website that was scanned in the above thread.
Quite different scanner here: -http-sniffer.find-my-search.com/en/web-sniff-of/www.htyzs.cn/

polonus

Important Update, see why bob3160 was right after all in his reaction to this posting: https://forum.avast.com/index.php?topic=176080.msg1249559#new

Thanks, bob3160, for alerting me and breaking all result urls.

Damian
Title: Re: Musings about my volunteer website security scan experiences....
Post by: bob3160 on August 22, 2015, 08:08:12 PM
(http://www.screencast-o-matic.com/screenshots/u/Lh/1440266869121-62865.png)
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on August 22, 2015, 08:18:22 PM
Hi bob3160,

I broke all links, so how can this be alerted? No warning for me by Avast.

polonus

Update: While bob3160's warning was a valid one, all of the links to the low level scan explorer have been taken out (while they were already broken), both in the virus and worms postings and also in my WOT ratings as "luntrus". I have already thanked bob3160 for his attentiveness there. Good we always help each other out here in the forums.  ;)

Damian
Title: Re: Musings about my volunteer website security scan experiences....
Post by: bob3160 on August 22, 2015, 08:22:01 PM
The warning came from gmail. That's also why none of the links in that email are clickable.
I'm not the expert so am simply passing this along. :)
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on August 22, 2015, 08:29:06 PM
So this has/had nothing to do with Avast. As I have no live links in the message there I gather all is OK now.
Why GMail warned for you I am not aware, my webmail from Avast had no alerts.
Anyway there is nothing malicious in the posting now, cannot be.

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: Pondus on August 22, 2015, 08:54:15 PM
As it says: contains links to websites hosting malware

And that may mean code samples at display    ;)

Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on August 22, 2015, 09:21:08 PM
Hi Pondus,

After bob3160 posted that alert I made all links non-clickable, so now there is txt only in the posting.
Those that wanna reconstruct (for the samples to go to) now have to do so themselves. This teaches me to better break all links,
as it does not demand rocket technology to revive a particular link. No live links and no links coming to bite after we provided added detection.  ;D

So this also could be a policy for the virus and worms to break all links with -http etc.
Another safe way to present anything without risks is as an image.

polonus

Update all links to the so-called low level website explorer scans have been removed now.

D
Title: Re: Musings about my volunteer website security scan experiences....
Post by: Para-Noid on August 25, 2015, 09:58:57 PM
That is why when I do cold research I always use copy/paste then run the online scan.
That way I never, ever go to the actual website.

This one is safe (at least it better be) https://forum.avast.com
I then copy/paste forum.avast.com  into either netcraft.com or virustotal and go from there.
I use netcraft.com as a starting point. I use the information provided there to look deeper. Sometimes the lack of
information can send up a red flag in a hurry as seen here https://forum.avast.com/index.php?topic=175440.msg1245377#msg1245377
see http://toolbar.netcraft.com/site_report?url=htyzs.cn%2F there is some information missing...red flag.
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on August 25, 2015, 10:23:20 PM
At this scan you see what is insecure there: -https://asafaweb.com/Scan?Url=htyzs.cn

Custom errors: Fail

Requested URL: -http://htyzs.cn/trace.axd | Response URL: -http://htyzs.cn/trace.axd | Page title: XXXXXXXX | HTTP status code: 403 (Forbidden) | Response size: 1,867 bytes | Duration: 264 ms
Overview
Custom errors are used to ensure that internal error messages are not exposed to end users. Instead, a custom error message should be returned which provides a friendlier user experience and keeps potentially sensitive internal implementation information away from public view.
Excessive headers: Warning

Requested URL: -http://htyzs.cn/ | Response URL: -http://htyzs.cn/ | Page title: | HTTP status code: 200 (OK) | Response size: 22,057 bytes (gzip'd) | Duration: 2,473 ms
Overview
By default, excessive information about the server and frameworks used by an ASP.NET application are returned in the response headers. These headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers.

Result
The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

Server: Microsoft-IIS/7.5
X-Powered-By: UrlRewriter.NET 2.0.0, ASP.NET
X-AspNet-Version: 2.0.50727


Result
It looks like custom errors are not correctly configured as the requested URL contains the heading "Server Error in".

Custom errors are easy to enable, just configure the web.config to ensure the mode is either "On" or "RemoteOnly" and ensure there is a valid "defaultRedirect" defined for a custom error page as follows:

<customErrors mode="RemoteOnly" defaultRedirect="~/Error" />
Clickjacking: Warning

Requested URL: -http://htyzs.cn/ | Response URL: -http://htyzs.cn/ | Page title: | HTTP status code: 200 (OK) | Response size: 22,057 bytes (gzip'd) | Duration: 2,473 ms
Overview
Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An "X-Frame-Options" header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from a trusted URIs.

Result
It doesn't look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.

polonus
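A small checker for the three findings in the asafaweb report quoted above (excessive Server/X-Powered-By/X-AspNet-Version headers, a missing X-Frame-Options header, and the "Server Error in" heading that betrays a default ASP.NET error page), as an added Python example, not asafaweb's code; the two HTTP responses are constructed, one reproducing the headers quoted in the report and one hardened.

```python
# Response headers that divulge the web platform (the "excessive headers" finding).
EXCESSIVE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Acceptable X-Frame-Options values; a CSP frame-ancestors directive also counts.
SAFE_XFO = ("DENY", "SAMEORIGIN")


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status, headers, body).
    Header names are lower-cased; repeated headers are kept as a list."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def audit_response(raw: str) -> dict:
    """Return {finding: detail} for the findings the report lists."""
    status, headers, body = parse_response(raw)
    findings = {}

    exposed = {h: headers[h] for h in EXCESSIVE_HEADERS if h in headers}
    if exposed:
        findings["excessive_headers"] = exposed

    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    csp = " ".join(headers.get("content-security-policy", [])).lower()
    if not xfo and "frame-ancestors" not in csp:
        findings["clickjacking"] = "no X-Frame-Options or CSP frame-ancestors"
    elif xfo and not (xfo[0] in SAFE_XFO or xfo[0].startswith("ALLOW-FROM ")):
        findings["clickjacking"] = f"unrecognised X-Frame-Options value {xfo[0]!r}"

    # Default ASP.NET error pages carry this heading; a custom error page should not.
    if "Server Error in" in body:
        findings["custom_errors"] = f"default error page returned with status {status}"

    return findings


# Constructed response modelled on the headers quoted in the report.
WEAK_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: UrlRewriter.NET 2.0.0, ASP.NET\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body><h1>Server Error in '/' Application.</h1></body></html>"
)

# Constructed hardened response: platform headers removed, framing restricted,
# and a custom error page as the web.config customErrors setting would produce.
HARDENED_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html><body><h1>Something went wrong. Please try again later.</h1></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or "no findings")
```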
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on August 30, 2015, 01:09:09 PM
We always should be aware of malicious obfuscated code injections.
Read: http://security.stackexchange.com/questions/34271/how-can-you-inject-malicious-code-into-an-innocent-looking-url
and an example: http://stackoverflow.com/questions/3115204/unicode-mirror-character
For some further background info: http://www.casaba.com/products/UCAPI/

So always validate these URIs and see where they actually will take you!

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: bob3160 on September 04, 2015, 04:27:58 PM
@Damien,
Wonder if this may interest you:
(https://camo.githubusercontent.com/59a8b2a2fe49b370c0f4627f4750df690119734e/687474703a2f2f692e696d6775722e636f6d2f557342535941702e676966)
Not a tool for the faint of heart and not a tool I'd ever use.
https://github.com/10se1ucgo/DisableWinTracking (https://github.com/10se1ucgo/DisableWinTracking)
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on September 04, 2015, 04:38:15 PM
Hi bob3160,

Seems like overkill; I just want to kill some insecure tracking and with the add-ons in Google Chrome I have ample possibility.
AOS has this, DrWeb's too, and uMatrix is so versatile you can almost kill all on a particular website.
Then there is Ghostery, so what more do I want. I am not paranoid about this and very selective.
For instance this one, a weird clicker like HeroFW app that circumvents ad-blockers: http://t130210.security-ids-snort-emerging-sigs.securityupdate.info/herofw-app-crew-and-this-looks-like-some-weirdclick-tracking-crap-t130210.html
Anyway, thanks for the heads-up and I will skim through that code there,

Damian

Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on September 10, 2015, 02:41:18 PM
What users of WP CMS should read: http://codex.wordpress.org/Hardening_WordPress
and this http://www.woothemes.com/2013/09/improve-your-wordpress-security-with-these-10-tips/
They could take a scan at Sucuri's and check their WP here: https://hackertarget.com/wordpress-security-scan/

Still seeing too many outdated CMS, CMS themes, plug-ins, user enumeration and directory indexing enabled warnings,
excessive server info proliferation, clickjacking and other warnings, etc. etc., the insecurities of bulk hosting and eventually evolving general IP blocks, use of left software (developers will not maintain it; bugs, vulnerabilities and exploits are not being patched).

Don't be a trained monkey  ;) but educate yourself about the dangers you could be for your visitors.
Remember millions visit WP driven websites every day and could get infested by malware driven sites.
Be responsible and act accordingly as webmaster, website admin and hosting staff!

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on September 11, 2015, 10:46:43 PM
In the light of the new growing mal-ad injection threat, the following.
Insecure javascript inclusion. Using the -src attribute of a <script> tag to directly or indirectly include a JS-file
from an external domain into the top-level document of a webpage.

Keeping JS separate from HTML markings is a good practice. Good is including JS from the same host or domain,
could be excluded from evaluation with insecure inclusion techniques. Sites run the risk their homepages come under the control of the included javascript code and even higher risk from multiple sources.

Some advertisers provide nothing on their root URLs but point just to some stored JS file using URL-paths. A single compromised JS-file could directly cause security breaches on thousands of sites.

Now one can understand why using a decent adblocker is not a luxury or use an adblocking browser on Android for that matter.
Google Safebrowsing is a last resort line of defense!

polonus
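A static audit of the script inclusions in a page's top-level document, as described in the post above: same-origin versus third-party src attributes, plus a note when a script comes from a plain http source on an https page. This is an added Python example, not code from the post; the page URL and markup are constructed and use reserved example domains.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptSourceCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the top-level document."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.inline_count = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src.strip())
        else:
            self.inline_count += 1


def classify_script(page_url: str, src: str) -> str:
    """Same-origin script, or third-party inclusion (with a mixed-content note).
    A different subdomain counts as third-party here; only scheme and host
    of the page itself are treated as same-origin."""
    page = urlsplit(page_url)
    resolved = urlsplit(urljoin(page_url, src))   # handles relative and // URLs
    if resolved.scheme == page.scheme and resolved.netloc == page.netloc:
        return "same-origin"
    label = f"third-party ({resolved.netloc})"
    if page.scheme == "https" and resolved.scheme == "http":
        label += ", http on https page"
    return label


def audit_script_sources(page_url: str, html_text: str) -> dict:
    """Map each script src to its classification. Only direct inclusions are
    visible statically; scripts that an included file loads in turn (indirect
    inclusion, the ad-network case) can only be seen by executing the page."""
    collector = ScriptSourceCollector()
    collector.feed(html_text)
    return {src: classify_script(page_url, src) for src in collector.sources}


# Constructed page and markup; example.com/.net/.org are reserved names.
PAGE_URL = "https://www.example.com/"
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://www.example.com/js/site.js"></script>
<script src="//static.example.com/lib.js"></script>
<script src="https://ads.example.net/tag.js"></script>
<script src="http://cdn.example.org/widget.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src, verdict in audit_script_sources(PAGE_URL, SAMPLE_HTML).items():
        print(f"{src:45} {verdict}")
```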
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on September 23, 2015, 12:22:28 AM
Interesting discussion why we see so many defacements on WP websites lately. Read: http://wordpress.stackexchange.com/questions/28548/wordpress-hacks-defacing
Partly I agree where they point at sloppy and insecure hosting. Furthermore there is no excuse for folks that do not fully patch or update their CMS, plug-ins and themes and even worse code that have been left by developers - or those that have User Enumeration available or Directory Indexing or can be abused via linked Javascript or linked iFrames. Where the hosting is considered I just remind you of excessive server header info proliferation, and various warnings etc - server misconfigurations, security header fails, PHP weaknesses and other exploitable code etc. etc.

I have reported many a defacement and especially those with malicious code in the "virus and worms" in the hope it may inspire some to do something about insecure websites and enhance pro-active secure hosting in some form. Often one feels like preaching for the choir and the message falling on deaf ears. See for instance here: http://killmalware.com/michaeldechiara.com/  Outdated CMS there, not the latest version of WP. A 01 type of defacement: https://sitecheck.sucuri.net/results/michaeldechiara.com#sitecheck-details
For the code and the hack: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fmichaeldechiara.com

For more general details on how websites get hacked and defaced: https://www.quora.com/How-are-websites-hacked-to-have-their-content-defaced-How-can-I-prevent-such-attacks-on-my-website

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on October 03, 2015, 10:11:25 PM
At the moment SSL security is gaining momentum through the big campaign driven by Google and others to change http to https - we know this as the "https everywhere campaign". It only can be a big step forward when everything is implemented in the right way, encryption without (export)  restrictions, served up from the right angle and not from the wrong insecure side up, etc. etc.
Right server and security header configurations and, of course, certification should be O.K. and properly implemented.

And until now a lot is (still) going wrong, too many sites where log-in still goes on unencrypted and log-in data go straight over the wires.

Safer Chrome Security Report extension will set these insecure sites out. Also we get sites reported as insecure where certificates are concerned at Comodo Site report.

To-day I got a question about a certificate flagged in the Virus and Worms: https://forum.avast.com/index.php?topic=177190.0
Andrey, pro was so friendly as to translate my reply there into Russian.

A new link I give here for users to check revocation with can be found here: https://certificate.revocationcheck.com
enjoy and when issues of the report aren't clear do not hesitate to report in the virus and worms.

A couple of other links to put your queries into are:
https://www.bluessl.com/en/ssltest
http://cyh.herokuapp.com/cyh
https://www.ultratools.com/tools/zoneFileDumpResult
http://dnscheck.iis.se/
https://certlogik.com/ssl-checker/www.reddit.com/
https://www.wormly.com/test_ssl
https://www.digicert.com/help/
https://www.ssllabs.com/ssltest/
https://sslbl.abuse.ch/intel/11c94f0bf7c5f512ddf3b016c206674a6f630dd0
http://codefromthe70s.org/certcheck.aspx
https://ssl.trustwave.com/support/support-certificate-analyzer.php?address=

enjoy,

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on October 05, 2015, 12:09:08 AM
Dear followers of this thread,

Finding far too many insecurities during my scanning is really discouraging.
Normal IT staff is not up to it, and technical IT cannot make the difference somehow,
also pro-active hosting is too few and too far in between.  :(

Here an example where 1600 attempts at canvas fingerprinting were blocked by my Chrome extension, read the full story here: https://forum.avast.com/index.php?topic=177229.0

Now theory on best practices and actual practice isn't often in balance.
Here I have a site author that discusses ways to block canvas fingerprinting,
but that very article site breaches your privacy with a so-called Facebook Likebutton
we find tracking us now from many, many a webpage (together with his AddThis friend and Google+ pal).

The Facebook Like-button was neatly replaced by my PrivacyBadger extension inside Google Chrome,
but one sees what experts are preaching and what they actually do online are two different things.   :D
Here is the link to find that button (if you have an extension to set it out).
http://gizmodo.com/what-you-need-to-know-about-the-sneakiest-new-online-tr-1608455771

There is also a SPOF report for that site:
Possible Frontend SPOF from:

-kinja.com - Whitelist
(100%) - <script async type="text/javascript" src="//kinja.com/api/profile/assets/javascripts/sso.js">
-html5shiv.googlecode.com - Whitelist
(97%) - <script src="//html5shiv.googlecode.com/svn/trunk/html5.js">
-pagead2.googlesyndication.com - Whitelist
(44%) - <script type="text/javascript" src="-http://pagead2.googlesyndication.com/pagead/show_ads.js">
-www.googletagservices.com - Whitelist
(7%) - <script type="text/javascript" src="//-www.googletagservices.com/tag/js/gpt.js" async>
-c.amazon-adsystem.com - Whitelist
(7%) - <script type="text/javascript" src="//-c.amazon-adsystem.com/aax2/amzn_ads.js" async>

Not blocking these could also make that website load quite a bit slower.

Privacy is a non-existent animal to-day and that should be our conclusion. We could make it a bit more difficult for the trackers and profilers and those that dragnet us, but at the end we haven't enough defenses.
Script and request blocking are still our best bets, but you cannot win where others forget about the security of their online visitors - outdated (server) software, outdated CMS, use of left software, misconfigurations, bad hosting, incompetence and disinterest are hard devils to fight. 

polonus (volunteer website security analyst and website error-hunter)

Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on November 02, 2015, 02:07:47 PM
Let us continue now with the reg ex snippets series - continued - Dangerous procedures start with 'sp' or 'xp' - 'xp_cmdshell'
allows executing a Windows shell command through the SQL server.
Access rights gained so is loadsystem.
/exec(\s|\+)+(s|x)p\w+/ix
exec keyword to run the stored or extended procedure.
(\s|\+)+ one or more white spaces or their HTTP encoded equivalents
\w+ one or more alphanumeric or underscore characters to complete the name of the procedure.

OS command injection flaw   /(\||%00|system\(|eval\(|`|\\)/i
\| pipe symbol, used in commands to pipe the stdout of one program into the stdin of another.
%00 The null character (dec & hex 0) used in C/C++ based programs as a string delimiter - tricked to be treated as the last char to abuse PHP to read further past the NULL character.
system\( System() is a function in programming languages like Perl and PHP that will execute an additional external program and will display the output.
eval\( Eval() is a function in PHP, Perl and other languages which evaluates a string as PHP (Perl) code.
` The backtick operator is similar to the system() function in that respect that it executes an external program.
\\ The backslash is used for escaping characters. If the escaping backslash can be escaped, attackers may jump out of the escaped sequence.
Will be continued with Malicious File Execution and reg ex...

polonus (volunteer website security analyst and website error hunter)
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on November 02, 2015, 02:40:05 PM
Continued -
Malicious File Execution
Applications that allow users to provide a filename or part of a filename are often vulnerable if input validation is not very accurate. Manipulation of the filename may cause the application to open up an external URL or execute a system program.

PHP has the weakness to allow URLs in include and require statements. This is the cause of the most dangerous vulnerabilities in PHP applications, include "php://input"; POST include "data; base64, PDgwaH?--"
/(https?|ftp|php|data):/i protocols followed by a colon

Insecure Direct Object Reference

Internal objects may include: files or directories, URLs, database keys (acct_no, group_id), other database object names (table name).

/(\.|(%|%25)2E)(\.|(%|%25)2E)(\/|(%|%25)2F|\\|(%|%25)5C)/i
(\.|(%|%25)2E)(\.|(%|%25)2E) two dots and their URL-encoded equivalents, & (\/|(%|%25)2F|\\|(%|%25)5C) the slash and backslash and their URL-encoded equivalents (%2F and %5C).

will be continued...


polonus
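As an added example (not code from these posts): the four reg ex snippets from the two posts above, applied to constructed web server access-log lines so you can see what each one catches and misses. The log lines, client address and paths are made up for the demonstration; the Perl-style x flag on the original patterns is dropped because JavaScript has no such flag and none of the patterns depend on it.

```javascript
// Added example; not code from the forum posts. It applies the four detection
// patterns from the reg ex series to constructed access-log lines.
// The log lines below are made up for this demonstration.

const patterns = {
  // "exec", whitespace or '+' (its form-encoded equivalent), then a stored (sp_)
  // or extended (xp_) procedure name such as xp_cmdshell.
  storedProcedure: /exec(\s|\+)+(s|x)p\w+/i,
  // pipe, NUL byte, system( or eval( call, backtick, or backslash escape
  osCommand: /(\||%00|system\(|eval\(|`|\\)/i,
  // protocol prefixes that PHP include/require would open
  fileExecution: /(https?|ftp|php|data):/i,
  // two dots (plain or URL-encoded) then a slash or backslash (plain or URL-encoded)
  directoryTraversal: /(\.|(%|%25)2E)(\.|(%|%25)2E)(\/|(%|%25)2F|\\|(%|%25)5C)/i,
};

// Names of every pattern that matches the line, checked against both the raw
// line and a single URL-decoding of it (attackers encode what they can).
function classifyRequest(line) {
  const views = [line];
  try {
    views.push(decodeURIComponent(line));
  } catch (e) {
    // malformed percent-encoding: keep only the raw view
  }
  return Object.keys(patterns).filter((name) =>
    views.some((view) => patterns[name].test(view)));
}

// Return only the log lines that triggered at least one pattern.
function scanLog(lines) {
  return lines
    .map((line) => ({ line, hits: classifyRequest(line) }))
    .filter((entry) => entry.hits.length > 0);
}

// Constructed sample log (Apache combined format, fictional client address).
const sampleLog = [
  '203.0.113.5 - - [02/Nov/2015:14:07:47 +0100] "GET /index.php?id=1 HTTP/1.1" 200 512',
  '203.0.113.5 - - [02/Nov/2015:14:07:48 +0100] "GET /search.asp?q=1;exec+xp_cmdshell+dir HTTP/1.1" 500 0',
  '203.0.113.5 - - [02/Nov/2015:14:07:49 +0100] "GET /ping.php?host=127.0.0.1|id HTTP/1.1" 200 0',
  '203.0.113.5 - - [02/Nov/2015:14:07:50 +0100] "GET /page.php?file=http://203.0.113.9/remote.txt HTTP/1.1" 200 0',
  '203.0.113.5 - - [02/Nov/2015:14:07:51 +0100] "GET /view.php?doc=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0',
];

for (const entry of scanLog(sampleLog)) {
  console.log(entry.hits.join(','), '<-', entry.line);
}
```

The first line is clean and stays silent; each of the other four trips exactly one pattern. Because the decoded view is checked too, double-encoded traversal such as %252e%252e%255c is also caught, which the raw-only check in a log grep would already handle through the (%|%25) alternation.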
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on November 02, 2015, 02:50:52 PM
Now you can start to appreciate this Privoxy filter survey:
http://downyours.org/?filters_484a7c06c4b8474f8853a42eb790a0ded3c310d37b994e29896e4fde1ee0c668
I used this in user scripts in Tampermonkey in the Google Chrome browser.

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on November 18, 2015, 07:26:22 PM
For those in volunteer website security analysis, this passive scanning report for 1380 business websites in the Netherlands is exemplary of how third party cold reconnaissance scanning could be performed. Read the pdf on results and methodology.

In the scanning there was also scanned for ftp-banners (this could be performed through a dazzlepod ip scan (banner.nse), but there we cannot share the results); for those that want to test their ftp server: https://ftptest.net/

Here you can perform various tests online: https://pentest-tools.com/network-vulnerability-scanning/openssl-heartbleed-scanner

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: Para-Noid on November 18, 2015, 07:51:51 PM
@ polonus 

Please make the results/reports clickable.
But keep the possible infectious sites non-clickable.
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on November 22, 2015, 12:41:39 AM
Still a very interesting link on security risks: https://www.owasp.org/index.php/Top_10_2010-Main
Also look here for vulnerability scanning of javascript libraries.
From working them inside sandboxes to test them as fit to use, as a 100% security guarantee probably never could get handed out, the interaction with other code etc. is too darned complicated.
Using strict mode. Time to retire some code libraries as vulnerable.
Also read here: http://www.educatedguesswork.org/2011/08/guest_post_adam_barth_on_three.html
It is striking that defacers code with XSS threats in mind, there you find minimal sources and sinks.
Also read here for content security policies: https://mikewest.org/2011/10/content-security-policy-a-primer
Javascript security it ain't easy folks, it ain't easy at all,

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on November 22, 2015, 11:12:30 PM
10 gigantic security fails from the real IT world, read here in English - by Fahmida Y. Rashid, the link goes here: -> http://computerworld.nl/security/90318-10-enorme-beveiligingsblunders-van-systeembeheerders
English text starts from line 6.

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on December 26, 2015, 12:42:53 PM
For website admins and developers that use jQuery.

While checking website for jQuery libraries to be retired at: http://retire.insecurity.today/#
polonus also went over a nice publication by Stefano di Paola on jQuery security.

This mindedsecurity.com article author came to the conclusion that jQuery has all the characteristics of a sink.
A sink, that is a function or method that can be considered as insecure, when one of its arguments
comes from untrusted input and is not correctly being validated according to the layer
the function is communicating to. So jQuery.html is a sink and no one will complain.

jQuery has also been designed to perform different operations based on argument type and content.
Using the same interface for query and executing may be a very bad idea.

jQuery as selector? Never use jQuery() or $() with a non-validated argument. No matter of what
version is being used. Check and read the code!

jQuery developers should retire all old versions (zip them all for reference).
Change and lock the jQuery do-everything behavior.
Do not allow Client side into HPP.
encodeURIComponent
Do not use $.html()with untrusted input.
Check whether it will work as expected. <.*\?>  :o
Please, test your RegExps.! because Client Request Proxy is frameable by design.
An unfriendly header can be attached/added X-Ms-Origin: -http://cyber.at.at.tacker
XMLHttpRequest.attr = val  will make this work.
IE will see some code as valid JSON and you can still be left with an unvalidated object!

Be cautious and shy using 3rd party services as they could produce 3rd party surprises.
HTML Injection Vulnerabilities, so test and audit all your 3rd party code!

Check using http://www.domxssscanner.com/

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on December 27, 2015, 02:06:15 PM
For a list of sinks in jQuery, see: https://code.google.com/p/domxsswiki/wiki/jQuery
jQuery Methods That Directly Update the DOM:
.after()          .prependTo()
.append()         .replaceAll()
.before()         .replaceWith()
.html()           .unwrap()
.insertAfter()    .wrap()
.insertBefore()   .wrapAll()
.prepend()        .wrapInner()
Note text() updates the DOM but it is safe.
Do not send unvalidated data to these methods or properly escape before doing so.

More danger: jQuery or $(danger) immediately evaluates the input,
e.g. $("<img src=x onerror=alert(1)>").on(),.add(html),

Further research of these 300 methods is needed to identify all the safe versus unsafe methods:
https://coderwall.com/p/h5lqla/safe-vs-unsafe-jquery-methods
http://stackoverflow.com/questions/9735045/is-jquery-text-method-xss-safe
https://blog.csnc.ch/2013/01/dom-based-xss-unsafe-javascript-functions/

polonus (volunteer website security analyst and website error-hunter)
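As an added example for the two jQuery posts above (not polonus' code and not jQuery's own source): it reproduces the decision jQuery() makes on a string argument, "is this HTML or a selector?", using the quick-expression regexes as I recall them from the jQuery source (pre-1.9 and 1.9+), to show why an unvalidated argument to $() is a sink in every version, and pairs that with the two defensive moves the posts ask for: refuse HTML-looking input before it reaches $(), and escape data before it reaches .html() and the other DOM-writing methods. The function names are mine.

```javascript
// Added example; not from the posts and not jQuery's source. The two regexes
// are the quick-expression checks as I recall them from jQuery (pre-1.9 / 1.9+).

// jQuery <= 1.8: a tag anywhere in the string counted as HTML.
const rquickExprLegacy = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// jQuery >= 1.9: only strings that start with '<' (after whitespace) count as HTML.
const rquickExprModern = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// 'html'     -> jQuery would parse the string and create elements (the sink)
// 'id'       -> plain #id lookup
// 'selector' -> handed to the selector engine
function classifyJQueryArg(arg, legacy = false) {
  const m = (legacy ? rquickExprLegacy : rquickExprModern).exec(arg);
  if (m && m[1]) return 'html';
  if (m && m[2] !== undefined) return 'id';
  return 'selector';
}

// Gate for user-controlled strings that are meant to be selectors: reject
// anything either jQuery generation would treat as markup.
function safeSelectorArg(arg) {
  if (typeof arg !== 'string'
      || classifyJQueryArg(arg, true) === 'html'
      || classifyJQueryArg(arg, false) === 'html') {
    throw new TypeError('refusing to pass HTML-looking input to $()');
  }
  return arg;
}

// Minimal HTML escaping for the .html()/.append()/.wrap() family when markup
// really has to be built from data; prefer .text() where you can.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// A typical "echo the query back to the user" fragment, built safely.
function searchedForMarkup(tags) {
  return '<p>Searched for:<strong>' + escapeHtml(tags) + '</strong></p>';
}

for (const arg of ['#main', '.item', '<img src=x onerror=alert(1)>', 'foo <img src=x>']) {
  console.log(JSON.stringify(arg), 'legacy:', classifyJQueryArg(arg, true),
    'modern:', classifyJQueryArg(arg, false));
}
```

The fourth sample shows why the post says "no matter what version": an old jQuery treats a tag in the middle of a string as HTML, a new one only when it leads, so a filter tuned to one version is not a fix. The gate rejects anything either generation would parse.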
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on March 28, 2016, 04:14:41 PM
Seems that many a nameserver and hosting or whatever server is still vulnerable to the so-called DROWN attack. One could test here:
https://test.drownattack.com/?site=  Mind you that all underlying servers and services thereof should be secure.
Checked this and it fits the Hall of Shame: https://securityheaders.io/?q=https%3A%2F%2Fbing.com
Results for bing.com
Sites that use the certificates below are vulnerable to eavesdropping. Attackers may be able to decrypt recorded traffic and steal data.
Update server software at all IP addresses shown, and ensure SSLv2 is disabled.
Would you believe these results?
https://test.drownattack.com/?site=bing.com supports SSLv2 export ciphers

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on April 16, 2016, 08:46:45 PM
@developers and code analysts,

Just read a still very relevant article about the disadvantages of inline CSS and Javascript code.
Robert Nyman writes on the subject here:
https://robertnyman.com/2008/11/20/why-inline-css-and-javascript-code-is-such-a-bad-thing/
I just added a userscript, called Obtrusive Javascript Checker to the browser via Tampermonkey extension.
While I type this message I experience 25 inline events - onsubmit 1, onchange 2, onselect 1, onclick 20 and onkeyup 1
When I click the post button I enable this action:
Code:
onclick="return submitThisOnce(this);"
Nice to have this under the hood for those that analyze Javascript code every day.
For all others the Obtrusive JS Checker will mean a lot of unnecessary clutter.

On the consequences for Content Security Policy and CSP Violation Fixing, read here: http://www.cspplayground.com/compliant_examples
Quote
Most uses of inline scripts that would break when using CSP can be fixed by factoring the javascript out to an external .js file, and making the location of that file a CSP-approved source.

Here a CSP generator: http://cspisawesome.com/

polonus (volunteer website security analyst and website error-hunter)
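As an added example (not the Obtrusive Javascript Checker userscript from the post, nor anything from cspplayground.com): a small audit pass over page markup that counts inline event-handler attributes per name and inline script blocks, which is exactly the code a Content Security Policy without 'unsafe-inline' will refuse to run. It is regex-based, so it is an estimate rather than a parser. The HTML is constructed for the demonstration.

```javascript
// Added example; not the userscript from the post. Counts inline handlers and
// inline <script> blocks in a page, the things a CSP migration has to move out.
// The markup below is constructed for the demonstration.

const sampleHtml = `
<form action="/post" onsubmit="return submitThisOnce(this);">
  <select name="cat" onchange="this.form.submit()"></select>
  <input name="q" onkeyup="suggest(this.value)">
  <button type="submit" onclick="track('post')">Post</button>
</form>
<a href="#" onclick="toggle('menu')">menu</a>
<script>var inlineConfig = { a: 1 };</script>
<script src="/static/app.js"></script>
`;

// on<name> preceded by whitespace, followed by '=' and a quoted or bare value.
const INLINE_HANDLER = /\son([a-z]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;

function countInlineHandlers(html) {
  const counts = {};
  for (const m of html.matchAll(INLINE_HANDLER)) {
    const name = 'on' + m[1].toLowerCase();
    counts[name] = (counts[name] || 0) + 1;
  }
  return counts;
}

// A <script> tag without a src attribute carries an inline body.
function countInlineScripts(html) {
  let inline = 0;
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    if (!/\bsrc\s*=/i.test(m[1])) inline += 1;
  }
  return inline;
}

function auditInlineJs(html) {
  const handlers = countInlineHandlers(html);
  const totalHandlers = Object.values(handlers).reduce((a, b) => a + b, 0);
  return { handlers, totalHandlers, inlineScripts: countInlineScripts(html) };
}

console.log(auditInlineJs(sampleHtml));
```

Running it over a page's HTML source gives the per-attribute tally the post reports (onsubmit, onchange, onclick, onkeyup) plus the count of script bodies that need factoring out into external .js files before a strict script-src can be turned on.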
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on April 28, 2016, 10:32:04 PM
While those scanning here still find many an insecurity: https://securityheaders.io/
We have online mitigating tools like this Content-Security-Policy header generator at http://cspisawesome.com/

And while we find many an insecurity here as well: https://sritest.io/
we have a SRI hash generator online here: https://www.srihash.org/

Enjoy and secure,

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on April 28, 2016, 11:02:43 PM
PHP is at the root of many an attack. That is why I come up with this link to check: http://yehg.net/encoding/index1.php
From the same developer as the Malware Script Detector v.v. 1.1. extension that runs under Tampermonkey on Google Chrome for me
and has warned me about many an unobtrusive script threat - BEAST, SQL code. Together with the blocking from Netcraft's Extension it is great protection inside the browser.

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on May 01, 2016, 01:24:30 PM
What I would not like you to consider and why not is explained here.
Someone (Bart Blaze) was into this...he states...
 
Quote
Before we begin, I’d like to make clear that if you want to test your skills after reading this article or want to test malware in general, you should set up a proper testing environment. Make sure you are using a Virtual Machine if testing on your own machine, or create a machine for the sole use of testing malware and antimalware tools. In either case, it’s a good idea to use a separate network or use a DMZ should you have one. Personally I recommend having the machine connected to the internet, so the malware can do its evil work to its maximum potential and you will be able to carefully study and dissect its workings completely.
Then he continued
Quote
do not use shared folders between VM & host
do use a separate network
do use a physical device and no VM
have antivirus solution installed on your physical device, when using a VM
etc. etc.
Read all the particulars of his article, as you translate this link into English: https://www.security.nl/posting/41479/Security+Tip+van+de+Week%3A+onderzoek+malware+in+je+eigen+lab

Now while this set-up is meant for security research on a corporate network and not for the unaware home/hobby user,
it is still rather very problematic. Leave this exploration to the professionals.

Doing this at home is unwise as it could turn your device into a virtual malware-ridden doorstopper state
or at least make you have serious problems from your Internet provider.
When this happens over the weekend you are in big trouble and out on your own.
Furthermore some malcode is known to break out of a VM or sandbox
and could seriously hamper/tamper with your network surroundings.
Always use a separate lab setting off of the Interwebs and in perfect isolation.

Now all users here may understand why polonus went for third party cold reconnaissance.
Let third party scanners do the work for you, do pre-scanning as well and never visit a suspicious or malicious website itself.
Later I give you my experience with Malzilla but that is another story.
I like to use third party scanners, html validators, javascript unpackers, js beautifiers, php scanners,
looking where code may have access, whether there is inline code,
I look for security related information from seo scanning sites. DNS scanning, SSL scanning etc. etc.
Looking for cloaking, suspicious iFrames, difference between Google and Googlebot response code.

Whenever I stumble on code errors I read on stackoverflow and also check for the security implications.

Direct malcode access is an unwise idea for anyone without the proper tools and surroundings.
Just a single confrontation with a file infector or malcode that does not obey the VM surrounding
and starts to eat itself through your sandbox and then you are food for the birds.

And where your provider is concerned:
"Do not do the crime, if you cannot pay the time or even worse".

Have a great first of May, ye all...

polonus

Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on May 22, 2016, 01:22:27 AM
A lot of developers and javascript coders use ready made examples taken from the Interwebs.
This is a risky practice, whenever the code is buggy or even insecure, you are bound to copy that.
Do not reinvent the wheel but at least test the wheels.
A good free book to start and read: https://addyosmani.com/resources/essentialjsdesignpatterns/book/
free for non-commercial use only.

Enjoy my good friends, enjoy.

polonus

Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on May 22, 2016, 04:09:43 PM
While going over these javascript design vulnerabilities we have to be aware of the top web security vulnerabilities, a nice list is being given here by Gergely Kalman: https://www.toptal.com/security/10-most-common-web-security-vulnerabilities
When you read this you will understand why we do the scans we do. Analyze the HTTP response headers, see where code is same origin, e.g. SRI Hash Website Scan, Safer Chrome Security Report, look for Cloaking and hidden iFrames, Tracker SSL insecure IDs tracking, retirable jQuery scans, CMS insecurity scans, SSL tests, DNS tests, Website and nameserver misconfiguration test (asafaweb scan etc.). DOM XSS vulnerability scan, Javascript Unpacker Scan, and various other scans.
So we have to filter untrusted input, broken authentication and involved threats, input sanitization problem (XSS), store data internally and set session variable (undefined functions and variables always form a threat vector). Security misconfigurations like user enumeration set by default and directory listing, server header info proliferation, excessive services and outdated or even left software running etc. Non-HTTPS content, lack of PFS, requests should not be able to alter the resource requested. Do not use vulnerable components (plug-ins), header injection can be rather bad,

JavaScript sources are functions or DOM properties that can be influenced by the user. Vulnerable JavaScript sources that can be exploited for a DOM-based attack include the following:

Location-based, such as location, location.href, document.URL and so on.
Client-side storage based. For instance, it could be document.cookies, sessionStorage and localStorage.
Navigation-based, such as navigation.referrer, window.name, history et al.
Cross-domain functions. See: http://www.domxssscanner.com/

Quote
Some common exploitable JavaScript sinks:

Execution-based, such as eval(), Function(), setTimeout(), setInterval() and so on.
URL-based, for instance location and location.assign().
HTML-based, such as document.write(), HTML elements and attributes.
XHR calls, postMessage, client-side storage and other JavaScript variables.

postMessage is a JavaScript function under HTML5 that facilitates communication across iframes, i.e. two iframes loaded from separate domains on the same page or between the page and an iframe within it. This communication is entirely client-side. If postMessage restrictions are set loosely, it could result in invalidated malicious data being sent across iframes or a potential data leak scenario making it possible to perform data extraction across sites. The white-list paradigm applies here as well.

With HTML5, client-side storage mechanisms have gone beyond the cookie with newer options such as localStorage, Web SQL and IndexDB. Storage of sensitive data on the client side using these mechanisms fosters a huge security risk, bigger than cookies ever posed.

Quote taken from author Lavakumar Kuppan on HTML5 security. Check using: https://html5.validator.nu/

polonus (volunteer website security analyst and website error-hunter)

P.S. Also learn about Bug Patterns: https://find-sec-bugs.github.io/bugs.htm  Created by Philippe Arteau
and http://alistapart.com/blog/post/pattern-library-security-vulnerability    from Mat  Marquis
blog has a vulnerability by itself: Pattern Library Security Vulnerability · An A L...
alistapart.com
Alerts (1)
Insecure login (1)
Password will be transmitted in clear to http://alistapart.com/?ACT=159
Infos (1)
Encryption (HTTPS) (1)
Communication is NOT encrypted    Safer Chrome Security Report.

Damian
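As an added example for the postMessage paragraph above (not from the post and not Lavakumar Kuppan's code): a message receiver built on the white-list paradigm the post describes, checking event.origin against an allow-list, validating the message shape, and letting only known values reach a narrow sink, plus the sender side that always names its target origin. The events are plain objects constructed here so it runs without a browser; in a page the same handler is registered with window.addEventListener('message', ...). The partner origins and the two actions are assumed for the demonstration.

```javascript
// Added example; not from the post. A postMessage receiver and sender with
// origin allow-listing and message validation. Origins and actions are assumed.

const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://widgets.example']);

// Accept only a JSON object carrying a known action. Never eval() the payload
// and never write it into the DOM as markup.
function parseMessage(data) {
  let obj;
  try {
    obj = typeof data === 'string' ? JSON.parse(data) : data;
  } catch (e) {
    return null;
  }
  if (!obj || typeof obj !== 'object' || Array.isArray(obj)) return null;
  if (obj.action !== 'setTheme' && obj.action !== 'resize') return null;
  return obj;
}

// sink: an object standing in for the DOM state the message may change.
function handleMessage(event, sink) {
  // 1. Origin check. Sandboxed or opaque senders arrive as the string 'null'
  //    and fail this test as well. Exact match, never a substring test.
  if (!ALLOWED_ORIGINS.has(event.origin)) return { accepted: false, reason: 'origin' };
  // 2. Shape check.
  const msg = parseMessage(event.data);
  if (!msg) return { accepted: false, reason: 'schema' };
  // 3. Value check per action, then a narrow write.
  if (msg.action === 'setTheme') {
    if (!['light', 'dark'].includes(msg.value)) return { accepted: false, reason: 'value' };
    sink.theme = msg.value;
  } else {
    const height = Number(msg.value);
    if (!Number.isInteger(height) || height < 0 || height > 5000) {
      return { accepted: false, reason: 'value' };
    }
    sink.height = height;
  }
  return { accepted: true, reason: null };
}

// Sender side: name the target origin explicitly; '*' would deliver the
// payload to whatever document is currently loaded in that window.
function sendMessage(targetWindow, message, targetOrigin) {
  if (targetOrigin === '*') throw new Error('refusing to post to any origin');
  targetWindow.postMessage(JSON.stringify(message), targetOrigin);
  return targetOrigin;
}

// Constructed events standing in for MessageEvent objects.
const demoEvents = [
  { origin: 'https://evil.example', data: '{"action":"setTheme","value":"dark"}' },
  { origin: 'https://app.example', data: '{"action":"setTheme","value":"dark"}' },
  { origin: 'https://app.example', data: '{"action":"setTheme","value":"<img src=x>"}' },
  { origin: 'https://widgets.example', data: 'not json at all' },
];
const demoSink = {};
for (const ev of demoEvents) console.log(ev.origin, handleMessage(ev, demoSink));
```

Note what is deliberately absent: no eval of the payload, no writing of message text into innerHTML or a URL, and no "origin contains my domain" check, which is the loose restriction the post warns about.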
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on May 22, 2016, 10:37:11 PM
Let us give an example from what I said about copying ready made code from the book
and then maybe also copying the vulnerabilities of that code example. Let us take a ready jQuery code pattern example from the free book I presented earlier in this thread. Let's go.

Example from a textbook
Code:
(function( $ ) {
 
   // Pre-compile template and "cache" it using closure
   var resultTemplate = _.template($( "#resultTemplate" ).html());
 
   // Subscribe to the new search tags topic
   $.subscribe( "/search/tags", function( e, tags ) {
       $( "#lastQuery" )
                .html("<p>Searched for:<strong>" + tags + "</strong></p>");
   });
 
   // Subscribe to the new results topic
   $.subscribe( "/search/resultSet", function( e, results ){
 
       $( "#searchResults" ).empty().append(resultTemplate( results ));
 
   });
 
   // Submit a search query and publish tags on the /search/tags topic
   $( "#flickrSearch" ).submit( function( e ) {
 
       e.preventDefault();
       var tags = $(this).find( "#query").val();
 
       if ( !tags ){
        return;
       }
 
       $.publish( "/search/tags", [ $.trim(tags) ]);
 
   });
 
 
   // Subscribe to new tags being published and perform
   // a search query using them. Once data has returned
   // publish this data for the rest of the application
   // to consume
 
   $.subscribe("/search/tags", function( e, tags ) {
 
       $.getJSON( "http://api.flickr.com/services/feeds/photos_public.gne?jsoncallback=?", {
              tags: tags,
              tagmode: "any",
              format: "json"
            },
 
          function( data ){
 
              if( !data.items.length ) {
                return;
              }
 
              $.publish( "/search/resultSet", { items: data.items } );
       });
 
   });
 
 
})( jQuery );


Tested through an unpacker the results comes up as

Code:
tested script
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined variable _
     error: undefined function $
It is working but the error seems in the PHP returning an empty string (pol).
Q.E.D. meaning as what had to be demonstrated to my audience here.

So we find complicating factors because we have to consider intricate code chains, just outside the jQuery "fit to use"
status. code.

All coding is not that easy as it presents itself at first sight, my good friends,

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on June 21, 2016, 04:21:04 PM
Sometimes we find the defacement hack example right out on the Interwebs: https://gist.github.com/anonymous/e1a67816dd5956fc8adc
Where was it abused recently, well here: http://killmalware.com/diazepamabuse.com/#
reversed DNS is DROWN vulnerable: -seo217.seoboxes.com -> https://test.drownattack.com/?site=seo217.seoboxes.com
GoDaddy dot com abuse. Outdated WordPress:
WordPress Version
4.1.11
Version does not appear to be latest 4.5.2 - update now.

Warning Directory Indexing Enabled  :o
In the test we attempted to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is an information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/ enabled
/wp-content/plugins/ disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

pol
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on June 22, 2016, 06:50:26 AM
Lately I did a scan here: https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp
for -www.comcast.com and found: Please contact the Certificate Authority for further verification.
Warnings
RC4
This server uses the RC4 cipher algorithm which is not secure. Disable the RC4 cipher suite and update the server software to support the Advanced Encryption Standard (AES) cipher algorithm. Contact your web server vendor for assistance.
Root installed on the server.
For best practices, remove the self-signed root from the server, type Microsoft-IIS/8.0 443
Read why here: https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/
read also: http://www.ghacks.net/2015/07/19/how-to-block-the-insecure-rc4-cipher-in-firefox-and-chrome/
To test SSL at your end: https://www.howsmyssl.com/   &  https://www.ssllabs.com/ssltest/viewMyClient.html
Seems also DROWN vulnerable.

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on June 22, 2016, 05:17:29 PM
Do the Internet Health Test: https://www.battleforthenet.com/internethealthtest/
or https://www.eff.org/nl/testyourisp

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on July 05, 2016, 02:35:12 PM
There are quite some users here that use the Disconnect extension in Google Chrome for instance, well worth knowing what comes whitelisted there: https://github.com/mozilla-services/shavar-list-exceptions/blob/master/allow_list
Landed there going over this: https://stackoverflow.com/questions/17360488/malware-infected-sites-listonly-url
and also why developers should benefit from this API https://developers.google.com/safe-browsing/?hl=en
open to a security check here on unmasked parasites: http://www.unmaskparasites.com/security-report/
https://www.crunchbase.com/organization/unmask-parasites  Sucuri and its clone SiteGuarding make use of this.
A bookmarklet can be found here: http://iosbookmarklets.com/tutorials/unmask-parasites-bookmarklet/
My favorite adblocker of choice is uBlock origin.

polonus
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on July 06, 2016, 06:39:38 PM
Various scripts are often developed, produced and tested as "fit to use". Often on a second glance over it, many an error can be detected, that may or may not have security implications on a particular website.

Let us take a look at a random script from a random website:  http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwossen.com.ar%2Fmedia%2Fsystem%2Fjs%2Fcaption.js

First we run the code through a beautifier to come up with this
Code:
var JCaption = new Class({
    initialize: function (a) {
        this.selector = a;
        $$(a).each(function (a) {
            this.createCaption(a)
        }, this)
    },
    createCaption: function (a) {
        var f = document.createTextNode(a.title),
            c = document.createElement("div"),
            d = document.createElement("p"),
            e = a.getAttribute("width"),
            b = a.getAttribute("align");
        if (!e) e = a.width;
        b || (b = a.getStyle("float"));
        if (!b) b = a.style.styleFloat;
        if (b == "" || !b) b = "none";
        d.appendChild(f);
        d.className = this.selector.replace(".", "_");
        a.parentNode.insertBefore(c, a);
        c.appendChild(a);
        a.title != "" && c.appendChild(d);
        c.className = this.selector.replace(".", "_");
        c.className = c.className + " " + b;
        c.setAttribute("style", "float:" + b);
        c.style.width = e + "px"
    }
});

Now we analyze the code and get the following error
Code:
found JavaScript
     error: undefined variable Class
     error: line:12: TypeError: Class is not a constructor
Class is not a constructor inside the function. Function call is expected, expression is found.

In this case the error is not a real security issue, because of the sri hash A-Status found in this scan:
https://sritest.io/#report/36fb6a47-4160-4160-b8b4-b1a2066bcd28

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Musings about my volunteer website security scan experiences....
Post by: polonus on July 07, 2016, 12:52:13 AM

Some resources on a malicious IP = 218.60.108.138
1. https://cymon.io/218.60.108.138
2. https://www.virustotal.com/en/ip-address/218.60.108.138/information/
3. https://www.threatcrowd.org/ip.php?ip=218.60.108.138
4. https://www.reasoncoresecurity.com/ip-address-218.60.108.138.aspx
5. https://www.threatminer.org/host.php?q=218.60.108.138
6. http://support.clean-mx.com/clean-mx/viruses.php?virusname=Trj/WLT.B&sort=id%20DESC
7. https://www.scumware.org/report/www.zaccl.com.html

There are many more resources to look up specific malicious IP info, like dazzlepod, netcraft, urlquery, but the above mentioned resources
are some that come into a specific similar category.

Enjoy, my friends, enjoy,

polonus