Tests and other Media topics

[polonus]

Another of this tracking survey for a particular website. Browser console info ->

CSP errors
checkdefault-src
expand_more
errorscript-src
expand_more
help_outline'self'
'self' can be problematic if you host JSONP, Angular or user uploaded files.
help_outlinehttps://cdn.polyfill.io
No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
help_outlinehttps://connect.facebook.net
No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
errorhttp://www.google-analytics.com
Allow only resources downloaded over HTTPS.
No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
errorhttps://www.google.com
www.google.com is known to host JSONP endpoints which allow to bypass this CSP.
errorhttps://www.gstatic.com
www.gstatic.com is known to host Angular libraries which allow to bypass this CSP.
errorhttp://static.ads-twitter.com
Allow only resources downloaded over HTTPS.
No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
help_outlinehttps://analytics.twitter.com
No bypass found; make sure that this URL doesn't serve JSONP replies or Angular libraries.
info_outline'nonce-**CSP_NONCE**'
Nonces should only use the base64 charset.
errordata:
data: URI in script-src allows the execution of unsafe scripts.

checkconnect-src
expand_more
checkframe-src
expand_more
errorimg-src
expand_more
check'self'
check*.blockchain.com
check*.blockchain.info
checkdata:
check*.cryptocompare.com
check*.googleusercontent.com
checkhttps://www.facebook.com
errorhttp://www.google-analytics.com
Allow only resources downloaded over HTTPS.
checkhttps://www.google.com
errorhttp://t.co/i/adsct
Allow only resources downloaded over HTTPS.

Website is insecure by default
100% of the trackers on this site could be protecting you from NSA snooping. Tell blockchain.com to fix it.

Identifiers | All Trackers
 Insecure Identifiers
Unique IDs about your web browsing habits have been insecurely sent to third parties.

d17fa83ec3d5590b861c1273eee8795121613819917 www.blockchain.com__cfduid
Legend

 Tracking IDs could be sent safely if this site was secure.

 Tracking IDs do not support secure transmission.

Help Icon
Click the icons in the tables below for a more detailed explanation.

HTTP security headers
Name

Value

Setting secure

content-security-policy

default-src 'none'; script-src 'self' https://cdn.polyfill.io https://connect.facebook.net http://www.google-analytics.com https://www.google.com https://www.gstatic.com http://static.ads-twitter.com https://analytics.twitter.com 'nonce-**csp_nonce**' data:; connect-src 'self' *.blockchain.com *.blockchain.info *.cryptocompare.com https://blockchain.info https://api.greenhouse.io https://www.google-analytics.com https://stats.g.doubleclick.net https://script.google.com https://script.googleusercontent.com; frame-src 'self' *.blockchain.com *.blockchain.info https://www.google.com https://www.youtube.com; img-src 'self' *.blockchain.com *.blockchain.info data: *.cryptocompare.com *.googleusercontent.com https://www.facebook.com http://www.google-analytics.com https://www.google.com http://t.co/i/adsct; style-src 'self' 'unsafe-inline' https://rsms.me https://fonts.googleapis.com 'nonce-**csp_nonce**'; font-src 'self' https://rsms.me https://fonts.gstatic.com data:; manifest-src 'self'; object-src 'self';

https://csp-evaluator.withgoogle.com/?csp=https://www.blockchain.com/
https://webcookies.org/cookies/www.blockchain.com/19138296
https://html.spec.whatwg.org/multipage/input.html#valid-e-mail-address

polonus

[polonus]

Better results come as we combine resources.
Example - https://www.ipqualityscore.com/domain-reputation/grynkewich.com
with https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test/lookup/68.178.213.37
and https://www.virustotal.com/gui/ip-address/68.178.213.37/relations
and https://www.abuseipdb.com/check/68.178.213.37
and https://dnslytics.com/ip/68.178.213.37
See: https://sitereport.netcraft.com/?url=https://Grynkewich.com
-> https://www.virustotal.com/#/ip-address/34.102.136.180 -> https://www.virustotal.com/gui/ip-address/34.102.136.180/detection
A Tor-address used by hackers: https://ip-46.com/34.102.136.180
Reported 127 times: https://www.abuseipdb.com/check/34.102.136.180?page=2
& https://ip-46.com/68.178.213.37 
More resources: www.liveipmap.com; www.spamrats.com ; findipv6.com ; cleantalk.org ; www.ipligence.com ;
https://www.islegitsite.com/check/ ; https://urlfiltering.paloaltonetworks.com/query/

polonus

[polonus]

Test for EMOTET: Check here: https://www.haveibeenemotet.com/

Fake sender and recipient meant both mail results and address was spoofed,
and was sent through anonymailer or deadfake email service.

There is no legit reason to do so or use such services,
to send mails in name of another user, it is just pure evil,
and there is no excuse for it than being banned right away.

polonus

[polonus]

Another combination of resources, based on a common CloudFlare IP.

https://www.ipqualityscore.com/domain-reputation/circlecloud.net  vs https://ns.tools/circlecloud.net
https://www.ipqualityscore.com/domain-reputation/truckers.com
https://ns.tools/registeredsite.com
https://www.lookip.net/ip/172.65.252.97
https://www.shodan.io/host/172.65.252.97

polonus

[polonus]

Seen in the light of recent existing and persistent CSS-Exchange Server vulnerabilities:

https://www.zdnet.com/article/check-to-see-if-youre-vulnerable-to-microsoft-exchange-server-zero-days-using-this-tool/

and https://github.com/microsoft/CSS-Exchange/tree/main/Security

For the latest download: https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-ProxyLogon.ps1

Stay safe and secure online as well as offline,

polonus

[polonus]

Checking on a blocked script with jQuery/jquery/1.9.1 min.js in the browser.

See: https://dnsviz.net/d/ajax.aspnetcdn.com/dnssec/  (errors and alerts).

polonus

[polonus]

In the same realm going over some results from the workings of my DNS Query Sniffer by Nir Sofer.

Looking up some Microsoft Telemetry addresses (Watson) -> https://domain.opendns.com/watson.microsoft.com
and https://domain.opendns.com/blobcollector.events.data.trafficmanager.net

and then see: https://dnsviz.net/d/skypedataprdcolwus15.cloudapp.net/analyze/

What errors and alerts do we find

Notices
Errors (1)
-cloudapp.net zone: The server(s) were not responsive to queries over UDP. (2620:1ec:8ec::201)
Warnings (2)
net to- cloudapp.net: The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the net zone): -ns2prod.18.azuredns-prd.org, -ns1prod.18.azuredns-prd.org, -ns2prod.18.azuredns-prd.info, -ns1prod.18.azuredns-prd.info
net to cloudapp.net: The glue address(es) for -ns2-201.azure-dns.net (2620:1ec:8ec::201) differed from its authoritative address(es) (2620:1ec:8ec::c9).

The original data Nir Sofer's DNS Query Sniffer produced on my device.

Host Name   Port Number   Query ID   Request Type   Request Time   Response Time   Duration   Response Code   Records Count   A   CNAME   AAAA   NS   MX   SOA   PTR   SRV   TEXT   Source Address   Destination Address   IP Country   
watson.telemetry.microsoft.com   56300   509F   A   11-3-2021 11:06:52.616   11-3-2021 11:06:52.616   0 ms   Ok   3   -104.43.193.48   -blobcollector.events.data.trafficmanager.net  -skypedataprdcolcus15.cloudapp.net                        -192.168.X.XX   -194.134.216.70      

Know that Cloudflare has zero trust in the security of their own networks. 150.000 security camera's being compromised through a hard-coded password - so, you have to be vigilant ever.

In this world you cannot trust a thing coming from the other side of your screens.

Where it went wrong and one of these domains above were involved passively:
https://www.hybrid-analysis.com/sample/f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73/6026cc94aa700773e73ca19c

Stay safe and secure both online and offline, is the wish of,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

[polonus]

Next to extensions as BuiltWith, Vulners Web Scanner extension, Zenmate Web Firewall (extension now discontinued)
it is also worth scanning a website online here: https://awesometechstack.com/

See the Tech Stack analysis of this malicious website: https://awesometechstack.com/analysis/website/fullzinfo.pw/
and improvement suggestions: Improvement suggestions
High
 jQuery v2.0.3   Version   Update jQuery to version 3.6.0
High
 jQuery UI v1.10.2   Security   jQuery UI@1.10.2 has 1 vulnerabilities
Medium
 jQuery v2.0.3   Security   jQuery@2.0.3 has 4 vulnerabilities
Low
 jQuery UI v1.10.2   Version   Update jQuery UI to version 1.12.1

Then compare here, where 2 retirable jquery libraries were detected:
https://retire.insecurity.today/#!/scan/c3e7742206ad74bd068554b9fb4effeb4e2c324998ee0ad2932e543318f2da81

Website abuse is, that it is into spam: https://www.virustotal.com/gui/url/fbebebf73fe18453840ed74394506ac439d8bc14ec2d048856fac1842f1677dc/detection

DOM-XSS issues: Results from scanning URL: hxtp://Fullzinfo.pw/assets/plugins/blockUI/jquery.blockUI.js
Number of sources found: 29
Number of sinks found: 8
&
Results from scanning URL: hxtp://Fullzinfo.pw/assets/js/ui-elements.js
Number of sources found: 117
Number of sinks found: 42

And coming round a full circle with this scan, bringing up 205 improvement hints (recommendations):
https://webhint.io/scanner/32cc2961-011f-49ff-860a-c78ab12eeeed

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

[polonus]

Online website scanners, they come and go.

Scan here to get quite a number of improvement recommendations, with: https://webhint.io/scanner
For Stack technology use: https://hexometer.com/stack-checker/
A general scanner you can find here: https://securityscan.getastra.com/security-audit?site
More or a less likewise scan: https://awesometechstack.com/products/website-analyzer/

But you also can use specific purpose scanners like CSP scanners, made by Google, VirusTotal.
Also search resources like URLHaus etc., through snort- & SNYK scanners,
jQuery library scanners (retire insecurity),
and DOM-XSS issue (sources & sinks) scanners.

Internet.nl: https://internet.nl
The Greenweb Foundation https://www.thegreenwebfoundation.org/
SecurityHeaders: http://securityheaders.com
Mozilla Observatory: https://observatory.mozilla.org
Guardian360 QuickScan https://quickscan.guardian360.nl
More into deep scanning, use Zap: https://www.zaproxy.org.

Through tools, using a.o. OpenVAS but also through using NMAP linked to a vulnerability database.

Read: https://securitytrails.com/blog/nmap-vulnerability-scan

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

[polonus]

Interesting test site: https://csreis.github.io/tests/cross-site-iframe.html

Code: [Select]

VM4 sandbox_bundle.js:15 (electron) Security Warning: webFrame.executeJavaScript was called without worldSafeExecuteJavaScript enabled. This is considered unsafe. worldSafeExecuteJavaScript will be
A browser test for https://build.chromium.org' LUCI Build

Fails at Refused to display 'htxps://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=h…google.com/_ah/conflogin%3Fcontinue%3Dhtxps://chromium-status.appspot.com/' in a frame because it set 'X-Frame-Options' to 'deny'.

polonus

[polonus]

Any known vulnerabilities - quick scan:
https://www.safetydetectives.com/vulnerability-tool/

0 issues found: SERVER DETAILS
Web Server:
cloudflare
IP Address:
104.26.13.84
Hosting Provider:
CLOUDFLARENET
Shared Hosting:
280 sites found (use Reverse IP to download list)
Site made in Word Press

polonus

[polonus]

Happy Easter Days to all of you, that are to read here now.

The Easter Bunny (Paashaas in Dutch) was intelli-skimming over the website security
of "www dot de wegwyzer dot nl.
It was not that bad as we thought it could be at the front-end no issues,
the back-end was another can of worms.

Main issue alerted by my DEVCON extension was: No Content Security Policy configured for this site.

At a first glance, I found -c0.wp.com, -i0.wp.com, -i1.wp.com and -i2.wp.com
-log7.js and -count7.pl from -CloudFlare.net and -c.statcounter.com/t.php XHR in appl/json.
All available through scan-results (special php dictionnairy used in the scanner to reveal this)

Could go over it with -semgrep.dev/s/we30 (online resource)

No retirable libraries: https://retire.insecurity.today/#!/scan/80c30f378317b2e6b7493461a4f674b86929efa1fd5609aa80cd164c34569fc3

But quite some issues at the back-end: https://www.shodan.io/host/84.244.181.151
Excessive server info proliferation there, Apache httpdVersion: 2 / HTTP/1.1 301 Moved Permanently

No direct issues flagged here: https://sitecheck.sucuri.net/results/www.dewegwyzer.nl
Nor here: at a Word Press security scan.

Some hints towards improvement:
https://webhint.io/scanner/c59d294a-27b6-4131-acde-229e9a779c33#category-security

F-grade here: https://observatory.mozilla.org/analyze/www.dewegwyzer.nl
Also: https://observatory.mozilla.org/analyze/www.dewegwyzer.nl#third-party

Then console info (Ctrl+Shift+I) from my browser (and developer extensions).

This is blocked for me inside my ungoogled chrome:

Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
-app.wts2.one/log7.js:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
onLoadModule.js:72 ...Selector Finder is running...
/favicon.ico:1 Failed to load resource: the server responded with a status of 404 (Not Found)

Selector Finder is running Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
app.wts2.one/log7.js:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
d3uvwl4wtkgzo1.cloudfront.net/e8af8301-45e2-41c6-9212-9421ce1b1dc7.js:1
Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
onLoadModule.js:72 ...Selector Finder is running...
/favicon.ico:1 Failed to load resource: the server responded with a status of 404 (Not Found)
-content-script.js.mapped for me with Selector Finder in the dev. console.

Also consider info from this scan: https://urlscan.io/result/439d58a9-16c1-4867-a99f-4f55f6992ed5/

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)

[polonus]

But there is more on this website's security, that may interest us.

NSA snooping secure? No. Who knows you are on this website?
 -app.wts2.one & -www.dewegwyzer.nl will know,
but with no secure tracker transmission that is.

Detected 1 link and/or script to 3rd parties with no integrity check being performed.

Javascript error: -https://www.statcounter.com/counter/counter.js   
File was not found, because err-blocked-by-client.

HTML
-www.dewegwyzer.nl/
5,978 bytes, 80 nodes

Javascript 8   (external 3, inline 5)
INLINE: (function() { // If GPC on, set DOM property to true if not
964 bytes (DOM-XSS issue?).

INLINE: !function(){let e=!1;function n(){if(!e){const n=document.createElement("meta");
613 bytes

INLINE: /* * This entire block is wrapped in an IIFE to prevent polluting the scope of
445,247 bytes

INLINE: var sc_project=12462450; var sc_invisible=1; var sc_security="c8e29d42"; var
94 bytes

-www.statcounter.com/counter/​counter.js
-app.wts2.one/​log7.js
-d3uvwl4wtkgzo1.cloudfront.net/​e8af8301-45e2-41c6-9212-9421ce1b1dc7.js
INLINE: var wts=document.createElement('script');wts.async=true; wts.src='-https://app.wt
176 bytes

CSS 1   (external 0, inline 1)
INLINE: a { text-decoration: none; }

Retire.js Did not recognize -https://app.wts2.one/count7.pl?2055386&3&&&&&%3CB%3EDE%20WEGWYZER%3C%2FB%3E&http%3A%2F%2Fwww.dewegwyzer.nl&&&741x604&_&0&&0&&0&0&&no&&&7.21&0.19675618019939423

-   -   Did not recognize -https://app.wts2.one/log7.js
31 bytes INJECTED LocalCDN(o) extension was enabled in the browser for me 

CSP No Content Security Policy found - not verified by DNSSEC.

header -> secure setting only for access-control-allow=origin header.

Apache 2 headers not found vulnerable.  Zen Mate FW finds 100% content, nothing blocked.

So yes, it takes some time to evaluate, when one goes a error-hunting,

polonus (volunteer 3rd party cold reconnaissance website security-analyst and website error-hunter)

[polonus]

We have lost another fine online resource over the Easter week-end:
-https://domxssscanner.geeksta.net/

The service has been taken down and was archived by the developer.
See: https://wiki.mozilla.org/Security/B2G/JavaScript_code_analysis#DOM_XSS_Scanner

Now I use DOM based XSS finder extension for Chrome.

Could be great if this could be brought online: https://github.com/ajinabraham/Static-DOM-XSS-Scanner

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)

[polonus]

But there is an alternative for white hat pentesters and error-hunters like me.
You have to register so these services won't be abused:

https://securityforeveryone.com/tools/all?

polonus