Author Topic: Tests and other Media topics  (Read 579354 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Tests and other Media topics
« Reply #735 on: December 09, 2019, 03:29:05 PM »
Two browser extensions that can extend the info detected here
(https://observatory.mozilla.org/analyze/meedoeninarnhem.nl, a random example with C-grade status)
are Recx Security Analyser v.1.3.0.4 (described earlier in this section, Tests & other Media topics)
and CSP Evaluator ->
Quote
base-uri 'self';
img-src * data: 'unsafe-inline';
default-src data: * 'unsafe-inline';
frame-ancestors 'self';
manifest-src 'self';
media-src *.readspeaker.com *.speechstream.net 'self';
script-src * 'unsafe-inline' 'unsafe-eval';
object-src 'self';

[check] base-uri
  [check] 'self'

[check] img-src
  [check] *
  [check] data:
  [check] 'unsafe-inline'

[check] default-src
  [check] data:
  [check] *
  [check] 'unsafe-inline'

[check] frame-ancestors
  [check] 'self'

[check] manifest-src
  [check] 'self'

[check] media-src
  [check] *.readspeaker.com
  [check] *.speechstream.net
  [check] 'self'

[error] script-src
  [error] *
    script-src should not allow '*' as source
  [error] 'unsafe-inline'
    'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
  [help_outline] 'unsafe-eval'
    'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().

[help_outline] object-src
  [help_outline] 'self'
    Can you restrict object-src to 'none' only?

Legend
[error] High severity finding
[error] Medium severity finding
[help_outline] Possible high severity finding
[remove] Directive/value is ignored in this version of CSP
[help_outline] Possible medium severity finding
[clear] Syntax error
[info_outline] Information
[check] All good


Could be also combined with results from https://webcookies.org/cookies/www.arnhem.nl/15998357

Enjoy, my good friends, enjoy,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Tests and other Media topics
« Reply #736 on: December 10, 2019, 01:45:02 PM »
Test websites for Dutch NCSC TLS-guidelines: https://internet.nl/

10 online tools -> https://geekflare.com/ssl-test-certificate/

Check site's cert fingerprint with this here: https://www.grc.com/fingerprints.htm

Each site's authentic security certificate fingerprint (shown above) was just now obtained by GRC's servers from each target web
server. If your web browser sees a different fingerprint for the same certificate (carefully verify the Certificate Name is identical) that
forms strong evidence that something is intercepting your web browser's secure connections and is creating fraudulent site certificates.   

polonus
« Last Edit: December 10, 2019, 05:50:27 PM by polonus »
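The GRC check in the post above compares the certificate fingerprint your browser sees with one obtained from a second vantage point. As an added example (not code from the post, from GRC or from any of the tools it links), here is a small Python script that does the local half of that comparison: it fetches the leaf certificate a TLS server presents, renders its fingerprint in the colon-separated form browsers and GRC display, and compares it with a reference fingerprint you noted out of band. All function names are this example's own; the only constructed inputs are the byte strings used in the offline checks, the network fetch is real and needs connectivity.

```python
"""Certificate-fingerprint comparison (added example, not from the post above).

Fetches the leaf certificate a TLS server presents, computes its fingerprint
in the colon-separated form browsers and GRC's page display, and compares it
with a fingerprint obtained out of band. For the same certificate name, a
mismatch is the interception signal the post describes.
"""
import hashlib
import socket
import ssl

HEX = set("0123456789ABCDEF")


def fingerprint(der_cert, algorithm="sha256"):
    """Colon-separated upper-case hex digest of a DER-encoded certificate."""
    digest = hashlib.new(algorithm, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Strip colons/spaces and case so differently formatted copies compare equal."""
    return "".join(ch for ch in fp.upper() if ch in HEX)


def fingerprints_match(seen, reference):
    """True when two fingerprints are the same digest, whatever their formatting."""
    return normalize(seen) == normalize(reference)


def fetch_leaf_certificate(host, port=443, timeout=10.0):
    """Return the DER-encoded leaf certificate the server presents for `host`.

    Certificate verification stays on: if an interception proxy's CA has been
    installed in the local trust store the handshake succeeds and we see the
    proxy's substitute certificate, which is exactly what the fingerprint
    comparison is meant to expose. If the chain is untrusted, the SSLError is
    itself a warning sign and is left to propagate.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_site(host, reference_fingerprint, algorithm="sha256"):
    """Compare the live fingerprint with one noted from an independent source."""
    seen = fingerprint(fetch_leaf_certificate(host), algorithm)
    return {"host": host, "seen": seen, "reference": reference_fingerprint,
            "match": fingerprints_match(seen, reference_fingerprint)}


if __name__ == "__main__":
    import sys
    # usage: python fingerprint_check.py example.com AA:BB:...   (needs network)
    host, reference = sys.argv[1], sys.argv[2]
    result = check_site(host, reference)
    print("OK" if result["match"] else "MISMATCH", result)
```

Compare only fingerprints of the same certificate name and algorithm: GRC shows SHA-1 by default, most browsers show SHA-256 first, so pass `algorithm="sha1"` when the reference came from GRC. A mismatch on an otherwise verified connection means something between you and the site is terminating TLS with a substitute certificate your trust store accepts.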

Offline polonus

Re: Tests and other Media topics
« Reply #737 on: December 14, 2019, 11:14:01 PM »
You will find trackers reported, for instance through DNS Query Sniffer tool,
then check here: https://whotracks.me/trackers/gstatic.html
Also compare this search tool with insecure tracking found with Tracker SSL extension.

Enjoy, my good friends, enjoy,

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #738 on: December 16, 2019, 02:54:39 PM »
Looking for alternatives for urlquery dot net, now it is more often down than up:
https://postmodernsecurity.com/2015/09/11/malware-analysis-and-incident-response-tools-for-the-frugal-and-lazy/
Examples from there: https://forum.avast.com/index.php?action=post;topic=129271.735;last_msg=1529228 (random example);
also: https://fortiguard.com/webfilter?q=justshopclub.com
Also do an IP scan: https://www.shodan.io/host/31.192.111.83  to be verified at VT IP relations; you can use the VT4Browsers extension.

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #739 on: December 25, 2019, 01:42:39 PM »
L.S.

Hunting for website errors that could be exploited, I stumbled upon this in the CSP arena:
Often CSP security is wrongly implemented or in some cases can be circumvented.
Read: https://github.com/qazbnm456/awesome-web-security  (see the CSP security section)
Also for instance: https://github.com/portswigger/irule-detector

I have this installed in the browser: CSP Evaluator extension.
See response headers in Web Developer extension for particular websites.
Also Evading CSP with DOM-based dangling markup

For instance we have CSP evaluation for https://observatory.mozilla.org/
with a possible medium severity finding with "script-src 'self'".
As 'self' can be problematic if you host JSONP, Angular or user uploaded files.
Which is not true as we check here: https://urlscan.io/result/2170f2aa-7870-4748-b629-7f246e95b6ae#behaviour

Seems folks have only just begun implementing strong Content Security Policies
and evaluating whether some attacker can bypass them.

Also XSS scanning could be worthwhile: https://labs.detectify.com/2016/04/04/csp-bypassing-form-action-with-reflected-xss/
Can be combined with CSP bypasser via http://attacker.tld/link-subresource (link not found), still something of a push,
so read here: https://news.ycombinator.com/item?id=14077955

For security researchers and analysts/pentesters, this is the season just for some back-up reading on these subjects,
and to further protection against such weaknesses. Enjoy, my friends, enjoy,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)


Offline polonus

Re: Tests and other Media topics
« Reply #740 on: December 25, 2019, 10:00:59 PM »
Random example of such a CSP Evaluation:

CSP Evaluated for the Sucuri SiteChek website: High Security Findings 2.
Quote
[error] script-src [missing]
  script-src directive is missing.

[error] object-src [missing]
  Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?


Page meta security headers not securely set for (missing):
Upgrade-insecure-requests CSP header, HTTP security header (RECX Security Analyser).

I would expect an A grade result, not a B+ like: https://observatory.mozilla.org/analyze/sitecheck.sucuri.net

Content Security Policy      -20   Content Security Policy (CSP) implemented unsafely.

This includes 'unsafe-inline' or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.
Quote
Content Security Policy Analysis (Test / Pass)
[X] Blocks execution of inline JavaScript by not allowing 'unsafe-inline' inside script-src
[V] Blocks execution of JavaScript's eval() function by not allowing 'unsafe-eval' inside script-src
[X] Blocks execution of plug-ins, using object-src restrictions
[X] Blocks inline styles by not allowing 'unsafe-inline' inside style-src
[V] Blocks loading of active content over HTTP or FTP
[V] Blocks loading of passive content over HTTP or FTP
[X] Clickjacking protection, using frame-ancestors
[X] Deny by default, using default-src 'none'
[X] Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins
[X] Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs
[-] Uses CSP3's 'strict-dynamic' directive to allow dynamic script loading (optional)
V = green, X = red

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #741 on: December 27, 2019, 02:53:30 PM »
L.S.

Another evaluation of CSP on this website: -> https://www.sitejabber.com/reviews/htbridge.com
Quote
frame-ancestors 'none'; *

script-src [missing]
  script-src directive is missing.

[error] object-src [missing]
  Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?
Also: https://observatory.mozilla.org/analyze/www.sitejabber.com#third-party
https://observatory.mozilla.org/analyze/www.sitejabber.com
and https://securityheaders.com/?followRedirects=on&hide=on&q=www.sitejabber.com
and https://report-uri.com/home/analyse/https%3A%2F%2Fwww.sitejabber.com%2F   (* same results)

On header security: https://securityheaders.com/?q=https%3A%2F%2Fwww.sitejabber.com%2Freviews%2Fhtbridge.com&followRedirects=on

Also consider: https://webcookies.org/cookies/www.sitejabber.com/28801934?542749

On the hoster: Server: Apache/2.4.18
Quote
The header exposes web server version details. These serve no purpose apart from making the life of security auditors and hackers easier, leading them straight to exploits for this particular version of the product.

No base-uri allows attackers to inject base tags which override the base URI to an attacker-controlled origin. Set to 'none' unless you need to handle tricky relative URLs scheme

Username Enumeration exploit(s) - view host details: https://www.shodan.io/host/52.4.241.179

look for SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8 exploits

Note: 1. The device may not be impacted by all of these issues. The vulnerabilities are implied based on the software and version.
      2. Another threat with detected Google Tag Manager:
         https://blog.sucuri.net/2018/04/malicious-activities-google-tag-manager.html

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Offline polonus

Re: Tests and other Media topics
« Reply #742 on: December 28, 2019, 02:26:48 PM »
The State of JavaScript 2019
jQuery just has slightly over 11% of user-base left now: https://2019.stateofjs.com/
React and Angular.js the way to go?

Interesting: https://2019.stateofjs.com/testing/  & https://2019.stateofjs.com/other-tools/

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Offline polonus

Re: Tests and other Media topics
« Reply #743 on: December 28, 2019, 04:04:35 PM »
Various domain checks: https://www.zonemaster.net/domain_check
The following nameservers failed to resolve to an IP address : -ns-02.avast.com, -ns-06.avast.com.

35% only here: https://en.internet.nl/site/avast.com/735290/
Consider also: https://mxtoolbox.com/SuperTool.aspx?action=mx%3asecurity.nl&run=toolpage#

8 problems found: https://mxtoolbox.com/domain/avast.com/

Just F-grade here: https://observatory.mozilla.org/analyze/avast.com (was an earlier -B grade).

A & C-scan results: https://observatory.mozilla.org/analyze/avast.com#third-party

Not vulnerable to TLS-Robot attack. (https://www.tbs-certificates.co.uk/FAQ/en/outils-scan-ssl-tls.html)

Not compliant: https://observatory.mozilla.org/analyze/avast.com#tls
See for improvement to modern times: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
Moderate: avast.com
YOUR SCORE: Unfortunately, the tested resource isn't running on the latest TLS 1.3.

polonus
« Last Edit: December 28, 2019, 04:24:06 PM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #744 on: December 29, 2019, 10:54:55 PM »
A nice collection of tools can be found here ->: https://report-uri.com/home/analyse
Among them an additional CSP Analyser.
Additional CSP inspection and validation ->: https://cspvalidator.org/#url=https://cspvalidator.org/

Checking the one with the other gives
Quote
Valid policy at -> https://report-uri.com/home/analyseView
Raw Policy
Warning
1:462: The child-src directive is deprecated as of CSP level 3. Authors who wish to regulate nested browsing contexts and workers SHOULD use the frame-src and worker-src directives, respectively.

1:502: The upgrade-insecure-requests directive is an experimental directive that will be likely added to the CSP specification.

Info
1:529: A draft of the next version of CSP deprecates report-uri in favour of a new report-to directive.
So well worth bookmarking this website address, for when website developers have need of this additional inspection and validation  ;)  (Remember, online nothing is ever a 100% foolproof best policy; today's standards aren't tomorrow's.)

Inside Avast Secure Browser I now use CSP Evaluator extension and CSP Tester extension next to JNote extension,
a JavaScript error notifier.

So we keep collecting various interesting tools for our toolboxes.

Check and test well into the coming new year 2020, my good friends, enjoy.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Offline polonus

Re: Tests and other Media topics
« Reply #745 on: December 29, 2019, 11:33:45 PM »
For those that are about to have a Content Security Policy set out,

Inspecting and testing CSP for -https://sitecheck.sucuri.net

I found when validating CSP Strings it had "upgrade-insecure-requests", an experimental directive
that will be likely added to the CSP specification.

Adding script-src gave "directive is missing",
and for "object-src", that when this is missing injection of plug-ins which can execute JS is possible.
So it is better to set it to 'none'.

Just with the online and extension versions of CSP validation that was a lesson we have just learned to-day,
and we were also able to give feedback to the folks behind https://cspvalidator.org/#url=https://report-uri.com/home/analyse

polonus
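Replies #735, #740, #741 and #745 above all quote the same family of findings from CSP Evaluator, report-uri's analyser and the Mozilla Observatory: '*' or bare schemes in script-src, 'unsafe-inline' and 'unsafe-eval', a missing script-src or object-src, object-src not restricted to 'none', and absent base-uri, frame-ancestors or form-action. As an added example (not code from any of those tools or from the posts), here is a small Python analyser that parses a Content-Security-Policy header and reproduces those checks, including the fallback from a missing fetch directive to default-src that decides whether "script-src [missing]" is really a finding. The function names and severity labels are this example's own; EXAMPLE_POLICY is the policy quoted in Reply #735, while HARDENED_POLICY and its nonce value are constructed for comparison.

```python
"""Small Content-Security-Policy analyser (added example, not CSP Evaluator's code).

Reproduces the findings the posts above quote: '*' / scheme sources,
'unsafe-inline' and 'unsafe-eval' in script-src, missing script-src or
object-src, object-src not 'none', and absent base-uri / frame-ancestors /
form-action. Severity labels mirror CSP Evaluator's legend but are our own.
"""

SEVERITY_ORDER = ("HIGH", "MEDIUM", "POSSIBLE_HIGH", "POSSIBLE_MEDIUM", "LOW", "INFO")

# Directives whose absence is a finding on its own.
MISSING_CHECKS = {
    "base-uri": ("MEDIUM", "no base-uri: an injected <base> tag can redirect relative URLs to another origin; set 'none' or 'self'"),
    "frame-ancestors": ("MEDIUM", "no frame-ancestors: no clickjacking protection"),
    "form-action": ("MEDIUM", "no form-action: injected forms can submit anywhere; set 'self' or specific origins"),
}

# Directives the validators above report as deprecated or superseded.
DEPRECATED = {
    "child-src": "deprecated in CSP level 3; use frame-src and worker-src",
    "report-uri": "superseded by report-to in later drafts; keep both for older browsers",
}

# A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP2 fallback).
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy):
    """Split a CSP header into {directive: [sources]}.

    Directives are ';'-separated; the first token names the directive, the
    rest are its sources. Names are case-insensitive and a repeated directive
    is ignored, as browsers honour only the first occurrence.
    """
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _effective(directives, name):
    """Fetch directives fall back to default-src when absent; sources lower-cased."""
    if name in directives:
        return name, [s.lower() for s in directives[name]]
    if "default-src" in directives:
        return "default-src", [s.lower() for s in directives["default-src"]]
    return None, []


def evaluate_csp(policy):
    """Return a list of (severity, directive, message) findings, worst first."""
    d = parse_csp(policy)
    findings = []

    where, src = _effective(d, "script-src")
    if where is None:
        findings.append(("HIGH", "script-src", "script-src directive is missing (and no default-src to fall back on)"))
    else:
        if "*" in src:
            findings.append(("HIGH", where, "script-src should not allow '*' as source"))
        for scheme in ("http:", "https:", "data:"):
            if scheme in src:
                findings.append(("HIGH", where, f"{scheme} is an overly broad script source"))
        if "'unsafe-inline'" in src and not any(s.startswith(NONCE_OR_HASH) for s in src):
            findings.append(("HIGH", where, "'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers"))
        if "'unsafe-eval'" in src:
            findings.append(("MEDIUM", where, "'unsafe-eval' allows the execution of code injected into DOM APIs such as eval()"))
        if "'self'" in src:
            findings.append(("POSSIBLE_MEDIUM", where, "'self' can be problematic if you host JSONP, Angular or user-uploaded files"))

    where, src = _effective(d, "object-src")
    if where is None:
        findings.append(("HIGH", "object-src", "missing object-src allows the injection of plugins which can execute JavaScript; set it to 'none'"))
    elif src != ["'none'"]:
        findings.append(("POSSIBLE_HIGH", where, "can you restrict object-src to 'none' only?"))

    where, src = _effective(d, "style-src")
    if where is not None and "'unsafe-inline'" in src:
        findings.append(("LOW", where, "'unsafe-inline' inside style-src allows injected inline styles"))

    for name, (severity, message) in MISSING_CHECKS.items():
        if name not in d:
            findings.append((severity, name, message))
    for name, message in DEPRECATED.items():
        if name in d:
            findings.append(("INFO", name, message))
    if [s.lower() for s in d.get("default-src", [])] != ["'none'"]:
        findings.append(("INFO", "default-src", "not denying by default with default-src 'none'"))

    findings.sort(key=lambda f: SEVERITY_ORDER.index(f[0]))
    return findings


def summarize(policy):
    """Count findings per severity, the basis for a quick grade."""
    counts = dict.fromkeys(SEVERITY_ORDER, 0)
    for severity, _, _ in evaluate_csp(policy):
        counts[severity] += 1
    return counts


# The policy quoted in Reply #735 above.
EXAMPLE_POLICY = ("base-uri 'self'; img-src * data: 'unsafe-inline'; "
                  "default-src data: * 'unsafe-inline'; frame-ancestors 'self'; "
                  "manifest-src 'self'; media-src *.readspeaker.com *.speechstream.net 'self'; "
                  "script-src * 'unsafe-inline' 'unsafe-eval'; object-src 'self'")

# Constructed strict policy for comparison; a real nonce must be a fresh,
# unguessable value per response, 'r4nd0m' is only a placeholder here.
HARDENED_POLICY = ("default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
                   "object-src 'none'; base-uri 'none'; frame-ancestors 'none'; "
                   "form-action 'self'; img-src 'self'; style-src 'self'")

if __name__ == "__main__":
    for label, policy in (("quoted", EXAMPLE_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"== {label}: {summarize(policy)}")
        for severity, directive, message in evaluate_csp(policy):
            print(f"  [{severity}] {directive}: {message}")
```

Run it against the policy from Reply #735 and you get the two high findings the evaluator reported ('*' and 'unsafe-inline'), the 'unsafe-eval' medium, the object-src 'self' question, plus the missing form-action and the inline-style issue inherited from default-src; the hardened policy yields no findings. The duplicate-directive rule in parse_csp matters for review work: a second `script-src` appended later in a header is silently ignored by browsers, so an analyser that merged the two would grade a policy the browser never enforces.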


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Tests and other Media topics
« Reply #747 on: January 01, 2020, 10:28:42 PM »
Reference the DNS info above: I can recall Firefox is introducing additional measures for secure DNS connections, a bit like HTTPS secure connections.  I commented on how/if Avast would deal with this additional protection level.

This was the post by Asyn:
https://forum.avast.com/index.php?topic=19387.msg1530670#msg1530670

And my comment:
I wonder if/how this might impact the Avast HTTPS scanning ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

Re: Tests and other Media topics
« Reply #748 on: January 01, 2020, 11:46:57 PM »
Hi DavidR,

Some issues with DNS resolving will not be fixed, like for instance PTR requests for NXDOMAINs.
Read: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/

The overhaul or even partial overhaul of the DNS infrastructure will not materialize, I am afraid. Not even in a minimal sense.

And considering DoH recently being brought into Firefox, there are grave concerns from some that it may just enhance Big Tech's grip.

But I cannot see anything wrong with bringing in Google's site verification, very important when sites are just starting to resolve.

Maybe we should enter into a way of encrypting DNS requests, there are some android apps that can do this.

polonus


« Last Edit: January 01, 2020, 11:49:30 PM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #749 on: January 02, 2020, 11:31:21 AM »
An example where digging goes wrong.
DNS lookup fails with "254.242.55.65.in-addr.arpa" for instance.

DNSQuerySniffer, running under the browser, does not come up with a reply and cannot resolve.
You often experience that with PTR requests that involve MS.

So then looked here:
Quote
id 7223
opcode QUERY
rcode NXDOMAIN
flags QR RD RA
;QUESTION
254.242.55.65.in-addr.arpa. IN A
;ANSWER
;AUTHORITY
55.65.in-addr.arpa. 1799 IN SOA ns1.msft.net. msnhst.microsoft.com. 2019121601 7200 900 7200000 3600
;ADDITIONAL
This is with the Google toolbox app's Dig DNS lookup.

Just as we expected: NXDOMAIN, a non-registered domain, or the result of some server hiccup.

Many folks never really studied DNS and the ways to manipulate DNS.
A shame really, for it is an important issue,
playing out everywhere, also in the background (Cloud, Big Tech data retrieving).

Conclusion here "Parties fail to innovate and to overhaul and that even partly",
or just call it like Americans do "sloppiness", whatever.

Info credits go to luntrus,

Visualize here: https://dnsviz.net/d/security.nl/dnssec/
also see: https://dnssec-debugger.verisignlabs.com/

polonus
« Last Edit: January 02, 2020, 02:18:09 PM by polonus »
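The post above shows a reverse lookup that ends in NXDOMAIN and asks whether that is a missing registration or a server hiccup. As an added example (not the poster's code and not part of the Dig tool or DNSQuerySniffer), here is a small Python helper set that builds the in-addr.arpa / ip6.arpa name for an address, performs the PTR lookup with the standard library, and parses the dig-style message text quoted in the post so the two cases can be told apart: an NXDOMAIN that carries the zone's SOA in the AUTHORITY section is an authoritative negative answer, while SERVFAIL or an empty response points at the resolver. It also flags one detail visible in the quoted output, namely that the question asks for an A record of the reverse name; only a PTR query answers "who is this address", so an A query for an arpa name tells you little even when the name exists. The function names are this example's own and the sample message is the one quoted in the post.

```python
"""Reverse-DNS helpers (added example, not from the post above).

Builds the reverse name for an address, does the PTR lookup, and parses the
dig-style message text the post quotes so an authoritative NXDOMAIN can be
told apart from a resolver failure or a query of the wrong record type.
"""
import ipaddress
import socket


def reverse_name(ip):
    """'65.55.242.254' -> '254.242.55.65.in-addr.arpa' (IPv6 yields ...ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def ptr_lookup(ip):
    """PTR hostname for `ip`, or None when the resolver has no record.

    socket.herror is raised for both NXDOMAIN and an empty answer, so this
    cannot distinguish the two; parse_dig_message below is for that.
    """
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


def parse_dig_message(text):
    """Parse 'id/opcode/rcode/flags' header lines and ;SECTION blocks into a dict."""
    parsed = {"header": {}, "sections": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            section = line[1:].strip().upper()
            parsed["sections"][section] = []
        elif section is None:
            key, _, value = line.partition(" ")
            key = key.lower()
            parsed["header"][key] = value.split() if key == "flags" else value.strip()
        else:
            parsed["sections"][section].append(line)
    return parsed


def check_question(parsed):
    """Warn when a reverse name is queried with a type other than PTR."""
    warnings = []
    for question in parsed["sections"].get("QUESTION", []):
        parts = question.split()
        if (len(parts) >= 3
                and parts[0].lower().endswith((".in-addr.arpa.", ".ip6.arpa."))
                and parts[-1].upper() != "PTR"):
            warnings.append(f"{parts[0]} queried as {parts[-1]}; reverse lookups need a PTR query")
    return warnings


def classify_answer(parsed):
    """Explain a negative answer from the rcode and the AUTHORITY section."""
    rcode = parsed["header"].get("rcode")
    answers = parsed["sections"].get("ANSWER", [])
    has_soa = any(" SOA " in rr for rr in parsed["sections"].get("AUTHORITY", []))
    if answers:
        return "answered"
    if rcode == "NXDOMAIN" and has_soa:
        return "authoritative NXDOMAIN: the reverse name does not exist in the zone"
    if rcode == "NOERROR" and has_soa:
        return "NODATA: the name exists but has no record of the queried type"
    if rcode == "SERVFAIL":
        return "resolver failure: retry or use another resolver"
    return f"unclassified: rcode {rcode}"


# The Dig output quoted in the post above, used here as sample input.
SAMPLE_MESSAGE = """\
id 7223
opcode QUERY
rcode NXDOMAIN
flags QR RD RA
;QUESTION
254.242.55.65.in-addr.arpa. IN A
;ANSWER
;AUTHORITY
55.65.in-addr.arpa. 1799 IN SOA ns1.msft.net. msnhst.microsoft.com. 2019121601 7200 900 7200000 3600
;ADDITIONAL
"""

if __name__ == "__main__":
    message = parse_dig_message(SAMPLE_MESSAGE)
    print(reverse_name("65.55.242.254"))
    print(classify_answer(message))
    for warning in check_question(message):
        print("warning:", warning)
```

The SOA for 55.65.in-addr.arpa in the AUTHORITY section is what makes the quoted NXDOMAIN trustworthy: the zone's own servers answered, so the name simply is not delegated or populated, which is the "not registered" reading in the post rather than a hiccup. When the SOA is absent and the rcode is SERVFAIL, retry against another resolver before drawing conclusions.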