Author Topic: Tests and other Media topics  (Read 584413 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Tests and other Media topics
« Reply #750 on: January 05, 2020, 06:48:16 PM »
Security grade of this search engine webpage: https://www.qwant.com/
Re: https://www.shodan.io/host/194.187.168.100
See: https://webhint.io/scanner/47f3776f-d541-49f3-93c0-a8d2dfb3c168
Cookie & Security Scan report: https://webcookies.org/cookies/www.qwant.com/1128157?673125
Re: B-grade: https://observatory.mozilla.org/analyze/www.qwant.com

Errors in browser console: Refused to load the image 'hxtps://lite.qwant.com/img/v4/header/header-bg-tablet.svg?redirect=OperaMobi13.04&1539938515=' because it violates the following Content Security Policy directive: "img-src blob: 'self' s1.qwant.com s2.qwant.com s.qwant.com data: s-boards.qwant.com s-lite.qwant.com www.qwant.com".

/undefined:1 GET -https://www.qwant.com/undefined 404
Image (async)
replaceInnerHTML @ app.js?1576502819736:3
constructor @ app.js?1576502819736:3
startApplication @ bootstrap.js?1576502819736:196
(anonymous) @ bootstrap.js?1576502819736:140
b.then @ app.js?1576502819736:1
initApplication @ bootstrap.js?1576502819736:139
languageFileLoad @ bootstrap.js?1576502819736:254
load (async)
(anonymous) @ bootstrap.js?1576502819736:224

DOM-XSS issues: Results from scanning URL: -https://www.qwant.com/
Number of sources found: 2
Number of sinks found: 38

and results from scanning URL: -https://www.qwant.com/js/app.js?1576502819736
Number of sources found: 302
Number of sinks found: 1037

and results from scanning URL: -https://www.qwant.com/js/app.js?1576502819736
Number of sources found: 609
Number of sinks found: 291

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Tests and other Media topics
« Reply #751 on: January 14, 2020, 05:39:25 PM »
Domain name cert checks.

Combine tests here, for instance: https://www.immuniweb.com/radar/?id=v4BmqgTP
and https://www.immuniweb.com/ssl/ & https://www.immuniweb.com/websec/
also https://www.immuniweb.com/websec/?id=U3EpLj3f (example)
and at https://moz.com/learn/seo/domain

Check: crt.sh for certificate transparency scans.

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #752 on: January 20, 2020, 06:22:32 AM »
Next to testing with Retire.JS extension inside the browser or https://retire.insecurity.today/
developed by Erlend Oftedal, we can also test at DomStorm's class selector XSS at
-> https://domstorm.skepticfx.com/modules?id=529bbe6e125fac0000000003
Other modules also available.. handy for DOM-XSS searches for sinks and sources.
Other example test: https://domstorm.skepticfx.com/modules?id=559b066c34473500003d257b

Enjoy, my friends, enjoy,

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #753 on: January 20, 2020, 10:01:59 PM »
To make the theoretical ideas stand out more practically - when we combine retire.JS -
domstorm repository, SNYK vulners etc., is to know how to protect against this,
especially against abuse combined with payload injectors. (XSSight abuse etc.).

In general: Defenses against XSS
What input do we trust? (browser- and client-side validation)
Does it adhere to expected patterns?
Never simply reflect untrusted data.
Applies to data within our database too.
Encoding of context (Java/attribute/HTML/CSS)

polonus
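Added example, not part of the original post: the "encoding of context" point above, sketched as one encoder per output context plus a template filler that refuses contexts it has no encoder for. The names `encoders` and `render`, the `{{context:key}}` placeholder syntax and the sample input are assumptions made for this illustration.

```javascript
// Added example: output encoding chosen by the context the value lands in.
const ALNUM = /^[A-Za-z0-9]$/;
const hex = (cp) => cp.toString(16);

// Replace every non-alphanumeric code point with fmt(codePoint).
function encodeNonAlnum(input, fmt) {
  let out = "";
  for (const ch of String(input)) {
    out += ALNUM.test(ch) ? ch : fmt(ch.codePointAt(0));
  }
  return out;
}

const encoders = {
  // Text between tags: only markup-significant characters are escaped.
  html: (s) => String(s).replace(/[&<>"']/g, (c) => `&#x${hex(c.charCodeAt(0))};`),
  // Attribute values: escape everything non-alphanumeric, so spaces and
  // quotes cannot end the attribute even if the template forgot its quotes.
  attribute: (s) => encodeNonAlnum(s, (cp) => `&#x${hex(cp)};`),
  // Inside a quoted JavaScript string literal only (not bare script code).
  js: (s) => encodeNonAlnum(s, (cp) =>
    cp < 0x100 ? `\\x${hex(cp).padStart(2, "0")}` : `\\u{${hex(cp)}}`),
  // Inside a CSS property value: backslash, hex, terminating space.
  css: (s) => encodeNonAlnum(s, (cp) => `\\${hex(cp)} `),
  // URL query component; encodeURIComponent leaves ' alone, so add it.
  url: (s) => encodeURIComponent(String(s)).replace(/'/g, "%27"),
};

// Fill {{context:key}} placeholders; an unknown context or key is an error,
// so untrusted data is never written out unencoded by accident.
function render(template, data) {
  const own = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);
  return template.replace(/\{\{(\w+):(\w+)\}\}/g, (match, context, key) => {
    if (!own(encoders, context)) throw new Error(`no encoder for context "${context}"`);
    if (!own(data, key)) throw new Error(`no value for "${key}"`);
    return encoders[context](data[key]);
  });
}

// Constructed sample of untrusted input, written into four contexts.
const untrusted = `"'<img src=x onerror=...>`;
const page = render(
  '<a href="/search?q={{url:q}}" title="{{attribute:q}}">{{html:q}}</a>' +
  "<script>var q = '{{js:q}}';</script>",
  { q: untrusted }
);
console.log(page);
```

The same input comes out differently in each context, which is why a single generic "sanitize" step does not cover all of them.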

Offline polonus

Re: Tests and other Media topics
« Reply #754 on: January 21, 2020, 04:25:24 PM »
Re: http://research.insecurelabs.org/jquery/test/

Let us take a particular example with known abuse and analyse retirable jQuery library there.
Re: https://www.abuseipdb.com/check/195.62.29.11 *
Check that particular IP for "vulners": https://www.shodan.io/host/195.62.29.11 common OpenSSH abuse...
Site report: https://sitereport.netcraft.com/?url=http%3A%2F%2Fparagon.net.uk
We see an outdated WordPress CMS version there: WordPress Version 4.9.13
We see it has passed various reputation checks (questionable in the light of the abuse report, see above *)
Reputation Check
PASSED
Google Safe Browse:OK
Spamhaus Check:OK
Abuse CC:OK
Dshield Blocklist:OK
Cisco Talos Blacklist:OK

External hosts also Google Safe Browsing approved:
Externally Linked Host   Hosting Provider   Country   
    -www.godaddy.com   GTT Communications Inc.   United States    
    -www.heg.com   Host Europe GmbH   United Kingdom    
    -domains.meshdigital.com   Host Europe GmbH   United Kingdom    
    -www.domainbox.com   Host Europe GmbH   United Kingdom    
    -aboutus.godaddy.net   Dosarrest Internet Security LTD   United States   

For the DOM we go here: https://urlscan.io/result/4c8d465b-1577-496b-9b0c-3c768c8c3dd0

1 Retirable jQuery library: https://retire.insecurity.today/#!/scan/608243a0f733be6600ab4c37808b81dd7dfbaccd646f3cbc5fc5251850d95bfc

DOM-XSS Sinks and Sources there: Results from scanning URL: -https://www.heg.com/wp-includes/js/jquery/jquery.js?ver=1.12.4
Number of sources found: 41
Number of sinks found: 17

Sources, output that could be controlled - .top! .innerHTML= [name= .location. .name write( opener| .parent .open( .op= =top+ "top"
sinks, methods to do so, .value href= data= .src=

The SNYK results from webhint - hint #1: 'jQuery@1.12.4' has 2 known vulnerabilities (2 medium). See 'https://snyk.io/vuln/npm:jquery' for more information@ https://webhint.io/scanner/9d38081f-16c8-4085-a918-baedbc3e3c9c#category-security

We find two requests with regular content  on -https://www.heg.com/wp-includes/js/jquery/jquery.js?ver=1.12.4

Read: https://github.com/jquery/jquery/issues/2432

Also valuable info from: https://webcookies.org/cookies/www.heg.com/28887761?484748
about outdated PHP and excessive server info proliferation; X-Powered-By: PHP/5.4.44
The header exposes web server version details. This serves no purpose apart from making the life of security auditors and hackers easier, leading them straight to exploits for this particular version of the product - Server: Apache/2.2.15 (CentOS)
-> https://www.centos.org/forums/viewtopic.php?t=65285

Results of vulners webscanner extension for/on HEG website:
Quote
wXw.heg.com
Apache, headers
Not vulnerable
PHP, headers - 5.4.44 vulnerable
7.5

jQuery, headers - 1.3
Not vulnerable
jQuery, script
Not vulnerable
jQuery Migrate, script
Not vulnerable
Bootstrap, script
Not vulnerable
Font Awesome, html
Not vulnerable
Yoast SEO, html - 4.5
Not vulnerable
Wordpress - 4.9.13
Not vulnerable


polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
« Last Edit: January 22, 2020, 05:57:18 AM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #755 on: January 21, 2020, 11:06:57 PM »
Compare malicious IP scans.

Re: https://urlhaus.abuse.ch/url/294136/
IP server info: https://www.shodan.io/host/108.58.8.186
together with Netcraft's site report: https://sitereport.netcraft.com/?url=ool-6c3a08ba.static.optonline.net
Confirmation of scanning and Mirai-like infestations: https://viz.greynoise.io/ip/108.58.8.186

pol
« Last Edit: January 21, 2020, 11:08:51 PM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #756 on: January 22, 2020, 06:14:55 AM »
Testing PHP - http://evuln.com/tools/php-security/
There are also free applications, so I won't give that address for we don't wanna break those  ;)
Also: https://phpstan.org/  as an online tool.
Example test on index.php: https://phpstan.org/r/2976723a-53b1-4698-8984-ccbbdee9b292

https://www.quora.com/How-do-I-view-a-PHP-source-code-of-a-website-just-like-we-see-the-HTML-and-other-codes

Sucuri also has resources: https://wordpress.org/support/topic/sucuri-auditqueue-php-and-other-files/
Re: https://www.unphp.net/decode/788b15af31089576dfcc553a4eddedd0/

Vulners extension for this site -forum.avast.com gives vuln. PHP.headers 5.4.49   7.5
-> https://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/opbyp-1/PHP-PHP.html

Often PHP could mean a "can of worms", specifically outside the kernel source of PHP based CMS like WordPress etc.

General interpretation of web security: https://infosec.mozilla.org/guidelines/web_security

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
« Last Edit: January 22, 2020, 10:47:53 PM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #757 on: February 04, 2020, 05:40:36 PM »
L.S.

Linting for javascript errors and flaws, e.g. javascript-validation.
Combine with results from vulners web scanner extension, Zen Mate Web Firewall extension &
Javascript Error Notifier extension and shodan extension for eventual website server info.

Using an online Javascript Validator: http://beautifytools.com/javascript-validator.php
Tested:  -https://refugiodocapitao.com.br/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Number of sources found: 3
Number of sinks found: 0
Linting produced:
Line   Col   Errors
5   1   Missing semicolon.
0   0   Use the function form of "use strict".
26   94   Missing semicolon.
31   146   Use '===' to compare with 'false'.

Scanned for retirable jQuery library: -https://refugiodocapitao.com.br/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Detected libraries:
jquery-migrate - 1.4.1 : -https://refugiodocapitao.com.br/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
No vulnerable libraries found

Line   Col   Errors
222   58   Unnecessary semicolon.
258   18   'options' is defined but never used.
298   22   'e' is defined but never used.
308   28   'e' is defined but never used.
360   35   'options' is defined but never used.
399   1   'new_max' is defined but never used.
424   53   'options' is defined but never used.
475   1   'whCustom' is defined but never used.
530   22   'index' is defined but never used.
460   1   'html_el' is defined but never used.
464   1   'full_slider' is defined but never used.
651   8   Use '===' to compare with '0'.
695   27   'direction' is defined but never used.
751   58   Expected an assignment or function call and instead saw an expression.
760   9   ['jswing'] is better written in dot notation.
760   30   ['swing'] is better written in dot notation.
794   62   A leading decimal point can be confused with a dot: '.3'.
801   62   A leading decimal point can be confused with a dot: '.3'.
808   65   A leading decimal point can be confused with a dot: '.3'.
811   22   A leading decimal point can be confused with a dot: '.5'.
812   71   A leading decimal point can be confused with a dot: '.5'.
834   41   A leading decimal point can be confused with a dot: '.75'.
836   44   A leading decimal point can be confused with a dot: '.9375'.
838   47   A leading decimal point can be confused with a dot: '.984375'.
842   70   A leading decimal point can be confused with a dot: '.5'.
843   60   A leading decimal point can be confused with a dot: '.5'.
843   67   A leading decimal point can be confused with a dot: '.5'.
781   49   Use '===' to compare with '0'.
784   6   Use '===' to compare with '0'.
794   6   Use '===' to compare with '0'.
795   33   's' is already defined.
796   10   's' is already defined.
801   6   Use '===' to compare with '0'.
802   33   's' is already defined.
803   10   's' is already defined.
808   6   Use '===' to compare with '0'.
809   33   's' is already defined.
810   10   's' is already defined.
815   7   Use '===' to compare with 'undefined'.
819   7   Use '===' to compare with 'undefined'.
823   7   Use '===' to compare with 'undefined'.
906   50   'delay' is defined but never used.
1173   17   Use '===' to compare with 'true'.
1289   5   'win' is defined but never used.
1186   22   'avia_is_mobile' is not defined.

Then we gonna compare to detected sinks and sources via a DOM XSS scan:

But here we found sources and sinks in retirable code:
https://retire.insecurity.today/#!/scan/618f3f67a7d9c4e74e7f1378ebe74d92b11d17db042b56d657463ceec95256d0

Detected sources and sinks: .parent, .top, .location, &  location.href. =

Re: https://domstorm.skepticfx.com/ ->https://domstorm.skepticfx.com/modules?id=56b4dfde108b7c00007363ac
Pentest tool like:  https://github.com/lwzSoviet/NoXss

jQuery versions with known weaknesses
Bug 9521 - $("#<img src=x onerror=...>")
Bug 11290 - $("element[attribute='<img src=x onerror=...>'")
jQuery issue 2432 - 3rd party $.get() auto executes if content type is text/javascript
jQuery issue 11974 - parseHTML executes inline scripts like event handlers

enjoy, my good friends, enjoy.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
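Added example, not part of the original post and not the code of any scanner linked in this thread: a pattern-matching count of sources and sinks of the kind reported above, built from the tokens the posts name (.parent, .top, .location, .name, .innerHTML, write(, href=, src=, data=, .value). The two regexes, the function name and the sample script are assumptions constructed for illustration; every hit is only a pattern match, and lines carrying both a source and a sink are returned for manual review.

```javascript
// Added example: regex-based source/sink counter. The pattern lists are
// assumptions built from the tokens named in the posts, not a real rule set.
const SOURCE_RE = /\.(?:top|parent|opener|location|name|innerHTML)\b|\bwrite(?:ln)?\s*\(/g;
// Assignments only: "x.value = y" is a hit, the comparison "x.value == y" is not.
const SINK_RE = /\b(?:src|href|data|value)\s*=(?!=)/g;

// Constructed sample script (kept free of comments, which would be scanned too).
const SAMPLE = [
  "var q = window.location.hash.slice(1);",
  'document.getElementById("out").innerHTML = q;',
  "link.href = window.parent.name;",
  'if (input.value == "") { return; }',
  'img.src = "/static/logo.png";',
].join("\n");

// Count pattern hits per line and list lines where both kinds occur.
function scanSourcesAndSinks(code) {
  const report = { sources: 0, sinks: 0, hits: [], review: [] };
  code.split(/\r?\n/).forEach((line, i) => {
    const sources = [...line.matchAll(SOURCE_RE)].map((m) => m[0]);
    const sinks = [...line.matchAll(SINK_RE)].map((m) => m[0]);
    if (sources.length === 0 && sinks.length === 0) return;
    report.sources += sources.length;
    report.sinks += sinks.length;
    report.hits.push({ line: i + 1, sources, sinks });
    // A source and a sink in one statement is the first thing to read by hand.
    if (sources.length > 0 && sinks.length > 0) report.review.push(i + 1);
  });
  return report;
}

const result = scanSourcesAndSinks(SAMPLE);
console.log(`Number of sources found: ${result.sources}`);
console.log(`Number of sinks found: ${result.sinks}`);
console.log(`Lines to review first: ${result.review.join(", ")}`);
```

In the sample, the assignment of a constant to `img.src` is counted as a sink, while the flow from `location.hash` on line 1 into `innerHTML` on line 2 is not flagged because it spans two lines. Raw counts from this kind of scan therefore need manual follow-up in both directions.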

Offline polonus

Re: Tests and other Media topics
« Reply #758 on: February 06, 2020, 11:24:22 PM »

Offline polonus

Re: Tests and other Media topics
« Reply #759 on: February 15, 2020, 02:59:45 PM »
Interesting test here: https://hidester.com/webrtc-ip-leak-test/
and more at that site where that came from.
Redirect checker and many other tools here: http://www.internetofficer.com/seo-tool/redirect-check/

Check websites for trackers (check Ghostery & ZenMate Web Firewall extension) here:
(random example): https://whotracks.me/websites/rijmwoordenboek.nl.html

URL analysis: www.theurlanalyzer.com  &  against threats: https://csi.forcepoint.com/  (5 reports a day free access)

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #760 on: February 15, 2020, 10:24:31 PM »

Offline polonus

Re: Tests and other Media topics
« Reply #761 on: February 20, 2020, 09:52:38 PM »
Check subdomain enumeration: search query = site:example.com
& https://pentest-tools.com/information-gathering/find-subdomains-of-domain#
or  https://www.ultratools.com/
also  https://securitytrails.com/dns-trails

Quote
subdomain enumeration methods
Scraping
Brute-force
Alterations & permutations of already known subdomains
Online DNS tools
SSL certificates
Certificate Transparency
Search engines
Public datasets
DNS aggregators
Git repositories
Text parsing (HTML, JavaScript, documents…)
VHost discovery
ASN discovery
Reverse DNS
Zone transfer (AXFR)
DNSSEC zone walking
DNS cache snooping
Content-Security-Policy HTTP headers
Sender Policy Framework (SPF) records
Subject Alternate Name (SAN)
info source credits go to SecOff.

polonus



Offline polonus

Re: Tests and other Media topics
« Reply #762 on: March 03, 2020, 10:43:34 PM »
Because of a bug Let's Encrypt revokes 3.000.000 certificates:
Read: https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864

Test here if your cert was being revoked: https://checkhost.unboundtest.com/

Later they decided they would not do that, read https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591
(really a good thing, while everything went right except for the CAA authentication)

polonus
« Last Edit: March 07, 2020, 03:29:51 PM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #763 on: March 07, 2020, 03:25:54 PM »
L.S.

On this Australian website I found a tracker named Tealium: -https://www.news.com.au/

Checked @whotracks.me: https://whotracks.me/trackers/tealium.html
& https://whotracks.me/websites/instagram.com.html

Also consider: https://webcookies.org/cookies/www.news.com.au/2208692?353391

CSP policy
Quote
block-all-mixed-content;
style-src https: 'unsafe-inline';
script-src https: blob: 'unsafe-inline' 'unsafe-eval';
img-src https: data:;
frame-src https:;
with high risk setting:
[error] script-src
  [error] https:
  https: URI in script-src allows the execution of unsafe scripts.
  [check] blob:
  [error] 'unsafe-inline'
  'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
  [help] 'unsafe-eval'
  'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
&
object-src [missing]
Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?
Also check policy using  https://csp-evaluator.withgoogle.com/ ->
Quote
[check] block-all-mixed-content

[check] style-src
  [check] https:
  [check] 'unsafe-inline'

[error] script-src
Host whitelists can frequently be bypassed. Consider using 'strict-dynamic' in combination with CSP nonces or hashes.
  [error] https:
  https: URI in script-src allows the execution of unsafe scripts.
  [check] blob:
  [error] 'unsafe-inline'
  'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
  [help] 'unsafe-eval'
  'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().

[check] img-src
  [check] https:
  [check] data:

[check] frame-src
  [check] https:

[error] object-src [missing]
Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?

[info] require-trusted-types-for [missing]
Consider requiring Trusted Types for scripts to lock down DOM XSS injection sinks. You can do this by adding "require-trusted-types-for 'script'" to your policy.

Blocked for me in the browser are -resources.newscdn.com.au & -multitools.newscdn.com.au, -tags.tiqcdn.com, -e.infogram.com &
-tags.news.com.au.

Re: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3Lm57d3MuXl1tLnx1YA%3D%3D~enc

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
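Added example, not part of the original post and not csp-evaluator's own code: a small checker that parses the policy quoted above and reports the findings the post lists (scheme source and unsafe keywords in script-src, missing object-src, missing require-trusted-types-for). The function names and the severity labels are assumptions made for this illustration.

```javascript
// Added example. POLICY is the header value quoted in the post above.
const POLICY = "block-all-mixed-content; style-src https: 'unsafe-inline'; " +
  "script-src https: blob: 'unsafe-inline' 'unsafe-eval'; img-src https: data:; frame-src https:";

// Split the header into directive name -> source list. Directive names are
// case-insensitive and a repeated directive is ignored (first one wins).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return one finding per weak or missing setting, in policy order.
function evaluateCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  const add = (severity, directive, value, message) =>
    findings.push({ severity, directive, value, message });

  // Scripts are governed by script-src, falling back to default-src.
  const scriptDir = ["script-src", "default-src"].find((n) => d.has(n));
  if (!scriptDir) {
    add("error", "script-src", "[missing]", "No script-src or default-src: scripts are unrestricted.");
  } else {
    const sources = d.get(scriptDir).map((s) => s.toLowerCase());
    const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    const strictDynamic = sources.includes("'strict-dynamic'");
    for (const s of sources) {
      // Under 'strict-dynamic' browsers ignore host and scheme sources.
      if (!strictDynamic && (s === "*" || /^(https?|data):$/.test(s))) {
        add("error", scriptDir, s, "Scheme or wildcard source allows scripts from any matching origin.");
      }
      // Browsers ignore 'unsafe-inline' once a nonce or hash is present.
      if (s === "'unsafe-inline'" && !hasNonceOrHash) {
        add("error", scriptDir, s, "Allows in-page scripts and event handlers.");
      }
      if (s === "'unsafe-eval'") {
        add("warn", scriptDir, s, "Allows eval() and similar string-to-code APIs.");
      }
    }
  }
  if (!d.has("object-src") && !d.has("default-src")) {
    add("error", "object-src", "[missing]", "Plugins are unrestricted; set object-src 'none'.");
  }
  if (!d.has("require-trusted-types-for")) {
    add("info", "require-trusted-types-for", "[missing]", "Trusted Types not enforced for DOM XSS sinks.");
  }
  return findings;
}

for (const f of evaluateCsp(POLICY)) {
  console.log(`${f.severity.padEnd(5)} ${f.directive} ${f.value}: ${f.message}`);
}
```

A policy built on a nonce with 'strict-dynamic', object-src 'none' and require-trusted-types-for 'script' passes all of these checks, even if it keeps `https:` and 'unsafe-inline' as fallbacks for older browsers.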

Online bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48550
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Tests and other Media topics
« Reply #764 on: March 07, 2020, 03:29:49 PM »
I venture to say that almost all news sites you visit will probably at least try to track your location.
The question remains, what are they doing with the information they've collected?
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet