Author Topic: Tests and other Media topics  (Read 579469 times)

0 Members and 4 Guests are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Tests and other Media topics
« Reply #810 on: July 10, 2020, 01:25:02 PM »
Mozilla now shortens lifespan of TLS certificates also to enhance https security.
A better way to do this is to use DANE for web:
Read: https://cs.gmu.edu/~eoster/doc/2015-08-US-Telecom-DANE.pdf

Check with DANE SMPT Validator (random example): https://dane.sys4.de/smtp/security.nl
or through https://www.huque.com/bin/danecheck  or  https://check.sidnlabs.nl/dane/

polonus
« Last Edit: July 10, 2020, 11:10:21 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Tests and other Media topics
« Reply #811 on: July 12, 2020, 06:11:59 PM »
Privacy error on page. Nontrusted Certificate F-grade, see full report here:
https://www.ssllabs.com/ssltest/analyze.html?&hideResults=on&d=myavcs.com
opening up to  -https://www.disasterrecoverycenter.org  also NON TRUSTED and expired!
This website has a T-grade, which is even worse. Advanced iFrame functions there.

You can report similar UNTRUSTED websites through the suspicious site reporter extension in the browser.

Here we can read about exploitable PHP functions and how they have been troubling us for the last thirty years and more:
https://stackoverflow.com/questions/3115559/exploitable-php-functions
and another discussion here on appsec:
https://security.stackexchange.com/questions/1382/disable-insecure-dangerous-php-functions

pol

« Last Edit: July 13, 2020, 12:14:48 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Tests and other Media topics
« Reply #812 on: July 21, 2020, 03:25:01 PM »
Testing for php on a particular PHISHING page where we know it has Endurance Page Cache php translation to html as scan for Endurance Page Cache html may help to reveal it in the code (regular expression mail-code etc.),
example checking on -https://cndherbals.com/endurance-page-cache.html
Quote
  type="text/javascript" >
function validateEmail(email) {
var re = /^(([^<>()[\]\.,;:\s@\"]+(\.[^<>()[\]\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
return re.test(email);
}
var hash = window.location.hash.substring(1);
if(validateEmail(hash)) {
window.location = "-https://www.yuxuans.cn/wp-admin/network/dooo/quota/?email="+hash;
}
also uses MonsterInsights on Google Analytics,

polonus
« Last Edit: July 21, 2020, 03:28:50 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Tests and other Media topics
« Reply #813 on: July 22, 2020, 01:12:03 PM »
Domain names and subdomain enumeration...Used are dns en WHOIS protocol methods.
Re: https://dnsspy.io/scan
Also for sub-domains: https://securitytrails.com/blog/subdomain-scanner-find-subdomains.

Automatically generated at places where you could register.
Via zone-owner, authorities here are very restrictive because of risks.
Through DNS queries (example Cisco Umbrella (OpenDNS)
Via Certificate Transparency:  https://crt.sh/.
Through scans at shodan & censys etc.
Through multi-threaded scripts, Clone DNS-root-directories to see what is still available (free).
But these are rate-limited against obvious abuse.

Google is your best friend: Google for site:example.com of delivers info on subsites op; just try for instance site:wordpress.com or site:moonfruit.com. The latter has many a phishing site (eg with site:moonfruit.com owa).
Such queries could be combined with Google dorks e.g. for specific Wordpress versions and/or used themes/ plugins.
Info credits go to: Erik van Straten.

Look at resources like: RobTex.com

https://pentest-tools.com/information-gathering/find-subdomains-of-domain#

Also try:  https://www.ultratools.com/

There are many (semi-)public DNS servers that gather data on DNS lookups.
Such data is being used to look up sub-domains and hostnames per IP.
Resources can be public or on demand.
Whenever you use a "secret"hostname one should check what DNS servers will get your requests.
Do not use public name servers and/or on clients.

Then we have AFXR unrestricted open to offenders, to get to all of the zone.
This should be limited to trusted name servers.
Check all name servers for a particular domain. open to offenders, all of the zone can be found.
This should be limited to trusted name servers. Check all name servers of that particular domain.
Has a zone file been entered online?

dig ANY. De DNS server for that domain has all known domains from cache.

An open root directory on a web server can also lead to disclosure.

Also a DNS server or interface of control panel (etc.) could be hacked.

Also look for test-servers. Often these are not being maintained.

The plugin update check for WordPress is spurious, it cannot be trusted fully.
Using back up plugins check plug-ins are not available online.
Remove disable plugins and all remaining files.. (info credits anonymous resources)

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Tests and other Media topics
« Reply #814 on: July 24, 2020, 12:35:53 PM »
What to do when we have a domain like: -http://ww12.d-analyse.com/  for instance?
This is a parking logic - parking crew monetizing website.

Hosted @, see:https://www.shodan.io/host/54.72.9.115
on -ec2-54-72-9-115.eu-west-1.compute.amazonaws.com

Is this website a legit website? This because the domain format is not a valid one, e.g. ww12.etc.
Can we say this a form of van cert. abuse?

Parking-monetizers (in the cloud) can so avoid detection.

Somewhat higher up in that hosting domain we find:
https://dnsspy.io/scan/eu-west-1.compute.amazonaws.com  (info credits go to: luntrus)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Tests and other Media topics
« Reply #815 on: August 07, 2020, 09:37:44 PM »
XSS Filters a cure against DOM-XSS exploits.
Example code
Quote
*/
require ("mocha");
expect = require (/ expect.js');
xssFilters = require (''.../src/XSS-filters');
testutils = require ('./utils.js');
/require ('./unit/private-xss.filters.js');
require ('./unit/xss.filters.js');
source Yahoo Archives.
- See owasp.org XSS Filter Evasion Sheet.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Tests and other Media topics
« Reply #816 on: August 08, 2020, 09:20:17 PM »
But nothing comes guaranteed in webcode development and with script security,
so one can even evade such XSS Filters:
https://owasp.org/www-community/xss-filter-evasion-cheatsheet

Already convinced this will be an ongoing battle i.m.h.o.

For instance abuse scans worked with issues from a XSS Bypass Filter list,
for instance add: <script/src=data:,alert()> or e.g. %3Cscript/src=data:,alert(retire.js)%3E
(only for legit pentesters that were granted exclusive written permisson from the owner).

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
« Last Edit: August 09, 2020, 09:48:13 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Tests and other Media topics
« Reply #817 on: August 09, 2020, 11:10:11 AM »
L.S.

No more SQL injections with WASPlang?

* Sql injections are to be avoided using prepared statements with parameters
Sanitizing is felt to be for dummies.
However, considering the following  (for what it is worth ;)).

Little footprint, assembly line makes it harder for XSS attacks and SQL injection to succeed,
but only when code neatly sanitized *

Features

encourages immutability
immutable c-strings, memory manipulation, global variables, imported functions, 1st class functions
optional standard library runtime
functions with inline web assembly
test framework support
easy project dependency management
self hosting

Source: https://github.com/wasplang/wasp

Simplified parser code for configuring WSON (like JSON but then for WASPlang),
see: https://github.com/wasp-lang/wasp/issues/18

Also read: https://github.com/renjithgr/starred-repos & for sanitizing:
https://drupal.stackexchange.com/questions/1967/what-does-sanitized-mean-in-api-documentation

And to make this circle discussion go round again:
https://api.drupal.org/api/drupal/includes%21common.inc/function/filter_xss/7.x (see warnings there).

Info credits dehondgaatlatijddeaud & #sockpuppet & luntrus

polonus (volunteer 3rd party cold recon website securety analyst and website error-hunter)
« Last Edit: August 09, 2020, 12:20:43 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Tests and other Media topics
« Reply #818 on: August 10, 2020, 10:28:15 AM »
DOM-XSS exploits are just part of the story.
Pentesters and researchers work preferably from combined sec lists like:
https://github.com/danielmiessler/SecLists

So for instance analyse XSS-DOM sinks and sources -> https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html
with weaknesses (medium and low vulnerabilities) through retirable jQuery libraries:

Many developers use  Retire.JS (developed by Erlend Oftedal), also found online as:
https://retire.insecurity.today/  (Retire.JS can also be used as extension inside the browser).

Know that some libraries has reached EOL for quite some time, read:
https://github.com/jquery/jquery.com/issues/162#issuecomment-298656430

Only vulnerable in the case that certain functions are being called, so better to upgrade that particular library.

In that code there may be a weakness like s.iframe Src+,
but it could be src already before taht has been validated properly. 
(my info sources; luntrus & not me)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Tests and other Media topics
« Reply #819 on: August 10, 2020, 12:05:46 PM »
Why the above information urges us to scan for such exploitable website code?

Let's go over vulnerable jQuery code from a site that is launching heodo malware and emotet malcode:
https://urlhaus.abuse.ch/url/428165/

Word Press scan shows 5 security issues in Word Press CMS.
Outdated plug-ins like header-footer-elementor 1.4.1 and elementor 2.9.7
User enumeration not set to disabled. Directory listing /wp-content/uploads/   is left as:  enabled

Detected as vulnerable jQuery library to be retired, see: https://retire.insecurity.today/#!/scan/ac83b63cdec87cf9d917d6cb12995a5df8c57a639e8063305f2e5f6f76c546f8

Results from scanning URL: -https://earnquick.co.uk/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Number of sources found: 41
Number of sinks found: 17

Sources: .top  .innerHTML  [name=  location.  .top,  .opener  .name=  .name&  .name,  .parent(  .open( 
Sinks: value=  href= data (g.data)  .data  data=  .write(  value  src= 

Site not flagged by DShield    CLEAN
AlienVault OTX      CLEAN
Cisco Talos    CLEAN
abuse.ch (Feodo)    CLEAN
URLhaus    CLEAN
Spamhaus (Drop / eDrop)    CLEAN

polonus (volunteer 3rd part cold recon website security-analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Tests and other Media topics
« Reply #820 on: August 11, 2020, 07:23:29 PM »
Check a website domain for hsts-preload inclusion: hstspreload.org

Site should be set to be in a certain ruleset. already available in the browser.
Re: https://trac.torproject.org/projects/tor/ticket/10424
Read -> http://www.thoughtcrime.org/software/sslstrip/

Why could this be important on tor to avoid certain recent MIM attacks?
Re: https://scotthelme.co.uk/hsts-preload-test/

Read: https://medium.com/@nusenu/how-malicious-tor-relays-are-exploiting-users-in-2020-part-i-1097575c0cac

Tor will protect your identity not your data going over the exit node.

This hacker still seems to have owned 10% of existing exit nodes, hence mainly interested in bitcoin exit nodes.

We can assume his activities will not be taken lightly by fellow cybercrime colleages.  :D

See that https everywhere even as coming built-in with tor won't always protect the end-user against downgrading attacks.

polonus
« Last Edit: August 11, 2020, 08:06:35 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Tests and other Media topics
« Reply #821 on: August 11, 2020, 10:17:41 PM »
The first person that spoke about such SSL downgrading attack like SSL-stripping,
was a researcher by the name of Moxie Marlinspike.

There are three ways to perform such SSL stripping attack:
1. Using a Proxy Server;
2. Via ARP Spoofing;
3. Using  an insecure Hotspot

Also a 4th, I found up. Using a particular scan service (info credits: luntrus)
Example XSS-DOM scan: Results from scanning URL: -http://ad.nl
Number of sources found: 2
Number of sinks found: 421 (same results as with -https://ad.nl (random example)

Ways to protect against this is to enable HTTPS on pages of your website,
implement HSTS policy, as we discussed above, the browser won't open a site
unless the site uses HTTPS.  (info credits Comodo's SSL).

Mind that Mainland China now blocks https-traffic using TLS 1.3 & ESNI (known as encrypted server name indication),
read: https://geneva.cs.umd.edu/posts/china-censors-esni/esni/  &   https://gfw.report/blog/gfw_esni_blocking/en/

To test this - To perform this test, go and visit here: https://www.cloudflare.com/ssl/encrypted-sni/
and then click the orange button for “Check My Browser”. Just a moment later you  will see the results.

Chrome does not support ESNI yet at this moment. We can forsee it being rolled out like DoH.
As some schools would not like seeing their filtering software not functioning properly because of this.
So there are still some hooks, but different from interfering with Big Firewall surveillance measurements,
 as mentioned above.  ;)

Enjoy, my good friends, enjoy.

polonus
« Last Edit: August 11, 2020, 11:28:01 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Tests and other Media topics
« Reply #822 on: August 13, 2020, 10:07:22 PM »
And again the community lost a fine website scan site.
This was hacked: -http://www.redleg-redleg.com/ 

The site at https://aw-snap.info/ is no longer available.
Also https://aw-snap.info/file-viewer/ gone.
Thank you redleg for all the scan results. We will miss you,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Tests and other Media topics
« Reply #823 on: August 26, 2020, 04:25:44 PM »
How to block first party pixel tracking -> Privacy Badger is one of the many tools capable of doing this.
Read: https://www.eff.org/deeplinks/2019/07/sharpening-our-claws-teaching-privacy-badger-fight-more-third-party-trackers
Also https://ublockorigin.com/ is an adblocker capable of doing so.

Lets us see what Facebook does to circumvent this.
Whenever an end-user opens a Facebook ad a unique string becomes added to the landing page URL.
In there we will find hidden first party tracking pixels to circumvent third party tracking blocking.
This is downloaded like it would be a first party cookie, and can then still land at Facebook's desks.
This is now the only default Facebook will offer the user.

One now whould use rules to block, like
Code: [Select]
|| facebook.com*
and so on for all of Facebook domains and subdomains.

To block one could also use specific browser extensions like Neat URL and Facebook Container.
On Windows I use cookienator as a tool.

Also this Google and firefox extension -> https://github.com/jparise/chrome-utm-stripper
But a two-sided sword, when you like to unsuscribe for instance:
https://github.com/jparise/chrome-utm-stripper/pull/24


polonus

« Last Edit: August 27, 2020, 06:08:52 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Tests and other Media topics
« Reply #824 on: August 26, 2020, 06:03:30 PM »
Checked on cookies for a click-bait website a (conspiracy resource content website):
https://webcookies.org/cookies/niburu.co/347973

Compare with cookieserve scan results:
Cookie   Description   Duration   Type
__cfduid   The cookie is set by CloudFare. The cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.   4 weeks   Necessary
60554656f3b887df8b325edf687fb71c      50 years ago   undefined

Also re: https://urlscan.io/result/fde1ce16-e8c0-4e60-8d61-14ee9919bac5/

DOM-XSS scan results -> Results from scanning URL: -https://niburu.co/
Number of sources found: 1
Number of sinks found: 221
&
Results from scanning URL: -https://niburu.co/modules/mod_sp_poll/assets/js/script.js
Number of sources found: 3
Number of sinks found: 4
&
Results from scanning URL: -https://niburu.co/media/jui/js/jquery-migrate.min.js?cf580d0734d987ba044c67a0cf573cc5
Number of sources found: 62
Number of sinks found: 31
&
Results from scanning URL: -https://niburu.co/modules/mod_gjc_slider/assets/js/jquery.gjc_slider-min.js
Number of sources found: 0
Number of sinks found: 0  no conflict..

2 vulnerable jQuerr libraries detected: https://retire.insecurity.today/#!/scan/d35a703f86d9f686d5118a1f878f9a74b322af98ad0abc763d56f661d48acee8

Improvement hints: https://webhint.io/scanner/13fda575-cb6d-42ab-a91c-3c0836e170d8

Outdated Joomla CMS: https://sitecheck.sucuri.net/results/niburu.co

Externally linked sites Google Safebrowsing approved.

For: -https/static.addtoany.com/menu/page.js
We have Hardening Improvements

Security Headers
Missing security header for ClickJacking Protection.
Alternatively, you can use Content-Security-Policy: frame-ancestors 'none'.
Affected pages:
-https://static.addtoany.com/404javascript.js
-https://static.addtoany.com/404testpage4525d2fdc

Missing Content-Security-Policy directive.
 We recommend to add the following CSP directives
(you can use default-src if all values are the same): script-src, object-src, base-uri, frame-src.
Affected pages:
-https://static.addtoany.com/404javascript.js
-https://static.addtoany.com/404testpage4525d2fdc

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!