Tests and other Media topics

[polonus]

Comparing the workings of Retire.js extension and DEVCOM Javascript Security extension.

For the same site:

Retire.js
jquery   1.7.2   Found in -https://www.security.nl/js/jquery/jquery.securitynl.js?1375741299<br>Vulnerability info:
Medium   CVE-2012-6708 11290 Selector interpreted as HTML   
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   
Medium   CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   
Medium   CVE-2020-11023 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   

and  DEVCON's info

1   Outdated JavaScript Library
Outdated JavaScript libraries detected. jquery 1.7.2
medium : Selector interpreted as HTML
CVE-2012-6708
medium : 3rd party CORS request may execute
CVE-2015-9251
medium : jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
CVE-2019-11358
medium : Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
CVE-2020-11022
medium : Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
CVE-2020-11023

reported by retire.js
1   missing-content-security-policy
No Content Security Policy configured for this site.

DEVCOM has added CSP information.

polonus

[polonus]

For developers: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html

I check in developers console with my enhanced Tampermonkey script Malware Script Detector enhanced,
based on a once extension for the firefox browser, now no longer available.
Example

VM181:76 Syntax error @ "Malware Script Detector v 1.1 Enhanced"!
##########################
JSHINT output:
##########################

SyntaxError: Unexpected identifier
    at eval (<anonymous>)
    at <anonymous>:4:80
    at Object.t [as F_c] (<anonymous>:3:191)
    at Object.E_u (<anonymous>:4:244)
    at eval (eval at exec_fn (:2:115), <anonymous>:74:477)
    at Object.create (eval at exec_fn (:2:115), <anonymous>:76:193)
    at c (eval at exec_fn (:2:115), <anonymous>:15:231)
    at <anonymous>:4:80
    at i (eval at exec_fn (:2:115), <anonymous>:13:165)
    at eval (eval at exec_fn (:2:115), <anonymous>:13:292)

See: https://owasp.org/www-community/attacks/DOM_Based_XSS

Checking also using THC Hydra local security. (3rd party cold recon testing) - using malzilla original browser.

polonus

[polonus]

22 alternative search engines: https://kinsta.com/blog/alternative-search-engines/

On deep searching: https://www.searchlore.org/

F.R.A.V.I.A.'s legagcy online: https://www.aronetics.com/searchlores/

polonus

[polonus]

Testing against blocking by Netcraft extension & Site report alerts:
https://gbhackers.com/top-500-important-xss-cheat-sheet/  (also using kitploit tampermonkey detection script)..
Also consider and see the naughty list: https://gist.github.com/richardevcom/c81c59f693b5c3c5de0445bdd2a73c47
Example, so see:
https://xss.cx/2011/10/22/ghdb/xss-http-header-location-response-splitting-javascript-injection-example-poc-report-01.html

Example: Netcraft Logo
Suspected XSS Attack

This page has been blocked by the Netcraft Extension.

Blocked URL: hxxp://bla-di-bla-news dot net/%3C!%20foo=%22%3E%3Cscript%3Ejavascript:alert(1)%3C/script%3E%22%3E

Kicking up a Rails exemption, app vulnerable? Well at least indicates a dangerous or potentially negative action

In most cases we will get a scan fail situation, or we get somewhat the wiser here:

jquery   3.2.1   Found in https://qmod.quotemedia.com/static/v1.3.0/dayyearrange,detailedquotetab,quotehead.js _____Vulnerability info:
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   123
Medium   CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   1
Medium   CVE-2020-11023 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Errors:

SyntaxError: Unexpected string
  eval ()()
  :4:80()
  Object.t [as F_c] (:3:191)()
  Object.E_u (:4:244)()
  eval (eval at exec_fn (:2:115), :74:477)()
  Object.create (eval at exec_fn (:2:115), :76:193)()
  c (eval at exec_fn (:2:115), :15:231)()
  :4:80()
  i (eval at exec_fn (:2:115), :13:165)()
  eval (eval at exec_fn (:2:115), :13:292)()

SyntaxError: Invalid regular expression flags
  eval ()()
  :4:80()
  Object.t [as F_c] (:3:191)()
  Object.E_u (:4:244)()
  eval (eval at exec_fn (:2:115), :74:477)()
  Object.create (eval at exec_fn (:2:115), :76:193)()
  c (eval at exec_fn (:2:115), :15:231)()
  :4:80()
  i (eval at exec_fn (:2:115), :13:165)()
  eval (eval at exec_fn (:2:115), :13:292)()

Also see: -https://d1io3yog0oux5.cloudfront.net/_5abd5b5da664e1a491be32c4849e7435/vfc/files/theme/js/_js/all.js

Surroundings: https://sitereport.netcraft.com/netblock?q=AMAZO-CF,13.224.0.0,13.227.255.255

But anyhow is seems this host is not vulnerable. No secure cookie attributes found.

However, SSL not supported -> https://sitereport.netcraft.com/?url=https://www.vfc.com

polonus

[polonus]

Additional layer of protection against XSS attacks offers a Content Security Policy:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Check: https://cspvalidator.org/#url=https://cspvalidator.org/
and https://cspscanner.com/

polonus

[polonus]

Interesting resources: http://write.flossmanuals.net/basic-internet-security/introduction/

We have already lost and will loose a lot of fine online resources over time,
because maintainers struggle to pay for server services.

Recent examples: https://geeksta.net/domxssscanner/  is now history.
Almost history and shutting down: https://retire.insecurity.today/

Now we have to work extensions, developer tools,
but we do not always want to visit particular suspicious of payload laden malicious websites, do we, folks?
So I use my own tweaked version of Bobby's sand-boxed malzilla browser (preferably on a stand-alone comp).

Also time to read here: https://riseup.net/en/security/resources
(this in the light of the tails website that is down at the moment)
also: https://www.reddit.com/r/tails/comments/n22ymd/is_tails_website_down/gwhr47k/

When the going gets narrow, keep an eye on the sparrow, the song says,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

[polonus]

But for a website we have security issues for that particular website - ->
https://awesometechstack.com/analysis/website/aeiou.pt/
See also scan results at: https://urlscan.io/result/ef728587-3b9d-40ca-aea2-32a6c4c5f67b/
And also do we have to consider the vulnerabilities on the hosting party nginx driven - webserver:
https://www.shodan.io/host/195.170.168.62 e.g. for -http://ajuda.aeiou.pt/xmlrpc.php
and https://www.shodan.io/host/172.217.164.134 *

We should not have access to for instance "/bla/index_deafaultpage.html" & blog/idem
or xekmail/_index_defaultpage.html or GET "/xmlrpc.php? rsd  on that nginx server with wp-content and wp includes.

We also should check: -http://linkhelp.clients.google.com/tbproxy/lh/wm/fixurl.js
See TLS recommendations: https://sitecheck.sucuri.net/results/www.aeiou.pt

See the complete scan info: https://retire.insecurity.today/#!/scan/e1369956b7a8dc3e43e3066331308ee19372ec97b6b79f6f529659d8a199c9e1
See for instance: -https://s0.2mdn.net/ads/studio/Enabler.js * etc.   
Issued by Google Trust Services.. (no vulnerable libraries detected).

Thanks go out to Erlend Oftedal from Norway for his continuous resources on Retire.JS,
and the resources at retire insecurity to-day.
He helped a lot of people here and website admins through his scan results, reported on these forums.
We owe him a lot,

polonus a.k.a. Damian (volunteer 3rd party cold recon website security analyst and website error-hunter)

[polonus]

Compare to the F-grade scan results here: https://observatory.mozilla.org/analyze/ajuda.aeiou.pt
This site uses an untrusted or invalid certificate.

The following results ignore this error:
https://observatory.mozilla.org/analyze/ajuda.aeiou.pt#tls

F-grade and x-results: https://observatory.mozilla.org/analyze/ajuda.aeiou.pt#third-party

T-rating: https://www.ssllabs.com/ssltest/analyze?d=ajuda.aeiou.pt

CSP scan results:

URL
-http://ajuda.aeiou.pt/

No CSP
F
Result
CSP Protection None
CSP Reporting  Missing
CSP Validity     Invalid
XSS                 No CSP Protection
Clickjacking      No CSP Protection
Formjacking      No CSP Protection
General            No CSP Protection
Summary
13 Fatal Errors
16 Warnings
5 Info
0 Valid
Content Security Policy (CSP)

Probably blocked by user: JavaScript error message: File not found:
-http://d3uvwl4wtkgzo1.cloudfront.net/e8af8301-45e2-41c6-9212-9421ce1b1dc7.js

TypeError: Cannot read property 'fn' of undefined
 chrome-extension://lcmaikahgebmdmnckjbaikfllpmgabei/detection/script.js:28 patch()
 chrome-extension://lcmaikahgebmdmnckjbaikfllpmgabei/detection/script.js:64
 chrome-extension://lcmaikahgebmdmnckjbaikfllpmgabei/detection/script.js:65

Otto extension gives 4 issues for weak security:

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
Medium Severity
: CVE-2019-11358
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Medium Severity
: CVE-2020-11022
Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Medium Severity
: CVE-2020-11023
Content Security Policy
No Content Security Policy configured for this site. Create one now

SSL Tracking security:

This website is insecure.
66% of the trackers on this site could be protecting you from NSA snooping. Tell -aeiou.pt to fix it.

 All trackers
At least 3 third parties know you are on this webpage.

 -Google
 -Google
-ajuda.aeiou.pt -ajuda.aeiou.pt

Good thing site kicks up 100% content.

polonus

[polonus]

Public scan report IP's (however now no longer online) could lead to abuse reports.

Let us strat from one random example at urlscan.io ->
https://urlscan.io/result/720315e3-d0b9-4d51-8647-3c5f317dafa1/

and then we stumble at abuse mentioned here: https://www.abuseipdb.com/check/185.199.108.153
also re: https://www.shodan.io/host/185.199.108.153

before we lang here at this abuse report: https://ip-46.com/185.199.108.153
Comodo is the one to confirm here: https://www.virustotal.com/gui/url/94073c941a6785806789528369b19c49bead1cc054443bf07273894ef7925ceb/detection

See Fastly abuse: https://www.virustotal.com/gui/ip-address/185.199.108.153/relations

polonus

[polonus]

Going through a long list of tor abusers, well, see the index here: http://www.kilitary.ru/tor.db/

Then check here: https://www.abuseipdb.com/check/104.244.73.43 &  here: https://ip-46.com/193.31.24.154

Experiences can be "mixed": https://community.torproject.org/relay/community-resources/good-bad-isps/
Also use this checker: https://www.getipintel.net/free-proxy-vpn-tor-ip-lookup/#web
and
https://www.ipqualityscore.com/tor-ip-address-check

Bad high risk IP address: https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test/lookup/193.31.24.154

Interesting -> https://iplists.firehol.org/?ipset=stopforumspam_365d

polonus

[polonus]

Abuse and insecurity often will go hand in hand.

Banned as a web forum spammer: https://ip-46.com/185.32.221.247  (with 2 distinct reports and banned here as well),
Now see the many vulnerabilities at the base of this IP: Swiss ISP - Xelon AG: https://www.shodan.io/host/185.32.221.247
-> https://www.ip-tracker.org/locator/ip-lookup.php?ip=185.32.221.247

Executables detected coming from this IP - 2 flags: https://www.virustotal.com/gui/ip-address/185.32.221.247/relations

Lists: https://fspamlist.com/  &  https://github.com/kambrium/apache-referrer-spam-blacklist  &
random example: https://ip-46.com/27.68.13.2

polonus

[polonus]

Tor Project has started a consensus statuspage for tor users. Downtimes will now be published.

Nice to compare: http://128.31.0.13/tor/status-vote/current/consensus
to Ukranian resource: https://kilitary.ru/tor.db/128.31.0.13/1932848058.txt

polonus (volunteer 3rd party cold reconnaissance website security-analyst and website error-hunter)

[polonus]

While this IP was reported top be a wbeforum spam address, it still has not entered here:
https://scamalytics.com/ip/203.192.236.2  score: 3

Similar story and a 5 score: https://scamalytics.com/ip/157.46.210.58
This tor-exit-node missed alltogether: https://scamalytics.com/ip/185.200.100.255

So we have to test online services first before we recommend to use them.
Re: https://sitereport.netcraft.com/?url=https://scamalytics.com
But given the all green here: https://www.site24x7.com/tools/public/t/results-1609429926193.html

polonus

[polonus]

Resources next to URLHaus -> https://urlhaus.abuse.ch/
ThreatFox Indicators of Compromise -> https://threatfox.abuse.ch/
Most seen malware is Dridex
There is even a trend-tracker for it at: https://any.run/malware-trends/dridex

Dridex is a very evasive and technically complex banking Trojan. Despite being based on a relatively old malware code, it was substantially updated over the years and became capable of using very effective infiltration techniques that make this malware especially dangerous.

 Type        Trojan
 Origin       ex-USSR territory
 First seen  1 January, 2014

  See example: https://ip-46.com/178.175.47.124#ip-feeds
See: https://www.virustotal.com/gui/file/2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6/relations  and Malicious URL - -http://178.175.84.253:34009/Mozi.a (and relations when you click it in VT) - avast detects this as Other:Malware-gen [Trj]

Number of malicious IPs given per AS: https://abuse.ch/blog/how-to-takedown-100000-malware-sites/
which we do not find here: https://ipinfo.io/AS60144 nor here: https://dnslytics.com/bgp/as60144

Additionally Malware URLs per AS: https://www.malwareurl.com/ns_listing.php?as=as13335  (nr. 9 in the 10 worst's list).
And another resource on bots: http://botscout.com/countrycheck.htm?cc=eu
And other resources: https://tria.ge/210104-ypkaw5zann

polonus

[polonus]

Two other resources that will produce interesting results when combined...

Started here: https://scanurl.net/u/about-me-tracy-vox
and checked also here:

Then analyzed here: https://www.convertcsv.com/url-extractor.htm
producing

-http://www.w3.org/2000/svg
-https://4e376b84dfa54d438285936f87ce3cfe@o477720.ingest.sentry.io/5525987
-https://about.me
-https://about.me/cdn-cgi/image/q=40,dpr=2,f=auto,fit=cover,w=120,h=120,gravity=auto/
-https://assets.about.me/background/users/t/r/a/tracy.vox_1620422403_437.jpg);background-size:cover;border-radius:50%;background-repeat:no-repeat;background-position:center
-https://about.me/cdn-cgi/image/q=80,dpr=1,f=auto,fit=cover,w=1024,h=512,gravity=auto/
-https://assets.about.me/background/users/t/r/a/tracy.vox_1620422403_437.jpg
-https://about.me/cdn-cgi/image/q=80,dpr=1,f=auto,fit=cover,w=1200,h=630,gravity=auto/
-https://assets.about.me/background/users/t/r/a/tracy.vox_1620422403_437.jpg
-https://about.me/s3/h/f0747898.bundle.js
-https://about.me/s3/h/favicon/favicon_150.d261ba02.png
-https://about.me/s3/h/favicon/favicon_180.dc2f5125.png
-https://about.me/s3/h/favicon/favicon_192.ff6ea21d.png
-https://about.me/s3/h/favicon/favicon_310.ea4f99c7.png
-https://about.me/s3/h/favicon/favicon_48.d67d3678.png
-https://about.me/s3/h/favicon/favicon_70.28088041.png
-https://about.me/s3/h/favicon/favicon_pad_310.577553f3.png
-https://about.me/s3/h/favicon/favicon_wide_310.fc8d8a1c.png
-https://about.me/s3/h/fonts/0de1fd16/proximanova-light-webfont.woff2)
-https://about.me/s3/h/fonts/18840092/proximanova-bold-webfont.woff)
-https://about.me/s3/h/fonts/1c4bdc94/proxima_nova_bold-punc.woff)
-https://about.me/s3/h/fonts/3162eabc/proximanova-light-webfont.woff)
-https://about.me/s3/h/fonts/446a8655/proximanova-regular-webfont.eot);src:url(
-https://about.me/s3/h/fonts/446a8655/proximanova-regular-webfont.eot?#iefix)
-https://about.me/s3/h/fonts/446d87b2/proximanova-regularit-webfont.woff2)
-https://about.me/s3/h/fonts/4e689305/proximanova-boldit-webfont.woff)
-https://about.me/s3/h/fonts/55d97647/proxima_nova_reg-latin-a.woff)
-https://about.me/s3/h/fonts/5f8a9596/proximanova-light-webfont.ttf)
-https://about.me/s3/h/fonts/67ff3116/proximanova-regular-webfont.woff2)
-https://about.me/s3/h/fonts/6afe9cab/proxima_nova_bold-punc.woff2)
-https://about.me/s3/h/fonts/6bc63717/proxima_nova_reg-latin-a.ttf)
-https://about.me/s3/h/fonts/78ff1c44/proxima_nova_bold-latin-a.woff)
-https://about.me/s3/h/fonts/7a3ae241/aboutme-glyphs.eot);src:url(
-https://about.me/s3/h/fonts/7a3ae241/aboutme-glyphs.eot?#iefix)
-https://about.me/s3/h/fonts/878abefb/proxima_nova_reg-punc.woff)
-https://about.me/s3/h/fonts/8865257a/proximanova-boldit-webfont.woff2)
-https://about.me/s3/h/fonts/89ad90f5/aboutme-glyphs.svg#aboutme-glyphs)
-https://about.me/s3/h/fonts/8d2eb294/proxima_nova_reg-punc.eot);src:url(
-https://about.me/s3/h/fonts/8d2eb294/proxima_nova_reg-punc.eot?#iefix)
-https://about.me/s3/h/fonts/90614a27/aboutme-glyphs.woff2)
-https://about.me/s3/h/fonts/98a24a02/proximanova-boldit-webfont.ttf)
-https://about.me/s3/h/fonts/9a6f654a/aboutme-glyphs.ttf)
-https://about.me/s3/h/fonts/9f33e797/proximanova-regularit-webfont.ttf)
-https://about.me/s3/h/fonts/a58c0527/proximanova-regular-webfont.woff)
-https://about.me/s3/h/fonts/a8b3a2fe/proxima_nova_reg-punc.ttf)
-https://about.me/s3/h/fonts/a9081ae3/proxima_nova_bold-punc.eot);src:url(-
-https://about.me/s3/h/fonts/a9081ae3/proxima_nova_bold-punc.eot?#iefix)
-https://about.me/s3/h/fonts/ac72b622/proximanova-regularit-webfont.woff)
-https://about.me/s3/h/fonts/b2fe8d73/proxima_nova_bold-latin-a.eot);src:url(
-https://about.me/s3/h/fonts/b2fe8d73/proxima_nova_bold-latin-a.eot?#iefix)
-https://about.me/s3/h/fonts/bdda97d2/aboutme-glyphs.woff)
-https://about.me/s3/h/fonts/c9531d96/proximanova-regular-webfont.ttf)
-https://about.me/s3/h/fonts/cacc884f/proximanova-bold-webfont.ttf)
-https://about.me/s3/h/fonts/cc630a6d/proximanova-light-webfont.eot);src:url(
-https://about.me/s3/h/fonts/cc630a6d/proximanova-light-webfont.eot?#iefix)
-https://about.me/s3/h/fonts/cd155566/proximanova-bold-webfont.woff2)
-https://about.me/s3/h/fonts/ce68a1f3/proxima_nova_bold-latin-a.ttf)
-https://about.me/s3/h/fonts/d532abe1/proxima_nova_reg-latin-a.eot);src:url(
-https://about.me/s3/h/fonts/d532abe1/proxima_nova_reg-latin-a.eot?#iefix)
-https://about.me/s3/h/fonts/d816599b/proxima_nova_bold-punc.ttf)
-https://about.me/s3/h/fonts/df54612c/proximanova-boldit-webfont.eot);src:url(
-https://about.me/s3/h/fonts/df54612c/proximanova-boldit-webfont.eot?#iefix)
-https://about.me/s3/h/fonts/e058ee6c/proximanova-regularit-webfont.eot);src:url(
-https://about.me/s3/h/fonts/e058ee6c/proximanova-regularit-webfont.eot?#iefix)
-https://about.me/s3/h/fonts/e5377b0e/proxima_nova_bold-latin-a.woff2)
-https://about.me/s3/h/fonts/f14f1eb6/proximanova-bold-webfont.eot);src:url(
-https://about.me/s3/h/fonts/f14f1eb6/proximanova-bold-webfont.eot?#iefix)
-https://about.me/s3/h/fonts/f46468a1/proxima_nova_reg-latin-a.woff2)
-https://about.me/s3/h/fonts/fea9be33/proxima_nova_reg-punc.woff2)
-https://about.me/s3/h/z/proxima_nova_bold-latin-a.827d4bfb.svg#proxima_novabold)
-https://about.me/s3/h/z/proxima_nova_reg-latin-a.30bcf879.svg#proxima_novaregular)
-https://about.me/s3/h/z/proximanova-bold-webfont.e99b8cdf.svg#proxima_novabold)
-https://about.me/s3/h/z/proximanova-boldit-webfont.d4eed10d.svg#proxima_novabold_italic)
-https://about.me/s3/h/z/proximanova-light-webfont.083d8df5.svg#proxima_novalight)
-https://about.me/s3/h/z/proximanova-regular-webfont.f142eece.svg#proxima_novaregular)
-https://about.me/s3/h/z/proximanova-regularit-webfont.767b818c.svg#proxima_novaitalic)
-https://about.me/tracy.vox
-https://api.about.me
-https://assets.about.me/background/users/t/r/a/tracy.vox_1620422403_437.jpg
-https://dw.about.me
-https://images.about.me
-https://jwqebx.shewantyou.net/c/da57dc555e50572d?s1=99832&amp;s2=1186447&amp;s3=Inst&amp;click_id=Inst&amp;j1=1&amp;j3=1
-https://use.typekit.net/geu7rrs.css
-https://www.google-analytics.com/analytics.js
-https://www.google.com/recaptcha/api.js

Results true: https://transparencyreport.google.com/safe-browsing/search?url=lmwll.shewantyou.net
While DrWeb flags IP: https://www.virustotal.com/gui/ip-address/54.205.191.137/detection
Amazonaws abuse: see Google results, a.o. https://www.google.com/url?client=internal-element-cse&cx=003414466004237966221:dgg7iftvryo&q=https://www.abuseipdb.com/check/54.205.191.137&sa=U&ved=2ahUKEwjimY-AlLrwAhUgwQIHHUOyC5EQFjAAegQIAxAB&usg=AOvVaw2nP5AHavAX-cyqKpwj489R

polonus