Author Topic: Musings about my volunteer website security scan experiences....  (Read 36070 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33378
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #30 on: March 15, 2015, 10:50:11 PM »
Canvas Fingerprinting can be stopped by blocking script, test: https://www.browserleaks.com/canvas

So ScriptSafe in Chrome or NoScript in firefox is a good canvas fingerprint blocker as well.
Sites with canvas fingerprinting: https://securehomes.esat.kuleuven.be/~gacar/persistent/canvas_urls.html

Extension that blocks fingerprinting and canvas fingerprinting in Google Chrome: https://chrome.google.com/webstore/detail/stopfingerprinting/kfhlgmfkolojpnmhgggilmillpcokmnb

https://chrome.google.com/webstore/detail/canvasfingerprintblock/ipmjngkmngdcdpmgmiebdmfbkcecdndc

polonus
« Last Edit: March 15, 2015, 11:53:43 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #32 on: April 30, 2015, 06:30:11 PM »
My scan routines took me to various issues, which I mention below; first a short IP scanner list.

Various IP scan links: Detected: http://www.ipvoid.com/scan/202.137.230.220/
See: http://aliveproxies.com/ipproxy/proxyserver-403275/
See complaints: http://www.liveipmap.com/
See: https://cleantalk.org/blacklists/
See: http://botscout.com/ipcheck.htm?ip=
See: https://www.stopforumspam.com/ipcheck/
See: http://botnet-tracker.blogspot.nl/
See: http://www.reputationauthority.org/lookup.php?ip= &Submit.x=14&Submit.y=3&Submit=Search
See: http://liveipmap.com/
Mail and content-spammer: https://www.projecthoneypot.org/ip_
See: https://www.blockedservers.com/blocked/ipv4/

Sucuri scans do not always state that PHP software is outdated; we should check ourselves.
Grey area malware -> https://forum.avast.com/index.php?topic=170314.0
Added the blocklist to the adblocker - daily updates provided.
Directory indexing enabled - gross insecurity for a CMS! Example -> wp-content/uploads/ enabled

Certificate trust issues: example - https://forum.avast.com/index.php?topic=170272.0

polonus

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #33 on: May 01, 2015, 01:24:03 PM »
Mozilla will deprecate non-secure HTTP to work towards HTTPS.
But what about HTTPS and insecure sources, wrong implementation, etc. etc.?
First ensure HTTPS is really secure, then get away from HTTP.
Lots of sites have HTTPS encryption while the communication is not encrypted.
Re: https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

polonus
« Last Edit: May 01, 2015, 01:30:23 PM by polonus »

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6711
  • Trust only what you test yourself!
Re: Musings about my volunteer website security scan experiences....
« Reply #34 on: May 01, 2015, 04:17:32 PM »
The main problem with some, not all, HTTPS sites is that often times their so-called login screen(s) are not really secure.
I saw an article about this somewhere, now I can't find it.  ???
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #35 on: May 01, 2015, 07:01:50 PM »
You didn't mean this article with the POC script: http://www.stealmylogin.com/
Here we enter the First Law of Security: Technology is not a panacea, and TLS/SSL alone can't answer the issues.

polonus

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #36 on: May 02, 2015, 12:45:44 AM »
Interesting website defacement analysis examples that could be instructive: http://izumino.jp/Security/def_jp.html
See this one: http://izumino.jp/Security/analyze/22768201.html
Compare here: http://killmalware.com/mastergoji.com/#
And here: http://izumino.jp/Security/analyze/24156183.html  see also: http://zrmidia.com.br/v2/shortcodes/
Header and Content matches given. -> http://izumino.jp/Security/analyze/24130080.html

VT results normally do not flag non-malicious defacements. Killmalware has many detections.
Sometimes Quttera flags where Sucuri does not and v.v.

polonus

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #37 on: May 04, 2015, 02:12:49 PM »
Now I am going to give you some information I have acquired online,
see for instance: http://code.tutsplus.com/tutorials/8-regular-expressions-you-should-know--net-6149
link article author = Vasili.
pattern: /^<([a-z]+)([^<]+)*(?:>(.*)<\/\1>|\s+\/>)$/
Regular expression to detect tags: /((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix
((\%3C)|<) will check for an opening angle bracket or its hex equivalent ('3C')
((\%2F)|\/)* forward slash for a closing tag or the hex equivalent thereof ('2F')
[a-z0-9\%]+ checks for an alphanumeric string inside the tag, or hex representations thereof
(the additional percentage character). Read: http://stackoverflow.com/questions/28449927/a-z0-9-regexp-matching-square-brackets (posting source: BeNdEr)
Regular expression for username: http://stackoverflow.com/questions/18562664/regular-expression-for-username-with-a-z0-9-3-20 and one could use this /^[a-z][a-z0-9_-]{2,19}$/i   info source: Casimir et Hippolyte
((\%3E)|>) checks for a closing angle bracket or the hex equivalent thereof ('3E') ->
http://stackoverflow.com/questions/10095039/are-the-angle-brackets-or-special-in-a-regular-expression -
info source: Casimir et Hippolyte
Modifiers 'i' and 'x' (at the end of the regex, after the closing /) are used to match without case sensitivity and to ignore white space respectively. All XML/HTML tags should be so checked.
But remember the method is FP-prone!

Background Reading Regular Expressions Cookbook by Jan Goyvaerts  (Author), Steven Levithan (Author)

Firewalls cannot block web application attacks. Preventive WAF rules aren't always possible. On the HTTP protocol it is easy to steal and spoof identity. We could analyze log files from webservers. A NIDS may not work on HTTPS. No NIDS available: another zone of attack.
NIDSs work on the TCP/IP level and are ineffective on the HTTP layer. IDS evasion techniques can be used (HTTP encoding, fragmenting).

Forms of attacks on web applications:
Bots are being used. Google search tool based flaws are being exploited. Directed attacks: phpBB, Mambo, AWStats are known targets.

will be continued,

polonus
« Last Edit: May 04, 2015, 03:54:44 PM by polonus »

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #38 on: May 04, 2015, 02:49:42 PM »
Continued....

Malicious File Execution
CSRF
XSS (cross site scripting): favorite and most common application layer hacking technique.

Web server log fields:
host = the fully qualified domain name of the client, or the IP address
ident = if identity checking is enabled and the client machine runs identd, this is the identity information
authuser = basic HTTP authentication - user name = value of the token
date = date and time of the request
status = HTTP status code
bytes = bytes in the object returned, excluding all HTTP headers

The server gives a result status: HTTP/1.x 200 OK, timestamp, identifier of the server (Server: Apache), Content-type: text/html; charset=ISO-8859-1 (MIME formatted info); then the document is sent (DOCTYPE etc.).

HTTP evasion techniques:
where?  in the request URI portion
        at the HTTP protocol level
        in other parts of the HTTP header
        in the HTTP body
types?  obfuscation techniques
        inserting additional characters to deceive the IDS
        evasion against URL and URL parameters
form    multiple slashes
        traversal attacks
        and infinite combinations      // .  / /.//.

Normalisation
        URL encoding
        null byte string termination
        self-referencing path /./ and encoded equivalents
        path back references /../ and encoded equivalents
        mixed case
        common removal
        conversion of backslash -> forward slash character
        conversion of IIS-specific Unicode encoding (%uXXYY)
        decode HTML entities
Code:
function decodeHTMLEntities(text) {
    // Named entities to decode. 'amp' is replaced before 'lt' and 'gt', so a
    // double-encoded "&amp;lt;" ends up as "<" after the loop: fine for a
    // detection pre-filter, not for safe rendering.
    var entities = [
        ['apos', '\''],
        ['amp', '&'],
        ['lt', '<'],
        ['gt', '>']
    ];

    for (var i = 0, max = entities.length; i < max; ++i)
        text = text.replace(new RegExp('&' + entities[i][0] + ';', 'g'), entities[i][1]);

    return text;
}
(William Lahti)
Regular expression matching HTML entities (named, decimal and hex numeric; the trailing ';' is optional):
    var entity = /&(?:#x[a-f0-9]+|#[0-9]+|[a-z0-9]+);?/ig;

polonus
           
« Last Edit: May 04, 2015, 03:10:21 PM by polonus »
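The normalisation steps listed in the post above, carried out in order by one Python function so the effect on a few evasive request paths can be seen. This is an added example, not code from the post or from any IDS/WAF product. The request paths are constructed for the demo; the three-round cap on repeated percent-decoding, lower-casing the whole path and dropping of trailing slashes by the segment walk are my choices.

```python
"""URI normalisation for IDS/WAF matching (added example, not from the post)."""
import re
from html import unescape
from urllib.parse import unquote

# Assumption: cap repeated decoding so that %2525... cannot keep us looping.
MAX_DECODE_ROUNDS = 3

_IIS_UNICODE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_iis_unicode(s: str) -> str:
    """Turn IIS-specific %uXXYY escapes into the code point they denote."""
    return _IIS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), s)


def normalise_path(raw: str) -> str:
    """Canonical form of a request path, following the steps in the post."""
    # IIS-specific Unicode encoding first, so %u002e becomes '.' before the
    # path walk below.
    s = decode_iis_unicode(raw)

    # URL decoding, repeated while it still changes something (double encoding
    # such as %255c -> %5c -> '\').
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded

    # HTML entity decoding (&lt; &#x2e; ...).
    s = unescape(s)

    # Null byte string termination: a C-based server stops at the first NUL,
    # so whatever follows ("%00.jpg") is decoration for the filter only.
    s = s.split("\x00", 1)[0]

    # Backslash -> forward slash, then collapse runs of slashes.
    s = s.replace("\\", "/")
    s = re.sub(r"/{2,}", "/", s)

    # Resolve self references (/./) and back references (/../) segment-wise.
    segments = []
    for seg in s.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    s = "/" + "/".join(segments)

    # Mixed case: fold to lower case (case-insensitive servers such as IIS).
    return s.lower()


# Constructed evasion samples and the canonical path each should resolve to.
SAMPLES = {
    "/index.html": "/index.html",
    "/%69%6E%64%65%78%2E%68%74%6D%6C": "/index.html",
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe": "/winnt/system32/cmd.exe",
    "/scripts/%u002e%u002e/winnt/system32/CMD.EXE": "/winnt/system32/cmd.exe",
    "/Admin/./%2e%2e/ADMIN//login.php%00.jpg": "/admin/login.php",
    "/cgi-bin/../../etc/passwd": "/etc/passwd",
    "/%26lt;script%26gt;": "/<script>",
}


def literal_rule_hits(raw: str, needle: str) -> tuple:
    """(hit on raw line, hit after normalisation) for a plain substring rule."""
    return needle in raw.lower(), needle in normalise_path(raw)


if __name__ == "__main__":
    for raw, expected in SAMPLES.items():
        got = normalise_path(raw)
        print(f"{raw!r:50} -> {got!r}  {'ok' if got == expected else 'MISMATCH'}")
    # A literal signature that misses the raw request but fires after normalisation.
    print(literal_rule_hits("/scripts/..%255c..%255cwinnt/system32/cmd.exe",
                            "/winnt/system32/cmd.exe"))
```

The point of `literal_rule_hits` is the one the post makes: a plain string rule for `/winnt/system32/cmd.exe` never sees the double-encoded request, but matches once the path has been canonicalised, which is why an IDS or WAF must normalise before it matches.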

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #39 on: May 04, 2015, 03:51:24 PM »
continued......
Hex encoding & UTF-8 Unicode encoding are the RFC standard for the request URI,
using % to escape one encoded byte:
%43 = 'C'

. GET /index.html HTTP/1.1 encodes as
. GET /%69%6E%64%65%78%2E%68%74%6D%6C HTTP/1.1
-> https://wordpress.org/support/topic/get-your-security-holes-fixed-damn-it
(link article author = spencerp)

Web applications run on the OS / layer 7, the so-called application layer.
Application layer adware detection and relevant traffic detection:

                 FW logs                          WAF logs           WA logs
Web Client --> layer 3/4 FW --> NIDS --> WSFW / WAF --> Web Appl. --> SQL / DB

The layer 3/4 FW: OSI layer 3 = network layer
                  OSI layer 4 = transport layer

TCP/UDP/ICMP/protocol related and corresponding ports.

A FW can detect anomalies in protocol traffic - it does not detect DATACHECK, HTTP data, network and transport data.

Other layers higher up are not being detected.
Web Application FWs work on OSI layer 7 (application layer): HTTP(S) and SOAP.

Do: detailed request analysis, rules for allowing POST/PUSH, OPTIONS, etc.,
limits in file transfer size, URL parameter argument length, policy rule execution, request rule blocks.

Web Appl have a framework: PHP, ASP, J2EE.

Best practice is to perform input/output validation - malformed and malicious input should be detected and logged.

Detects abuse/misuse/fraud and gives a reconstruction of user input
(View logged requests extension with Request Maker extension  in Google Chrome)

will be continued....

polonus
« Last Edit: May 04, 2015, 03:53:07 PM by polonus »

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #40 on: May 06, 2015, 04:23:33 PM »
Online regular expression tester: http://www.freeformatter.com/regex-tester.html
Tested against ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
as a regular expression to check on the validity of a particular URL. Entry tested: 184.149.5.45
Result: "Fully matches the source string!".

polonus

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #41 on: May 07, 2015, 05:29:33 PM »
continued...

There are two detection methods: rule-based with static rules and anomaly-based with dynamic rules.
Rule-based - for pre-known values, e.g. certain input characters and a limit on the amount of transfer.
Sub-methods for positive security and negative security. The negative model is known as blacklisting; it is easily implemented and less FP-prone. It can be used for known attacks (string, behavior).
The positive model is deny-all: a policy of allowed traffic, a whitelist, could be banned, manually defined, only legit traffic; FPs will improve the whitelisting. A FW will work in this way.

Anomaly-based: the rules are established through a learning phase, through verified clean traffic; all that does not fit the ruleset here is flagged!

XSS flaw detection - Cross-Site Scripting.
Embedding script tags in URLs/HTTP requests, enticing unaware users to click on them so that malicious JavaScript is executed on the victim's machine (client), through lack of input/output validation on the server to reject active code/JavaScript/code characters.

List of possible HTML tags/script inclusions:
javascript, vbscript, expression, applet, meta, xml, blink, link, style, script, embed, object, iframe, frame, frameset, ilayer, layer, title, base.

The regex to detect keywords goes like /(javascript|vbscript|expression|applet|script|embed|object|iframe|frame|frameset)/i

but XSS can be hidden inside a javascript code part as infection, it is just inserted js code!

Code injection flaws could be in any type of code: SQL, LDAP, XPath, XSLT, HTML, OS commands.

will be continued....

polonus
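The two XSS signature regexes from Reply #37 (tag detection, with the angle brackets and slash also in their %-hex form) and from the reply above (keyword list), run as Python patterns over a handful of request lines. This is an added example, not part of either post: the request lines and their attack/benign labels are constructed, and the hit counting is mine. It shows the FP-proneness the posts warn about, and also a miss: an event-handler payload with no `<tag>` run of plain alphanumerics and no listed keyword slips past both rules.

```python
"""XSS signature regexes from the posts, over constructed request lines."""
import re

# Post's pattern: /((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix
TAG_RE = re.compile(r"((%3C)|<)((%2F)|/)*[a-z0-9%]+((%3E)|>)", re.IGNORECASE)

# Post's pattern: /(javascript|vbscript|expression|applet|script|embed|object|iframe|frame|frameset)/i
KEYWORD_RE = re.compile(
    r"(javascript|vbscript|expression|applet|script|embed|object|iframe|frame|frameset)",
    re.IGNORECASE,
)

# Constructed samples: (request line, is this actually an attack?)
REQUESTS = [
    ("GET /search?q=<script>alert(1)</script> HTTP/1.1", True),
    ("GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1", True),
    # Event handler payload: no alphanumeric-only <tag> run, no listed keyword.
    ("GET /profile?bio=%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1", True),
    # Benign lines that the rules still trip on.
    ("GET /compare?expr=1<2>0 HTTP/1.1", False),
    ("GET /docs/javascript-tutorial.html HTTP/1.1", False),
    ("GET /search?q=object+oriented HTTP/1.1", False),
    ("GET /index.html HTTP/1.1", False),
]


def xss_signatures(request_line: str) -> set:
    """Names of the signature regexes that fire on a raw request line."""
    hits = set()
    if TAG_RE.search(request_line):
        hits.add("tag")
    if KEYWORD_RE.search(request_line):
        hits.add("keyword")
    return hits


def evaluate(requests=REQUESTS) -> dict:
    """Count true positives, false positives, misses and true negatives."""
    counts = {"tp": 0, "fp": 0, "miss": 0, "tn": 0}
    for line, is_attack in requests:
        flagged = bool(xss_signatures(line))
        if flagged and is_attack:
            counts["tp"] += 1
        elif flagged:
            counts["fp"] += 1
        elif is_attack:
            counts["miss"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    for line, is_attack in REQUESTS:
        print(f"{'ATTACK' if is_attack else 'benign':6} {sorted(xss_signatures(line))!s:20} {line}")
    print(evaluate())
```

Because the patterns carry the hex alternates themselves, they are run on the raw request line here, without prior normalisation; the benign `1<2>0`, `javascript-tutorial.html` and `object+oriented` lines are the FP cost of that keyword approach.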

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #42 on: May 13, 2015, 05:59:29 PM »
..continued...

SQL injections should jump out of the original SQL statement.
Methods: use of the single quote (')
         use of the double dash (--)
(') delimiter for a SQL query.
(--) comment character in Oracle/MS SQL.

/(\')|(\%27)|(\-\-)|(#)|(\%23)/ix
(\')|(\%27) the single quote and its URL-encoded equivalent.
(\-\-) the double dash.
(#)|(\%23) the pound sign and its URL-encoded equivalent.

So detect the hex equivalent of the (') single quote or the quote itself, or the presence of -- at the beginning of a comment, so that the rest that follows is ignored.

MS SQL Server should watch out for # or its hex equivalent.

The hex equivalent of -- does not count because it is not a HTML meta character, so %2D fails.

will be continued...

polonus

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #43 on: May 24, 2015, 02:47:42 PM »
Hi folks,

Aren't we landing from an insecure HTTP landscape into an enforced insecure HTTPS landscape via HTTPS Everywhere?
That is the question.
Aren't Logjam and its twin cousin POODLE the writing on the wall, the "mene tekel ufarsin", that this protocol also has been downgraded and pn*wed grand time by the forces that be? Just think of you sending post in a sealed envelope and it appears to have been read and resealed before arriving at its destination. How would you feel? From what times do we remember such practices? At least the envelopes were then Reichs-stamped, remember, so we knew. Now those that do the decrypting aren't even to be asked questions about how the results they get were acquired and by what method(s). And when we say Logjam is only there because there is nation-might, it isn't that only, because we are also at risk sitting in a public Internet cafe. We should be protected against this asap.

But these are just symptoms of underlying factors, and let me tell you a bit about what I find every day while doing specific scans.
Whenever you want to be aware of the situation, install the Recx Security Analyzer v.1.3.0.4 extension inside your browser and have a look at the results for a particular SSL site, or do the same scan online here: http://cyh.herokuapp.com/cyh

Where and how were those people trained, to not know the best practices to secure their website servers? They apply all sorts of additional security technology (crap), but the major security hardening has been omitted. Weak certification, encryption that comes offered from the wrong side up (thank you very much goes to the NSA). Extensive (name) server info proliferation to the world and attackers alike. Do an asafaweb scan at https://asafaweb.com/ and you will probably see what I mean from all the errors and warnings you get there. All sorts of jQuery installed, with alternating vulnerable and non-vulnerable versions.
Themes that haven't been worked on for over two years, quite secure  :o. WordPress security scans and Joomla scans also deliver the same tragic situation. And this isn't only the situation at amateur sites; there are some big sites that are in a similar sorry state security-wise.

Over 500 cloud services now found vulnerable to Logjam exploitation! All the places that use HTTPS but where the log-in data go in clear text over the wires, or want to kick up script from non-HTTPS sources. Haven't these guys that have to keep us secure been trained any more with security in mind? Are they so dumbed down or only interested in the money, that server admins and big hosters aren't interested because the common user won't ask questions anyway? I see this "circus" go past every day in my scan results, folks, and it isn't getting you in a very optimistic mood. There is an awful lot left to be done and there is a lot of awareness to be raised to keep the abusers of our internet security at bay. I hope this posting may help; the "mene tekel ufarsin" is there on the wall, but can anyone read what the text says (מנא מנא תקל ופרסין)? The statue has a golden head but is standing on clay feet and may topple over any day now, and there is no golem to come to the rescue ;)

polonus
« Last Edit: May 24, 2015, 03:09:25 PM by polonus »

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #44 on: July 05, 2015, 02:34:05 PM »
Let us continue our postings about the use of regular expressions and security.
For a good background read go here: http://www.softpanorama.org/Scripting/Javascript/javascript_regular_expressions.shtml
link article info - Copyright © 1996-2015 by Dr. Nikolai Bezroukov.
..continued: /((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i
((\%3D)|(=)) the equals sign "=" or its URL-encoded equivalents/variants.
[^\n]* zero or more non-newline characters.
((\%27)|(\')|(\-\-)|(\%3B)|(;)) the single quote, double dash or semicolon, or their URL-encoded versions.

SQL keyword 'or' attack, regular expression to detect the attack:
/\w*((\%27)|(\'))(\s|\+|\%20)*((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
\w* zero or more alphanumeric or underscore characters
((\%27)|(\')) the single quote or its hex equivalent.
(\s|\+|\%20)* zero or more whitespaces or their HTTP-encoded equivalents
((\%6F)|o|(\%4F))((\%72)|r|(\%52)) the word 'or' with combinations of its upper case or lower case letters, or their hex equivalents.

UNION keyword attack, used by attackers to combine a select statement into a single result set
(note the difference between set and list - my note - pol).
/((\%27)|(\'))(select|union|insert|update|delete|replace)/ix    SQL keywords.

((\%27)|(\')) the single quote and its hex equivalent.

will be continued on "dangerous procedures start etc".

polonus (volunteer website security analyst and website error-hunter)

P.S. The use of regular expressions for data validation can be followed here: http://wenku.baidu.com/view/88e25d4d2e3f5727a5e962d0.html
I use the Google Translator Tooltip Extended Script via Tampermonkey to translate the Chinese instructions
from that website on the fly.

达米安 Damian
« Last Edit: July 05, 2015, 03:28:10 PM by polonus »
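The SQL injection regexes from Reply #42 (meta characters) and from the reply above (the '=' rule, the 'or' rule and the keyword rule), written as Python patterns and run over constructed request lines. This is an added example, not part of either post. One change is mine: the keyword rule below also accepts the whitespace group the post uses in its 'or' rule, since a real `' UNION SELECT` has a space (or `+`, or `%20`) after the quote; the request lines and their attack/benign labels are constructed.

```python
"""SQL injection signature regexes from the posts, over constructed request lines."""
import re

RULES = {
    # /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix
    "meta": re.compile(r"(%27)|(')|(--)|(%23)|(#)", re.IGNORECASE),
    # /((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i
    "equals": re.compile(r"((%3D)|(=))[^\n]*((%27)|(')|(--)|(%3B)|(;))", re.IGNORECASE),
    # /\w*((\%27)|(\'))(\s|\+|\%20)*((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
    "or": re.compile(r"\w*((%27)|('))(\s|\+|%20)*((%6F)|o|(%4F))((%72)|r|(%52))", re.IGNORECASE),
    # /((\%27)|(\'))(select|union|insert|update|delete|replace)/ix, plus my
    # assumption: the same optional whitespace group as in the 'or' rule.
    "keyword": re.compile(
        r"((%27)|('))(\s|\+|%20)*(select|union|insert|update|delete|replace)", re.IGNORECASE
    ),
}

# Constructed samples: (request line, is it really an injection attempt?)
REQUESTS = [
    ("GET /item?id=1 HTTP/1.1", False),
    ("GET /item?id=1%27 HTTP/1.1", True),
    ("GET /item?id=1%27%20or%20%271%27=%271 HTTP/1.1", True),
    ("GET /login?user=admin'--&pass=x HTTP/1.1", True),
    ("GET /item?id=1%27+UNION+SELECT+username,password+FROM+users-- HTTP/1.1", True),
    # Benign apostrophes: the meta and '=' rules fire, and "bishops' order"
    # even trips the 'or' rule.
    ("GET /article?title=Don%27t+Stop HTTP/1.1", False),
    ("GET /search?q=the+bishops%27+order HTTP/1.1", False),
]


def sqli_rules(request_line: str) -> set:
    """Names of the rules that fire on a raw request line."""
    return {name for name, rx in RULES.items() if rx.search(request_line)}


def false_positive_lines(requests=REQUESTS) -> list:
    """Benign lines that still trip at least one rule."""
    return [line for line, attack in requests if not attack and sqli_rules(line)]


if __name__ == "__main__":
    for line, attack in REQUESTS:
        print(f"{'ATTACK' if attack else 'benign':6} {sorted(sqli_rules(line))!s:32} {line}")
    print("false positives:", false_positive_lines())
```

The meta-character rule fires on every apostrophe in a title or a name, and the '=' rule on nearly any query string that contains one, which is the FP-proneness the posts keep pointing at; the narrower 'or' and keyword rules are what give a log reviewer something to act on.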