Author Topic: Musings about my volunteer website security scan experiences....  (Read 36292 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33442
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #60 on: September 23, 2015, 12:22:28 AM »
Interesting diuscussion why we see so many defacements on WP websites lately. Read: http://wordpress.stackexchange.com/questions/28548/wordpress-hacks-defacing
Partly I agree where they point at sloppy and insecure hosting. Furthermore there is no excuse for folks that do not fully patch or update their CMS, plug-ins and themes and even worse code that have been left by developers - or those that have User Enumeration available or Directory Indexing or can be abused via linked Javascript or linked iFrames. Where the hosting is considered I just remind you of excessive server header info proliferation, and various warnings etc - server misconfigurations, security header fails, PHP weaknesses and other exploitable code etc. etc.

I have reported many a defacement and especially those with malicious code in the "virus and worms" in the hope it may inspire some to do something about insecure websites and enhance pro-active secure hosting in some form. Often one feels like preaching for the choir and the message falling on deaf ears. See for instance here: http://killmalware.com/michaeldechiara.com/  Outdated CMS there, not the latest version of WP. A 01 type of defacement: https://sitecheck.sucuri.net/results/michaeldechiara.com#sitecheck-details
For the code and the hack: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fmichaeldechiara.com

For more general details on how websites get hacked and defaced: https://www.quora.com/How-are-websites-hacked-to-have-their-content-defaced-How-can-I-prevent-such-attacks-on-my-website

polonus
« Last Edit: September 23, 2015, 01:15:54 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33442
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #61 on: October 03, 2015, 10:11:25 PM »
At the moment SSL security is gaining momentum through the big campaign driven by Google and others to change http to https - we know this as the "https everywhere campaign". It only can be a big step forward when everything is implemented in the right way, encryption without (export)  restrictions, served up from the right angle and not from the wrong insecure side up, etc. etc.
Right server and security header configurations and off-course certification should be O.K. and properly implemented.

And until now a lot is (still) going wrong, too many sites where log-in still goes on unencrypted and log-in data go straight over the wires.

Safer Chrome Security Report extension will set these insecure sites out. Also we get sites reported as insecure where certificates are concerned at Comodo Site report.

To-day I got an question about a certificate flagged in the Virus and Worms: https://forum.avast.com/index.php?topic=177190.0 
Andrey, pro was so friendly as to translate my reply there into Russian.

A new link I give here for users to check revocation with can be found here:  https://certificate.revocationcheck.com
enjoy and when issues of the report aren't clear do not hesitate to report in the virus and worms.

A couple of other links to put your queries into are:
https://www.bluessl.com/en/ssltest
http://cyh.herokuapp.com/cyh
https://www.ultratools.com/tools/zoneFileDumpResult
http://dnscheck.iis.se/
https://certlogik.com/ssl-checker/www.reddit.com/
https://www.wormly.com/test_ssl
https://www.digicert.com/help/
https://www.ssllabs.com/ssltest/
https://sslbl.abuse.ch/intel/11c94f0bf7c5f512ddf3b016c206674a6f630dd0
http://codefromthe70s.org/certcheck.aspx
https://ssl.trustwave.com/support/support-certificate-analyzer.php?address=

enjoy,

polonus
« Last Edit: October 03, 2015, 10:14:22 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33442
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #62 on: October 05, 2015, 12:09:08 AM »
Dear followers of this thread,

Finding far too many insecurities during my scanning is really discouraging.
Normal IT staff is not up to it, and technical IT cannot make the difference somehow,
also pro-active hosting is too few and too far in between.  :(

Here an excample where 1600 attempts at canvas fingerprinting were blocked by my chrome extension, read the full story here: https://forum.avast.com/index.php?topic=177229.0

Now theory on best practices and actual practice isn't often in balance.
Here I have a site author that discusses ways to block canvas fingerprinting,
but that very article site breaches your privacy with a so-called Facebook Likebutton
we find tracking us now from many, many a webpage (together with his AddThis friend and Google+ pal).

The Facebook Like-button  was neatly replaced by my PrivacyBadger extension inside Google Chrome,
but one sees what experts are  preaching and what they actually do online are two different things.   :D
Here is the link to find that button (if you have an extension to set it out).
http://gizmodo.com/what-you-need-to-know-about-the-sneakiest-new-online-tr-1608455771

There is also a SPOF report for that site:
Possible Frontend SPOF from:

-kinja.com - Whitelist
(100%) - <script async type="text/javascript" src="//kinja.com/api/profile/assets/javascripts/sso.js">
-html5shiv.googlecode.com - Whitelist
(97%) - <script src="//html5shiv.googlecode.com/svn/trunk/html5.js">
-pagead2.googlesyndication.com - Whitelist
(44%) - <script type="text/javascript" src="-http://pagead2.googlesyndication.com/pagead/show_ads.js">
-www.googletagservices.com - Whitelist
(7%) - <script type="text/javascript" src="//-www.googletagservices.com/tag/js/gpt.js" async>
-c.amazon-adsystem.com - Whitelist
(7%) - <script type="text/javascript" src="//-c.amazon-adsystem.com/aax2/amzn_ads.js" async>

Not blocking these could also make that website load quite a bit slower.

Privacy is a non-existant animal to-day and that should be our conclusion. We could make it a bit more difficult for the trackers and profilers and those that dragnet us, but at the end we haven't enough defenses.
Script and request blocking are still our best bets, but you cannot win where others forget about the security of their online visitors - outdated (server) software, outdated CMS, use of left software, misconfigurations, bad hosting, incompetence and disinterest are hard devils to fight. 

polonus (volunteer website security analyst and website error-hunter)

« Last Edit: October 05, 2015, 12:54:56 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33442
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #63 on: November 02, 2015, 02:07:47 PM »
Let us continue now with the reg ex snippets series - continued - Dangerous procedures start with 'sp' or 'xp' -'xp_cmdshell'
allows execuring to a windows shell command through the SQL server.
access rights gained so is loadsystem/exec(\s|\+)+(s|x)p\w+/ix
exec keyword to run the stored or extended procedure.
(\s|\+)+ one or more white spaces or their HTTP encoded equivalents
\w+ one or more alphanumeric or underscorecharacters to complete the name of the procedure.

OS command injection flaw   /(\||% 00|system\(|eval\(|'|\\)/i
\| pipe symbol,word in commands to pipe, the stdout of one program into stdin of another.
%00 The null character (dex & hex 0) used in C/C++ based programs as a string delimiter -Tricked to be treated as last char to abuse PHP to read further past the NULL character.
systen\( System() is a function in programming languages like PERL and PHP will execute additional external program and will display the output.
eval ( Eval() is a function in PHP. Perl and other languages which evaluates a string as PHP (Perl)--code
' The blacktickoperation is similar to the system () function in that respect that it executes an external program.
\\ The backlash is used for escaping characters. If the escaping backlash can be escaped, attackers may junp out of the escaped sequence.
Will be continued with Malicious File Execurion and reg ex...

polonus (volunteer website security analyst and website error hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33442
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #64 on: November 02, 2015, 02:40:05 PM »
Continued -
Malicious File Execution
Appl. that allows users to provide a filename or part of a filename are often vulnerable if input validation is not very accurate. Manipulation of filename may cause the appl. to open up an external URL or execute a system program.

PHP has the weakness to allow URLs in include and require statements. This is cause of the most dangerous vulnerabilities in PHP applications, include "php://input"; POST include "data; base64, PDgwaH?--"
/(https?\ftp\php|data):/i protocols follwed by colon

Insecure Direct Object Reference

Internal - Files or Directories
Objects - URLs
may -Database keys (acct_no, group_id
include - Other database object names in table name

/(\.|C%|:25)2E)\'|(%|%25)2E)(\|(%|%25)2F|\\|(%|%25)5c)/i(\.|(%|%25)2E)
two dots and their URL encoded equivalents & the slash and backslash and their URL-encoded equivalents
%25)5c) "but also "/".

will be continued...


polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33442
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #65 on: November 02, 2015, 02:50:52 PM »
Now you can start to apreciate this Privoxy filter survey:
http://downyours.org/?filters_484a7c06c4b8474f8853a42eb790a0ded3c310d37b994e29896e4fde1ee0c668
I used this in user scripts in Tampermonkey in the Google Chrome browser.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33442
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #66 on: November 18, 2015, 07:26:22 PM »
For those in volunteer website security analysis, this passive scanning report for 1380 business websites in the Netherlands is exemplary how third party cold reconnaisance scanning could be performed. Read the pdf on results and methodology.

In the scanning there was also scanned for ftp-banners (this could be performed through a dazzlepod ip scan (banner.nse), but there we cannot share the results),for those that want to test their ftp server: https://ftptest.net/

Here you can perform various tests online: https://pentest-tools.com/network-vulnerability-scanning/openssl-heartbleed-scanner

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6711
  • Trust only what you test yourself!
Re: Musings about my volunteer website security scan experiences....
« Reply #67 on: November 18, 2015, 07:51:51 PM »
@ polonus 

Please make the results/reports clickable.
But keep the possible infectious sites non-clickable.
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33442
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #68 on: November 22, 2015, 12:41:39 AM »
Still a very intersting link on security risks: https://www.owasp.org/index.php/Top_10_2010-Main
Also look here for vulnerability scanning of javascript libraries.
From working them inside sandboxes to test then as fit to use as a 100% security guarantee probably never coulkd get handed out, the interaction with other code etc. is too darned complicated.
Using strict mode. Time to retire some code libraries as vulnerable.
Also read here: http://www.educatedguesswork.org/2011/08/guest_post_adam_barth_on_three.html
It is striking that defacers code with XSS threats in mind, there you find minimal sources and sinks.
Also read here for content security policies: https://mikewest.org/2011/10/content-security-policy-a-primer
Javascript security it ain't easy folks, it ain't easy at all,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33442
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #69 on: November 22, 2015, 11:12:30 PM »
10 gigantic security fails from the real IT world, read here in English - by Fahmida Y. Rashid, the link goes here: -> http://computerworld.nl/security/90318-10-enorme-beveiligingsblunders-van-systeembeheerders
English txt starts from line 6.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33442
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #70 on: December 26, 2015, 12:42:53 PM »
For website admins and developers that use jQuery.

While checking website for jQuery libraries to be retired at: http://retire.insecurity.today/#
polonus also went over a nice publication by Stefano di Paola on jQuery security.

This mindedsecurity.com article author came to the conslusion that jQuery has all the characteristics of a sink.
A sink, that is a function or method that can be considered as insecure, when one of its arguments
comes from untrusted input and is not correctly being validated according to the layer
the function is communicating to. So jQuery.html is a sink and no one will complain.

jQuery has also been designed to perform different operations based on argument type and content.
Using the same interface for query and executing may be a very bad idea.

jQuery as selector? Never use jQuery() or $() with a non-validated argument. No matter of what
version is being used. Check and read the code!

jQuery developers should retire all old versions (zip them all for reference).
Change and lock the jQuery do-everything behavior.
Do not allow Client side into HPP.
encodeURIComponent
Do not use $.html()with untrusted input.
Check whether it will work as expected. <.*\?>  :o
Please, test your RegExps.! because Client Request Proxy is frameable by design.
An unfriendly header can be attached/added X-Ms-Origin: -http://cyber.at.at.tacker
XMLHttpRequest.attr = val  will make this work.
IE will see some code as valid JSON and you canb still be left with an unvalidated object!

Be cautious and shy using 3rd party services as they could produce 3rd party surprises.
HTML Injection Vulnerabilities, so test and audit all your 3rd party code!

Check using http://www.domxssscanner.com/

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: December 26, 2015, 12:55:51 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33442
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #71 on: December 27, 2015, 02:06:15 PM »
For a list of sinks in jQuery, see: https://code.google.com/p/domxsswiki/wiki/jQuery
jQuery Methods That Directly Update the DOM:
.after()                       .prependTo()
.append()                   .replaceALL()
.before()                     .replaceWith()
.html()                        .Unwrap()
.insertAfter()               .wrap()
.insertBefore()            .wrapAll(0
.prepend()                  .wrapInner()
Note text() updated DOM but it is safe.
Do not send unvalidated data to these methods or properly escape before doing so.

More danger: jQuery or $(danger) immedeately evaluates the input,
e.g. $("<img src=x onerror=alert(1)>").on(),.add(html),

Further research of these 300 methods is needed to identify all the safe versus unsafe methods:
https://coderwall.com/p/h5lqla/safe-vs-unsafe-jquery-methods
http://stackoverflow.com/questions/9735045/is-jquery-text-method-xss-safe
https://blog.csnc.ch/2013/01/dom-based-xss-unsafe-javascript-functions/

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33442
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #72 on: March 28, 2016, 04:14:41 PM »
Seems that many a nameserver and hosting or whatever server is still vulnerable to the so/called DROWn attack. One could test here:
https://test.drownattack.com/?site=  Mind you that all underlaying servers and services thereof should be secure.
Checked this and it fits the Hall of Shame: https://securityheaders.io/?q=https%3A%2F%2Fbing.com
Results for bing.com
Sites that use the certificates below are vulnerable to eavesdropping. Attackers may be able to decrypt recorded traffic and steal data.
Update server software at all IP addresses shown, and ensure SSLv2 is disabled.
Would you believe these results?
https://test.drownattack.com/?site=bing.com supports SSLv2 export ciphers

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33442
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #73 on: April 16, 2016, 08:46:45 PM »
@developers and code analysts,

Just read a still very actual article about the disadvantages of inline CSS and Javascript code.
Robert Nyman writes on the subject here:
https://robertnyman.com/2008/11/20/why-inline-css-and-javascript-code-is-such-a-bad-thing/
I just added a userscript, called Obtrusive Javascript Checker to the browser via Tampermonkey extension.
While I type this message I experience 25 inline events - onsubmit 1, onchange 2, onselect 1, onclick 20 and onkeyup 1
When I click the post button I enable this action:
Code: [Select]
onclick(return submitThisonce(this);.
Nice to have this under the hood for those that analyze Javascript code every day.
For all others it  Obtrusive JS Checker will mean a lot of unnecessairy clutter.

On the consequenses for Content Security Policy and CSP Violation Fixing, read here: http://www.cspplayground.com/compliant_examples
Quote
Most uses of inline scripts that would break when using CSP can be fixed by factoring the javascript out to an external .js file, and making the location of that file a CSP-approved source.

Here a CSP generator: http://cspisawesome.com/

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: April 17, 2016, 06:19:22 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33442
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #74 on: April 28, 2016, 10:32:04 PM »
While those scanning here still find many an insecurity: https://securityheaders.io/
We have online mitigating tools like this Content-Security-Policy header generator at http://cspisawesome.com/

And while we find many an insecurity here as well: https://sritest.io/
we have a SRI hash generator online here: https://www.srihash.org/

Enjoy and secure,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!