Author Topic: Musings about my volunteer website security scan experiences....  (Read 42507 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #45 on: July 05, 2015, 11:21:50 PM »
Has the overall server security situation, especially as regards server security header implementation, improved since 5 years ago:
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration
Personally from what I see on the Internet I do not think so.
Just look here: https://forum.avast.com/index.php?topic=173228.0

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #46 on: August 22, 2015, 08:05:09 PM »
Para-Noid pointed me to the additional info we get via the Netcraft Report, like here in this thread:
-https://forum.avast.com/index.php?topic=175440.msg1245377#msg1245377
Recently I have been using a low level site explorer - it keeps us informed about the received data, links, scripts and frames found for a specific site. Then a benefit is that neither avast online security nor the shields will alert, like they often do on other scans that reveal too much of the detection at hand (code, url, IP etc.). And it "sees" more than for instance Releg's fileviewer, where I saw a toggle coding and where the low level scan rewarded me with the suspicious IP that came out of the toggle code.
That is why I tried it on the website that was scanned in the above thread.
Quite different scanner here: -http-sniffer.find-my-search.com/en/web-sniff-of/www.htyzs.cn/

polonus

Important Update, see why bob3160 was right after all in his reaction to this posting: https://forum.avast.com/index.php?topic=176080.msg1249559#new

Thanks, bob3160, for alerting me and breaking all result urls.

Damian
« Last Edit: September 06, 2015, 12:35:56 AM by polonus »

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48523
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Musings about my volunteer website security scan experiences....
« Reply #47 on: August 22, 2015, 08:08:12 PM »
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #48 on: August 22, 2015, 08:18:22 PM »
Hi bob3160,

I broke all links; how this can be alerted, no warning for me by Avast.

polonus

Update: While bob3160's warning was a valid one, all of the links to the low level scan explorer have been taken out (while they were already broken), both in the virus and worms postings and also in my WOT ratings as "luntrus". I have already thanked bob3160 for his attentiveness there. Good we always help each other out here in the forums.  ;)

Damian
« Last Edit: September 06, 2015, 02:05:37 PM by polonus »

Offline bob3160

Re: Musings about my volunteer website security scan experiences....
« Reply #49 on: August 22, 2015, 08:22:01 PM »
The warning came from gmail. That's also why none of the links in that email are clickable.
I'm not the expert so am simply passing this along. :)

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #50 on: August 22, 2015, 08:29:06 PM »
So this has/had nothing to do with Avast. As I have no live links in the message there I gather all is OK now.
Why GMail warned you I am not aware; my webmail from Avast had no alerts.
Anyway there is nothing malicious in the posting now, cannot be.

polonus
« Last Edit: August 22, 2015, 08:32:17 PM by polonus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Re: Musings about my volunteer website security scan experiences....
« Reply #51 on: August 22, 2015, 08:54:15 PM »
As it says: contains link to websites hosting malware

And that may mean code samples on display    ;)


Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #52 on: August 22, 2015, 09:21:08 PM »
Hi Pondus,

After bob3160 posted that alert I made all links non-clickable, so now there is text only in the posting.
Those that wanna reconstruct (for the samples to go to) now have to do so themselves. This teaches me to better break all links, as it does not demand rocket technology to revive a particular link. No live links and no links coming to bite after we provided added detection.  ;D

So this also could be a policy for the virus and worms to break all links with -http etc.
Another safe way to present anything without risks is as an image.

polonus

Update: all links to the so-called low level website explorer scans have been removed now.

D
« Last Edit: September 06, 2015, 02:07:18 PM by polonus »

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6700
  • Trust only what you test yourself!
Re: Musings about my volunteer website security scan experiences....
« Reply #53 on: August 25, 2015, 09:58:57 PM »
That is why when I do cold research I always use copy/paste then run the online scan.
That way I never, ever go to the actual website.

This one is safe (at least it better be) https://forum.avast.com
I then copy/paste forum.avast.com into either netcraft.com or virustotal and go from there.
I use netcraft.com as a starting point. I use the information provided there to look deeper. Sometimes the lack of information can send up a red flag in a hurry, as seen here https://forum.avast.com/index.php?topic=175440.msg1245377#msg1245377
See http://toolbar.netcraft.com/site_report?url=htyzs.cn%2F - there is some information missing... red flag.
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #54 on: August 25, 2015, 10:23:20 PM »
At this scan you see what is insecure there: -https://asafaweb.com/Scan?Url=htyzs.cn

Custom errors: Fail

Requested URL: -http://htyzs.cn/trace.axd | Response URL: -http://htyzs.cn/trace.axd | Page title: XXXXXXXX | HTTP status code: 403 (Forbidden) | Response size: 1,867 bytes | Duration: 264 ms

Overview
Custom errors are used to ensure that internal error messages are not exposed to end users. Instead, a custom error message should be returned which provides a friendlier user experience and keeps potentially sensitive internal implementation information away from public view.

Result
It looks like custom errors are not correctly configured as the requested URL contains the heading "Server Error in".

Custom errors are easy to enable, just configure the web.config to ensure the mode is either "On" or "RemoteOnly" and ensure there is a valid "defaultRedirect" defined for a custom error page as follows:

<customErrors mode="RemoteOnly" defaultRedirect="~/Error" />

Excessive headers: Warning

Requested URL: -http://htyzs.cn/ | Response URL: -http://htyzs.cn/ | Page title: | HTTP status code: 200 (OK) | Response size: 22,057 bytes (gzip'd) | Duration: 2,473 ms

Overview
By default, excessive information about the server and frameworks used by an ASP.NET application are returned in the response headers. These headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers.

Result
The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

Server: Microsoft-IIS/7.5
X-Powered-By: UrlRewriter.NET 2.0.0, ASP.NET
X-AspNet-Version: 2.0.50727

Clickjacking: Warning

Requested URL: -http://htyzs.cn/ | Response URL: -http://htyzs.cn/ | Page title: | HTTP status code: 200 (OK) | Response size: 22,057 bytes (gzip'd) | Duration: 2,473 ms

Overview
Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An "X-Frame-Options" header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from a trusted URIs.

Result
It doesn't look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.

polonus
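The three checks the ASafaWeb report above performs (platform-revealing headers, missing X-Frame-Options, a leaked default ASP.NET error page) can be reproduced offline against a captured response. The script below is an added example, not from the post or from ASafaWeb; the sample header set is constructed from the values the report lists, and the error-page body is a constructed sample.

```python
"""Re-run the ASafaWeb-style checks over a captured HTTP response (added example)."""
from dataclasses import dataclass, field

# Headers that divulge the web platform; the report above listed exactly these three.
PLATFORM_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")
# Heading ASafaWeb keys on to spot a default ASP.NET error page (customErrors off).
LEAK_MARKER = "Server Error in"


@dataclass
class Findings:
    exposed_headers: dict = field(default_factory=dict)  # header name -> value
    clickjacking: bool = False       # framing not restricted by X-Frame-Options
    custom_errors_off: bool = False  # stack-trace style error page leaked


def _get(headers, name):
    """Case-insensitive header lookup (header names are case-insensitive in HTTP)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_response(headers, body=""):
    """Return Findings for one response's headers and (optionally) its body."""
    f = Findings()
    for name in PLATFORM_HEADERS:
        value = _get(headers, name)
        if value:
            f.exposed_headers[name] = value
    xfo = _get(headers, "X-Frame-Options")
    # DENY, SAMEORIGIN or ALLOW-FROM <uri> are the three policies the report describes.
    value = (xfo or "").strip().upper()
    f.clickjacking = not (value in ("DENY", "SAMEORIGIN") or value.startswith("ALLOW-FROM "))
    f.custom_errors_off = LEAK_MARKER in body
    return f


# Constructed sample: the header set the report above showed for the scanned site.
SAMPLE_WEAK = {
    "Server": "Microsoft-IIS/7.5",
    "X-Powered-By": "UrlRewriter.NET 2.0.0, ASP.NET",
    "X-AspNet-Version": "2.0.50727",
}
# Constructed sample of a default ASP.NET error page body.
SAMPLE_LEAK_BODY = "<h1>Server Error in '/' Application.</h1>"
# Constructed hardened set: platform headers stripped, framing restricted.
SAMPLE_HARDENED = {"X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    print("weak:", check_response(SAMPLE_WEAK, SAMPLE_LEAK_BODY))
    print("hardened:", check_response(SAMPLE_HARDENED, "<h1>Sorry, something went wrong.</h1>"))
```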

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #55 on: August 30, 2015, 01:09:09 PM »
We always should be aware of malicious obfuscated code injections.
Read: http://security.stackexchange.com/questions/34271/how-can-you-inject-malicious-code-into-an-innocent-looking-url 
and  example: http://stackoverflow.com/questions/3115204/unicode-mirror-character
For some further background info: http://www.casaba.com/products/UCAPI/

So always validate these URIs and see where they actually will take you!

polonus

Offline bob3160

Re: Musings about my volunteer website security scan experiences....
« Reply #56 on: September 04, 2015, 04:27:58 PM »
@Damien,
Wonder if this may interest you:

Not a tool for the faint of heart and not a tool I'd ever use.
https://github.com/10se1ucgo/DisableWinTracking

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #57 on: September 04, 2015, 04:38:15 PM »
Hi bob3160,

Seems like overkill, I just want to kill some insecure tracking and with the add-ons in Google Chrome I have apt possibility.
AOS has this. DrWeb's, and uMatrix is so versatile you can almost kill all on a particular website.
Then there is Ghostery, so what more do I want. I am not paranoid about this and very selective.
For instance this one, a weird clicker like HeroFW app that circumvents ad-blockers: http://t130210.security-ids-snort-emerging-sigs.securityupdate.info/herofw-app-crew-and-this-looks-like-some-weirdclick-tracking-crap-t130210.html
Anyway, thanks for the heads-up and I will skim through that code there,

Damian


Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #58 on: September 10, 2015, 02:41:18 PM »
What users of WP CMS should read: http://codex.wordpress.org/Hardening_WordPress
and this http://www.woothemes.com/2013/09/improve-your-wordpress-security-with-these-10-tips/
They could take a scan at Sucuri's and check their WP here: https://hackertarget.com/wordpress-security-scan/

Still seeing too much outdated CMS, CMS themes, plug-ins, user enumeration and directory indexing enabled warnings, excessive server info proliferation, clickjacking and other warnings, etc. etc., the insecurities of bulk hosting and eventual evolving general IP blocks, use of left-behind software (developers will not maintain it; bugs, vulnerabilities and exploits are not being patched).

Don't be a trained monkey  ;) but educate yourself about the dangers you could be for your visitors.
Remember millions visit WP driven websites every day and could get infested by malware driven sites.
Be responsible and act accordingly as webmaster, website admin and hosting staff!

polonus

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #59 on: September 11, 2015, 10:46:43 PM »
In the light of the new growing mal-ad injection threat, the following.
Insecure javascript inclusion: using the -src attribute of a <script> tag to directly or indirectly include a JS-file from an external domain into the top-level document of a webpage.

Keeping JS separate from HTML markup is a good practice. Including JS from the same host or domain is good and could be excluded from evaluation of insecure inclusion techniques. Sites run the risk that their homepages come under the control of the included javascript code, and an even higher risk from multiple sources.

Some advertisers provide nothing on their root URLs but point just to some stored JS file using URL-paths. A single compromised JS-file could directly cause security breaches on thousands of sites.

Now one can understand why using a decent adblocker is not a luxury or use an adblocking browser on Android for that matter.
Google Safebrowsing is a last resort line of defense!

polonus
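A webmaster can audit the inclusion pattern the post above describes by listing every <script src> on a page and separating same-host includes from those pulled in from another domain. The script below is an added example, not code from the post; the sample page and the .test hostnames in it are constructed.

```python
"""List <script src> includes and flag the cross-origin ones (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag; inline scripts have none."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def classify_script_includes(html, page_url):
    """Return (same_host, external): absolute script URLs split by whether their
    host equals the page's host. Relative paths and scheme-relative //host/path
    sources are resolved against page_url first, so ad tags written as
    //ads.example/tag.js are recognised as external."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    same_host, external = [], []
    for src in collector.srcs:
        absolute = urljoin(page_url, src)
        host = urlsplit(absolute).hostname
        (same_host if host == page_host else external).append(absolute)
    return same_host, external


# Constructed sample page: one local script, one scheme-relative ad tag,
# one absolute include from a CDN domain, and one inline script (no src).
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script type="text/javascript" src="//ads.example-network.test/tag.js"></script>
<script src="https://cdn.example-cdn.test/lib/widget.min.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>"""
SAMPLE_PAGE_URL = "http://www.example-site.test/index.html"

if __name__ == "__main__":
    local, ext = classify_script_includes(SAMPLE_HTML, SAMPLE_PAGE_URL)
    print("same host:", local)
    print("external (each one controls this page if compromised):", ext)
```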