Author Topic: Musings about my volunteer website security scan experiences....  (Read 42524 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33892
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #75 on: April 28, 2016, 11:02:43 PM »
PHP is at the root of many an attack. That is why I come up with this link to check: http://yehg.net/encoding/index1.php
From the same developer as the Malware Script Detector v. 1.1 extension that runs under Tampermonkey on Google Chrome for me
and has warned me about many an unobtrusive script threat - BEAST, SQL code. Together with the blocking from Netcraft's extension it is great protection inside the browser.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Re: Musings about my volunteer website security scan experiences....
« Reply #76 on: May 01, 2016, 01:24:30 PM »
What I would not like you to consider, and why not, is explained here.
Someone (Bart Blaze) was into this; he states:
Quote
Before we begin, I’d like to make clear that if you want to test your skills after reading this article or want to test malware in general, you should set up a proper testing environment. Make sure you are using a Virtual Machine if testing on your own machine, or create a machine for the sole use of testing malware and antimalware tools. In either case, it’s a good idea to use a separate network or use a DMZ should you have one. Personally I recommend having the machine connected to the internet, so the malware can do its evil work to its maximum potential and you will be able to carefully study and dissect its workings completely.
Then he continued:
Quote
Do not use shared folders between VM & host
Do use a separate network
Do use a physical device and no VM
Have an antivirus solution installed on your physical device when using a VM
etc. etc.
Read all the particulars of his article, as you translate this link into English: https://www.security.nl/posting/41479/Security+Tip+van+de+Week%3A+onderzoek+malware+in+je+eigen+lab

Now while this set-up is meant for security research on a corporate network and not for the unaware home/hobby user,
it is still very problematic. Leave this exploration to the professionals.

Doing this at home is unwise as it could turn your device into a virtual malware-ridden doorstopper
or at least get you into serious problems with your Internet provider.
When this happens over the weekend you are in big trouble and out on your own.
Furthermore some malcode is known to break out of a VM or sandbox
and could seriously hamper/tamper with your network surroundings.
Always use a separate lab setting off of the Interwebs and in perfect isolation.

Now all users here may understand why polonus went for third-party cold reconnaissance.
Let third-party scanners do the work for you, do pre-scanning as well, and never visit a suspicious or malicious website itself.
Later I will give you my experience with Malzilla, but that is another story.
I like to use third-party scanners, HTML validators, javascript unpackers, js beautifiers, php scanners,
looking where code may have access and whether there is inline code;
I look for security-related information from SEO scanning sites, DNS scanning, SSL scanning etc. etc.,
looking for cloaking, suspicious iFrames, and differences between the Google and Googlebot response code.

Whenever I stumble on code errors I read on stackoverflow and also check for the security implications.

Direct malcode access is an unwise idea for anyone without the proper tools and surroundings.
Just a single confrontation with a file infector or malcode that does not obey the VM surroundings
and starts to eat its way through your sandbox, and you are food for the birds.

And where your provider is concerned:
"Do not do the crime, if you cannot pay the time or even worse".

Have a great first of May, ye all...

polonus

« Last Edit: May 01, 2016, 01:28:42 PM by polonus »

Re: Musings about my volunteer website security scan experiences....
« Reply #77 on: May 22, 2016, 01:22:27 AM »
A lot of developers and javascript coders use ready-made examples taken from the Interwebs.
This is a risky practice: whenever the code is buggy or even insecure, you are bound to copy that.
Do not reinvent the wheel, but at least test the wheels.
A good free book to start and read: https://addyosmani.com/resources/essentialjsdesignpatterns/book/
(free for non-commercial use only).

Enjoy my good friends, enjoy.

polonus


Re: Musings about my volunteer website security scan experiences....
« Reply #78 on: May 22, 2016, 04:09:43 PM »
While going over these javascript design vulnerabilities we have to be aware of the top web security vulnerabilities; a nice list is given here by Gergely Kalman: https://www.toptal.com/security/10-most-common-web-security-vulnerabilities
When you read this you will understand why we do the scans we do: analyze the HTTP response headers, see where code is same origin (e.g. SRI Hash Website Scan, Safer Chrome Security Report), look for cloaking and hidden iFrames, Tracker SSL insecure ID tracking, retirable jQuery scans, CMS insecurity scans, SSL tests, DNS tests, website and nameserver misconfiguration tests (asafaweb scan etc.), DOM XSS vulnerability scan, Javascript Unpacker Scan, and various other scans.
So we have to filter untrusted input, watch for broken authentication and the threats involved, input sanitization problems (XSS), store data internally and set session variables (undefined functions and variables always form a threat vector). Security misconfigurations like user enumeration enabled by default, directory listing, server header info proliferation, excessive services and outdated or even left-over software running etc. Non-HTTPS content, lack of PFS; requests should not be able to alter the resource requested. Do not use vulnerable components (plug-ins); header injection can be rather bad.

JavaScript sources are functions or DOM properties that can be influenced by the user. Vulnerable JavaScript sources that can be exploited for a DOM-based attack include the following:

Location-based, such as location, location.href, document.URL and so on.
Client-side storage based. For instance, it could be document.cookies, sessionStorage and localStorage.
Navigation-based, such as navigation.referrer, window.name, history et al.
Cross-domain functions. See: http://www.domxssscanner.com/

Quote
Some common exploitable JavaScript sinks:

Execution-based, such as eval(), Function(), setTimeout(), setInterval() and so on.
URL-based, for instance location and location.assign().
HTML-based, such as document.write(), HTML elements and attributes.
XHR calls, postMessage, client-side storage and other JavaScript variables.

postMessage is a JavaScript function under HTML5 that facilitates communication across iframes, i.e. two iframes loaded from separate domains on the same page or between the page and an iframe within it. This communication is entirely client-side. If postMessage restrictions are set loosely, it could result in invalidated malicious data being sent across iframes or a potential data leak scenario making it possible to perform data extraction across sites. The white-list paradigm applies here as well.

With HTML5, client-side storage mechanisms have gone beyond the cookie with newer options such as localStorage, Web SQL and IndexedDB. Storage of sensitive data on the client side using these mechanisms fosters a huge security risk, bigger than cookies ever posed.

Quote taken from author Lavakumar Kuppan on HTML5 security. Check using: https://html5.validator.nu/

polonus (volunteer website security analyst and website error-hunter)

P.S. Also learn about Bug Patterns: https://find-sec-bugs.github.io/bugs.htm  (created by Philippe Arteau)
and http://alistapart.com/blog/post/pattern-library-security-vulnerability  (from Mat Marquis).
The blog has a vulnerability by itself; Safer Chrome Security Report for "Pattern Library Security Vulnerability · An A L..." on alistapart.com:
Alerts (1)
Insecure login (1)
Password will be transmitted in clear to http://alistapart.com/?ACT=159
Infos (1)
Encryption (HTTPS) (1)
Communication is NOT encrypted

Damian
« Last Edit: May 22, 2016, 04:30:50 PM by polonus »
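The allow-list paradigm for postMessage described above, as an added example (not code from the original post or from Lavakumar Kuppan's article). The origins app.example and widget.example, the "search-tags" message type and the 200-character bound are assumptions; only installReceiver touches the DOM, the decision logic is plain functions.

```javascript
// Added example (not from the original post): postMessage with an origin
// allow-list on both the receiving and the sending side.
// TRUSTED_ORIGINS and the "search-tags" message type are hypothetical.
const TRUSTED_ORIGINS = new Set([
  "https://app.example",     // hypothetical parent page
  "https://widget.example",  // hypothetical embedded iframe
]);

// Receiver-side decision. `event` only needs { origin, data }, the two
// fields of a real MessageEvent that matter here, so it runs outside a browser.
function vetMessage(event, trusted = TRUSTED_ORIGINS) {
  // 1. Exact-match allow-list on scheme + host + port. A substring or
  //    startsWith test would also accept "https://app.example.other.test".
  if (!trusted.has(event.origin)) {
    return { accepted: false, reason: "origin not on allow-list: " + event.origin };
  }
  // 2. Shape check: a structured message of a known type with a string payload,
  //    so a raw string or an unexpected object never reaches the page logic.
  const d = event.data;
  if (typeof d !== "object" || d === null ||
      d.type !== "search-tags" || typeof d.tags !== "string") {
    return { accepted: false, reason: "unexpected message shape" };
  }
  // 3. Length bound (assumed 200), so a frame cannot stuff arbitrary data into the page.
  if (d.tags.length > 200) {
    return { accepted: false, reason: "payload too long" };
  }
  return { accepted: true, tags: d.tags };
}

// Sender side: the second argument of postMessage is the target origin. "*"
// would deliver the data to whatever document is loaded in that window.
function sendTags(targetWindow, tags, targetOrigin) {
  if (targetOrigin === "*" || !TRUSTED_ORIGINS.has(targetOrigin)) {
    throw new Error("refusing to post to non-allow-listed origin " + targetOrigin);
  }
  targetWindow.postMessage({ type: "search-tags", tags: tags }, targetOrigin);
  return true;
}

// Browser wiring (not run outside a browser): the vetted text is written with
// textContent, a text sink, rather than innerHTML or jQuery .html().
function installReceiver(win, outputEl) {
  win.addEventListener("message", function (event) {
    const result = vetMessage(event);
    if (result.accepted) {
      outputEl.textContent = "Searched for: " + result.tags;
    }
  });
}
```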

Re: Musings about my volunteer website security scan experiences....
« Reply #79 on: May 22, 2016, 10:37:11 PM »
Let us give an example of what I said about copying ready-made code from the book
and then maybe also copying the vulnerabilities of that code example. Let us take a ready jQuery code pattern example from the free book I presented earlier in this thread. Let's go.

Example from a textbook
Code:
// Assumes jQuery ($/jQuery), Underscore (_) and a $.publish/$.subscribe pub/sub plugin are loaded first;
// an unpacker that sees this file on its own will flag exactly those three as undefined.
(function( $ ) {
 
   // Pre-compile template and "cache" it using closure
   var resultTemplate = _.template($( "#resultTemplate" ).html());
 
   // Subscribe to the new search tags topic
   $.subscribe( "/search/tags", function( e, tags ) {
       $( "#lastQuery" )
                .html("<p>Searched for:<strong>" + tags + "</strong></p>");
   });
 
   // Subscribe to the new results topic
   $.subscribe( "/search/resultSet", function( e, results ){
 
       $( "#searchResults" ).empty().append(resultTemplate( results ));
 
   });
 
   // Submit a search query and publish tags on the /search/tags topic
   $( "#flickrSearch" ).submit( function( e ) {
 
       e.preventDefault();
       var tags = $(this).find( "#query").val();
 
       if ( !tags ){
        return;
       }
 
       $.publish( "/search/tags", [ $.trim(tags) ]);
 
   });
 
 
   // Subscribe to new tags being published and perform
   // a search query using them. Once data has returned
   // publish this data for the rest of the application
   // to consume
 
   $.subscribe("/search/tags", function( e, tags ) {
 
       $.getJSON( "http://api.flickr.com/services/feeds/photos_public.gne?jsoncallback=?", {
              tags: tags,
              tagmode: "any",
              format: "json"
            },
 
          function( data ){
 
              if( !data.items.length ) {
                return;
              }
 
              $.publish( "/search/resultSet", { items: data.items } );
       });
 
   });
 
 
})( jQuery );


Tested through an unpacker, the result comes up as

Code:
tested script
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined variable _
     error: undefined function $
It is working, but the error seems to be in the PHP returning an empty string (pol).
Q.E.D., meaning what had to be demonstrated to my audience here.

So we find complicating factors, because we have to consider intricate code chains just outside the jQuery "fit to use" status of the code.

Coding is not as easy as it presents itself at first sight, my good friends,

polonus (volunteer website security analyst and website error-hunter)
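As an added example (not from the book or the post): a heuristic source/sink finder in the spirit of the DOM XSS scanner mentioned earlier in this thread, run over a re-typed fragment of the book snippet, together with a hardened form of the /search/tags subscriber, which passes form input straight into the .html() sink. The pattern lists are my own assumption, not the scanner's rules.

```javascript
// Added example (not from the book or the post): a heuristic source/sink
// finder plus a hardened version of the book's /search/tags subscriber.
// The pattern lists below are an assumption, not any scanner's real rules.
const SOURCE_PATTERNS = [
  ["location-based", /\b(?:location\.(?:href|hash|search)|document\.URL)\b/],
  ["client-side storage", /\b(?:document\.cookie|localStorage|sessionStorage)\b/],
  ["navigation-based", /\b(?:document\.referrer|window\.name)\b/],
  ["form input (.val())", /\.val\s*\(\s*\)/],
];
const SINK_PATTERNS = [
  ["eval()", /\beval\s*\(/],
  ["Function()", /\bFunction\s*\(/],
  ["setTimeout()/setInterval()", /\bset(?:Timeout|Interval)\s*\(/],
  ["document.write()", /\bdocument\.write(?:ln)?\s*\(/],
  ["innerHTML / .html()", /\.(?:innerHTML\s*=|html\s*\()/],
  ["location assignment", /\blocation(?:\.href)?\s*=[^=]|\blocation\.assign\s*\(/],
];

// One { line, name } hit per (line, pattern) match; line numbers are 1-based.
function findMatches(source, patterns) {
  const hits = [];
  source.split("\n").forEach(function (text, i) {
    for (const [name, re] of patterns) {
      if (re.test(text)) hits.push({ line: i + 1, name: name });
    }
  });
  return hits;
}
function auditSnippet(source) {
  return { sources: findMatches(source, SOURCE_PATTERNS),
           sinks: findMatches(source, SINK_PATTERNS) };
}

// Constructed sample: the two handlers from the book snippet above, re-typed.
const BOOK_SNIPPET = [
  '$.subscribe("/search/tags", function (e, tags) {',
  '  $("#lastQuery").html("<p>Searched for:<strong>" + tags + "</strong></p>");',
  '});',
  '$("#flickrSearch").submit(function (e) {',
  '  var tags = $(this).find("#query").val();',
  '  $.publish("/search/tags", [$.trim(tags)]);',
  '});',
].join("\n");

// Hardened subscriber body: escape before the HTML sink. In real jQuery code,
// $("<strong>").text(tags) would be the equivalent.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}
function renderLastQueryUnsafe(tags) {   // what the book's subscriber builds
  return "<p>Searched for:<strong>" + tags + "</strong></p>";
}
function renderLastQuery(tags) {         // escaped form
  return "<p>Searched for:<strong>" + escapeHtml(tags) + "</strong></p>";
}
```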

Re: Musings about my volunteer website security scan experiences....
« Reply #80 on: June 21, 2016, 04:21:04 PM »
Sometimes we find the defacement hack example right out on the Interwebs: https://gist.github.com/anonymous/e1a67816dd5956fc8adc
Where was it abused recently? Well, here: http://killmalware.com/diazepamabuse.com/#
Reverse DNS is DROWN vulnerable: -seo217.seoboxes.com -> https://test.drownattack.com/?site=seo217.seoboxes.com
GoDaddy dot com abuse. Outdated WordPress:
WordPress Version
4.1.11
Version does not appear to be latest 4.5.2 - update now.

Warning: Directory Indexing Enabled :o
In the test we attempted to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is an information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/ enabled
/wp-content/plugins/ disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation, either through the web server configuration or .htaccess.

pol

Re: Musings about my volunteer website security scan experiences....
« Reply #81 on: June 22, 2016, 06:50:26 AM »
Lately I did a scan here: https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp
for -www.comcast.com and found: "Please contact the Certificate Authority for further verification."
Warnings
RC4
This server uses the RC4 cipher algorithm which is not secure. Disable the RC4 cipher suite and update the server software to support the Advanced Encryption Standard (AES) cipher algorithm. Contact your web server vendor for assistance.
Root installed on the server.
For best practices, remove the self-signed root from the server. Server type: Microsoft-IIS/8.0 443
Read why here: https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/
Read also: http://www.ghacks.net/2015/07/19/how-to-block-the-insecure-rc4-cipher-in-firefox-and-chrome/
To test SSL at your end: https://www.howsmyssl.com/   &  https://www.ssllabs.com/ssltest/viewMyClient.html
Also seems DROWN vulnerable.

polonus
« Last Edit: June 22, 2016, 12:44:49 PM by polonus »

« Last Edit: June 22, 2016, 05:23:16 PM by polonus »

Re: Musings about my volunteer website security scan experiences....
« Reply #83 on: July 05, 2016, 02:35:12 PM »
Quite some users here use the Disconnect extension in Google Chrome, for instance; it is well worth knowing what comes whitelisted there: https://github.com/mozilla-services/shavar-list-exceptions/blob/master/allow_list
I landed there going over this: https://stackoverflow.com/questions/17360488/malware-infected-sites-listonly-url
and also why developers should benefit from this API: https://developers.google.com/safe-browsing/?hl=en
Open to a security check here on Unmask Parasites: http://www.unmaskparasites.com/security-report/
https://www.crunchbase.com/organization/unmask-parasites  Sucuri and its clone SiteGuarding make use of this.
A bookmarklet can be found here: http://iosbookmarklets.com/tutorials/unmask-parasites-bookmarklet/
My adblocker of choice is uBlock Origin.

polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #84 on: July 06, 2016, 06:39:38 PM »
Various scripts are often developed, produced and tested as "fit to use". Often, on a second glance over them, many an error can be detected that may or may not have security implications on a particular website.

Let us take a look at a random script from a random website:  http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwossen.com.ar%2Fmedia%2Fsystem%2Fjs%2Fcaption.js

First we run the code through a beautifier to come up with this:
Code:
var JCaption = new Class({
    initialize: function (a) {
        this.selector = a;
        $$(a).each(function (a) {
            this.createCaption(a)
        }, this)
    },
    createCaption: function (a) {
        var f = document.createTextNode(a.title),
            c = document.createElement("div"),
            d = document.createElement("p"),
            e = a.getAttribute("width"),
            b = a.getAttribute("align");
        if (!e) e = a.width;
        b || (b = a.getStyle("float"));
        if (!b) b = a.style.styleFloat;
        if (b == "" || !b) b = "none";
        d.appendChild(f);
        d.className = this.selector.replace(".", "_");
        a.parentNode.insertBefore(c, a);
        c.appendChild(a);
        a.title != "" && c.appendChild(d);
        c.className = this.selector.replace(".", "_");
        c.className = c.className + " " + b;
        c.setAttribute("style", "float:" + b);
        c.style.width = e + "px"
    }
});

Now we analyze the code and get the following error:
Code:
found JavaScript
     error: undefined variable Class
     error: line:12: TypeError: Class is not a constructor
Class is not a constructor inside the function. Function call is expected, expression is found.

In this case the error is not a real security issue, because of the SRI hash A status found in this scan:
https://sritest.io/#report/36fb6a47-4160-4160-b8b4-b1a2066bcd28

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: July 06, 2016, 06:42:42 PM by polonus »

Re: Musings about my volunteer website security scan experiences....
« Reply #85 on: July 07, 2016, 12:52:13 AM »

Some resources on a malicious IP = 218.60.108.138
1. https://cymon.io/218.60.108.138
2. https://www.virustotal.com/en/ip-address/218.60.108.138/information/
3. https://www.threatcrowd.org/ip.php?ip=218.60.108.138
4. https://www.reasoncoresecurity.com/ip-address-218.60.108.138.aspx
5. https://www.threatminer.org/host.php?q=218.60.108.138
6. http://support.clean-mx.com/clean-mx/viruses.php?virusname=Trj/WLT.B&sort=id%20DESC
7. https://www.scumware.org/report/www.zaccl.com.html

There are many more resources to look up specific malicious IP info, like dazzlepod, netcraft, urlquery, but the above-mentioned resources
are some that come into a specific similar category.

Enjoy, my friends, enjoy,

polonus