Author Topic: Why website had SEO redirects?  (Read 1210 times)


Offline polonus

Why website had SEO redirects?
« on: June 13, 2016, 01:39:44 PM »
Insecurities? -http://shakhvorostova.ru
Detected libraries:
jquery - 1.11.1 : -http://shakhvorostova.ru/media/jui/js/jquery.min.js
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
jquery-migrate - 1.2.1 : -http://shakhvorostova.ru/media/jui/js/jquery-migrate.min.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
2 vulnerable libraries detected

URLs that redirect found in: http://shakhvorostova.ru

1: hxtp://mc.yandex.ru/metrika/watch.js -> htxps://mc.yandex.ru/metrika/watch.js

Note: The URLs listed above that were found in the page you are checking are redirecting to other URLs. In many cases the redirects are legitimate so it can be tricky to determine whether or not the redirects are causing a problem. Take a look at the URL that is being redirected to -- Does it look suspicious?? Is the domain being redirected to shown on the malware warning (if you are getting one)?

One issue for SRI here: <script src="//mc.yandex dot ru/metrika/watch.js" type="text/javascript"></script>    Missing SRI hash

See: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fshakhvorostova.ru&ref_sel=GSP2&ua_sel=ff&fs=1

Code errors in:  htxp://shakhvorostova.ru/plugins/system/jcemediabox/js/jcemediabox.js?version=119
Code:
script
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     info: [decodingLevel=0] found JavaScript
     error: line:3: SyntaxError: missing ) in parenthetical:
          error: line:3: .documentElement,p=!f(e),g&&g!==g.top&amp;&(g.addEventListener?g.addEventListener("unload",function(){m()},!1):g.attachEvent&&g.attachEvent("onunload",function(){m()})),c.attributes=ib(function(a){return a.className="i",!a.getAttribute("className")}),c.ge
          error: line:3: .........................................^
Echoing two statements is causing this error, for instance Google Analytics inserting code before JSON could cause this.
Unterminated for validating - something javascript detects as unclosed - for instance + missing in some string concatenation that happened inside. Info credits StackOverflow's MikeC.

Also consider the issues flagged here: https://seomon.com/domain/shakhvorostova.ru/ ->
https://seomon.com/domain/shakhvorostova.ru/html_validator/

- (CSRF/Blind SQL Injection) Multiple Vulnerabilities and Clickjacking Vuln. in uServ/3.2.2. -> http://www.domxssscanner.com/scan?url=http%3A%2F%2Fshakhvorostova.ru   Server: nginx-reuseport/1.10.1 
 Handle case where SO_REUSEPORT may be defined but not supported by
     the running kernel.
     The update for CVE-2015-3294 caused a regression for the armel and armhf
     builds due to a newer linux-libc-dev package installed in the wheezy
     chroots used for the build. The libc headers defined SO_REUSEPORT,
     whereas the kernel in wheezy does not support it uncovering this
     problem. (Closes: #784571)
   * Set SO_REUSEADDR as well as SO_REUSEPORT on DHCP sockets when
     both are available

It doesn't look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: June 13, 2016, 01:51:22 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
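
The two findings in the post above that can be checked mechanically (a third-party script tag without an SRI hash, and no X-Frame-Options header), as an added example that is not part of the original post. The host `example.test`, the sample HTML and the sample headers are constructed placeholders; accepting a CSP `frame-ancestors` directive as framing protection goes beyond what the post mentions.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_hash(body: bytes) -> str:
    """Value for an integrity="" attribute: SHA-384 digest, base64-encoded."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptAudit(HTMLParser):
    """Collect cross-origin <script src> tags that carry no integrity attribute."""
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.missing_sri = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag != "script" or not src:
            return
        # netloc is empty for relative paths; "//host/x" (protocol-relative) has one
        host = urlparse(src).netloc
        if host and host != self.page_host and not a.get("integrity"):
            self.missing_sri.append(src)

def framing_protected(headers: dict) -> bool:
    """True if the response restricts framing via X-Frame-Options or CSP."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    return "x-frame-options" in h or "frame-ancestors" in csp

def audit(page_host: str, html: str, headers: dict) -> dict:
    parser = ScriptAudit(page_host)
    parser.feed(html)
    return {"missing_sri": parser.missing_sri,
            "framing_protected": framing_protected(headers)}

# Constructed sample input (placeholder host, not the site from the post)
SAMPLE_HTML = """<html><head>
<script src="/media/jui/js/jquery.min.js"></script>
<script src="//cdn.example.test/lib.js" type="text/javascript"></script>
<script src="//cdn.example.test/ok.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
</head></html>"""
SAMPLE_HEADERS = {"Server": "nginx", "Content-Type": "text/html"}

if __name__ == "__main__":
    print(audit("www.example.test", SAMPLE_HTML, SAMPLE_HEADERS))
    print(sri_hash(b"console.log('constructed script body');"))
```

An SRI hash only stays valid while the remote file is byte-for-byte unchanged, so it fits versioned library files better than scripts the provider updates in place.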