Author Topic: Sucuri false positive on Battle.net forums?  (Read 2843 times)


REDACTED

  • Guest
Sucuri false positive on Battle.net forums?
« on: February 01, 2017, 05:25:04 PM »
Sucuri shows a possible malware report for game developer Blizzard's official forum. However, the script that is being detected seems to be related to some expansion for their Hearthstone game, so possibly a false positive?

https://sitecheck.sucuri.net/results/us.battle.net

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not a avast user
Re: Sucuri false positive on Battle.net forums?
« Reply #1 on: February 01, 2017, 06:09:17 PM »
Use the Chat option on the Sucuri website and report it.


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: Sucuri false positive on Battle.net forums?
« Reply #2 on: February 02, 2017, 12:49:40 AM »
Sucuri is often rather accurate with their script detection.
At least we have to go through all of this and look after the undefined variables:
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fus.battle.net%2Fhearthstone
The location line in the header above has redirected the request to: -http://us.battle.net/hearthstone/en/
I see
Quote
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>8C6AFA5673340162</RequestId>
<HostId>Qz9XrXbwyCZop6O6xes95LrCSaZy7fvSWjXPV9sL+vosweVBhcLFyYdgWCnjxXamNCLb/LChgUY=</HostId>
</Error>

Certificate transparency
Signed Certificate Timestamps (SCTs)

Source | Log | Timestamp | Signature Verification
Certificate | Symantec (3esdK3oNT6Ygi4GtgWhwfi6OnQHVXIiNPRHEzbbsvsw=) | 2016-07-28 20:05:03 | Success
Certificate | Google Pilot (pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=) | 2016-07-28 20:05:03 | Success

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Re: Sucuri false positive on Battle.net forums?
« Reply #3 on: February 02, 2017, 01:09:04 AM »
Quote from: polonus on February 02, 2017, 12:49:40 AM
Sucuri is often rather accurate with their script detection.
At least we have to go through all of this and look after the undefined variables:
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fus.battle.net%2Fhearthstone
The location line in the header above has redirected the request to: -http://us.battle.net/hearthstone/en/
I see
Quote
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>8C6AFA5673340162</RequestId>
<HostId>Qz9XrXbwyCZop6O6xes95LrCSaZy7fvSWjXPV9sL+vosweVBhcLFyYdgWCnjxXamNCLb/LChgUY=</HostId>
</Error>

Certificate transparency
Signed Certificate Timestamps (SCTs)

Source | Log | Timestamp | Signature Verification
Certificate | Symantec (3esdK3oNT6Ygi4GtgWhwfi6OnQHVXIiNPRHEzbbsvsw=) | 2016-07-28 20:05:03 | Success
Certificate | Google Pilot (pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=) | 2016-07-28 20:05:03 | Success

polonus

Thanks polonus, but could you clarify what those codes technically mean?

Also I believe that the said domain "us.battle.net/hearthstone" includes that stuff, though Sucuri tends to give the alert in every us.battle.net domain scan I run.

https://sitecheck.sucuri.net/results/us.battle.net/forums

REDACTED

  • Guest
Re: Sucuri false positive on Battle.net forums?
« Reply #4 on: February 02, 2017, 12:05:07 PM »
Hey, Pernaman, how's it going?
I checked the reason why SiteCheck is triggering all http://us.battle.net/hearthstone/en/ links and it's due to its anomaly check.
Since malware doesn't have to follow any code styles, there are cases where the malicious code is appended to the header file before the <!DOCTYPE html> bracket (speaking of HTML5 guidelines).
On http://us.battle.net/hearthstone/en/ there's a script tag before the
Code:
<script>
var expansion = "mean-streets-of-gadgetzan"
</script>

<!DOCTYPE html>
This script is causing SiteCheck to trigger the URL as potentially malicious.
It would be great if battle.net guys had this fixed (moving the script tag into the <html> part), I'll try to contact them to report this issue.
If not possible, we'll whitelist it.

Thank you for the report.

Fioravante Souza
Sucuri Malware Research Lead
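To make the anomaly check Fioravante describes concrete, here is an added example (my code, not Sucuri's; SiteCheck's real heuristic is not published in this thread): it flags any <script> element that appears before <!DOCTYPE html> and accepts the same markup once the script is moved inside <html>. Both sample pages are constructed from the snippet quoted above.

```python
import re
from typing import Optional

# Doctype declaration, <script> elements and HTML comments (case-insensitive).
DOCTYPE_RE = re.compile(r"<!doctype\s+html\b", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def prelude_before_doctype(html: str) -> Optional[str]:
    """Return everything that precedes <!DOCTYPE html>, or None if absent."""
    m = DOCTYPE_RE.search(html)
    return None if m is None else html[:m.start()]


def check_doctype_anomaly(html: str) -> dict:
    """Classify a page by what sits in front of its doctype: a BOM, whitespace
    and comments are tolerated; a <script> there is 'suspicious' (the case in
    this thread), any other leftover markup is 'anomalous'."""
    prelude = prelude_before_doctype(html)
    if prelude is None:
        return {"verdict": "no-doctype", "scripts": [], "leftover": ""}
    scripts = SCRIPT_RE.findall(prelude)
    leftover = COMMENT_RE.sub("", SCRIPT_RE.sub("", prelude))
    leftover = leftover.replace("\ufeff", "").strip()
    if scripts:
        verdict = "suspicious"
    elif leftover:
        verdict = "anomalous"
    else:
        verdict = "clean"
    return {"verdict": verdict, "scripts": scripts, "leftover": leftover}


# Constructed sample: the layout quoted in the thread, script before the doctype.
AS_SERVED = """<script>
var expansion = "mean-streets-of-gadgetzan"
</script>

<!DOCTYPE html>
<html><head><title>Hearthstone</title></head><body></body></html>
"""

# Constructed sample: the fix suggested in the thread, script moved into <head>.
FIXED = """<!DOCTYPE html>
<html><head><script>
var expansion = "mean-streets-of-gadgetzan"
</script><title>Hearthstone</title></head><body></body></html>
"""
```

check_doctype_anomaly(AS_SERVED) returns the "suspicious" verdict with the one offending script, while the same page with the script inside <head> comes back "clean".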

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: Sucuri false positive on Battle.net forums?
« Reply #5 on: February 02, 2017, 05:46:19 PM »
Hi Pernaman & Pondus,

Yep, Fioravante is completely right technically speaking, as this issue should trigger an alert and is to be considered potentially risky: the redirection link comes before and outside the html header, which makes it suspicious when you check the code, and indeed the tag should be correctly implemented.

Very kind of Fioravante to come over here and explain this to us so elegantly.  ;)

Users versed in HTML5 should know about such basic design rules, but the unadvanced will not.

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!