Author Topic: Big website with so-called replay-script blocked by uOrigin...

Big website with so-called replay-script blocked by uOrigin...
« on: November 23, 2017, 11:20:13 PM »
Took a random website from a Princeton University hall of shame list - in this case having the hotjar replay script, name of the domain outbrain dot com.

The overall PrivacyScore score is below par, with 53 3rd-party embeds, among which we find 29 from known tracking & ad corporations, the mentioned hotjar script being one of those.

No HSTS has been set to protect against insecure requests; also no pre-loading and no public key pinning set.
The last setting has some problems; the wait is for something more friendly and applicable.

Again the server there is open to the Secure-Client-Renegotiation attack vulnerability, and also to the BREACH, SWEET32 and Lucky13 attacks.

No CSP header set, no XFO header, and neither an X-Content-Type-Options nor a Referrer-Policy header.

No TLS 1.2 being offered, according to the results here: https://privacyscore.org/site/34920/

Check also here to reach similar conclusions: https://observatory.mozilla.org/analyze.html?host=www.outbrain.com

Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https.

uBlock Origin blocks all of outbrain dot com for me.

Re sources and sinks: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwww.outbrain.com

Also consider the errors appearing in this script: hxtps://www.outbrain.com/script.js?version=f80704f215b146c0d269a38cb085de856f58da30
found JavaScript
     error: undefined variable $
     error: undefined function $

Note: never use 'rusty' script like this here; take care not to use $this.functionName() or self.functionName() or $self->functionName()..... or variants thereof, unless you have verified the namespace for them and placed them at the end of the file to avoid such errors. Credit for this error info goes to StackOverflow's J. Rivero.

Another 14 issues found here (mainly DNS problems): https://mxtoolbox.com/domain/www.outbrain.com/

Privacy-wise and security-wise we have a long, long way to go to make the global website infrastructure somewhat more secure. The slogan therefore stays: "All hands on deck".

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
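The header and SRI checks the post walks through, as an added Python example that is not the poster's code nor any scanner's: it reports which of the named response headers (HSTS, CSP, XFO, X-Content-Type-Options, Referrer-Policy) a response lacks, and which third-party scripts are embedded without an integrity attribute or over plain http. The header values, host names and sample HTML are constructed placeholders, not captures from the scanned site.

```python
import re
from html.parser import HTMLParser

# Headers the post reports missing; names match case-insensitively, as HTTP requires.
EXPECTED_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}

def missing_security_headers(headers):
    """Return the expected header names that a response does not carry."""
    present = {name.lower() for name in headers}
    return [name for name in EXPECTED_HEADERS if name not in present]

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # (src, integrity) for every <script src=...>
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append((attr["src"], attr.get("integrity")))

def external_script_findings(html, own_host):
    """Flag third-party scripts that lack SRI or are fetched over plain http."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        m = re.match(r"^(https?:)?//([^/:?#]+)", src)
        if not m:
            continue  # relative path, so same-origin: SRI is optional there
        scheme, host = m.group(1), m.group(2)
        if host == own_host or host.endswith("." + own_host):
            continue  # first-party host, not an external embed
        if scheme == "http:":
            findings.append((src, "loaded over http"))
        if not integrity:
            findings.append((src, "no integrity attribute"))
    return findings

# Constructed sample input (not a real capture), mirroring the post's findings.
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
SAMPLE_HTML = """<script src="/script.js"></script>
<script src="https://www.site.test/app.js"></script>
<script src="https://static.tracker.example/replay.js"></script>
<script src="http://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"></script>"""
```

Run `missing_security_headers(SAMPLE_HEADERS)` and `external_script_findings(SAMPLE_HTML, "www.site.test")` to see the four missing headers and the two flagged embeds.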