Hi Jason Xu,
Please take good notice of the following,
Just covering nsecsoft dot com infrastructure's security, I would like to emphasize:
See 9 detecting files embedding this domain, as we consider:
https://www.virustotal.com/gui/domain/www.nsecsoft.com/relations
Furthermore, for your info, this has been found to be insecure:
-http://cloud.nsecsoft.com/ phpinfo()
PHP, headers - 5.6.38
various vulnerabilities. Brings back to us a Win 32 Open SSL header there.
<meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE">
content.js:15 [VULNERS] Match httpd Apache/2.4.34 (Win32) 2.4.34 (Win32)
(anonymous) @ content.js:15
content.js:15 [VULNERS] Match OpenSSL OpenSSL/1.0.2o 1.0.2o
(anonymous) @ content.js:15
content.js:15 [VULNERS] Match cpe:/a:php:php PHP/5.6.38 5.6.38
Also consider the -10 grade results here:
https://webcookies.org/cookies/cloud.nsecsoft.com/30704296?217076
The header exposes web server version details. These serve no purpose apart from making life of security auditors and hackers easier, leading them straight to exploits for this particular version of product. WebCookies.org does offer security design and penetration testing services so we can help!
-1
PHP 5.x is end of life as of 31 December 2018 and no security updates are published after this date
Transport Layer Security (TLS) is not enabled
-2
X-Frame-Options header is missing
-2
X-XSS-Protection header is missing
-1
X-Content-Type-Options header is missing
-1
Privacy Grade = capped at C+ Links -http://www.php.net/ & -http://www.zend.com/
See the hosting party and the various vulnerabilities found there:
https://www.shodan.io/host/182.254.157.201
Note: the device may not be impacted by all of these issues. The vulnerabilities are implied based on the software and version.
3389 rdp
Problems Summary
Server certificate is issued for different domain(s) and does NOT cover -cloud.nsecsoft.com!
Server certificate is not trusted by reputable certificate stores!
One or more certificates in the certificate chain has expired!
Server supports one or more weak ciphers suites, including ciphers with weak DH exchange parameters.
Server certificate does NOT cover both domains with and without www.
Self-signed; Not Trusted - validity expired: 2019-11-08 23:48:47 UTC (expires 8 months ago)
Sent by server NOT in TRUST STORE: localhost (self-signed)
b0238c547a905bfa119c4e8baccaeacf36491ff6
RSA 1024 bits / SHA1withRSA
Errors:
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Supports Weak Ciphers.
Yours sincerely,
polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
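
The header findings listed in the post above can be reproduced on a server's own responses with a small audit function. This is an added example, not part of the original post: the sample header set is constructed from the version strings quoted there, and the function names and the exact `Server` header layout are assumptions.

```python
import re

# Constructed sample: response headers shaped like the findings quoted in the post
# (version strings are the ones the post lists; the header layout is an assumption).
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38",
    "X-Powered-By": "PHP/5.6.38",
    "Content-Type": "text/html; charset=UTF-8",
}

REQUIRED = ("X-Frame-Options", "X-XSS-Protection", "X-Content-Type-Options")
PRODUCT = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.]*)")  # product/version tokens


def audit_headers(headers, scheme="http"):
    """Return a sorted list of finding strings for one response."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if scheme != "https":
        findings.append("TLS not enabled")
    for name in REQUIRED:
        if name.lower() not in h:
            findings.append(f"{name} header is missing")
    for field in ("server", "x-powered-by"):
        for product, version in PRODUCT.findall(h.get(field, "")):
            findings.append(f"{field} discloses {product} {version}")
            if product.lower() == "php" and version.startswith("5."):
                findings.append("PHP 5.x is end of life")
    return sorted(set(findings))


def hardened(headers):
    """Return a copy with version banners reduced and the three headers set."""
    out = {k: v for k, v in headers.items() if k.lower() != "x-powered-by"}
    out["Server"] = "Apache"
    out["X-Frame-Options"] = "SAMEORIGIN"
    out["X-XSS-Protection"] = "1; mode=block"
    out["X-Content-Type-Options"] = "nosniff"
    return out


if __name__ == "__main__":
    for line in audit_headers(SAMPLE_HEADERS):
        print(line)
```

Running the same function on the hardened copy over HTTPS returns an empty list, which makes it usable as a regression check after the server configuration is changed.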