Author Topic: We would expect a somewhat more secure website here...even alert!


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32691
  • malware fighter
We would expect a somewhat more secure website here...even alert!
« on: September 15, 2020, 05:11:49 PM »
See the 294 improvement recommendations here: https://webhint.io/scanner/56f7a082-abac-4e07-9b1a-5aa195ccb9f6
Consider the retirable jQuery here:
Quote
Retire.js
jquery   2.2.4.min   Found in -https://brightcloud.com/static/js/jquery-2.2.4.min.js
Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   
Low   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   123
Medium   CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   1
Medium   CVE-2020-11023 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS


JavaScript React Framework - errors in JS:
Quote
SyntaxError: Invalid regular expression flags
  eval ()()
  :3:98()
  Object.c [as F_c] (:2:146)()
  Object.E_u (:3:267)()
  la (eval at exec_fn (:1:147), :60:53)()
  Object.create (eval at exec_fn (:1:147), :71:325)()
  d (eval at exec_fn (:1:147), :13:89)()

Google Maps JavaScript API error: RefererNotAllowedMapError https://developers.google.com/maps/documentation/javascript/error-messages#referer-not-allowed-map-error Your site URL to be authorized: /tools/url-ip-lookup.php
 https://maps.google.com/maps/api/js?key=AIzaSyBblrddW748tBmgjwBDeaOmAbcNwaAK_S4:70 Object._.me()
 https://maps.google.com/maps-api-v3/api/js/42/4/intl/pl_ALL/common.js:92
 https://maps.google.com/maps-api-v3/api/js/42/4/intl/pl_ALL/common.js:154 Us.o()

ReferenceError: ga is not defined
 /static/js/url-ip-lookup-page.js:110 search()
 /tools/url-ip-lookup.php:3818 HTMLButtonElement.onclick()

SecurityError: Blocked a frame with origin "/" from accessing a cross-origin frame.
  injectIframes (:31:26)()
  HTMLDocument.value [as getElementsByTagName] (:47:10)()
 /static/js/jquery-2.2.4.min.js:2 Object.g.nodeType.g.documentElement.d.find.TAG()
 /static/js/jquery-2.2.4.min.js:2 f()
 /static/js/jquery-2.2.4.min.js:2 fa.select()
 /static/js/jquery-2.2.4.min.js:2 Function.fa [as find]()
 /static/js/jquery-2.2.4.min.js:2 n.fn.init.find()
 /static/js/jquery-2.2.4.min.js:2 new n.fn.init()
 /static/js/jquery-2.2.4.min.js:2 n()
 /tools/url-ip-lookup.php:817 HTMLDocument.clearMenus()

TypeError: Invalid property descriptor. Cannot both specify accessors and a value or writable attribute, #<Object>
  Function.defineProperty ()()
  doUpdateProp (:19:12)()
  :29:5()
  Array.forEach ()()
  :24:44()
  self.tp_wkBbivbickh_func (:40:5)()
  HTMLIFrameElement.get (:62:46)()
  HTMLIFrameElement.get (:72:25)()
  HTMLIFrameElement.get (:55:25)()
  HTMLIFrameElement.get [as contentWindow] (:83:25)()

TypeError: Invalid property descriptor. Cannot both specify accessors and a value or writable attribute, #<Object>
  Function.defineProperty ()()
  doUpdateProp (:19:12)()
  :29:5()
  Array.forEach ()()
  :24:44()
  self.tp_UKHqJnLpEku_func (:40:5)()
  HTMLIFrameElement.get (:62:46)()
  HTMLIFrameElement.get (:72:25)()
  HTMLIFrameElement.get (:55:25)()
  HTMLIFrameElement.get [as contentWindow] (:83:25)()

ReferenceError: ga is not defined
 /static/js/url-ip-lookup-page.js:535 toggleClassification()
 /tools/url-ip-lookup.php:1 HTMLAnchorElement.onclick()

Quick Source Review:
Quote
HTML
-brightcloud.com/tools/url-ip-lookup.php#
59,294 bytes, 655 nodes

Javascript 31   (external 16, inline 15)
-www.gstatic.com/recaptcha/releases/6TWYOsKNtRFaLeFqv5xN42-l/​recaptcha__pl.js
INLINE: self['tp_bPQfGWwlFwv_func'] = function(frame){ if (frame === null) { co
3,872 bytes

INLINE: self['tp_SxXThpOlmRp_func'] = function(frame){ if (frame === null) { co
2,226 bytes

INLINE: self['tp_SvPAmnWKouz_func'] = function(frame){ if (frame === null) { co
2,614 bytes

INLINE: self['tp_mWeUFfVrVQe_func'] = function(frame){ if (frame === null) { co
2,424 bytes

INLINE: self['tp_RjnKdVNEwKA_func'] = function(frame){ if (frame === null) { co
5,433 bytes

INLINE: /* * This entire block is wrapped in an IIFE to prevent polluting the scope of
34,624 bytes

-brightcloud.com/static/js/​jquery-2.2.4.min.js
INLINE: (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(
349 bytes

-maps.google.com/maps-api-v3/api/js/42/4/intl/pl_ALL/​common.js
INJECTED

maps.google.com/maps-api-v3/api/js/42/4/intl/pl_ALL/​util.js
INJECTED

-www.gstatic.com/charts/49/​loader.js
INJECTED

-www.gstatic.com/charts/49/js/​jsapi_compiled_default_module.js
INJECTED

-www.gstatic.com/charts/49/js/​jsapi_compiled_graphics_module.js
INJECTED

-www.gstatic.com/charts/49/js/​jsapi_compiled_ui_module.js
INJECTED

-www.gstatic.com/charts/49/js/​jsapi_compiled_corechart_module.js
INJECTED

-maps.google.com/maps-api-v3/api/js/42/4/intl/pl_ALL/​map.js
INJECTED

-maps.google.com/maps-api-v3/api/js/42/4/intl/pl_ALL/​marker.js
INJECTED

INLINE: /*! * Bootstrap v3.3.6 (-http://getbootstrap.com) * Copyright 2011-2015 Twitter
68,954 bytes

INLINE: /*! * Responsive Bootstrap Toolkit * Author: Maciej Gurban * License: MI
7,471 bytes

INLINE: var ResponsiveDetection = { foundSize: false, interval: 500, size
1,014 bytes

INLINE: (function (window, $, undefined) { "use strict"; $(document).ready(func
1,555 bytes

INLINE: var changeRequestCaptcha; var searchCaptcha; var onloadCallback = f
623 bytes

INLINE: //------------------------------------------------------------------------ // P
989 bytes

-www.gstatic.com/charts/​loader.js
-maps.google.com/maps/api/​js?key=AIzaSyBblrddW748tBmgjwBDeaOmAbcNwaAK_S4
-www.google.com/recaptcha/​api.js?onload=onloadCallback&render=explicit
-brightcloud.com/static/js/​change-request-form.js
INLINE:
4 bytes

-brightcloud.com/static/js/​url-ip-lookup-page.js
INLINE: (function (window, $, undefined) { "use strict"; $(document).ready(func
750 bytes

CSS 14   (external 3, inline 11)
brightcloud.com/static/css/​font-awesome.css
INJECTED

INLINE: -a.gootranslink:link {color: #0000FF !important; text-decoration: underline !impo
2,944 bytes INJECTED

INLINE: -a.gootranslink:link {color: #0000FF !important; text-decoration: underline !impo
2,944 bytes INJECTED

INLINE: .BDTLL_icon_ok { background-image: url(data:image/png;base64,iVBORw0KGgoAAAA
26,787 bytes INJECTED

INLINE: .BDTLL_status { cursor: pointer; display: inline; margin-right: 3px;
276 bytes INJECTED

-www.gstatic.com/charts/49/css/core/​tooltip.css
INJECTED

-www.gstatic.com/charts/49/css/util/​util.css
INJECTED

INLINE: .BDTLL_icon_ok { background-image: url(data:image/png;base64,iVBORw0KGgoAAAA
26,787 bytes INJECTED

INLINE: .BDTLL_status { cursor: pointer; display: inline; margin-right: 3px;
276 bytes INJECTED

INLINE: /*! * Bootstrap v3.3.7 (-http://getbootstrap.com) * Copyright 2011-2017 Twitter
118,033 bytes INJECTED

INLINE: .block.header_brightcloud { z-index: 100; background: #fff; top: 0; tran
20,597 bytes INJECTED

INLINE: /* push footer to bottom */ html, body { height: 100%; } body { display: flex
1,370 bytes INJECTED

INLINE: table td { vertical-align: middle; margin: 0; } #suggestCategory td{ pad
307 bytes INJECTED

INLINE: .block.footer_brightcloud { color: #fff; background: #32353B; } .block.foote
7,277 bytes INJECTED

F-grade scan results: https://observatory.mozilla.org/analyze/brightcloud.com

Outdated software detected - Security Header issues:
https://sitecheck.sucuri.net/results/https/brightcloud.com/tools/url-ip-lookup.php#
Confirmed by IP detection: https://www.virustotal.com/gui/ip-address/192.124.249.7/detection

See: https://www.virustotal.com/gui/ip-address/192.124.249.7/relations

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

« Last Edit: September 15, 2020, 05:14:34 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
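The Retire.js finding above lists CVE-2019-11358 for jQuery 2.2.4 (prototype pollution through jQuery.extend(true, {}, ...)). The following is an added example, not code from the post or from jQuery: a simplified stand-in for the pre-3.4.0 deep merge (an assumption about its behaviour, not jQuery's source), the hardened form, a probe a site owner can run against any merge helper, and a version check that also covers the 1.12.4-wp build named in the next post.

```javascript
// Added example, not code from the forum post or from jQuery. Retire.js above flags
// CVE-2019-11358: jQuery before 3.4.0 recursed into a source key named "__proto__" in
// jQuery.extend(true, {}, untrusted), which lands on Object.prototype. naiveDeepMerge is
// an assumed, simplified stand-in for that behaviour; safeDeepMerge is the fixed form.
// Like jQuery's isPlainObject, this also accepts Object.prototype itself (null prototype).
function isPlainLoose(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Simplified pre-3.4.0 behaviour: every own key is merged, "__proto__" included.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const copy = source[key];
    if (isPlainLoose(copy)) {
      const src = target[key]; // for "__proto__" this is Object.prototype
      target[key] = naiveDeepMerge(isPlainLoose(src) ? src : {}, copy);
    } else if (copy !== undefined) {
      target[key] = copy;
    }
  }
  return target;
}

// Hardened merge: skip prototype-reaching keys and only recurse into own properties.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const copy = source[key];
    if (UNSAFE_KEYS.has(key) || copy === target) continue;
    if (isPlainLoose(copy)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : {};
      target[key] = safeDeepMerge(isPlainLoose(own) ? own : {}, copy);
    } else if (copy !== undefined) {
      target[key] = copy;
    }
  }
  return target;
}

// True when mergeFn lets a "__proto__" key in parsed JSON reach Object.prototype.
function isMergePolluting(mergeFn) {
  const marker = "pp_probe_" + Math.random().toString(36).slice(2);
  const untrusted = JSON.parse(`{"__proto__": {"${marker}": true}}`); // constructed input
  try {
    mergeFn({}, untrusted);
    return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
  } finally {
    delete Object.prototype[marker]; // leave Object.prototype as it was found
  }
}

// Versions on this page (2.2.4, 1.12.4-wp) are below the fixed release 3.4.0.
function isAffectedJqueryVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error("unparsable jQuery version: " + version);
  const [major, minor] = m.slice(1).map(Number);
  return major < 3 || (major === 3 && minor < 4);
}
```

Running isMergePolluting against a site's own merge helpers is a quick self-check; the probe removes its marker afterwards, so it can run in a test suite without leaving Object.prototype modified.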

Offline polonus

Similarly with a blog that treats subjects like powershell.exe execution policy, restrict command, write etc.
One would expect the server-side website client security to be optimal there.

Not that the site is malicious or suspicious in any form or way, but it has errors and the security cannot be called optimal.
Let's analyze.

2 vulnerable retirable jQuery libraries detected: https://retire.insecurity.today/#!/scan/5c79708cad51d90cb957ab60092f278fce9fbd5a2e4406d1805f6e22d69b1241

JavaScript errors on page:
Quote
TypeError: Cannot read property 'appendChild' of null
  g (:1:615)()
  HTMLCanvasElement.c (:1:324)()
  HTMLCanvasElement.e.toDataURL (:1:1110)()
 /:117 c()
 /:117 l()
 /:117
 /:117

SyntaxError: Invalid regular expression flags
  eval ()()
  :3:98()
  Object.c [as F_c] (:2:146)()
  Object.E_u (:3:267)()
  la (eval at exec_fn (:1:147), :60:53)()
  Object.create (eval at exec_fn (:1:147), :71:325)()
  d (eval at exec_fn (:1:147), :13:89)()

ReferenceError: pardot is not defined
 -https://pardot.netspi.com/l/427532/2018-05-02/23wvr5:185
 -https://pardot.netspi.com/l/427532/2018-05-02/23wvr5:193

ReferenceError: pardot is not defined
 -https://pardot.netspi.com/l/427532/2019-05-22/2fps86:94
 -https://pardot.netspi.com/l/427532/2019-05-22/2fps86:102

Avast leaves me to block Clicky and Google Analytics on that blog website.

ZenMate has 42% of the site blocked for me of which 17% is tracking and 25% ads.

3 issues with WordPress CMS security: outdated plug-in flagged:    enlighter 4.3.0   Warning   latest release (4.3.1)
https://enlighterjs.org

Excessive info proliferation detected:  User Enumeration
The first two user ID's were tested to determine if user enumeration is possible.

Username   Name
ID: 1   karl-fosaaen   
ID: 2   scott-sutherland   
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring, as this will reduce the chance of automated password attackers gaining access. Take note that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Externally linked hosts given the all green:
Externally Linked Host       Hosting / Company Netblock      Country
-www.netspi.com              GOOGLE
-sqlwiki.netspi.com          FASTLY
-twitter.com                 TWITTER
-www.linkedin.com            MICROSOFT-CORP-MSN-AS-BLOCK
-correlatedvm.netspi.com     XO-AS15
-resolve.netspi.com          AMAZON-AES
-www.facebook.com            FACEBOOK

DOM-XSS scan results from scanning URL: -http://blog.netspi.com
Number of sources found: 5
Number of sinks found: 319

Results from scanning URL:
-https://blog.netspi.com/wp-content/plugins/google-analytics-for-wordpress/assets/js/frontend.min.js?ver=7.12.2
Number of sources found: 16
Number of sinks found: 2

Results from scanning URL: -https://blog.netspi.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Number of sources found: 115
Number of sinks found: 78

Also consider the improvement recommendations, especially those towards security here:
https://webhint.io/scanner/c2f7c5b2-b27d-4b24-bc4f-672a8f8ac1fe

Quick Source review:
Quote
HTML
-blog.netspi.com/
62,124 bytes, 647 nodes

Javascript 31   (external 16, inline 15)
-lftracker.leadfeeder.com/​lftracker_v1_4lZPGEjjaJyELpBk.js
INJECTED

INLINE: self['tp_RsfYHjEmXif_func'] = function(frame){ if (frame === null) { co
3,872 bytes

INLINE: self['tp_fOKyRBQWEBx_func'] = function(frame){ if (frame === null) { co
2,226 bytes

INLINE: self['tp_qKAQGIwevvn_func'] = function(frame){ if (frame === null) { co
2,614 bytes

INLINE: self['tp_EsFFuhyKQgg_func'] = function(frame){ if (frame === null) { co
2,424 bytes

INLINE: self['tp_jgLPhYOhXiD_func'] = function(frame){ if (frame === null) { co
5,433 bytes

-www.google-analytics.com/​analytics.js
INLINE: /* * This entire block is wrapped in an IIFE to prevent polluting the scope of
34,624 bytes

INLINE: var mi_version = '7.12.2'; var mi_track_user = true; var mi_no_
2,296 bytes

INLINE: window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji
2,132 bytes

INLINE: /* <![CDATA[ */ var monsterinsights_frontend = {"js_events_tracking":"true","do
232 bytes

-blog.netspi.com/wp-content/plugins/google-analytics-for-wordpress/assets/js/​frontend.min.js?ver=7.12.2
-blog.netspi.com/wp-content/plugins/pdf-print/js/​html2canvas.js?ver=5.5.1
-blog.netspi.com/wp-content/plugins/pdf-print/js/​jspdf.js?ver=5.5.1
INLINE: /* <![CDATA[ */ var pdfprnt_file_settings = {"margin_left":"15","margin_right":
231 bytes

-blog.netspi.com/wp-content/plugins/pdf-print/js/​front-script.js?ver=5.5.1
-blog.netspi.com/wp-includes/js/jquery/​jquery.js?ver=1.12.4-wp
-blog.netspi.com/wp-content/plugins/responsive-lightbox/assets/featherlight/​featherlight.min.js?ver=2.2.3
-blog.netspi.com/wp-content/plugins/responsive-lightbox/assets/featherlight/​featherlight.gallery.min.js?ver=2.2.3
-blog.netspi.com/wp-content/plugins/responsive-lightbox/assets/infinitescroll/​infinite-scroll.pkgd.min.js?ver=5.5.1
INLINE: /* <![CDATA[ */ var rlArgs = {"script":"featherlight","selector":"lightbox","cu
363 bytes

-blog.netspi.com/wp-content/plugins/responsive-lightbox/js/​front.js?ver=2.2.3
-blog.netspi.com/wp-content/plugins/wordpress-popular-posts/assets/js/​wpp.min.js?ver=5.2.4
INLINE: function clicky_gc(name) { var ca = document.cookie.split(';'); for (var i
372 bytes

INLINE: var clicky_site_ids = clicky_site_ids || []; clicky_site_ids.push("10080917
85 bytes

-static.getclicky.com/​js
-blog.netspi.com/wp-content/themes/netspi2018-6/dist/js/​app.min.js?ver=1586550443
-blog.netspi.com/wp-content/plugins/enlighter/cache/​enlighterjs.min.js?ver=UEhwWol3EuTw5lB
INLINE: !function(e,n){if("undefined"!=typeof EnlighterJS){var o={"selectors":{"block":
650 bytes

-blog.netspi.com/wp-includes/js/​wp-embed.min.js?ver=5.5.1
INLINE: (function(){ window.ldfdr = window.ldfdr || {}; (function(d, s, ss, fs){ fs = d
341 bytes

CSS 16   (external 11, inline 5)
INLINE: img.wp-smiley, img.emoji { display: inline !important; border: none !importan
283 bytes INJECTED

-blog.netspi.com/wp-includes/css/dist/block-library/​style.min.css?ver=5.5.1
INJECTED

-blog.netspi.com/wp-content/plugins/pdf-print/css/​frontend.css?ver=2.2.2
INJECTED

-blog.netspi.com/wp-content/plugins/responsive-lightbox/assets/featherlight/​featherlight.min.css?ver=2.2.3
INJECTED

-blog.netspi.com/wp-content/plugins/responsive-lightbox/assets/featherlight/​featherlight.gallery.min.css?ver=2.2.3
INJECTED

-blog.netspi.com/wp-content/plugins/wp-pagenavi/​pagenavi-css.css?ver=2.70
INJECTED

-blog.netspi.com/wp-content/plugins/wordpress-popular-posts/assets/css/​wpp.css?ver=5.2.4
INJECTED

-blog.netspi.com/wp-content/themes/netspi2018-6/dist/vendor/​font-awesome.min.css?ver=1.0.0
INJECTED

-use.typekit.net/​vxi4zbo.css?ver=1.0.0
INJECTED

-blog.netspi.com/wp-content/themes/netspi2018-6/dist/css/​styles.min.css?ver=1586550443
INJECTED

-blog.netspi.com/wp-content/​tablepress-combined.min.css?ver=11
INJECTED

-blog.netspi.com/wp-content/plugins/enlighter/cache/​enlighterjs.min.css?ver=UEhwWol3EuTw5lB
INJECTED

INLINE: ul li:before, .content ul li:before, .custom-content ul li:before, .page-con
144 bytes INJECTED

INLINE: -a.gootranslink:link {color: #0000FF !important; text-decoration: underline !impo
2,944 bytes INJECTED

INLINE: .BDTLL_icon_ok { background-image: url(data:image/png;base64,iVBORw0KGgoAAAA
26,787 bytes INJECTED

INLINE: .BDTLL_status { cursor: pointer; display: inline; margin-right: 3px;
276 bytes INJECTED

(source Quick Source viewer, compare to Shift-Ctrl+I)

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

« Last Edit: September 16, 2020, 03:20:02 PM by polonus »