Tests and other Media topics

[polonus]

Security grade of this search engine webpage: https://www.qwant.com/
Re: https://www.shodan.io/host/194.187.168.100
See: https://webhint.io/scanner/47f3776f-d541-49f3-93c0-a8d2dfb3c168
Cookie & Security Scan report: https://webcookies.org/cookies/www.qwant.com/1128157?673125
Re: B-grade: https://observatory.mozilla.org/analyze/www.qwant.com

Errors in browser console: Refused to load the image 'hxtps://lite.qwant.com/img/v4/header/header-bg-tablet.svg?redirect=OperaMobi13.04&1539938515=' because it violates the following Content Security Policy directive: "img-src blob: 'self' s1.qwant.com s2.qwant.com s.qwant.com data: s-boards.qwant.com s-lite.qwant.com www.qwant.com".

/undefined:1 GET -https://www.qwant.com/undefined 404
Image (async)
replaceInnerHTML @ app.js?1576502819736:3
constructor @ app.js?1576502819736:3
startApplication @ bootstrap.js?1576502819736:196
(anonymous) @ bootstrap.js?1576502819736:140
b.then @ app.js?1576502819736:1
initApplication @ bootstrap.js?1576502819736:139
languageFileLoad @ bootstrap.js?1576502819736:254
load (async)
(anonymous) @ bootstrap.js?1576502819736:224

DOM-XSS issues: Results from scanning URL: -https://www.qwant.com/
Number of sources found: 2
Number of sinks found: 38

and results from scanning URL: -https://www.qwant.com/js/app.js?1576502819736
Number of sources found: 302
Number of sinks found: 1037

and results from scanning URL: -https://www.qwant.com/js/app.js?1576502819736
Number of sources found: 609
Number of sinks found: 291

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

[polonus]

Domain name cert checks.

Combine tests here, for instance: https://www.immuniweb.com/radar/?id=v4BmqgTP
and https://www.immuniweb.com/ssl/ & https://www.immuniweb.com/websec/
also https://www.immuniweb.com/websec/?id=U3EpLj3f (example)
and at https://moz.com/learn/seo/domain

Check: crt.sh for certificate transparancy scans.

polonus

[polonus]

Next to testing with Retire.JS extension inside the browser or https://retire.insecurity.today/
developed by Erlend Oftedal, we can also test at DomStorm's class selector XSS at
-> https://domstorm.skepticfx.com/modules?id=529bbe6e125fac0000000003
Other modules also available.. handy for DOM-XSS searches for sinks and sources.
Other example test: https://domstorm.skepticfx.com/modules?id=559b066c34473500003d257b

Enjoy, my friends, enjoy,

polonus

[polonus]

To make the theoretical ideas stand out more practically - when we combine retire.JS -
domstorm repository, SNYK vulners etc., is to know how to protect against this,
especially against abuse combined with payload injectors. (XSSight abuse etc.).

In general: Defenses against XSS
What input do we trust? (browser- and client-side validation)
Does it adhere to expected patterns?
Never simply reflect untrusted data.
Applies to data within our database too.
Encoding of context(Java/attribute/HTML/CSS

polonus

[polonus]

Re: http://research.insecurelabs.org/jquery/test/

Let us take a particular example with known abuse and analyse retirable jQuery library there.
Re: https://www.abuseipdb.com/check/195.62.29.11 *
Check that particular IP for "vulners": https://www.shodan.io/host/195.62.29.11 common OpenSSH abuse...
Site report: https://sitereport.netcraft.com/?url=http%3A%2F%2Fparagon.net.uk
We see an outdated Word Press CMS version there: WordPress Version 4.9.13
We see it has passed various reputation checks (questionable in the light of the abuse report, see above *)
Reputation Check
PASSED
Google Safe Browse:OK
Spamhaus Check:OK
Abuse CC:OK
Dshield Blocklist:OK
Cisco Talos Blacklist:OK

External hosts also Google Safe Browsing approved:
Externally Linked Host   Hosting Provider   Country   
    -www.godaddy.com   GTT Communications Inc.   United States    
    -www.heg.com   Host Europe GmbH   United Kingdom    
    -domains.meshdigital.com   Host Europe GmbH   United Kingdom    
    -www.domainbox.com   Host Europe GmbH   United Kingdom    
    -aboutus.godaddy.net   Dosarrest Internet Security LTD   United States   

For the DOM we go here: https://urlscan.io/result/4c8d465b-1577-496b-9b0c-3c768c8c3dd0

1 Retirable jQuery library: https://retire.insecurity.today/#!/scan/608243a0f733be6600ab4c37808b81dd7dfbaccd646f3cbc5fc5251850d95bfc

DOM-XSS Sinks and Sources there: Results from scanning URL: -https://www.heg.com/wp-includes/js/jquery/jquery.js?ver=1.12.4
Number of sources found: 41
Number of sinks found: 17

Sources, output that could be controlled - .top! .innerHTML= [name= .location. .name write( opener| .parent .open( .op= =top+ "top"
sinks, methods to do so, .value href= data= .src=

The SNYK results from webhint - hint #1: 'jQuery@1.12.4' has 2 known vulnerabilities (2 medium). See 'https://snyk.io/vuln/npm:jquery' for more information@ https://webhint.io/scanner/9d38081f-16c8-4085-a918-baedbc3e3c9c#category-security

We find two requests with regular content  on -https://www.heg.com/wp-includes/js/jquery/jquery.js?ver=1.12.4

Read: https://github.com/jquery/jquery/issues/2432

Also valuable info from: https://webcookies.org/cookies/www.heg.com/28887761?484748
about outdated PHP and excessive server info proliferation; X-Powered-By: PHP/5.4.44
The header exposes web server version details. These serves no purpose apart from making life of security auditors and hackers easier, leading them straight to exploits for this particular version of product - Server: Apache/2.2.15 (CentOS)
-> https://www.centos.org/forums/viewtopic.php?t=65285

Results of vulners webscanner extension for/on HEG website:

wXw.heg.com
Apache, headers
Not vulnerable
PHP, headers - 5.4.44 vulnerable
7.5
jQuery, headers - 1.3
Not vulnerable
jQuery, script
Not vulnerable
jQuery Migrate, script
Not vulnerable
Bootstrap, script
Not vulnerable
Font Awesome, html
Not vulnerable
Yoast SEO, html - 4.5
Not vulnerable
Wordpress - 4.9.13
Not vulnerable
2017 -Vulners.comvulners.com

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

[polonus]

Compare malicious IP scans.

Re: https://urlhaus.abuse.ch/url/294136/
IP server info: https://www.shodan.io/host/108.58.8.186
together with Netcraft's site report: https://sitereport.netcraft.com/?url=ool-6c3a08ba.static.optonline.net
Confirmation of scanning and Mirai-like infestations: https://viz.greynoise.io/ip/108.58.8.186

pol

[polonus]

Testing PHP - http://evuln.com/tools/php-security/
There are also free apllications, so I won't give that address for we don't wanna break those 
Also: https://phpstan.org/  as an online tool.
Example test on index.php: https://phpstan.org/r/2976723a-53b1-4698-8984-ccbbdee9b292

https://www.quora.com/How-do-I-view-a-PHP-source-code-of-a-website-just-like-we-see-the-HTML-and-other-codes

Sucuri also has resources: https://wordpress.org/support/topic/sucuri-auditqueue-php-and-other-files/
Re: https://www.unphp.net/decode/788b15af31089576dfcc553a4eddedd0/

Vulners extension for this site -forum.avast.com gives vuln. PHP.headers 5.4.49   7.5
-> https://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/opbyp-1/PHP-PHP.html

Often PHP could mean a "can of worms", specifically outside the kernel source of PHP based CMS like Word Press etc.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)