A low risk Magento website, but all is not rosy.....

See: https://www.magereport.com/scan/?s=https://www.omegawatches.com/
See: https://toolbar.netcraft.com/site_report?url=www.omegawatches.com
C+ status and recommendations: https://observatory.mozilla.org/analyze/www.omegawatches.com

But there is certainly some room for improvement here, with 3 retirable jQuery libraries detected.
Re: https://retire.insecurity.today/#!/scan/dcbc8d353a6caf738b93fc5708f8e58c74caa7921ea46d2aafcd2cc90719f3d5 **

Also watch out here with all sources and sinks flagged: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwww.omegawatches.com

Cert.: This server uses an Organizationally Validated (OV) certificate.
Information about the site owner has been validated by DigiCert Inc to help secure personal and financial information. GeoTRUST RSA CA 2018 Intermediate Certificate and a Tested Certificate in that chain.

Re: https://urlscan.io/result/9bb48b5e-5339-45f0-a219-789a393243d2 & https://webcookies.org/scan/16558326

But here we detect a front-end script issue: https://aw-snap.info/file-viewer/?protocol=secure&tgt=www.omegawatches.com%2F&ref_sel=GSP2&ua_sel=ff&fs=1
at -1 → /static/version1524733074/frontend/Omega/default/en_US/js/bundle/bundle2.min.js
See: https://aw-snap.info/file-viewer/?tgt=www.omegawatches.com/static/version1524733074/frontend/Omega/default/en_US/js/bundle/bundle2.min.js&ref_sel=GSP2&ua_sel=ff&fs=0&protocol=secure
errors on analysis:

wXw.omegawatches.com/static/version1524733074/frontend/Omega/default/US/js/bundle/bundle2.min.js
status: saved 741262 bytes c27d288f72d756fb437279ad180440ecc7277f99
info: [img] wXw.omegawatches.com/static/version1524733074/frontend/Omega/default/US/js/bundle/
info: [decodingLevel=0] found JavaScript
error: undefined variable require
error: undefined function require.config
file: c27d288f72d756fb437279ad180440ecc7277f99: 741262 bytes
Cause: undefined object being passed via Require.js (info credits go to Stack Overflow)
error in the module’s code? - pol.

strict-transport-security - max-age=300 - no best policy followed.
Page meta security headers not set secure - secure attributes not set with cookie security options, see scan above **.
HTML forms not being set secure…

Host details: https://www.shodan.io/host/23.193.182.31 Akamai, Cambridge, USA.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
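The two header findings in the post (an HSTS max-age of only 300 seconds, and cookies set without secure attributes) are easy to check from a captured response. The script below is an added example, not code from the original post or from any of the scanners it links; the header values it evaluates are constructed samples that mirror the post's findings, not captured responses from the site discussed. The one-year minimum for `max-age` is the threshold hstspreload.org applies.

```python
"""Evaluate the response headers the post flags: Strict-Transport-Security
(max-age, includeSubDomains, preload) and the Secure/HttpOnly/SameSite
attributes on Set-Cookie. Added example, not from the original post; the
header values below are constructed samples, not captured responses."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# hstspreload.org requires a max-age of at least one year (31536000 s);
# the scan in the post reported max-age=300, i.e. five minutes.
PRELOAD_MIN_MAX_AGE = 31_536_000


@dataclass
class HstsReport:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)


def evaluate_hsts(header_value: Optional[str]) -> HstsReport:
    """Parse an HSTS header value and list what a hardening scan would flag."""
    if header_value is None:
        return HstsReport(present=False,
                          findings=["Strict-Transport-Security header absent"])
    report = HstsReport(present=True)
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                report.max_age = int(value.strip().strip('"'))
            except ValueError:
                report.findings.append(
                    f"max-age value {value.strip()!r} is not an integer")
        elif name == "includesubdomains":
            report.include_subdomains = True
        elif name == "preload":
            report.preload = True
    if report.max_age is None:
        report.findings.append(
            "max-age directive missing; browsers ignore the header without it")
    elif report.max_age < PRELOAD_MIN_MAX_AGE:
        report.findings.append(
            f"max-age={report.max_age} is shorter than the "
            f"{PRELOAD_MIN_MAX_AGE} s preload minimum")
    if not report.include_subdomains:
        report.findings.append(
            "includeSubDomains missing: subdomains stay reachable over plain HTTP")
    if not report.preload:
        report.findings.append(
            "preload directive missing: not eligible for the browser preload list")
    return report


def evaluate_cookies(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Return, per cookie name, the attributes a hardening scan would flag."""
    results: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].partition("=")[0].strip()
        # Attribute names only; values such as SameSite=Lax are not needed here.
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
        findings = []
        if "secure" not in attrs:
            findings.append("Secure attribute missing")
        if "httponly" not in attrs:
            findings.append("HttpOnly attribute missing")
        if "samesite" not in attrs:
            findings.append("SameSite attribute missing")
        results[name] = findings
    return results


# Constructed samples mirroring the scan's findings (not real responses).
SAMPLE_HSTS = "max-age=300"
SAMPLE_SET_COOKIE = [
    "PHPSESSID=abc123; path=/; HttpOnly",
    "frontend=xyz789; path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for line in evaluate_hsts(SAMPLE_HSTS).findings:
        print("HSTS:", line)
    for cookie, issues in evaluate_cookies(SAMPLE_SET_COOKIE).items():
        print(cookie, issues or "ok")
```

Run against a real site, the same functions take the values of the `Strict-Transport-Security` and `Set-Cookie` headers from whatever HTTP client you already use; the parsing is deliberately case-insensitive on directive names because browsers treat them that way.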

Hi pol!

Not knowing what you’re writing about, but your theme ‘Magento …’ should contain a lot of explosives, hoping you know what I mean.
What you can’t is, that I’m on a flat in summertime, which (area=big camping!) was developed by ‘telekom’! So, you have no chance to change your internet provider!
During the last month, I had to go through some curiosities that I didn’t understand. Maybe you know more about it.
:wink:
=Snake= aka HDW38

Hi you =Snake=,

The Magento frontend code abracadabra has to do with a website developer that interchanged two code words probably, or missed something out to define in advance, so we met with the error.

Non-professionals that create websites with Drupal, WordPress and Magento for webshops etc. can easily misconfigure, or use retirable jQuery library code with vulnerabilities or older plug-ins, or leave code where the developer has left it.

That is what I write about. Have been a proctor at a Higher Educational Institute this week; the exam was on cryptography. Interesting, but an answer like “the issuer of a certificate is a script kiddy” instead of a Certificate Authority is, in my view, kind of a give-away.

Damian aka polonus (the old scan-tiger)

Just a short overview of the main security issues for above mentioned Magento website:
-wxw.omegawatches.com

(5) Domain at risk of being hijacked

Domain registrar deletion protection not enabled
Domain registrar update protection not enabled
Domain registry deletion protection not enabled
Domain registry transfer protection not enabled
Domain registry update protection not enabled

(2) Susceptible to man-in-the-middle attacks

HSTS header does not contain includeSubDomains
HSTS header not prepared for preload list inclusion
HSTS header does not contain includeSubDomains
HSTS header not prepared for preload list inclusion

(2) Emails can be fraudulently sent

SPF not enabled
DMARC not enabled

DNS is susceptible to man-in-the-middle attacks

DNSSEC not enabled (FOUND SET TO FALSE)

scan result credits go to free UpGuard Cloud Scanner

polonus
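The "Emails can be fraudulently sent" items in the overview (SPF not enabled, DMARC not enabled) come down to two TXT records: a `v=spf1` record at the domain apex and a `v=DMARC1` record at `_dmarc.<domain>`. The script below is an added example, not part of the thread or of the UpGuard scanner it credits; it audits those records offline using constructed TXT data for made-up domains, with a stand-in `lookup_txt` function where a real DNS resolver would go. It goes slightly beyond the scan's yes/no presence check by also grading the SPF terminal mechanism and the DMARC `p=` policy, since a record that exists but ends in `+all` or sets `p=none` still leaves the domain spoofable.

```python
"""Offline audit of the SPF and DMARC records behind the scan's two
'Emails can be fraudulently sent' findings. Added example, not from the
thread; all TXT data below is constructed and lookup_txt stands in for a
real resolver (swap in a DNS library to run it against a live domain)."""
from typing import Callable, Dict, List

# Constructed TXT records for made-up domains:
#   weak.example publishes nothing for email authentication,
#   good.example publishes enforcing SPF and DMARC,
#   soft.example publishes both, but with softfail and a monitor-only policy.
CONSTRUCTED_TXT: Dict[str, List[str]] = {
    "weak.example": ["some-site-verification=abc"],
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "soft.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.soft.example": ["v=DMARC1; p=none"],
}

Resolver = Callable[[str], List[str]]


def lookup_txt(name: str) -> List[str]:
    """Stand-in resolver: returns the constructed TXT strings for a name."""
    return CONSTRUCTED_TXT.get(name.lower().rstrip("."), [])


def audit_spf(domain: str, resolve: Resolver = lookup_txt) -> List[str]:
    """Report what a scanner would flag about the domain's SPF record."""
    spf = [r for r in resolve(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF not enabled (no v=spf1 TXT record at apex)"]
    findings: List[str] = []
    if len(spf) > 1:
        findings.append("multiple SPF records published; receivers treat "
                        "this as a permanent error")
    # The last mechanism decides what happens to senders nothing else matched;
    # an absent qualifier means '+', so a bare 'all' is as permissive as '+all'.
    last = spf[0].split()[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF ends with +all: any host may send as this domain")
    elif last == "~all":
        findings.append("SPF ends with ~all (softfail); -all gives receivers "
                        "a hard reject signal")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("SPF has no terminating 'all' mechanism; unmatched "
                        "senders get a neutral result")
    return findings


def audit_dmarc(domain: str, resolve: Resolver = lookup_txt) -> List[str]:
    """Report what a scanner would flag about the domain's DMARC record."""
    records = [r for r in resolve(f"_dmarc.{domain}")
               if r.lower().startswith("v=dmarc1")]
    if not records:
        return [f"DMARC not enabled (no v=DMARC1 TXT record at _dmarc.{domain})"]
    tags: Dict[str, str] = {}
    for part in records[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC policy p=none only monitors; spoofed mail is "
                        "still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC record has no valid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return findings


def audit_email_auth(domain: str, resolve: Resolver = lookup_txt) -> Dict[str, List[str]]:
    """Combine both checks into one report keyed by record type."""
    return {"spf": audit_spf(domain, resolve), "dmarc": audit_dmarc(domain, resolve)}


if __name__ == "__main__":
    for d in ("weak.example", "soft.example", "good.example"):
        print(d, audit_email_auth(d))
```

To point this at a real zone, replace `lookup_txt` with a function that returns the TXT strings for a name (for example via dnspython's `dns.resolver.resolve(name, "TXT")`), remembering that long TXT records arrive as several quoted strings that must be concatenated before parsing.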