Interesting diuscussion why we see so many defacements on WP websites lately. Read: http://wordpress.stackexchange.com/questions/28548/wordpress-hacks-defacing
Partly I agree where they point at sloppy and insecure hosting. Furthermore there is no excuse for folks that do not fully patch or update their CMS, plug-ins and themes and even worse code that have been left by developers - or those that have User Enumeration available or Directory Indexing or can be abused via linked Javascript or linked iFrames. Where the hosting is considered I just remind you of excessive server header info proliferation, and various warnings etc - server misconfigurations, security header fails, PHP weaknesses and other exploitable code etc. etc.

I have reported many a defacement and especially those with malicious code in the “virus and worms” in the hope it may inspire some to do something about insecure websites and enhance pro-active secure hosting in some form. Often one feels like preaching for the choir and the message falling on deaf ears. See for instance here: http://killmalware.com/michaeldechiara.com/ Outdated CMS there, not the latest version of WP. A 01 type of defacement: https://sitecheck.sucuri.net/results/michaeldechiara.com#sitecheck-details
For the code and the hack: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fmichaeldechiara.com

For more general details on how websites get hacked and defaced: https://www.quora.com/How-are-websites-hacked-to-have-their-content-defaced-How-can-I-prevent-such-attacks-on-my-website

polonus

At the moment SSL security is gaining momentum through the big campaign driven by Google and others to change http to https - we know this as the “https everywhere campaign”. It only can be a big step forward when everything is implemented in the right way, encryption without (export) restrictions, served up from the right angle and not from the wrong insecure side up, etc. etc.
Right server and security header configurations and off-course certification should be O.K. and properly implemented.

And until now a lot is (still) going wrong, too many sites where log-in still goes on unencrypted and log-in data go straight over the wires.

Safer Chrome Security Report extension will set these insecure sites out. Also we get sites reported as insecure where certificates are concerned at Comodo Site report.

To-day I got an question about a certificate flagged in the Virus and Worms: https://forum.avast.com/index.php?topic=177190.0
Andrey, pro was so friendly as to translate my reply there into Russian.

A new link I give here for users to check revocation with can be found here: https://certificate.revocationcheck.com
enjoy and when issues of the report aren’t clear do not hesitate to report in the virus and worms.

A couple of other links to put your queries into are:
https://www.bluessl.com/en/ssltest
http://cyh.herokuapp.com/cyh
https://www.ultratools.com/tools/zoneFileDumpResult
http://dnscheck.iis.se/
https://certlogik.com/ssl-checker/www.reddit.com/
https://www.wormly.com/test_ssl
https://www.digicert.com/help/
https://www.ssllabs.com/ssltest/
https://sslbl.abuse.ch/intel/11c94f0bf7c5f512ddf3b016c206674a6f630dd0
http://codefromthe70s.org/certcheck.aspx
https://ssl.trustwave.com/support/support-certificate-analyzer.php?address=

enjoy,

polonus

Dear followers of this thread,

Finding far too many insecurities during my scanning is really discouraging.
Normal IT staff is not up to it, and technical IT cannot make the difference somehow,
also pro-active hosting is too few and too far in between.

Here an excample where 1600 attempts at canvas fingerprinting were blocked by my chrome extension, read the full story here: https://forum.avast.com/index.php?topic=177229.0

Now theory on best practices and actual practice isn’t often in balance.
Here I have a site author that discusses ways to block canvas fingerprinting,
but that very article site breaches your privacy with a so-called Facebook Likebutton
we find tracking us now from many, many a webpage (together with his AddThis friend and Google+ pal).

The Facebook Like-button was neatly replaced by my PrivacyBadger extension inside Google Chrome,
but one sees what experts are preaching and what they actually do online are two different things.
Here is the link to find that button (if you have an extension to set it out).
[i]http://gizmodo.com/what-you-need-to-know-about-the-sneakiest-new-online-tr-1608455771[/i]

There is also a SPOF report for that site:
Possible Frontend SPOF from:

-kinja.com - Whitelist
(100%) -
-html5shiv.googlecode.com - Whitelist
(97%) -
-pagead2.googlesyndication.com - Whitelist
(44%) -
-www.googletagservices.com - Whitelist
(7%) -
-c.amazon-adsystem.com - Whitelist
(7%) -

Not blocking these could also make that website load quite a bit slower.

Privacy is a non-existant animal to-day and that should be our conclusion. We could make it a bit more difficult for the trackers and profilers and those that dragnet us, but at the end we haven’t enough defenses.
Script and request blocking are still our best bets, but you cannot win where others forget about the security of their online visitors - outdated (server) software, outdated CMS, use of left software, misconfigurations, bad hosting, incompetence and disinterest are hard devils to fight.

polonus (volunteer website security analyst and website error-hunter)

Let us continue now with the reg ex snippets series - continued - Dangerous procedures start with ‘sp’ or ‘xp’ -‘xp_cmdshell’
allows execuring to a windows shell command through the SQL server.
access rights gained so is loadsystem/exec(\s|+)+(s|x)p\w+/ix
exec keyword to run the stored or extended procedure.
(\s|+)+ one or more white spaces or their HTTP encoded equivalents
\w+ one or more alphanumeric or underscorecharacters to complete the name of the procedure.

OS command injection flaw /(||% 00|system(|eval(|'|\)/i
| pipe symbol,word in commands to pipe, the stdout of one program into stdin of another.
%00 The null character (dex & hex 0) used in C/C++ based programs as a string delimiter -Tricked to be treated as last char to abuse PHP to read further past the NULL character.
systen( System() is a function in programming languages like PERL and PHP will execute additional external program and will display the output.
eval ( Eval() is a function in PHP. Perl and other languages which evaluates a string as PHP (Perl)–code
’ The blacktickoperation is similar to the system () function in that respect that it executes an external program.
\ The backlash is used for escaping characters. If the escaping backlash can be escaped, attackers may junp out of the escaped sequence.
Will be continued with Malicious File Execurion and reg ex…

polonus (volunteer website security analyst and website error hunter)

Continued -
Malicious File Execution
Appl. that allows users to provide a filename or part of a filename are often vulnerable if input validation is not very accurate. Manipulation of filename may cause the appl. to open up an external URL or execute a system program.

PHP has the weakness to allow URLs in include and require statements. This is cause of the most dangerous vulnerabilities in PHP applications, include “php://input”; POST include “data; base64, PDgwaH?–”
/(https?\ftp\php|data):/i protocols follwed by colon

Insecure Direct Object Reference

Internal - Files or Directories
Objects - URLs
may -Database keys (acct_no, group_id
include - Other database object names in table name

/(.|C%|:25)2E)'|(%|%25)2E)(|(%|%25)2F|\|(%|%25)5c)/i(.|(%|%25)2E)
two dots and their URL encoded equivalents & the slash and backslash and their URL-encoded equivalents
%25)5c) "but also “/”.

will be continued…

polonus

Now you can start to apreciate this Privoxy filter survey:
http://downyours.org/?filters_484a7c06c4b8474f8853a42eb790a0ded3c310d37b994e29896e4fde1ee0c668
I used this in user scripts in Tampermonkey in the Google Chrome browser.

polonus

For those in volunteer website security analysis, this passive scanning report for 1380 business websites in the Netherlands is exemplary how third party cold reconnaisance scanning could be performed. Read the pdf on results and methodology.

In the scanning there was also scanned for ftp-banners (this could be performed through a dazzlepod ip scan (banner.nse), but there we cannot share the results),for those that want to test their ftp server: https://ftptest.net/

Here you can perform various tests online: https://pentest-tools.com/network-vulnerability-scanning/openssl-heartbleed-scanner

polonus

@ polonus

Please make the results/reports clickable.
But keep the possible infectious sites non-clickable.

Still a very intersting link on security risks: https://www.owasp.org/index.php/Top_10_2010-Main
Also look here for vulnerability scanning of javascript libraries.
From working them inside sandboxes to test then as fit to use as a 100% security guarantee probably never coulkd get handed out, the interaction with other code etc. is too darned complicated.
Using strict mode. Time to retire some code libraries as vulnerable.
Also read here: http://www.educatedguesswork.org/2011/08/guest_post_adam_barth_on_three.html
It is striking that defacers code with XSS threats in mind, there you find minimal sources and sinks.
Also read here for content security policies: https://mikewest.org/2011/10/content-security-policy-a-primer
Javascript security it ain’t easy folks, it ain’t easy at all,

polonus

10 gigantic security fails from the real IT world, read here in English - by Fahmida Y. Rashid, the link goes here: → http://computerworld.nl/security/90318-10-enorme-beveiligingsblunders-van-systeembeheerders
English txt starts from line 6.

polonus

For website admins and developers that use jQuery.

While checking website for jQuery libraries to be retired at: http://retire.insecurity.today/#
polonus also went over a nice publication by Stefano di Paola on jQuery security.

This mindedsecurity.com article author came to the conslusion that jQuery has all the characteristics of a sink.
A sink, that is a function or method that can be considered as insecure, when one of its arguments
comes from untrusted input and is not correctly being validated according to the layer
the function is communicating to. So jQuery.html is a sink and no one will complain.

jQuery has also been designed to perform different operations based on argument type and content.
Using the same interface for query and executing may be a very bad idea.

jQuery as selector? Never use jQuery() or $() with a non-validated argument. No matter of what
version is being used. Check and read the code!

jQuery developers should retire all old versions (zip them all for reference).
Change and lock the jQuery do-everything behavior.
Do not allow Client side into HPP.
encodeURIComponent
Do not use $.html()with untrusted input.
Check whether it will work as expected. <.*?> :o
Please, test your RegExps.! because Client Request Proxy is frameable by design.
An unfriendly header can be attached/added X-Ms-Origin: -http://cyber.at.at.tacker
XMLHttpRequest.attr = val will make this work.
IE will see some code as valid JSON and you canb still be left with an unvalidated object!

Be cautious and shy using 3rd party services as they could produce 3rd party surprises.
HTML Injection Vulnerabilities, so test and audit all your 3rd party code!

Check using http://www.domxssscanner.com/

polonus (volunteer website security analyst and website error-hunter)

For a list of sinks in jQuery, see: https://code.google.com/p/domxsswiki/wiki/jQuery
jQuery Methods That Directly Update the DOM:
.after() .prependTo()
.append() .replaceALL()
.before() .replaceWith()
.html() .Unwrap()
.insertAfter() .wrap()
.insertBefore() .wrapAll(0
.prepend() .wrapInner()
Note text() updated DOM but it is safe.
Do not send unvalidated data to these methods or properly escape before doing so.

More danger: jQuery or $(danger) immedeately evaluates the input,
e.g. $(“”).on(),.add(html),

Further research of these 300 methods is needed to identify all the safe versus unsafe methods:
https://coderwall.com/p/h5lqla/safe-vs-unsafe-jquery-methods
http://stackoverflow.com/questions/9735045/is-jquery-text-method-xss-safe
https://blog.csnc.ch/2013/01/dom-based-xss-unsafe-javascript-functions/

polonus (volunteer website security analyst and website error-hunter)

Seems that many a nameserver and hosting or whatever server is still vulnerable to the so/called DROWn attack. One could test here:
https://test.drownattack.com/?site= Mind you that all underlaying servers and services thereof should be secure.
Checked this and it fits the Hall of Shame: https://securityheaders.io/?q=https%3A%2F%2Fbing.com
Results for bing.com
Sites that use the certificates below are vulnerable to eavesdropping. Attackers may be able to decrypt recorded traffic and steal data.
Update server software at all IP addresses shown, and ensure SSLv2 is disabled.
Would you believe these results?
https://test.drownattack.com/?site=bing.com supports SSLv2 export ciphers

polonus

@developers and code analysts,

Just read a still very actual article about the disadvantages of inline CSS and Javascript code.
Robert Nyman writes on the subject here:
https://robertnyman.com/2008/11/20/why-inline-css-and-javascript-code-is-such-a-bad-thing/
I just added a userscript, called Obtrusive Javascript Checker to the browser via Tampermonkey extension.
While I type this message I experience 25 inline events - onsubmit 1, onchange 2, onselect 1, onclick 20 and onkeyup 1
When I click the post button I enable this action:

onclick(return submitThisonce(this);

.
Nice to have this under the hood for those that analyze Javascript code every day.
For all others it Obtrusive JS Checker will mean a lot of unnecessairy clutter.

On the consequenses for Content Security Policy and CSP Violation Fixing, read here: http://www.cspplayground.com/compliant_examples

Most uses of inline scripts that would break when using CSP can be fixed by factoring the javascript out to an external .js file, and making the location of that file a CSP-approved source.

Here a CSP generator: http://cspisawesome.com/

polonus (volunteer website security analyst and website error-hunter)

While those scanning here still find many an insecurity: https://securityheaders.io/
We have online mitigating tools like this Content-Security-Policy header generator at http://cspisawesome.com/

And while we find many an insecurity here as well: https://sritest.io/
we have a SRI hash generator online here: https://www.srihash.org/

Enjoy and secure,

polonus

PHP is at the root of many an attack. That is why I come up with this link to check: http://yehg.net/encoding/index1.php
From the same developer as the Malware Script Detector v.v. 1.1. extension that runs under Tampermonkey on Google Chrome for me
and has warned me for many an unobtrusive script threat - BEAST, SQL code. Together with the blocking from Netcraft’s Extension it is great protection inside the browser.

polonus

What I would not like you to consider and why not is explained here.
Someone (Bart Blaze) was into this…he states…

Before we begin, I’d like to make clear that if you want to test your skills after reading this article or want to test malware in general, you should set up a proper testing environment. Make sure you are using a Virtual Machine if testing on your own machine, or create a machine for the sole use of testing malware and antimalware tools. In either case, it’s a good idea to use a separate network or use a DMZ should you have one. Personally I recommend having the machine connected to the internet, so the malware can do its evil work to its maximum potential and you will be able to carefully study and dissect its workings completely.

o not use shared folders between VM & host do use a separate network do use a pyisical device and no VM have antivirus solution installed on your physical device, when using a VM

Now while this set-up is meant for security research on a corporational netrwork and not for the unaware home/hobby user,
it is still rather very problematic. Leave this exploration to the professionals.

Doing this at home is unwise as it could a turn your device into a virtual malware-ridden doorstopper state
or at least make you have serious problems from your Internet provider.

When this happens over the weekend you are in big trouble and out on your own.
Furthermore some malcode is know to break out of a VM or sandbox
and could seriously hamper/tamper with your network surroundings.
Always use a separate lab setting off of the Interwebs and in perfect isolation.

Now all users here may understand why polonus went for third party cold reconnaissance.
Let third party scanners do the work for you, do pre-scanning as well and never visit a suspicious or malicious website itself.
Later I give you my experience with Malzilla but that is another story.
I like to use third party scanners, html validators, javascript unpackers, js beautifiers, php scanners,
looking where code may have access, whether there is inline code,
I look for security related information from seo scanning sites. DNS scanning, SSL scanning etc. etc.
Looking for cloaking, suspicious iFrame , difference between Google and Googlebot response code.

Whenever I stuble on code errors I read on stackoverflow and also check for the security implications.

Direct malcode access is an unwise idea for anyone without the proper tools and surroundings.
Just a single confrontation with a file infector or malcode that does not obey the VM surrounding
and starts to eat itself through your sandbox and then you are food for the birds.

And where your provider is concerned:
“Do not do the crime, if you cannot pay the time or even worse”.

Have a great first of May, ye all…

polonus

A lot of developers and javascript coders use ready made examples taken from the Interwebs.
This is a risky practice, whenever the code is buggy or even insecure, you are bound to copy that.
Do not reinvent the wheel but at least test the wheels.
A good free book to start and read: https://addyosmani.com/resources/essentialjsdesignpatterns/book/
free for non-commercial use only.

Enjoy my good friends, enjoy.

polonus

While going over these javascript design vulnerabilities we have to be aware of the top web security vulnerabilities, a nice list is being given here by Gergely Kalman: https://www.toptal.com/security/10-most-common-web-security-vulnerabilities
When you read this you will understand why we do the scans we do. Analyze the HTTP response headers, see where code is same origin, e.g. SRI Hash Website Scan, Safer Chrome Security Report, look for Cloaking and hidden iFrames, Tracker SSL insecure IDs tracking, retirable jQuery scans, CMS insecurity scans, SSL tests, DNS tests, Website and nameserver misconfiguration test (asafaweb scan etc.). DOM XSS vulnerability scan, Javascript Unpacker Scan, and various other scans.
So we have to filter untrusted input, broken authentication and involved threats, input sanitization problem (XSS), store data internally and set session variable (undefined functions and variables always form a threat vector). Security misconfigurations like user enumeration set by default and directory listing, server header info proliferation, excessive services and outdated or even left software running etc. Non-HTTPS content, lack of PFS, requests should not be able to alter the resource requested. Do not use vulnerable components (plug-ins), header injection can be rather bad,

JavaScript sources are functions or DOM properties that can be influenced by the user. Vulnerable JavaScript sources that can be exploited for a DOM-based attack include the following:

Location-based, such as location, location.href, document.URL and so on.
Client-side storage based. For instance, it could be document.cookies, sessionStorage and localStorage.
Navigation-based, such as navigation.referrer, window.name, history et al.
Cross-domain functions. See: http://www.domxssscanner.com/

Some common exploitable JavaScript sinks:

Execution-based, such as eval(), Function(), setTimeout(), setInterval() and so on.
URL-based, for instance location and location.assign().
HTML-based, such as document.write(), HTML elements and attributes.
XHR calls, postMessage, client-side storage and other JavaScript variables.

postMessage is a JavaScript function under HTML5 that facilitates communication across iframes, i.e. two iframes loaded from separate domains on the same page or between the page and an iframe within it. This communication is entirely client-side. If postMessage restrictions are set loosely, it could result in invalidated malicious data being sent across iframes or a potential data leak scenario making it possible to perform data extraction across sites. The white-list paradigm applies here as well.

With HTML5, client-side storage mechanisms have gone beyond the cookie with newer options such as localStorage, Web SQL and IndexDB. Storage of sensitive data on the client side using these mechanisms fosters a huge security risk, bigger than cookies ever posed.

Quote taken from author: Lavakumar Kuppan on HTML5 security Check using: https://html5.validator.nu/

polonus (volunteer website security analyst and website error-hunter)

P.S. Also learn about Bug Patterns: https://find-sec-bugs.github.io/bugs.htm Created by Philippe Arteau
and http://alistapart.com/blog/post/pattern-library-security-vulnerability from Mat Marquis
blog has a vulnerability by itself: Pattern Library Security Vulnerability · An A L… padlock icon
alistapart.com
Alerts (1)
Insecure login (1)
Password will be transmited in clear to http://alistapart.com/?ACT=159
Infos (1)
Encryption (HTTPS) (1)
Communication is NOT encrypted Safer Chrome Security Report.

Damian

Let us give an example from what I said about copying ready made code from the book
and then maybe also copying the vulnerabilities of that code example. Let us take a ready jQuery code pattern example from the free book I presented earlier in this thread. Let’s go.

Example from a txtbook

(function( $ ) {
 
   // Pre-compile template and "cache" it using closure
   var resultTemplate = _.template($( "#resultTemplate" ).html());
 
   // Subscribe to the new search tags topic
   $.subscribe( "/search/tags", function( e, tags ) {
       $( "#lastQuery" )
                .html("<p>Searched for:<strong>" + tags + "</strong></p>");
   });
 
   // Subscribe to the new results topic
   $.subscribe( "/search/resultSet", function( e, results ){
 
       $( "#searchResults" ).empty().append(resultTemplate( results ));
 
   });
 
   // Submit a search query and publish tags on the /search/tags topic
   $( "#flickrSearch" ).submit( function( e ) {
 
       e.preventDefault();
       var tags = $(this).find( "#query").val();
 
       if ( !tags ){
        return;
       }
 
       $.publish( "/search/tags", [ $.trim(tags) ]);
 
   });
 
 
   // Subscribe to new tags being published and perform
   // a search query using them. Once data has returned
   // publish this data for the rest of the application
   // to consume
 
   $.subscribe("/search/tags", function( e, tags ) {
 
       $.getJSON( "http://api.flickr.com/services/feeds/photos_public.gne?jsoncallback=?", {
              tags: tags,
              tagmode: "any",
              format: "json"
            },
 
          function( data ){
 
              if( !data.items.length ) {
                return;
              }
 
              $.publish( "/search/resultSet", { items: data.items } );
       });
 
   });
 
 
})( jQuery );

Tested through an unpacker the results comes up as

tested script
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined variable _
     error: undefined function $

It is working but the error seems in the PHP returning an empty string (pol).
Q.E.D. meaning as what had to be demonstrated to my audience here.

So we find complicating factors because we have to consider intricate code chains, just outside the jQuery “fit to use”
status. code.

All coding is not that easy as it presents itself at first sight, my good friends,

polonus (volunteer website security analyst and website error-hunter)