Non-malicious but still a gigantic amount of sites with vulnerable old software!

The following extensive analysis report by polonus tries to demonstrate the overall alarmingly bad security status of website software and configurations on the Interwebs. I hoped I could report something else, but I still see not much development to make me less pessimistic; rather the situation is getting worse & worse, as the average security education level becomes further dumbed down, except where technically trained IT staff are concerned.

See: http://9292.nl/reisadvies/, a very popular and much used public transport reference site in the Netherlands…
On this website we detect:
jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.
The latest stable version is 1.11.4 and mentioned site in our example has version 1.8.14
The site also has a retireable jQuery code library. It is a vulnerable older version of the library that should be retired, that means zipped for later reference, taken off and then updated with an actual version. Often websites have jQuery all sorts, just like licorice all sorts, often from the day the jQuery script was put on that site and then they have forgotten about it, alas hackers and attackers do not!
The problems for mentioned site: http://9292.nl/
Detected libraries:
jquery - 1.7.2 : (active1) -http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery-ui-dialog - 1.8.16 : (active1) -http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.16/jquery-ui.min.js * & **
Info: Severity: medium
http://bugs.jqueryui.com/ticket/6016
jquery-ui-autocomplete - 1.8.16 : -http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.16/jquery-ui.min.js
(active) - the library was also found to be active by running code
2 vulnerable libraries detected
Then we have vulnerable code here: http://www.domxssscanner.com/scan?url=http%3A%2F%2F9292.nl%2Fstatic%2Fscripts.js%3F1.15.5.14 with
Results from scanning URL: -http://9292.nl/static/scripts.js?1.15.5.14
Number of sources found: 133
Number of sinks found: 115 going to a cache-ams4138-AMS 1452427687 1037318833 on a varnish cache server →
Results from scanning URL: -http://www.i.cdn.cnn.com/.a/1.231.2/js/cnn-header-first.min.js (Pop-up Player code)
Number of sources found: 66
Number of sinks found: 19
&
Results from scanning URL: //-cdn.optimizely.com/js/131788053.js
Number of sources found: 1
Number of sinks found: 2

This external link becomes blocked by Adguard for me: -https://reisinformatiegroep.piwikpro.com/piwik.js
and flagged at VT: https://www.virustotal.com/en/domain/reisinformatiegroep.piwikpro.com/information/
Again illustrating that one cannot go onto the Internet without a decent adblocker of sorts and that is evident now.
Because all of the Internet became poisoned by such crap, but user surveillance is the main product here.

Then we have the tracking problem connected with this surveillance: 88% of the trackers on this site could be protecting you from NSA snooping. Tell -9292.nl to fix it. Tracking IDs: Unique IDs about your web browsing habits have been insecurely sent to third parties.

-www.google.com nid
d5fb79cbXXXXXXXXXXX42d9651ae2ac1a1445965753 local.adguard.com __cfduid (secure according to Adguard’s)

Then the site can be slowed down by this:
Possible Frontend SPOF from:

html5shiv.googlecode.com - Whitelist
(93%) -
(93%) -
ajax.googleapis.com - Whitelist
(93%) - *
(93%) - **
cdn.adnxs.com - Whitelist
(89%) -
(1%) -
www.google.com - Whitelist
(71%) -

Then we have security header insecurity: (better than the 97% average, but still open to great improvement)
We detected 4 Happy Findings on 9292.nl. According to the data we have gathered 9292.nl scores better than 97% of sites out there. Even though your site is better than many others, you probably have not implemented any of our HTTP header recommendations for security. The good news is that many of these fixes take very little time to implement and have a big impact! X-Frame-Options does not appear to be found in the site’s HTTP header, increasing the likelihood of successful clickjacking attacks. Strict-Transport-Security does not appear to be found in the site’s HTTP header, so browsers will not try to access your pages over SSL first. nosniff does not appear to be found in the site’s HTTP header, allowing Internet Explorer the opportunity to deliver malicious content via data that it has incorrectly identified to be of a certain MIME type. We did not detect Content-Security-Policy, x-webkit-csp, or even x-webkit-csp-report-only in the site’s HTTP header, making XSS attacks more likely to succeed.

Conclusion: a lot of website admin staff have not been trained specifically with security in mind.
This situation should improve, but very often I feel just like the proverbial voice in the wilderness.

polonus (volunteer website security analyst and website error hunter)

To give another example of a website that is not infected with malware now, but could be attacked and infested again any minute from now,
see htxp://brono.net. Non-malign: http://killmalware.com/brono.net/
Detected retirable jQuery:
Detected libraries:
jquery-migrate - 1.2.1 : -http://brono.net/wp-includes/js/jquery/jquery-migrate.min.js?ver=efd250c4ec2d22827d0a38ff24d80a73
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 1.11.3 : (active1) -http://brono.net/wp-includes/js/jquery/jquery.js?ver=efd250c4ec2d22827d0a38ff24d80a73
(active) - the library was also found to be active by running code
1 vulnerable library detected

Site supports http://gmpg.org/xfn/ Xhtml Friends Network.
See: http://zulu.zscaler.com/submission/show/ab2fcfa7db8e4844065ef7fb73ca343e-1452439516

Vulnerable: Warning Directory Indexing Enabled
In the test we attempted to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is an information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/ enabled
/wp-content/plugins/ disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

SPOF issues: Possible Frontend SPOF from:

fonts.googleapis.com - Whitelist
(85%) -
(82%) -

Site is on Dreamhost. Some issues: http://www.dnsinspect.com/brono.net/1452440267

Header not returned Insecure x-xss-protection

Header not returned Insecure x-frame-options

Header not returned Insecure content-security-policy

Header not returned Insecure gstatic.code

The ‘Autocomplete’ property is used to control if the browser is permitted to autocomplete certain forms or specific form fields. Using this property to turn autocomplete off can provide enhanced privacy and security. This is generally considered a low risk issue except for username and other highly sensitive fields (marked with an information icon for insecure connections). In Internet Explorer if a page is retrieved over a secure connection and the ‘cache-control’ HTTP or meta headers are set to ‘not-store’ then autocomplete will automatically be disabled. No best policy configuration detected.

Secure Configuration
Use the autocomplete property to disable the autocomplete feature on sensitive forms or specific input fields sent over secure connections. No best policy configuration detected.

Now also consider: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fbrono.net%2Fwp-includes%2Fjs%2Fjquery%2Fjquery-migrate.min.js%3Fver%3Defd250c4ec2d22827d0a38ff24d80a73
landing at: -http://designerswallpaper.zohosites.com/js/bootstrap.js
Number of sources found: 17
Number of sinks found: 8 re: http://toolbar.netcraft.com/site_report?url=http://designerswallpaper.zohosites.com

Now, to make the evaluation somewhat more complete, the techniques being used on this website:
brono.net
Web Servers
Apache
Apache has been the most popular web server on the Internet since April 1996.
Email Hosting Providers
DreamHost
Email hosting with domain purchases.
Name Server
Dreamhost DNS
DNS services provided by Dreamhost.
Content Management System
WordPress
WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability.
WordPress 4.3
Ecommerce
WooCommerce
Transforms your WordPress website into an online store.
Frameworks
PHP
PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.
Analytics and Tracking
Google Analytics
Google Analytics offers a host of compelling features and benefits for everyone from senior executives and advertising and marketing professionals to site owners and content developers.
JavaScript Libraries and Functions
jQuery
jQuery is a fast, concise JavaScript Library that simplifies how you traverse HTML documents, handle events, perform animations, and add Ajax interactions to your web pages. jQuery is designed to change the way that you write JavaScript.
jQuery Cookie
A simple, lightweight jQuery plugin for reading, writing and deleting cookies.
Nivo Slider
A polished jQuery Slider plugin.
jQuery BlockUI
jQuery BlockUI Plugin lets you simulate synchronous behavior when using AJAX, without locking the browser.
jQuery Form
jQuery Form Plugin allows you to easily and unobtrusively upgrade HTML forms to use AJAX.
Widgets
Google Font API
The Google Font API helps you add web fonts to any web page.
WordPress Plugins
Plugins are tools to extend the functionality of WordPress. The website uses various plugins from WordPress to provide additional functionality. Some of them may be listed here.
Yoast Plugins
SEO based plugins from Yoast.
Yoast WordPress SEO Plugin
Wordfence
Wordfence Security is a free enterprise class security and performance plugin for WordPress.
Contact Form 7
Specifically designed for WordPress blogs. Contact Form 7 can manage multiple contact forms, plus you can customize the form and the mail contents flexibly with simple markup.
Sitelinks Search Box
With Google sitelinks search box, people can reach your content more quickly from search results.
Mobile
Viewport Meta
This page uses the viewport meta tag which means the content may be optimized for mobile content.
Syndication Techniques
Really Simple Discovery
Really Simple Discovery is a way to help client software find the services needed to read, edit, or “work with” weblogging software.
RSS
A family of web feed formats used to publish frequently updated content such as blog entries, news headlines or podcasts.
Live Writer Support
Windows Live Writer Tagging Support Schema
Pingback Support
A Pingback is one of three types of Linkbacks, methods for Web authors to request notification when somebody links to one of their documents. (data info via BuiltWith)

polonus
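Both posts quote scanner output about missing response headers (X-Frame-Options, Strict-Transport-Security, nosniff, the CSP variants, X-XSS-Protection). The checker below is an added example, not polonus's or either scanner's code, that applies those same checks to a header mapping; the two header sets in it are constructed samples, not captures from 9292.nl or brono.net.

```python
"""Flag the security-header gaps the scanners above report, given a response's headers."""
from typing import Dict, List

# Headers whose absence the posts call out, with the risk each one addresses.
REQUIRED = {
    "x-frame-options": "clickjacking: the page may be framed by other origins",
    "strict-transport-security": "no HSTS: browsers will not insist on HTTPS",
    "x-content-type-options": "no nosniff: browsers may MIME-sniff responses",
    "x-xss-protection": "no X-XSS-Protection header",
}
# Any of these counts as a CSP being present (the scanner looks for all of them).
CSP_NAMES = ("content-security-policy", "content-security-policy-report-only",
             "x-webkit-csp", "x-webkit-csp-report-only")


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per problem; header names are compared case-insensitively."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, problem in REQUIRED.items():
        if name not in lower:
            findings.append(f"missing {name}: {problem}")
    # The header only helps with exactly the value 'nosniff'.
    if lower.get("x-content-type-options", "").lower() not in ("", "nosniff"):
        findings.append("x-content-type-options present but not 'nosniff'")
    if not any(n in lower for n in CSP_NAMES):
        findings.append("missing Content-Security-Policy (no CSP header variant found)")
    hsts = lower.get("strict-transport-security", "")
    if hsts and "max-age=0" in hsts.replace(" ", ""):
        findings.append("strict-transport-security has max-age=0, which disables HSTS")
    return findings


# Constructed samples: the first mirrors the findings quoted above (no security
# headers at all), the second is a hardened configuration that passes every check.
WEAK_HEADERS = {"Server": "Varnish", "Content-Type": "text/html; charset=utf-8"}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, check_security_headers(hdrs) or ["no findings"])
```

To run it against a live site, feed it the `dict(resp.headers)` of an HTTPS response fetched with `urllib.request`; the checks themselves need no network access.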