The following extensive analysis report by polonus tries to demonstrate the overall alarmingly bad security status of website software and configurations on the Interwebs. I hoped I could report anything else, but I still see not much development to make me less pessimistic; rather the situation is getting worse & worse, as the average security education level becomes further dumbed down except where technically trained IT staff is concerned.
See: http://9292.nl/reisadvies/ a very popular and much used public transport reference site for use in the Netherlands…
On this website we detect:
jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.
The latest stable version is 1.11.4, and the site mentioned in our example has version 1.8.14.
The site also has a retireable jQuery code library. It is a vulnerable older version of the library that should be retired: that means zipped for later reference, taken off and then replaced with a current version. Often websites have jQuery all sorts, just like licorice all sorts, often from the day the jQuery script was put on that site, and then they have forgotten about it; alas, hackers and attackers do not!
The problems for the mentioned site: http://9292.nl/
Detected libraries:
jquery - 1.7.2 : (active1) -http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery-ui-dialog - 1.8.16 : (active1) -http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.16/jquery-ui.min.js * & **
Info: Severity: medium
http://bugs.jqueryui.com/ticket/6016
jquery-ui-autocomplete - 1.8.16 : -http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.16/jquery-ui.min.js
(active) - the library was also found to be active by running code
2 vulnerable libraries detected
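The detection above works by reading library names and versions out of the CDN script URLs and comparing them numerically against a known cut-off. As an added illustration (not retire.js's own code, nor the site's), the script below does that over a constructed HTML snippet modelled on the URLs quoted in the post; the cut-off versions in RETIRE_BELOW are assumptions for illustration (1.11.4 is the jQuery UI latest stable quoted above, 1.9.0 is an assumed cut-off for the jQuery ticket), so confirm them against retire.js's own vulnerability data before relying on them.

```python
import re

# Constructed sample of <script> tags, modelled on the CDN URLs quoted in the post.
SAMPLE_HTML = """
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
<script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.16/jquery-ui.min.js"></script>
<script src="/static/scripts.js?1.15.5.14"></script>
"""

# Library name as it appears in the Google CDN path -> first version that is NOT
# retireable. Assumed values for illustration only (see lead-in); retire.js ships
# the authoritative ranges.
RETIRE_BELOW = {
    "jquery": (1, 9, 0),
    "jqueryui": (1, 11, 4),
}

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
CDN_LIB = re.compile(r'/ajax/libs/(?P<lib>[a-z]+)/(?P<ver>\d+(?:\.\d+)*)/', re.I)


def parse_version(text):
    """'1.8.16' -> (1, 8, 16). Compare as int tuples: as strings "1.8" > "1.11"."""
    return tuple(int(part) for part in text.split("."))


def find_retireable(html):
    """Return [(library, found_version, minimum_ok_version), ...] for CDN scripts."""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        match = CDN_LIB.search(src)
        if not match:
            continue  # first-party or unrecognised script: no version in the URL
        lib = match.group("lib").lower()
        found = parse_version(match.group("ver"))
        floor = RETIRE_BELOW.get(lib)
        if floor and found < floor:
            findings.append((lib, match.group("ver"), ".".join(map(str, floor))))
    return findings


if __name__ == "__main__":
    for lib, found, minimum in find_retireable(SAMPLE_HTML):
        print(f"{lib} {found} is retireable, update to at least {minimum}")
```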
Then we have vulnerable code here: http://www.domxssscanner.com/scan?url=http%3A%2F%2F9292.nl%2Fstatic%2Fscripts.js%3F1.15.5.14 with
Results from scanning URL: -http://9292.nl/static/scripts.js?1.15.5.14
Number of sources found: 133
Number of sinks found: 115 going to a cache-ams4138-AMS 1452427687 1037318833 on a varnish cache server →
Results from scanning URL: -http://www.i.cdn.cnn.com/.a/1.231.2/js/cnn-header-first.min.js (Pop-up Player code)
Number of sources found: 66
Number of sinks found: 19
&
Results from scanning URL: //-cdn.optimizely.com/js/131788053.js
Number of sources found: 1
Number of sinks found: 2
This external link becomes blocked by Adguard for me: -https://reisinformatiegroep.piwikpro.com/piwik.js
and flagged at VT: https://www.virustotal.com/en/domain/reisinformatiegroep.piwikpro.com/information/
Again this illustrates that one cannot go onto the Internet without a decent adblocker of sorts, and that is evident now, because all of the Internet has become poisoned by such crap; but user surveillance is the main product here.
Then we have the tracking problem connected with this surveillance: 88% of the trackers on this site could be protecting you from NSA snooping. Tell -9292.nl to fix it. Tracking IDs: Unique IDs about your web browsing habits have been insecurely sent to third parties.
-www.google.com nid
d5fb79cbXXXXXXXXXXX42d9651ae2ac1a1445965753 local.adguard.com __cfduid (secure according to Adguard)
Then the site can be slowed down by this:
Possible Frontend SPOF from:
html5shiv.googlecode.com - Whitelist
(93%) -
(93%) -
ajax.googleapis.com - Whitelist
(93%) - *
(93%) - **
cdn.adnxs.com - Whitelist
(89%) -
(1%) -
www.google.com - Whitelist
(71%) -
Then we have security header insecurity: (better than the 97% average, but still open to great improvement)
We detected 4 Happy Findings on 9292.nl. According to the data we have gathered 9292.nl scores better than 97% of sites out there. Even though your site is better than many others, you probably have not implemented any of our HTTP header recommendations for security. The good news is that many of these fixes take very little time to implement and have a big impact! X-Frame-Options does not appear to be found in the site’s HTTP header, increasing the likelihood of successful clickjacking attacks. Strict-Transport-Security does not appear to be found in the site’s HTTP header, so browsers will not try to access your pages over SSL first. nosniff does not appear to be found in the site’s HTTP header, allowing Internet Explorer the opportunity to deliver malicious content via data that it has incorrectly identified to be of a certain MIME type. We did not detect Content-Security-Policy, x-webkit-csp, or even x-webkit-csp-report-only in the site’s HTTP header, making XSS attacks more likely to succeed.
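To make the four findings concrete, here is an added example (not the scanner's code, nor anything from the site) that audits a response-header mapping the same way: WEAK is a constructed header set mirroring the report above (none of the four headers present), HARDENED is an example corrected set, and audit_headers returns which recommendations are still unmet. The six-month max-age minimum and the CSP allow-list for the Google CDN are assumptions for illustration.

```python
import re

# Constructed response headers. WEAK mirrors the findings above; HARDENED adds the
# four headers the report asks for (values are illustrative assumptions).
WEAK = {"Content-Type": "text/html; charset=utf-8", "Server": "Varnish"}
HARDENED = dict(WEAK, **{
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://ajax.googleapis.com",
})

MIN_HSTS_AGE = 15768000  # six months in seconds; assumed minimum for this check


def audit_headers(headers):
    """Return [(header, problem), ...] for a dict of HTTP response headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    # Clickjacking: frame ancestors must be restricted.
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options", "missing or not DENY/SAMEORIGIN; clickjacking possible"))

    # HSTS: present and with a max-age long enough to matter.
    age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append(("Strict-Transport-Security", "missing or max-age below six months"))

    # MIME sniffing: the only valid value is nosniff.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "nosniff not set; MIME sniffing possible"))

    # CSP: an enforced policy (either header name); report-only alone does not block.
    enforced = h.get("content-security-policy") or h.get("x-webkit-csp")
    report_only = h.get("content-security-policy-report-only") or h.get("x-webkit-csp-report-only")
    if not enforced and not report_only:
        findings.append(("Content-Security-Policy", "no policy at all; XSS not contained"))
    elif not enforced:
        findings.append(("Content-Security-Policy", "report-only policy; nothing is blocked"))
    return findings


if __name__ == "__main__":
    for header, problem in audit_headers(WEAK):
        print(f"{header}: {problem}")
    print("hardened set open findings:", audit_headers(HARDENED))
```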
Conclusion: a lot of website admin staff have not been trained specifically with security in mind.
This situation should improve, but very often I feel just like the proverbial voice in the wilderness,
polonus (volunteer website security analyst and website error hunter)