Professionals - but not in website security!

polonus · 2017-07-03T17:56:06.000Z

Certification of their site seems OK, neatly installed SSL Com DV CA intermediate cert.
But then the insecurity starts here: 3 vulnerable libraries, folks: http://retire.insecurity.today/#!/scan/278d9105b8a45b8057cfcf5b19cefdc8524a2c8ea6af3bc4974d50474ff2b7f0
and checking SRI: 7 issues F-status: https://sritest.io/#report/a29b7349-5266-4a91-abcc-f5a7d0f43e29
D-status and recommendations: https://observatory.mozilla.org/analyze.html?host=null-byte.wonderhowto.com
Inconsistent and duplicated but google issues: http://www.dnsinspect.com/wonderhowto.com/10144375
See here for sources and sinks alerted: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fnull-byte.wonderhowto.com
Is this being blocked: htxps://ads.servebom.com/tmnhead.js

polonus (volunteer website security analyst and website error-hunter)

polonus · 2017-07-03T19:46:56.000Z

Well Chrome blocked atypical code here:
->Results from scanning URL: htxps://img.wonderhowto.com/js/done.min.js?v=0629201700
Number of sources found: 60
Number of sinks found: 64
blocked by XSS_Auditor in that browser, while trying to run a javascript unpacker report.

Nothing flagged here: https://www.virustotal.com/pl/url/4bd9aa0dd822d5685a05ef45aea5427942a1a30a444f94ad79a4c0ee499c9d77/analysis/1499109701/
Script has missing sri-hash generated.

Re: https://urlscan.io/result/b97c456f-916c-4f33-b82c-787db59c0d46/dom/
Alert:

hide linkDummyContainer" style="width:0;height:0; display: none ;

iframe ,ins,isindex,li,map,menu,noframes, noscript,object,ol,p,pre, script

/js/done.min.js?v=0629201700
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string

[[‘</span></span><span class="cur’]]

of length 271 which may point to obfuscation or shellcode. C

One of 4 such detections on this website. Consider: https://www.hybrid-analysis.com/sample/94df9a1172bc654f188d197c5afd2afacb30dafa1c2e17dd88e91e7be398a9dc

agentcallbacklogin abuse - with

invalidHandler%26%26n

polonus

polonus · 2017-07-04T11:14:20.000Z

@ those that like to dive deeper into jQuery code security for the use in websites, read on.

For this particular version of jQuery (jquery - 1.7.2 : (active1))

3rd party $.get()

autoexecutes if content type is text/javascript. * Re: https://bugs.jquery.com/ticket/11290

Sources and sinks in third party code: : https://ajax.googleapis.com/ajax/libs/jquery/1.7/jquery.min.js
error report

error: line:3: SyntaxError: missing ) in parenthetical:
error: line:3: :1),i.top<t&&i.bottom>0):!1};this._onLoad=function(){r.bPageFullyLoaded=!0};this._onResize=function(){if(!n||!n.isFullScreen||!n.isFullScreen()){var t=r._winW();r.width!=t&&(r.width=t)}};this._getActivePlacement=function(){var f=t[r.settings.type],u,n,
error: line:3: …^

Also how it relates to olark.code and settings: https://gist.github.com/draft13/9807878 (see bolded - pol).
See for this http://research.insecurelabs.org/jquery/test/
Then consider this: Missing SRI hash in the light of: Results from scanning URL: https://ajax.googleapis.com/ajax/libs/jquery/1.7/jquery.min.js
Number of sources found: 38
Number of sinks found: 21

No one buiding websites performs such testing on a regular basis like we do here, but one can easily imagine how scripts are being run, vulnerable to shellcode attacks and XSS exploits, in that case the reason to retire such script versions and retirable script is obvious:

For understanding

cl.write & inner HTML & b.value.a

exploitation, read here: htxp://howcanfix.com/28955/help-me-understand-this-javascript-exploit.
Would be a nice example to be used by TINSEC students as a test case to solve insecurity aspects (test in jslint & jsunpack), and for us here to get further protection against, also is important in general browser protection.

Remember when testing * I first got an unresponsive browser (latest flaw of Iridium, and then it collapsed), so be aware where Shellcode and Javascript can have it’s evil ways.

polonus (volunteer website security analyst and website error-hunter)

polonus · 2017-07-04T13:40:55.000Z

This code here is alerted by Google XSS-Auditor, but seems benign:

-img.wonderhowto.com/js/done.min.js?v=0703201700 benign [nothing detected]-img.wonderhowto.com/js/done.min.js?v=0703201700 status: (referer=htxp:/www.ask.com/web?q=puppies)saved 147758 bytes cf6e1e27d15d07be2c037ffb13df53bc4a3040a8 info: [img] -img.wonderhowto.com/js/{1} info: [img] -img.wonderhowto.com/images/ajax-loader.gif info: [img] -img.wonderhowto.com/js/ info: [decodingLevel=0] found JavaScript error: undefined variable jQuery error: undefined variable t.fn error: line:1: SyntaxError: missing ; before statement: error: line:1: var t.fn = 1; error: line:1: ....^

variable overall, with p including no variables strictly earlier in the list. if("undefined"==typeof jQuery)throw new Error.

Results from scanning URL:-https://img.wonderhowto.com/js/done.min.js?v=0703201700
Number of sources found: 437
Number of sinks found: 66

polonus

midnight · 2017-07-04T13:52:41.000Z

http://howcanfix.com/28955/help-me-understand-this-javascript-exploit.

I clicked on the above link and got this.

polonus · 2017-07-04T13:58:48.000Z

Hi -midnight,

Do not panick, the webshield alerted, but you were never really in danger. I would not dare.

Avast alerted here because it found parts of real code (the code in my example is harmless,
but the webshield cannot discriminate between this and the real McCoy).
Well I have broken the link for those that would not understand the alert after clicking that link (meant for code analyzers actually).

You haven’t run any risk whatsoever, but it proves if it had been used in real malicious code, the webshield would have saved you.

polonus

midnight · 2017-07-04T14:09:54.000Z

Hi polonus,

I click on a lot of your links. I didn’t panic but kind of scared me. I didn’t know that it was meant for code analyzers.

-midnight

polonus · 2017-07-04T14:47:05.000Z

Hi -midnight,

You absolutely did not run any risks whatsoever in this instance.
The webshield was just barking up a tree, but there was no tree in sight (no real payload there).

It was just some part of the code that made it show that message and blocking it for you.
So you were secure all the way from the word go and clicking the link.

Remember not to click any links I give in my postings that I have broken,
that means -http(s) or hxtp or hxtps.

polonus

Announcements