Sucuri false positive on Battle.net forums?

Sucuri shows possible malware report for game developer Blizzard’s official forum. However, the script that is being detected seems to be related to some expansion for their Hearthstone game, so possibly false positive?

https://sitecheck.sucuri.net/results/us.battle.net

Use the chat option on the Sucuri website and report it.

Sucuri is often rather accurate with their script detection.
At least we have to go through all of this and look after the undefined variables:
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fus.battle.net%2Fhearthstone
The location line in the header above has redirected the request to: -http://us.battle.net/hearthstone/en/
I see


AccessDenied
Access Denied
8C6AFA5673340162

Qz9XrXbwyCZop6O6xes95LrCSaZy7fvSWjXPV9sL+vosweVBhcLFyYdgWCnjxXamNCLb/LChgUY=

Certificate transparency
Signed Certificate Timestamps (SCTs)

| Source | Log | Timestamp | Signature Verification |
|---|---|---|---|
| Certificate | Symantec 3esdK3oNT6Ygi4GtgWhwfi6OnQHVXIiNPRHEzbbsvsw= | 2016-07-28 20:05:03 | Success |
| Certificate | Google Pilot pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA= | 2016-07-28 20:05:03 | Success |

polonus

Thanks polonus, but could you clarify what those codes technically mean?

Also I believe that the said domain “us.battle.net/heathstone” includes that stuff, though Sucuri tends to give the alert in every us.battle.net domain scan I run.

https://sitecheck.sucuri.net/results/us.battle.net/forums

Hey, Pernaman, how’s it going?
I checked the reason why SiteCheck is triggering all http://us.battle.net/hearthstone/en/ links and it’s due to its anomaly check.
Since malware doesn’t have to follow any code styles, there are cases where the malicious code is appended to the header file before the bracket (speaking of HTML5 guidelines).
On http://us.battle.net/hearthstone/en/ there’s a script tag before the

	<script>
		var expansion = "mean-streets-of-gadgetzan"
	</script>

	<!DOCTYPE html>

This script is causing SiteCheck to trigger the url as potentially malicious.
It would be great if battle.net guys had this fixed (moving the script tag into the part), I’ll try to contact them to report this issue.
If not possible, we’ll whitelist it.

Thank you for the report.

Fioravante Souza
Sucuri Malware Research Lead
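
The kind of structural check described in the post above, as an added example that is not SiteCheck's code and not part of the original thread: it reports any script element that starts before the DOCTYPE or the html start tag. The names `Recorder`, `scripts_before_document` and `SAMPLE`, and the `/static/app.js` path, are assumptions made for this sketch.

```python
from html.parser import HTMLParser

class Recorder(HTMLParser):
    """Record the order of the DOCTYPE, the <html> tag and every <script>."""
    def __init__(self):
        super().__init__()
        self.order = 0                          # running index of markup events
        self.doctype_at = self.html_at = None   # index of first DOCTYPE / <html>
        self.scripts = []                       # dicts: at, line, src, body
        self._in_script = False

    def handle_decl(self, decl):
        self.order += 1
        if self.doctype_at is None and decl.lower().startswith("doctype"):
            self.doctype_at = self.order

    def handle_starttag(self, tag, attrs):
        self.order += 1
        if tag == "html" and self.html_at is None:
            self.html_at = self.order
        elif tag == "script":
            self.scripts.append({"at": self.order, "line": self.getpos()[0],
                                 "src": dict(attrs).get("src"), "body": ""})
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:                     # script content arrives as raw text
            self.scripts[-1]["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def scripts_before_document(html):
    """Return scripts that start before the DOCTYPE or the <html> tag."""
    rec = Recorder()
    rec.feed(html)
    rec.close()
    # A marker that never appears (no DOCTYPE, no <html>) cannot be preceded.
    marks = [m for m in (rec.doctype_at, rec.html_at) if m is not None]
    return [s for s in rec.scripts if any(s["at"] < m for m in marks)]

# Constructed sample modelled on the snippet quoted in the thread.
SAMPLE = (
    '\t<script>\n\t\tvar expansion = "mean-streets-of-gadgetzan"\n\t</script>\n\n'
    '<!DOCTYPE html>\n<html>\n<head><script src="/static/app.js"></script></head>\n'
    '<body></body>\n</html>\n')

if __name__ == "__main__":
    for s in scripts_before_document(SAMPLE):
        print(f"line {s['line']}: script precedes document start: {s['body'].strip()!r}")
```

A finding from a check like this only says the markup is out of place; as in this thread, the script body still has to be read to decide whether it is harmless.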

Hi Pernaman & Pondus,

Yep, Fioravante is completely right, technically speaking, as this issue should trigger an alert
and is to be considered as potentially risky as the redirection link comes before and outside the html header,
which makes it suspicious when you check code, and indeed the tag should be correctly implemented.

Very kind of Fioravante to come over here and explain this to us so elegantly. :wink:

Users versed in HTML5 should know about such basic design rules, but the unadvanced will not know.

polonus (volunteer website security analyst and website error-hunter)