Test a website for SSL and the use of the latest security techniques:

Re: http://toolbar.netcraft.com/site_report?url=https://voordebuurt.nl
21% https://en.internet.nl/domain/voordebuurt.nl/92003/

check on certification: https://cryptoreport.websecurity.symantec.com/checker/ & https://www.digicert.com/help/

See complete results: https://observatory.mozilla.org/analyze.html?host=voordebuurt.nl#third

sub-results: https://www.htbridge.com/ssl/?id=rU3dptL3 & https://hstspreload.org/?domain=voordebuurt.nl (failed here)…

polonus

Ransomware IP trackers:

https://ransomwaretracker.abuse.ch/tracker/

http://vxvault.net/ViriList.php?IP=207.58.143.135

https://www.scumware.org/report/207.58.143.135.html

https://tracker.h3x.eu/download/400 re: https://tracker.h3x.eu/about/400 (with more public tracker lists)

https://github.com/firehol/blocklist-ipsets/blob/master/hphosts_emd.ipset

http://6ca08333.fingerprinted.domains/

enjoy, my good friends, enjoy,

polonus (volunteer website security analyst and website error-hunter)

Various best-known URL scan resources:

  • Google Safe Browsing Diagnostic (see malware diagnostics): https://transparencyreport.google.com/safe-browsing/search#url=
  • McAfee Threat Intelligence (instant lookup): http://www.mcafee.com/threat-intelligence/domain/?domain=
  • McAfee SiteAdvisor (instant lookup): http://www.siteadvisor.com/sites/
  • Norton Safe Web (instant lookup): https://safeweb.norton.com/report/show?url=
  • AVG ThreatLabs (instant lookup): http://www.avgthreatlabs.com/sitereports/domain/
  • SpamHaus Domain Block List (instant lookup): https://www.spamhaus.org/query/dbl?domain=
  • Web of Trust (WOT) (instant reputation lookup): https://www.mywot.com/en/scorecard/freeflightoffers.com (WOT scan resource lost trust once)
  • Alexa (website ranking/statistics): http://www.alexa.com/siteinfo/
  • DomainTools (review domain Whois data; validation required): http://whois.domaintools.com/
  • SecureBrain Gred (recommended; real-time URL/links scan): http://check.gred.jp/?url=
  • Unmask Parasites (real-time URL quick scan): http://www.unmaskparasites.com/security-report/?page=
  • VirusTotal (look up website risk): https://www.virustotal.com/en/#url
  • F-Secure Browsing Protection (look up website risk): https://www.f-secure.com/pl_PL/welcome
  • Trend Micro Site Safety (look up website risk): https://global.sitesafety.trendmicro.com/
  • URL Void (look up website risk): http://www.urlvoid.com/
  • PhishTank (search website/URL phishing reports): http://www.phishtank.com/
  • ScumWare.org (search website/URL malware reports): http://www.scumware.org/search.scumware
  • StopBadware.org Clearinghouse (search website malware reports): https://www.stopbadware.org/clearinghouse/search
  • MalwareURL (search website malware reports): http://www.malwareurl.com/listing-urls.php
  • urlQuery (real-time scan of a specific URL): http://urlquery.net/
  • Sucuri SiteCheck (real-time scan of a specific URL): http://sitecheck.sucuri.net/
  • Comodo Site Inspector (real-time scan of a specific URL): http://siteinspector.comodo.com/
  • Zscaler Zulu URL Risk Analyzer (real-time scan of a specific URL): https://zulu.zscaler.com/
  • Quttera (real-time scan of a specific URL or website): https://www.quttera.com/#online url malware scanner

Enjoy, my good friends, enjoy…

A specific Scientology-critical resource: https://umbraxenu.no-ip.biz/mediawiki/index.php/Anonymous_and_critic_sites

A good (re)searcher can beat any hacker any time all of the time.

polonus

How to track URL redirects in the browser: https://superuser.com/questions/242138/how-to-track-url-redirects-in-the-browser

and to see where they end up: http://redirectdetective.com/

Enjoy, my good avast friends, enjoy,

polonus (volunteer website security analyst and website error-hunter)

Oh, Firebug Lite, nice extension…

JQuery is a sink!

Read: http://blog.mindedsecurity.com/2011/07/jquery-is-sink.html
and https://ttmm.io/tech/jquery-xss/

Understand, while polonus continuously scans here: http://retire.insecurity.today/ and here: http://www.domxssscanner.com/

A function or method can be considered insecure when one of its arguments comes from untrusted input

(check at https://observatory.mozilla.org/ whether content is being protected properly: CORS,

  • same origin - SRI hashes generated)

and is not correctly validated according to the layer the function is communicating with.

jQuery.html is a sink and no one so far complains.

jQuery is also designed to perform different operations based on argument type and content.

Using the same interface for query and executing is a “bad idea”.

jQuery as selector?

Never use jQuery() or $() with an unvalidated argument. No matter what version is being used. Read the code!

jQuery developers retire old versions (zip them all for reference). What one acquires, one also should retire!
Change and lock jQuery do-everything behaviour.

Do not allow the client side into HTTP encodeURIComponent. Do not use $.html() with untrusted input.
Check they work as expected <.*?>
Test your RegExps.
Client Request Proxy is Frameable by design!
unfriendly header added
x-Ms-Origin: http://cyber.at.track.er
XMLHttpRequest.attr=val
IE sees some code as valid JSON you can still be left with an unvalidated object!
Be shy using 3rd party services that produces 3rd party surprises.
HTML Injection Vuln.
Test and audit all 3rd-party code (jsunpack).
AngularJS has interesting injections.

Info credits go to Stefano Di Paola of Minded Security dot com.

jQuery methods that directly update the DOM

.after(), and likewise .append(), .before(), .html(), .insertAfter(), .insertBefore(), .prepend(), .prependTo(), .replaceAll(), .replaceWith(), .unwrap(), .wrap(), .wrapAll(), .wrapInner(), all used as .method(); .text() also updates the DOM but is safe.

Do not send unvalidated data to these methods, or properly escape before doing so.

More danger: $() immediately evaluates the input, e.g. $("").

jQuery.globalEval()

All event handlers: .bind(events), .bind(type [, data], handler), .on(), .add(html).

More research is needed to identify all the safe versus unsafe methods.

polonus (volunteer website security analyst and website error-hunter)
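An added example, not code from the post above, from Minded Security or from jQuery itself: it reproduces jQuery's own "is this argument HTML or a selector?" decision for three generations of $() and shows the two escapes a practitioner needs. The regexes are the ones from jQuery's source; the version labels, helper names (treatedAsHtml, toIdSelector, escapeHtml) and the sample payload are my own, and it runs under plain Node because only that decision, not the DOM, is needed to see where the sink is.

```javascript
// Added example for this thread (not from the forum post or from jQuery):
// why jQuery() / $() with untrusted input is a sink, and how the sink moved
// between versions. The regexes are jQuery's rquickExpr/quickExpr; the
// helper names are mine. Runs under Node without jQuery.

// jQuery < 1.6.3: anything could precede the first "<", so "#<img ...>"
// taken from location.hash was handed to the HTML parser.
const QUICK_EXPR_PRE_163 = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// jQuery 1.6.3 .. 1.8.x: a "#" before "<" no longer counts as HTML.
const QUICK_EXPR_163_TO_18 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// jQuery >= 1.9: the argument is HTML only when it starts with "<".
const QUICK_EXPR_19_PLUS = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

const QUICK_EXPR_BY_VERSION = {
  'pre-1.6.3': QUICK_EXPR_PRE_163,
  '1.6.3-1.8': QUICK_EXPR_163_TO_18,
  '1.9+': QUICK_EXPR_19_PLUS,
};

// True when jQuery of that generation routes `arg` to the HTML parser, which
// creates the elements and fires any onerror/onload handler in them.
function treatedAsHtml(arg, version) {
  const m = QUICK_EXPR_BY_VERSION[version].exec(arg);
  return m !== null && m[1] !== undefined;
}

// Per-version verdict for one argument, e.g. the page's location.hash.
function sinkReport(arg) {
  const report = {};
  for (const version of Object.keys(QUICK_EXPR_BY_VERSION)) {
    report[version] = treatedAsHtml(arg, version);
  }
  return report;
}

// Mitigation 1: if the untrusted string is meant as an element id, escape it
// into a selector the way jQuery.escapeSelector / CSS.escape do (printable
// ASCII assumed; control characters would need the hex form). Note that on
// jQuery < 1.6.3 even this is still parsed as HTML, which is why the old
// branch has to be retired rather than worked around.
function toIdSelector(untrustedId) {
  return '#' + untrustedId.replace(/[^\w-]/g, (c) => '\\' + c);
}

// Mitigation 2: if the untrusted string is meant as text, escape it before it
// reaches .html(), .append(), .after(), ... (or use .text(), which is safe).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Constructed attacker-controlled fragment, as a page doing $(location.hash) sees it.
const HASH_PAYLOAD = '#<img src=x onerror=alert(1)>';
console.log('$(location.hash):', sinkReport(HASH_PAYLOAD));
console.log('$("<" + untrusted):', sinkReport('<img src=x onerror=alert(1)>'));
console.log('escaped id selector:', toIdSelector('<img src=x onerror=alert(1)>'));
console.log('escaped text:', escapeHtml('<img src=x onerror="alert(1)">'));
```

Run it with node. The report shows that a hash like #<img …> was HTML for pre-1.6.3 jQuery, stopped being HTML in 1.6.3, and that since 1.9 only strings starting with < are HTML, so $("<div>" + untrusted) stays a sink on every version, while the escaped id selector is still parsed as HTML by the oldest branch. The version-independent rule is the one the post gives: never pass untrusted data to $(); look the element up with document.getElementById(untrusted), or insert the data with .text().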

P.S. Interesting read on the dangers of 3rd-party scripts:
https://css-tricks.com/potential-dangers-of-third-party-javascript/

and https://hackcabin.com/post/managing-async-dependencies-javascript/

Damian

All you want to know about JavaScript: http://exploringjs.com/
The latest developments, async functions: http://exploringjs.com/es2016-es2017/ch_async-functions.html#ch_async-functions

Recent news: https://www.theregister.co.uk/2017/09/26/allen_wirfs_brock_interview/

Security issues: https://docstore.mik.ua/orelly/webprog/jscript/ch21_01.htm and many, many more…

polonus

Checking on PHP code → http://evuln.com/tools/php-security/

Example: see attached txt… (this for security reasons, as the security-savvy will understand why the code is a txt file)

polonus

P.S. consider exploits like these: https://www.exploit-db.com/exploits/35743/
Then you like to get such a reaction of the server: "Not Acceptable!

An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.".

D

How to check on blocklist - added this one to uBlock 0 - http://sanyalnet-cloud-vps.freeddns.org/mirai-ips.txt
Checked this IP 1.180.235.36 → https://www.abuseipdb.com/check/1.180.235.36
reported there 23 times → also here: https://cleantalk.org/blacklists/1.180.235.36

pol

uBlock Origin found a way against this, but initially this malvertising campaign overcame adblockers:

https://www.technibble.com/forums/threads/malvertising-campaign-finds-a-way-around-ad-blockers.75220/

N.B. Disable "Non Proxied UDP (WebRTC)" in your browser!
How to in various browsers: https://whoer.net/blog/article/how-to-disable-webrtc-in-various-browsers/

Check your browser: https://panopticlick.eff.org/

Remember every added extension makes it easier to uniquely make your browser stand out for profiling,
but there actually is no (easy nor hard) way to escape Big Brother to-day…

polonus

Some resources to check malware sites on.
This website is no longer found active; it was reported here as having generic malware:

https://otx.alienvault.com/indicator/hostname/www.stocktagfiles.com/

https://www.scumware.org/report/52.48.70.144.html

https://sitecheck.sucuri.net/results/www.stocktagfiles.com

https://www.securityhome.eu/malware/malware.php?mal_id=18398464835769f37b8669a6.43334630

https://minotr.net/detail?md5=1700ed9864bf36f580fd6efbaf1e40b0

https://www.threatcrowd.org/ip.php?ip=52.42.20.109

polonus

In Firefox we have the beautiful Calomel extension.
But how to check beyond the green padlock inside Google Chrome?
We find the source via Control+Shift+I.

How to check certificates under Google Chrome:

  1. Go to the website you want to check the certificate for
  2. Push the F12 button
  3. Within the window that has opened up, go to the small tab “Security”
  4. Click then the button to View Certificate (info credits go to Vixen).

Later you can additionally check:
https://cryptoreport.websecurity.symantec.com/checker/
and/or https://www.ssllabs.com/ssltest/
and https://www.digicert.com/help/
or here https://threatintelligenceplatform.com/

polonus

Where is your Internet connected out?

Where does the cloud take your packets?

See: https://www.peeringdb.com/asn/63949 (example for FOSCAM etc.)

Interesting background read from Chris Baker: https://dyn.com/blog/who-controls-the-internet/

polonus

Actual security-related info.

Nonces that eventually aren't real "numbers used once". Such nonces seem to be a risk.
So time to implement additional security-header security and check on https sites for "nonces".

An example of secure nonces we see here for example: https://gcm.tlsfun.de/check.php?host=www.terracotta.org

Collected 3 GCM nonces from www.terracotta.org

aa0015c9df6c8a46
aa0015c9df6c8a47
aa0015c9df6c8a48

NOT VULNERABLE

This host uses a counter starting with a random value (probably OpenSSL). This is secure.

For a detailed background read our paper: Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. More supplemental information is in our Github repository.

Enjoy, my good friends, enjoy,

polonus (volunteer website security analyst and website error-hunter)
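As an added example (not part of the post above or of the gcm.tlsfun.de checker): this is the reasoning such a checker applies to the 64-bit explicit nonce part of TLS 1.2 AES-GCM records (RFC 5288). The three terracotta.org nonces are the ones quoted above; the other two sample sets are constructed by me, as are the function and field names.

```javascript
// Added example (not from the forum post or from gcm.tlsfun.de): classify the
// explicit 8-byte nonces of TLS 1.2 AES-GCM records collected from one host.
// Duplicate -> forgeable; counter -> unique for the key's lifetime;
// neither -> random-looking, so a repeat is expected near the birthday bound.

const TWO_64 = 1n << 64n;

// Parse one 8-byte explicit nonce given as 16 hex characters.
function parseNonce(hex) {
  if (!/^[0-9a-fA-F]{16}$/.test(hex)) {
    throw new Error(`not an 8-byte explicit nonce: ${hex}`);
  }
  return BigInt('0x' + hex);
}

// Returns { verdict, pattern, detail } for nonces seen under one key.
function classifyNonces(hexNonces) {
  const nonces = hexNonces.map(parseNonce);
  if (nonces.length < 2) throw new Error('need at least two nonces to see a pattern');

  // Any repeat under the same key is the fatal case: the attacker can recover
  // the GHASH authentication key H and forge records.
  if (new Set(nonces).size !== nonces.length) {
    return {
      verdict: 'VULNERABLE',
      pattern: 'duplicate',
      detail: 'nonce repeated under one key: authentication key recoverable, forgery possible',
    };
  }

  // Each nonce is the previous one plus one (wrapping at 2^64): a counter,
  // unique for the life of the key whatever value it started from.
  const isCounter = nonces.every(
    (n, i) => i === 0 || (nonces[i - 1] + 1n) % TWO_64 === n,
  );
  if (isCounter) {
    return {
      verdict: 'NOT VULNERABLE',
      pattern: 'counter',
      detail: 'sequential counter: no repeat before 2^64 records',
    };
  }

  // No repeat and no counter: most likely random nonces. Unique so far, but a
  // random 64-bit value is expected to repeat after roughly 2^32 records.
  return {
    verdict: 'RISKY',
    pattern: 'random',
    detail: 'random-looking nonces: repeat expected near the birthday bound (about 2^32 records)',
  };
}

// Quoted above from the checker's output for www.terracotta.org.
const TERRACOTTA = ['aa0015c9df6c8a46', 'aa0015c9df6c8a47', 'aa0015c9df6c8a48'];
// Constructed sample sets.
const CONSTRUCTED_RANDOM = ['0123456789abcdef', 'fedcba9876543210', '00ff00ff00ff00ff'];
const CONSTRUCTED_DUPLICATE = ['0123456789abcdef', 'fedcba9876543210', '0123456789abcdef'];

for (const [name, set] of Object.entries({ TERRACOTTA, CONSTRUCTED_RANDOM, CONSTRUCTED_DUPLICATE })) {
  console.log(name, classifyNonces(set));
}
```

Three samples are enough to recognise a counter but not to see where it started; the "starting with a random value (probably OpenSSL)" remark in the checker's output is an inference about the implementation, not something the nonces alone prove. A real collection also needs every nonce to come from the same connection, since the explicit part is per key.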

Certificate transparency for avast webforum according to the netcraft report:

Certificate transparency: Signed Certificate Timestamps (SCTs)

Source      | Log            | Log ID                                       | Timestamp           | Signature verification
Certificate | Google Pilot   | pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA= | 2015-03-10 16:54:10 | Success
Certificate | Google Aviator | aPaY+B9kgr46jO65KB1M/HFRXWeT1ETRCmesu09P+8Q= | 2015-03-10 16:54:10 | Success
Certificate | DigiCert 1     | VhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0= | 2015-03-10 16:54:10 | Success

Verify here: https://www.chromium.org/Home/chromium-security/certificate-transparency

polonus (volunteer website security analyst and website error-hunter)

In part experimental, and results should be taken cum grano salis (with a grain of salt):
Mozilla ssh_scan API results in a dockerized way (all other forms are too abuse-prone, so you risk becoming blocked).

Scan a site's privacy score (beta) here: https://privacyscore.org/site/33642/ (as an example we took the avast forum site scan).
source code → https://github.com/mozilla/ssh_scan_api
Avast forum site results as json: https://privacyscore.org/site/33642/json/

3rd party embeds, 3rd party trackers,
4 issues on unreliable encryption - HSTS and HSTS pre-loading not installed, not using Public Key pinning.
No check on mixed content and no check for CSS attempts and ticketbleed (experimental).
No protection found against LOGJAM attacks. More unreliable checks issues…

Another lesson to be learned about optimal website security,

polonus (volunteer website security analyst and website error-hunter)

Recent research has established that working with a feature-rich browser will set you out uniquely,
and this means an enhanced privacy risk.

Read: https://today.uic.edu/bloated-browser-functionality-presents-unnecessary-security-privacy-risks
Info source: Peter Snyder.

You can check the uniqueness of your browser here: https://amiunique.org and https://amiunique.org/fp

If we break up the identifying factors, just a tiny bit of profiling is given off by my browser user agent.
Over 30% comes because of the browser header, that I send to the server.
Another 14% leaks through the way my browser processes decoded content.
A tiny bit of what I give away is through the language(s) I use (Dutch and Polish).
0,22% comes from used plug-ins and that is contradictory to above findings,
but detail of the individual plug-ins speak loudly with over 75% to set me out uniquely against all other browsers.
And do not forget the 33% by the adblocker I use.

Therefore the much-liked uBlock Origin adblocker by our forum users
is still "in its teens" and needs further development. It will break a lot of sites.

By far the best plug-in that works to the contrary and makes you less unique by heaps is good old “Request Policy”,
and here our good forum member, DavidR, was right all the way. You need not convince us any further, DavidR!

Well, the use of NoScript or uMatrix is also advisable, although the unsavvy do not always know what and how to toggle properly.

In these days of dwindling privacy or, as Americans say, "privacy that no longer exists", you have less unique browsers;
one is the Brave browser, developed by the inventor of JavaScript, without plug-ins and all in the browser,
with one profile for all (except for canvas and other fingerprinting). Brave as a browser app is a must on Android!

On the other side of the spectrum we have the nonsensical gimmick Browzar browser, which I would not recommend.

Finally, to be less outstanding within the big browser monoculture of Big Blue, Firefox and Google's Chrome,
I would go for a Japanese browser like Sleipnir, as one with this browser has a lesser attack surface in the Western Hemisphere.

polonus (volunteer website security analyst and website error-hunter)
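As an added example of the arithmetic behind percentages like the ones above (not from the post, amiunique.org or Panopticlick): a fingerprinting site compares each attribute value with its population of visitors and scores the rarity in bits, and a single rare value (an unusual language list, an extra extension) is enough to make the full fingerprint unique. The population, attribute names and function names below are constructed by me.

```javascript
// Added example (not from the forum post or any fingerprinting site): score how
// identifying each browser attribute is against a population of visitors.
// The population is constructed; a real site has millions of entries.

const POPULATION = [
  { userAgent: 'Firefox/56 Windows', languages: 'en-US',       adblocker: 'none',          plugins: 'Flash' },
  { userAgent: 'Firefox/56 Windows', languages: 'en-US',       adblocker: 'none',          plugins: 'Flash' },
  { userAgent: 'Firefox/56 Windows', languages: 'en-US',       adblocker: 'uBlock Origin', plugins: 'Flash' },
  { userAgent: 'Chrome/61 Windows',  languages: 'en-US',       adblocker: 'none',          plugins: 'Widevine' },
  { userAgent: 'Chrome/61 Windows',  languages: 'en-US',       adblocker: 'Adblock Plus',  plugins: 'Widevine' },
  { userAgent: 'Chrome/61 Windows',  languages: 'de-DE',       adblocker: 'none',          plugins: 'Widevine' },
  { userAgent: 'Safari/11 macOS',    languages: 'en-US',       adblocker: 'none',          plugins: 'none' },
  { userAgent: 'Firefox/56 Windows', languages: 'nl-NL,pl-PL', adblocker: 'uBlock Origin', plugins: 'none' },
];

const round2 = (x) => Math.round(x * 100) / 100;

// Bits of identifying information one attribute value carries:
// -log2(share of the population with that value). 0 bits means everyone
// has it; log2(N) bits means nobody else in the population does.
function surprisalBits(population, attribute, value) {
  const sharing = population.filter((fp) => fp[attribute] === value).length;
  return Math.log2(population.length / Math.max(sharing, 1));
}

// Score one browser: per-attribute bits, how many population entries share
// the whole fingerprint, and the bits the full fingerprint carries. Attributes
// are correlated (the language list already implies a locale), so the total
// is at most the sum of the parts.
function fingerprintReport(population, browser) {
  const attributes = Object.keys(browser);
  const perAttribute = {};
  for (const attr of attributes) {
    perAttribute[attr] = round2(surprisalBits(population, attr, browser[attr]));
  }
  const sharedWith = population.filter(
    (fp) => attributes.every((a) => fp[a] === browser[a]),
  ).length; // counts the browser itself if it is in the population
  return {
    perAttribute,
    sharedWith,
    unique: sharedWith <= 1,
    totalBits: round2(Math.log2(population.length / Math.max(sharedWith, 1))),
  };
}

// A Dutch/Polish Firefox user with uBlock Origin is unique in this population
// on the language list alone; two identical en-US Firefox/Flash browsers are not.
console.log(fingerprintReport(POPULATION, POPULATION[7]));
console.log(fingerprintReport(POPULATION, POPULATION[0]));
// Adding one plugin to an otherwise common browser also makes it unique.
console.log(fingerprintReport(POPULATION, { ...POPULATION[0], plugins: 'Flash,Java' }));
```

The site-reported "percentages" are shares of the population with the same value; the bits here are the same numbers on a log scale, which is the form the EFF's Panopticlick study used.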

Well it was able to tell what virtually every browser gives, which browser and version you are using, your OS and version, plus your language, but that isn’t going to get them very far in identifying the user.

EDIT: Whilst this is all well and good, you do have to selectively allow certain sites or you won’t see all content.

Reported by Lukasz Olejnik this privacy threat: https://blog.lukaszolejnik.com/privacy-of-web-request-api/
Source: https://www.theregister.co.uk/2017/10/06/another_w3c_api_exposing_users_to_browser_snitching/

Info credits for reporting go to Bitwiper.

A range of browser privacy scanners: http://www.malwarehelp.org/online_browser_security_and_privacy_scanners.html
like for instance: https://www.leader.ru/secure/who.html and extended: https://do-know.com/privacy-proxy-test.html?

It even explains I am in a FVEY country - the Netherlands; also extra private internal IPs are given. 2 CPU cores detected.

polonus

L.S.

All hope's not gone - the answer to a total loss of privacy
and against centralised snooping on all of your Interwebs interactions =
Decentralised VPN powered by blockchain,
an innovative development, read here: https://mysterium.network/

The clock is slowly ticking the last remnants of your Internet data integrity away;
with Google now also phasing out their public key pinning policy,
who will be making up the logs to check certificate transparency against?

polonus