Tests and other Media topics

Checking backupspider.com.html on Zonemaster creates critical errors; this scan, however, is fine:
https://zonemaster.iis.se/?resultid=a9edfa238f0b5f9b

Results supported by these results: https://intodns.com/backupspider.com

3 issues here: https://mxtoolbox.com/domain/backupspider.com/

Risk rating 1 red out of 10: https://toolbar.netcraft.com/site_report?url=backupspider.com

polonus (volunteer website security analyst & website error-hunter)

One knows polonus checks for retirable jQuery libraries, including Node.js, using the online Retire.js scanner.
There is also a way to check Node.js for insecurity: Snyk open source.
One can do a test for azure (azure@2.2.1-preview) and test e.g. “tunnel agent” in, for instance, the Brave browser on Android, and we will get 9 issues, “do not use callbacks” for one.
Install → npm install -g snyk
cd ~/projects/myproj/
snyk test

Enjoy,
polonus

Hi security minded friends,

Polonus was away for the week to central Poland, temp now minus 8 Celsius.

While not much online here last week on these here forums,
polonus is as always continuously on the look-out for script-security improvement of any sort.

I and a younger IT friend of mine stumbled onto this super script from the renowned resource engineer
& open source security researcher, zx2c4, from Paris, France.

His is the innovative secure.js script. To enjoy this script, go to this link,
and see this JavaScript to prevent HTTPS leaks: https://git.zx2c4.com/secure.js/tree/secure.js

As we find in his to-do list inside the code, there is still some work to be done on detecting async scripts,
and going over StackOverflow’s solutions, thanks to Cookie_Monster there, we stumbled upon:

document.querySelectorAll('script'); // lists every <script> element currently in the DOM, async ones included
<script async src="jquery.js" onload="jqueryloaded()"></script> // markup form: onload fires once the async script has run
var script = document.createElement("script"); script.src = 'jquery.js';
script.onload = jqueryloaded; // script form: same callback, attached before the element is appended
document.body.appendChild(script);
head.load("jQuery.js", function () { // head.js loader form (head.load is the head.js API, not a DOM method)
    console.log("jQuery loaded");
});

Could there be a possibility secure.js could be adopted & enhanced in such a way?
Still waiting for a response from Jason Donenfeld (aka zx2c4) accordingly,

polonus (volunteer website security analyst and website error-hunter)
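An added JavaScript example (not zx2c4's secure.js and not the StackOverflow snippet above): it audits the script elements already in the page, flags any that would be fetched over plain http: from an https: page, and in a browser watches for scripts appended later, which is the async case the to-do list mentions. The fake document and its script list are constructed so the audit also runs under Node; the placeholder origin is only used to resolve relative URLs.

```javascript
// Added example, not part of secure.js or the forum post. Lists the <script>
// elements in the DOM, classifies each src against the page protocol, and
// (browser only) watches for scripts injected after the initial audit.

// "insecure" = plain-http src on an https page (the HTTPS leak secure.js is
// meant to stop); "inline" = no src; "ok" otherwise. The base origin is a
// placeholder used only to resolve relative and protocol-relative URLs.
function classifyScript(src, pageProtocol) {
  if (!src) return "inline";
  let url;
  try {
    url = new URL(src, pageProtocol + "//placeholder.invalid/");
  } catch (e) {
    return "unparseable";
  }
  if (pageProtocol === "https:" && url.protocol === "http:") return "insecure";
  return "ok";
}

// Audit every <script> the document currently holds, async ones included.
function auditScripts(doc, pageProtocol) {
  const findings = [];
  for (const el of doc.querySelectorAll("script")) {
    const src = el.getAttribute("src");
    findings.push({ src, async: !!el.async, verdict: classifyScript(src, pageProtocol) });
  }
  return findings;
}

// Browser only: report scripts added after the audit (dynamic loaders, async
// injection). Returns the observer so the caller can disconnect it; null in Node.
function watchInjectedScripts(onScript) {
  if (typeof MutationObserver === "undefined" || typeof document === "undefined") return null;
  const observer = new MutationObserver((records) => {
    for (const rec of records) {
      for (const node of rec.addedNodes) {
        if (node.nodeName === "SCRIPT") onScript(node);
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed stand-in for a DOM document so the audit runs under Node.
// Each entry mimics the two things auditScripts reads from a <script>.
function fakeDocument(scripts) {
  const elements = scripts.map((s) => ({
    async: !!s.async,
    getAttribute: (name) => (name === "src" && s.src !== undefined ? s.src : null),
  }));
  return { querySelectorAll: (selector) => (selector === "script" ? elements : []) };
}

// In a browser: auditScripts(document, location.protocol), then
// watchInjectedScripts((el) => console.warn(classifyScript(el.src, location.protocol), el.src));
```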


[b]Get a universally unique identifier to protect your geeky code[/b] from here: http://onlineuuidgenerator.com/ (also time-based version).

Unique identifiers can protect you and also can give you away when you violate online laws.

Think of Verizon’s Precision ID? (re: http://www2.ca3.uscourts.gov/opinarch/163588p.pdf )
and re: https://readwrite.com/2015/01/31/verizon-tracking-perma-cookies-supercookies-uidh-precisionid-opt-out/
also perma-cookies while on tor and afterwards can identify you.

Tor will not anonymize you; in combination with Tails it also will not fully anonymize ye: recorded is, for instance, the size of your open browser window, and other unique identifiers like typing habits/speed/anomalies, websites visited, etc.

Using Tails in combination with a VM is a bad idea; it can unveil your OS identification. Using Tor and Tails and a VPN à la default is always a bad idea for hackers and cybercriminals alike. You get caught, period.

Also be aware of correlation attacks, targeted malware injection, and time-based attacks. Also never share privacy-related data online or break your online habits. These mistakes have caused many a perpetrator quite some jail time.
So better do not do the crime, if you cannot do the time.

polonus (volunteer website security analyst and website error-hunter)

A fine AI-driven PHISHing-IP checker:
(example IP): https://checkphish.ai/ip/94.23.220.38

Enjoy, my good friends, enjoy,

polonus

An example of what we can detect starting to use this service:
https://checkphish.ai/ip/94.23.220.38 and then checked: https://checkphish.ai/domain/poufmarocain.com
and then https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=poufmarocain.com&ref_sel=GSP2&ua_sel=ff&fs=1
and also two detections here: https://retire.insecurity.today/#!/scan/8daed221f8bde319f1f93ab73c4d2578663ae7ee4fdd039823c1c35b578c47bf
moreover this:

poufmarocain.com/js/jquery/jquery-migrate-1.2.1.min.js benign
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined function e

Also http://www.domxssscanner.com/scan?url=https%3A%2F%2Fpoufmarocain.com%2F
leading us here: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=www.comservice-online.de%2Findex.php%3Fmod%3Dusers%26action%3Dview%26id%3D121198%2F&ref_sel=GSP2&ua_sel=ff&fs=1

polonus (volunteer website security analyst and website error-hunter)

To keep everything tested and secure: http://seclist.us/category/security-tools

polonus

Are you out on a spoofable AS?
Test and help fight against InfoSpoofing:

https://www.infospoofing.com/

polonus

Info credits also: https://www.caida.org/projects/spoofer/

Important as anti-spoof protection for sub-domains etc. is to have a DMARC record.

Read background info: https://fraudwatchinternational.com/expert-explanations/dmarc-protecting-domains/

test here (free trial 14 days): https://dmarcian.com/dmarc-inspector/rug.nl
Or check here: https://mxtoolbox.com/dmarc.aspx

Free check tool: https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/

Example - -https://app.dmarcanalyzer.com/dns/dmarc_validator?domain=yahoo.com&g-recaptcha-response=03ANcjospioYln4U73s09y5mmYq3HTT0IWNbAdz78uQ0oIrCBEQ2WO1BHfSQIpFpdHxyVPGyKpgSu1o32MqXIsZ4oqWbW_bcRGuKmcB_UFpvR4IDgCKaadO87tU42mQhzFKqGKQBcP3dy4VEUDC-HXLUDvN23gnyP5twFdOJbZ9I41IrorzPm38kI4_wJlWXE9_3pwTwy9qLM8x1eg-P8RBrSb_jyYgvhB-Y0RNB1_dio1RWg39d-HUpS7VGyAcewNwVvUXQ-RuzlYSF0cRLJvwBEv6ED2J1dKlozAWbRNXqx5G6fvY-vj8SMe9g8DeMjxA914b0gQ5D5S&_token=d6VBx3OrOvqoZE8tUwj5AAh7Id6u7tlneivRvAIH

polonus (volunteer website security analyst and website error-hunter)
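The check those tools run, as an added JavaScript example (not dmarcian's, MXToolbox's or DMARC Analyzer's code): it parses a DMARC TXT record and reports a monitor-only policy, a weaker sub-domain policy, partial pct and a missing reporting address. The record strings used are constructed samples, not live DNS answers.

```javascript
// Added example, not from any of the linked checkers: parse a DMARC TXT record
// (RFC 7489 "tag=value; tag=value" syntax) and list the weaknesses a checker
// flags. Input is the TXT string returned for _dmarc.<domain>.

function parseDmarc(txt) {
  const tags = {};
  for (const part of txt.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;                       // skips the empty trailing segment
    tags[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  return tags;
}

// Returns a list of findings; an empty list means no weakness was found.
function assessDmarc(txt) {
  const t = parseDmarc(txt);
  const issues = [];
  if (t.v !== "DMARC1") {
    issues.push("v=DMARC1 missing or wrong; receivers ignore the record");
    return issues;
  }
  if (!t.p) {
    issues.push("p= policy missing; the record is invalid");
  } else if (t.p === "none") {
    issues.push("p=none only monitors; spoofed mail is still delivered");
  }
  // sp= is the sub-domain policy and defaults to p=. An explicit sp=none next
  // to p=quarantine/reject leaves every sub-domain open to spoofing, which is
  // the sub-domain point made in the post.
  const sp = t.sp !== undefined ? t.sp : t.p;
  if (t.p && t.p !== "none" && sp === "none") {
    issues.push("sp=none leaves sub-domains unprotected while p=" + t.p);
  }
  const pct = t.pct === undefined ? 100 : Number(t.pct);
  if (!(pct >= 0 && pct <= 100)) {
    issues.push("pct= must be 0-100");
  } else if (pct < 100) {
    issues.push("pct=" + pct + ": policy applied to only " + pct + "% of failing mail");
  }
  if (!t.rua) issues.push("rua= missing; no aggregate reports will arrive");
  return issues;
}

// Constructed sample record:
// assessDmarc("v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example.com")
// -> two findings (sp=none, pct=50)
```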

Proxies and VPNs may leak your IP address through WebRTC.
This can be done via so-called STUN-server logs.

Read about it here: https://voidsec.com/vpn-leak/
Protect against it with this extension: https://chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia

Check your vulnerability: http://ip.voidsec.com/

How to disable WebRTC in Firefox?

In short: Set “media.peerconnection.enabled” to “false” in “about:config”.

Explained:

Enter “about:config” in the firefox address bar and press enter.
Press the button “I’ll be careful, I promise!”
Search for “media.peerconnection.enabled”
Double click the entry, the column “Value” should now be “false”
Done. Do the WebRTC leak test again.

If you want to make sure every single WebRTC related setting is really disabled change these settings:

media.peerconnection.turn.disable = true
media.peerconnection.use_document_iceservers = false
media.peerconnection.video.enabled = false
media.peerconnection.identity.timeout = 1

Now you can be 100% sure WebRTC is disabled.

Quote source: https://www.privacytools.io/#webrtc

You will be astounded when you check here: https://www.dnsleaktest.com/
and for further tests: https://www.grc.com/dns/dns.htm

No more leaks via IPVanish with this extension:
https://addons.mozilla.org/nl/firefox/addon/happy-bonobo-disable-webrtc/

In Privacy Badger you can set “prevent WebRTC from leaking the internal IP address”.
This could cause some slowness on Google Hangout.

Pale Moon browser blocks this leaking by default.

Info credits go to posters here: -https://www.security.nl/posting/555923

polonus (volunteer website security analyst and website error-hunter)
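What a WebRTC leak test page actually does, as an added JavaScript example (not voidsec's or privacytools.io's code): in a browser, probeWebRtcAddresses() opens a throwaway peer connection so the browser gathers ICE candidates, and the candidate lines are parsed for the addresses they reveal. The STUN server name is a placeholder and the sample candidate lines are constructed; after the Firefox settings above, the probe is expected to fail because RTCPeerConnection is gone.

```javascript
// Added example, not from the pages linked above. Each ICE candidate line the
// browser gathers carries an address; a public (srflx) address appearing while
// a VPN is active is the leak. Parsing runs anywhere; the probe is browser-only.

// ICE candidate syntax (RFC 5245):
// "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ..."
function parseCandidateAddress(line) {
  const m = /candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/.exec(line);
  return m ? { address: m[1], type: m[2] } : null;
}

// RFC 1918 and link-local IPv4 ranges.
function isPrivateIPv4(addr) {
  return /^10\./.test(addr) || /^192\.168\./.test(addr) ||
    /^172\.(1[6-9]|2\d|3[01])\./.test(addr) || /^169\.254\./.test(addr);
}

// Sort candidate lines into local, public and mDNS-hidden addresses. Modern
// browsers replace host addresses with "<uuid>.local" names, which hides them.
function classifyCandidates(lines) {
  const out = { local: [], public: [], hidden: [] };
  for (const line of lines) {
    const c = parseCandidateAddress(line);
    if (!c) continue;
    if (c.address.endsWith(".local")) out.hidden.push(c.address);
    else if (isPrivateIPv4(c.address)) out.local.push(c.address);
    else out.public.push(c.address);
  }
  return out;
}

// Browser only. Resolves once gathering ends; rejects when WebRTC is disabled.
// STUN_SERVER is a placeholder: use a reachable STUN server to see srflx candidates.
const STUN_SERVER = "stun:stun.placeholder.invalid:3478";
function probeWebRtcAddresses() {
  return new Promise((resolve, reject) => {
    if (typeof RTCPeerConnection === "undefined") {
      return reject(new Error("RTCPeerConnection unavailable: WebRTC is disabled"));
    }
    const lines = [];
    const pc = new RTCPeerConnection({ iceServers: [{ urls: STUN_SERVER }] });
    pc.createDataChannel("leak-probe");            // forces candidate gathering
    pc.onicecandidate = (ev) => {
      if (ev.candidate) lines.push(ev.candidate.candidate);
      else { pc.close(); resolve(classifyCandidates(lines)); }  // null = gathering done
    };
    pc.createOffer().then((offer) => pc.setLocalDescription(offer)).catch(reject);
  });
}

// Constructed candidate lines of the kind a browser reports (203.0.113.7 is a documentation address).
const SAMPLE_CANDIDATES = [
  "candidate:842163049 1 udp 1677729535 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0",
  "candidate:1510613869 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
  "candidate:3456 1 udp 2122262783 5c2a1b0e-1f3d-4e5a-9c7b-2a1b3c4d5e6f.local 51000 typ host generation 0",
];
```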

In the light of re-appearing security issues with websites with a PHP-driven WordPress CMS
(CMS short for Content Management Software):

Start with a really quick and dirty scan here: http://hackertarget.com/wordpress-security-scan/

Also at: https://sitecheck.sucuri.net/
and https://www.quttera.com scans.

Furthermore for retirable jQuery libraries scan here: https://retire.insecurity.today/#

Also: https://observatory.mozilla.org/?
Together with a scan here: https://cryptoreport.websecurity.symantec.com/checker/en
Furthermore scan at: http://www.domxssscanner.com/

All scans are just meant for obtaining benevolent research info.
Never use any info so gained against a certain AS, domain, IP range or IP etc.

For a json and api info scan: https://urlscan.io/domain

More scan suggestions via : https://geekflare.com/online-scan-website-security-vulnerabilities/

Interesting results may also be obtained via a scan here:
https://www.eff.org/https-everywhere/atlas/

Also via http://rips-scanner.sourceforge.net/
and
https://app.upguard.com/webscan#/

Enjoy my friends, enjoy. Info credits luntrus (@security dot nl)

With questions or issues come to the virus and worms section of these avast forums,

polonus (volunteer website security analyst and website error hunter)

Thank You. :slight_smile:

https://screencast-o-matic.com/screenshots/u/Lh/1522937124978-50695.png

This is a POC - DO NOT use it for a production environment. Info credits go to lhecker at GitHub today.

Checking this POC code against facebook’s proxygen-bolt → https://github.com/lhecker/libnodecc
Do not use libnodecc in a developer’s production environment, just for research experiments only.
See: https://urlscan.io/result/3b26405e-cc14-49fb-ba92-e2e2f8be0368/jsonview/
and https://urlquery.net/report/c85aceb0-5456-4363-ad7f-b9bb3e960636
proxygen-bolt unrecognized despite returning data
There always should be room for PHP (in)security testing: Security Checks for -static.xx.fbcdn.net
Verdict of insecurity:
(2) Susceptible to man-in-the-middle attacks
HSTS header does not contain includeSubDomains
HSTS header not prepared for preload list inclusion
Vulnerable to cross-site attacks
HttpOnly cookies not used

error to go onto

-static.xx.fbcdn.net/rsrc.php/v3iCvN4/yt/l/DE/iNEySX6agJT.js benign
info: [decodingLevel=0] found JavaScript
error: undefined variable __d
error: undefined function __d
nested undefined variable error, when you try to grab, but you do not see what is run…(pol).

polonus (volunteer website security analyst and website error-hunter)

Babel, a strict VM-driven JavaScript compiler on the client (browser) to tight-test JavaScript security!

What did we test? Well, JavaScript taken from this scan: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fyandex.ru

Tested against babel here: https://babeljs.io/repl#?babili=false&browsers=&build=&builtIns=false&code_lz=BQMwrgdgxgLglgewsA5gGgBZoDIEoDe408SABAG7ACGaARmlAQE4CmMYTEpRsiyBMJgE98rdp1JUAdFQAOsgDZDgMDHA

Do not think out of the box, think strict and exact. Go to the next phase with Rust and Babel.

Another check of this code: -mc.yandex.ru/metrika/watch.js benign
DOM-XSS vuln.
Number of sources found: 77
Number of sinks found: 14

For instance

repl: Unexpected token, expected ; (1:17)

1 | ["\x3c/form\x3e"]);h.innerHTML=k.join("")
  |                  ^

Enjoy, my research developer friends, enjoy,

Example (from the babel-code-frame README):

import codeFrame from 'babel-code-frame';

// the source to frame is a multi-line string; line 2, column 16 is the spot after constructor()
const rawLines = `class Foo {
  constructor()
}`;
const lineNumber = 2;
const colNumber = 16;

const result = codeFrame(rawLines, lineNumber, colNumber, { /* options */ });

console.log(result);

And from the js-tokens README:

var jsTokens = require("js-tokens").default
// or:
// import jsTokens, {matchToToken} from "js-tokens"

var jsString = "var foo=opts.foo;\n..."

jsString.match(jsTokens)
// ["var", " ", "foo", "=", "opts", ".", "foo", ";", "\n", ...]

// the slash is ambiguous for a tokenizer: here "/ 2/g" is two divisions, not the regex literal /2/g
var bar = 1
var g = 9.82
var number = bar / 2/g

polonus

Checking the privacy status of a certain website to a certain degree (cookies, advice, privacy, Mozilla recommendations):

Re: https://webcookies.org/scan/15218489
Re: https://www.scamadviser.com/check-website/borneonews.co.id
Re: https://observatory.mozilla.org/analyze/www.borneonews.co.id
Re: https://privacyscore.org/site/96307/

This website is secured. 100% of the trackers on this site are helping protect you from NSA snooping. Why not thank borneonews.co.id for being secure?

All trackers
At least 7 third parties know you are on this webpage.

-Google
-www.borneonews.co.id
-Facebook
-Google
-www.google-analytics.com Google
-api.borneonews.co.id
-Google

Info Tracker SSL extension report for wXw.borneonews.co.id

Also consider (1 red out of 10 netcraft risk given):
https://toolbar.netcraft.com/site_report?url=https%3A%2F%2Fwww.borneonews.co.id%2F

and insecurity reported here: https://app.upguard.com/webscan#/borneonews.co.id

polonus (volunteer website security analyst and website error-hunter)

L.S.

DNS Record Viewer and another fine collection of handy dandy tools here:

http://dns-record-viewer.online-domain-tools.com/

Good to be used in combination with my Shodan extension in the browser - example:
https://www.shodan.io/host/52.2.58.67
http://ec2-52-2-58-67.compute-1.amazonaws.com/
PTR - pdns1.ultradns.net x4.amazonaws.org x2.amazonaws.com x1.amazonaws.com x3.amazonaws.org

polonus (volunteer website security analyst and website error-hunter)

For WordPress website admins and maintenance:

Looking for retirable jQuery libraries: https://retire.insecurity.today/#

Scan for WordPress issues (a quick and dirty scan) at https://hackertarget.com/wordpress-security-scan/

For developers in the audience:

With WordPress plug-ins there is a possibility of getting errors with a certain plug-in that overwrites. Press F12 and inspect in the browser console which file causes this. The first thing to do now is to de-activate the plug-in, and a second solution is to remove the code, but in that case you have to know your JavaScript a bit.

[b]Quote info credits and thanks for the instruction go out to Jasminder Pal Singh[/b],
who instructed me in this method via an online video.

polonus (volunteer website security analyst and website error-hunter)

Going over an error after a PTR request for 165.38.101.151.in-addr.arpa , it said I got a name error.

After reading on how to setup Reverse DNS & PTR records, I stumbled on this nice online interface website:

https://www.digwebinterface.com/?hostnames=165.38.101.151.in-addr.arpa&type=Reverse&ns=resolver&useresolver=8.8.4.4&nameservers=

Not much to go by here: https://toolbar.netcraft.com/site_report?url=165.38.101.151.in-addr.arpa

Above link for IT specialists and researchers only.

We also checked it here and found out why it failed. DNSsy report results for 165.38.101.151.in-addr.arpa:

Test - Result - Status
Checking domain format - Hostname looks good. - Pass
Checking for parent nameservers - Found 6 parent nameservers. - Pass
Checking for parent glue - Found glue from root nameservers to parent nameservers. - Info
NS records at parent nameserver - Your NS records at your parent nameserver are: provided by e.in-addr-servers.arpa → pri.authdns.ripe.net - Info
Nameservers listed at parent - No nameservers found at parent nameserver. - Fail

Another tool for web admins in this line: http://www.subnet-calculator.com/cidr.php
and for dns: https://www.dnscolos.com/dnsreport.php

Enjoy, my good friends, enjoy,

polonus (volunteer website security analyst and website error-hunter)

More on the dig web interface -

h@8.8.4.4 (Default):
Usage:  dig [@global-server] [domain] [q-type] [q-class] {q-opt}
            {global-d-opt} host [@local-server] {local-d-opt}
            [ host [@local-server] {local-d-opt} [...]]
Where:  domain    is in the Domain Name System
        q-class   is one of (in,hs,ch,...) [default: in]
        q-type    is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
                  (Use ixfr=version for type ixfr)
        q-opt     is one of:
                  -x dot-notation     (shortcut for reverse lookups)
                  -i                  (use IP6.INT for IPv6 reverse lookups)
                  -f filename         (batch mode)
                  -b address[#port]   (bind to source address/port)
                  -p port             (specify port number)
                  -q name             (specify query name)
                  -t type             (specify query type)
                  -c class            (specify query class)
                  -k keyfile          (specify tsig key file)
                  -y [hmac:]name:key  (specify named base64 tsig key)
                  -4                  (use IPv4 query transport only)
                  -6                  (use IPv6 query transport only)
                  -m                  (enable memory usage debugging)
        d-opt     is of the form +keyword[=value], where keyword is:
                  +[no]vc             (TCP mode)
                  +[no]tcp            (TCP mode, alternate syntax)
                  +time=###           (Set query timeout) [5]
                  +tries=###          (Set number of UDP attempts) [3]
                  +retry=###          (Set number of UDP retries) [2]
                  +domain=###         (Set default domainname)
                  +bufsize=###        (Set EDNS0 Max UDP packet size)
                  +ndots=###          (Set NDOTS value)
                  +edns=###           (Set EDNS version)
                  +[no]search         (Set whether to use searchlist)
                  +[no]showsearch     (Search with intermediate results)
                  +[no]defname        (Ditto)
                  +[no]recurse        (Recursive mode)
                  +[no]ignore         (Don't revert to TCP for TC responses.)
                  +[no]fail           (Don't try next server on SERVFAIL)
                  +[no]besteffort     (Try to parse even illegal messages)
                  +[no]aaonly         (Set AA flag in query (+[no]aaflag))
                  +[no]adflag         (Set AD flag in query)
                  +[no]cdflag         (Set CD flag in query)
                  +[no]cl             (Control display of class in records)
                  +[no]cmd            (Control display of command line)
                  +[no]comments       (Control display of comment lines)
                  +[no]question       (Control display of question)
                  +[no]answer         (Control display of answer)
                  +[no]authority      (Control display of authority)
                  +[no]additional     (Control display of additional)
                  +[no]stats          (Control display of statistics)
                  +[no]short          (Disable everything except short form of answer)
                  +[no]ttlid          (Control display of ttls in records)
                  +[no]all            (Set or clear all display flags)
                  +[no]qr             (Print question before sending)
                  +[no]nssearch       (Search all authoritative nameservers)
                  +[no]identify       (ID responders in short answers)
                  +[no]trace          (Trace delegation down from root)
                  +[no]dnssec         (Request DNSSEC records)
                  +[no]nsid           (Request Name Server ID)
                  +[no]sigchase       (Chase DNSSEC signatures)
                  +trusted-key=####   (Trusted Key when chasing DNSSEC sigs)
                  +[no]topdown        (Do DNSSEC validation top down mode)
                  +[no]multiline      (Print records in an expanded format)
                  +[no]onesoa         (AXFR prints only one soa record)
        global d-opts and servers (before host name) affect all queries.
        local d-opts and servers (after host name) affect only that lookup.
        -h                           (print help and exit)
        -v                           (print version and exit)
Example output:
nimbus.bitdefender.net@8.8.4.4 (Default):
nimbus.bitdefender.net. 21599 IN CNAME elb-nvi-amz.nimbus.bitdefender.net.
elb-nvi-amz.nimbus.bitdefender.net. 21599 IN CNAME kube-nimbus-1671728955.us-east-1.elb.amazonaws.com.
kube-nimbus-1671728955.us-east-1.elb.amazonaws.com. 20 IN A 52.204.39.25
kube-nimbus-1671728955.us-east-1.elb.amazonaws.com. 20 IN A 52.203.98.12
kube-nimbus-1671728955.us-east-1.elb.amazonaws.com. 20 IN A 52.203.77.162
kube-nimbus-1671728955.us-east-1.elb.amazonaws.com. 20 IN A 52.205.81.93
kube-nimbus-1671728955.us-east-1.elb.amazonaws.com. 20 IN A 52.45.231.34
kube-nimbus-1671728955.us-east-1.elb.amazonaws.com. 20 IN A 52.45.221.142
kube-nimbus-1671728955.us-east-1.elb.amazonaws.com. 20 IN A 52.44.27.79
kube-nimbus-1671728955.us-east-1.elb.amazonaws.com. 20 IN A 52.21.175.100

pol

Just some further additional sources: https://www.crunchbase.com/organization/securolytics#section-overview

Scam scanning sites: http://www.scamfoo.com/ & https://www.islegitsite.com/check

So many ways to establish what a website is all about without actually clicking that website link

polonus (volunteer website security analyzer and website error-hunter)