Tests and other Media topics

A still very topical article: https://www.zdnet.com/article/an-insecure-mess-how-flawed-javascript-is-turning-web-into-a-hackers-playground/

Test: http://research.insecurelabs.org/jquery/test/
For jquery on websites: https://retire.insecurity.today/
and https://dojotoolkit.org/api/?qs=1.8/dojox/validate/web
Test your code: https://snyk.io/test/

polonus

How to check whether your website lives up to EU cookie regulations?
Disclaimer: The results presented might not be 100 % correct. This tool is meant to be used by site owners as a starting point for improvements, not as a rigorous analysis.
https://www.cookiemetrix.com/ free analysis of just the homepage of the website,
for a full analysis create an account. (info credits go to Choi)

You could also compare it here with a privacy and security test: random example https://webcookies.org/cookies/media.reklamaizer.ru/2468946 (best checker i.m.h.o.)

Various checkers: https://www.cookiechecker.nl/ & https://sitechecker.pro/cookie-checker/
Another Dutch one: https://www.browserchecker.nl/cookiewet

Interesting: http://www.whatarecookies.com/view.asp
Cleanse your cookies with Cookienator → -https://cookienator.software.informer.com/2.6/

polonus

Watch that CMS that is nearing end of service time!

200,000 Magento webshops will be without any patches next year for Magento version 1 - no more security updates to come.
So with that CMS the urgent advice is to change to Magento 2 (but that upgrade is not an easy one, so start now).

Read: https://hostingtribunal.com/blog/magento-statistics/
and https://trends.builtwith.com/websitelist/Magento
and https://w3techs.com/technologies/details/cm-magento/all/all

If you want to avoid Magento webshops that did not perform the upgrade to version 2,
then one could find out the version (only when settings allow)
by appending /magento_version to the domain address.
Example:
$ curl https://www.horecaxl.com/magento_version
Magento/2.1 (Community)
Or scan at shodan.io, for instance.

Another method is to scan with the tool available from here: https://whatcms.org/

polonus (volunteer 3rd party cold recon security website analyst and website error-hunter)
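As an added example (not code from the post or from Magento), here is a small parser for the banner that /magento_version returns, so the curl output above can be classified automatically. The shop URLs and the response bodies in SAMPLE_RESPONSES are constructed; the banner format "Magento/2.1 (Community)" is the one quoted in the post. Note that Magento 1 never had this endpoint, so "no banner" only means the version could not be determined this way.

```python
import re
import urllib.error
import urllib.request

# Banner format the /magento_version endpoint returns on Magento 2,
# e.g. "Magento/2.1 (Community)" as in the curl example above.
VERSION_RE = re.compile(r"Magento/(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*\(([^)]*)\)")

# Constructed sample responses (hypothetical shops, not real sites): a Magento 2
# banner, an edition with a patch level, and a shop where the endpoint says nothing.
SAMPLE_RESPONSES = {
    "https://shop-a.example/magento_version": "Magento/2.1 (Community)",
    "https://shop-b.example/magento_version": "Magento/2.3.3 (Enterprise)",
    "https://shop-c.example/magento_version": "<html><body>404 Not Found</body></html>",
}


def parse_magento_version(body):
    """Return (major, minor, patch, edition) from a /magento_version body, or None."""
    match = VERSION_RE.search(body)
    if not match:
        return None
    major = int(match.group(1))
    minor = int(match.group(2) or 0)
    patch = int(match.group(3) or 0)
    return major, minor, patch, match.group(4).strip()


def assess(body):
    """Classify a response body.

    'magento2' - the shop answers with a Magento 2.x banner
    'magento1' - a 1.x banner (end of life, no more security patches)
    'unknown'  - no banner: endpoint disabled, not Magento, or Magento 1,
                 which never exposed /magento_version at all
    """
    parsed = parse_magento_version(body)
    if parsed is None:
        return "unknown"
    return "magento2" if parsed[0] >= 2 else "magento1"


def fetch_version_banner(base_url, timeout=10):
    """Fetch <base_url>/magento_version; returns the body text, or '' on HTTP/network errors."""
    url = base_url.rstrip("/") + "/magento_version"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.HTTPError, urllib.error.URLError):
        return ""


def assess_samples(responses=SAMPLE_RESPONSES):
    """Run the classifier over the constructed sample bodies (no network needed)."""
    return {url: assess(body) for url, body in responses.items()}


if __name__ == "__main__":
    for url, verdict in assess_samples().items():
        print(f"{url} -> {verdict}")
```

To check a shop you operate, pass its base URL to fetch_version_banner() and hand the result to assess(); the "unknown" verdict is deliberately not treated as proof of Magento 1, because the endpoint can simply be switched off.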

Here an example of a website still on Magento 1

Scanner of choice: https://www.magereport.com/scan/?s=https://www.shopdutyfree.com/

39 recommendations found through linting: https://webhint.io/scanner/13bf4595-6f35-4107-bdf3-807df5f7cdff
of which following are security related: https://webhint.io/scanner/13bf4595-6f35-4107-bdf3-807df5f7cdff#category-security

Security check for immediate threats: https://webscan.upguard.com/#/https://www.shopdutyfree.com/ (10 detected)
34 checks passed.

Site issue: https://sitecheck.sucuri.net/results/www.shopdutyfree.com

DOM-XSS flaws: Results from scanning URL: -https://www.shopdutyfree.com
Number of sources found: 28
Number of sinks found: 257

Results from scanning URL:
-https://www.shopdutyfree.com/static/version1572656038/_cache/merged/0e2010fc837637e2d987804478c1f47e.min.js
Number of sources found: 34
Number of sinks found: 14

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Linting is also a form of testing. So I tried to lint a static website built with the CMS Tilda, running on a Qrator server here:
It resulted in 507 recommendations for the website: https://webhint.io/scanner/8be58bd9-04cb-4f5d-8903-1a4fd36aaf5b

DOM-XSS flaws: Results from scanning URL: -https://tilda.cc/ru/
Number of sources found: 7
Number of sinks found: 564
&
Results from scanning URL: -https://static.tildacdn.com/js/tilda-menusub-1.0.min.js
Number of sources found: 3
Number of sinks found: 7

Results from scanning URL: -https://use.typekit.net/gwk7uku.js (external link)
Number of sources found: 5
Number of sinks found: 3

Another site built with Tilda: https://urlscan.io/result/f81ba6bd-10f2-426c-b2d7-06497c76bfae/

polonus

Searching "network_suricata_alert.description" on Maltiverse,
then later pinpointing detections via VirusTotal IP-relations detections.

What we searched: https://maltiverse.com/search;query=network_suricata_alert.description:"ET%20INFO%20Suspicious%20HTML%20Decimal%20Obfuscated%20Title%20-%20Possible%20Phishing%20Landing%20Apr%2019%202017";page=1;sort=query_score

Where we searched: https://www.virustotal.com/gui/url/c6e7f4508f12cb5c621d1d6a120b153c17352231f251526a089d8e978ce18eb3/details

And eventually what we did find on IP relations:
https://www.virustotal.com/gui/ip-address/80.78.250.103/relations

This phishing was flagged by 13 engines: http://www.nmosina.ru/alibaba/ALIBABA/89b43fb1ee59109c36ecd0929cec07ae

polonus

Working over header implementation and quieting other headers to get additional website security layers…

Security header scan: (random example): https://securityheaders.com/?q=http%3A%2F%2Fcraft2cart.com&followRedirects=on
Another one: https://observatory.mozilla.org/analyze/craft2cart.com
of which the header scan is a part.
Then we can have results from the security scan on webhint,
where it is also important for certain headers not to talk too loud, or rather not to talk at all (PHP version for instance).
136 recommendations security wise: https://webhint.io/scanner/fd0e3451-9d4a-4908-b9e6-25a1ed3c0ec8#category-security
Then inside the browser there is Recx Security Analyser extension.
Re

HTTP/1.1 200 OK
Date: Wed, 13 Nov 2019 22:35:33 GMT
Server: Apache
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Set-Cookie: frontend=59c02d7a31291f121ab733e852b40f0a; expires=Wed, 13-Nov-2019 23:35:33 GMT; Max-Age=3600; path=/; domain=craft2cart dot com; HttpOnly
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

We see the PHP version here, so we can look this up: https://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-298516/PHP-PHP-5.6.40.html
So then we will ask this question: https://stackoverflow.com/questions/5777792/what-does-it-mean-to-run-php-in-quiet-mode
which will make it a tad more difficult for either l33t attackers or one-horse-trick script kiddies.

But we also have: https://dazzlepod.com/ip/?ip_address=http%3A%2F%2Fcraft2cart.com (Netcraft risk score 1 red out of 10).

From Lansing where the site is hosted we can find:
https://www.shodan.io/host/208.79.234.118 together with possible vulnerabilities on that hoster.
Note: the device may not be impacted by all of these issues.
The vulnerabilities are implied based on the software and version.
This, when we combine it with this info here: https://toolbar.netcraft.com/site_report?url=host.purvainfosystems.info

Site was with malware during June this year: https://www.virustotal.com/gui/ip-address/208.79.234.118/relations

And we will find the malware analysis on a malware researcher's resource site like maltiverse,
for craft2cart.com:
created 5 months ago / modified 5 months ago
Bancolombia Personas phishing - Antiphishing.com.ar av-element detected

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
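As an added example (my own code, not from the post or from any of the scanners it links), the following audit does locally what securityheaders.com and the Observatory do for the response quoted above: it flags headers that "talk too loud" (Server, X-Powered-By with a version string), cookies without Secure/SameSite, and hardening headers that are absent. SAMPLE_RESPONSE is a constructed response modelled on the quoted one; the cookie value and the domain are placeholders.

```python
import re

# Constructed sample modelled on the response quoted above (placeholder cookie value and domain).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Wed, 13 Nov 2019 22:35:33 GMT
Server: Apache
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Set-Cookie: frontend=0123456789abcdef; expires=Wed, 13-Nov-2019 23:35:33 GMT; Max-Age=3600; path=/; domain=shop.example; HttpOnly
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
"""

# Headers that tell the world which software (and version) is running.
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}

# Hardening headers a public site is expected to send, with the finding raised when absent.
EXPECTED_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security missing (HSTS, see hstspreload.org)",
    "content-security-policy": "Content-Security-Policy missing",
    "x-content-type-options": "X-Content-Type-Options: nosniff missing",
    "referrer-policy": "Referrer-Policy missing",
    "x-frame-options": "X-Frame-Options missing (or use CSP frame-ancestors)",
}


def parse_response_head(raw):
    """Split an HTTP/1.x response head into (status_line, [(name_lower, value), ...])."""
    lines = raw.strip().splitlines()
    status = lines[0].strip()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head; body follows
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_headers(raw):
    """Return a list of (severity, message) findings for one response head."""
    _, headers = parse_response_head(raw)
    present = {name for name, _ in headers}
    findings = []
    for name, value in headers:
        if name in DISCLOSING_HEADERS and value:
            # A version number (PHP/5.6.40) gives anyone a free CVE lookup;
            # a bare product name (Apache) is a smaller leak.
            severity = "high" if re.search(r"\d+\.\d+", value) else "low"
            findings.append((severity, f"{name} discloses '{value}'"))
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            flags = {a.split("=", 1)[0] for a in attrs}
            if "secure" not in flags:
                findings.append(("medium", f"cookie {cookie_name} lacks Secure"))
            if "httponly" not in flags:
                findings.append(("medium", f"cookie {cookie_name} lacks HttpOnly"))
            if "samesite" not in flags:
                findings.append(("low", f"cookie {cookie_name} lacks SameSite"))
    for name, message in EXPECTED_HEADERS.items():
        if name not in present:
            findings.append(("medium", message))
    return findings


if __name__ == "__main__":
    for severity, message in audit_headers(SAMPLE_RESPONSE):
        print(f"[{severity}] {message}")
```

On the sample this reports the PHP version leak as high, the bare Server banner as low, the session cookie as lacking Secure and SameSite, and four missing hardening headers. The quieting the post refers to is done in configuration: `expose_php = Off` in php.ini removes X-Powered-By, and `ServerTokens Prod` in Apache reduces Server to the product name.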

To check settings for your website, use https://hstspreload.org/

See: https://www.globaldots.com/blog/8-http-security-headers-best-practices

HTTP Headers, an extension for your browser to check websites with.

polonus

SSL checker: https://certlogik.com/ssl-checker/
Also other tools at that site: crt alert and decoder.

Another site with this newer scanner: https://redkestrel.co.uk/products/

polonus

Read: https://sec-consult.com/en/blog/advisories/weak-encryption-cipher-and-hardcoded-cryptographic-keys-in-fortinet-products/

Want to test a hard-coded key XOR cipher and its weakness grade, resembling Caesar or rather Vigenère?
Test here: https://www.dcode.fr/xor-cipher with many a tool to test encryption.

What did junky Pentesters find -
https://niiconsulting.com/checkmate/2018/05/reverse-engineering-for-beginners-xor-encryption-windows-x64/

Network Intelligence - XOR is still used, mainly for obfuscation.

polonus
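As an added example (my own code, unrelated to the Fortinet advisory or the tools linked above), this shows in a few lines why a hard-coded repeating-key XOR is no stronger than a Vigenère cipher: one known fragment of plaintext that covers a full key period hands over the whole key, and the key then decrypts everything else. The key, the plaintext and the crib are all constructed.

```python
# Constructed example: a hard-coded 4-byte key and a config-like plaintext, not material from any product.
HARDCODED_KEY = b"K3Y!"
SAMPLE_PLAINTEXT = b"host=db.internal;user=admin;pass=hunter2"


def xor_bytes(data, key):
    """Repeating-key XOR. The same call encrypts and decrypts.
    A one-byte key is the Caesar-like case; a longer key behaves like Vigenère."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext, crib, offset, key_len):
    """Known-plaintext attack on repeating-key XOR.

    ciphertext XOR plaintext at the same position gives the key stream, and the key
    stream repeats every key_len bytes, so a crib of at least key_len bytes placed at
    a known offset fills in every key byte (the offset decides which byte goes where).
    """
    if len(crib) < key_len:
        raise ValueError("crib must cover at least one full key period")
    if offset + len(crib) > len(ciphertext):
        raise ValueError("crib runs past the end of the ciphertext")
    key = bytearray(key_len)
    for i, (c, p) in enumerate(zip(ciphertext[offset:offset + len(crib)], crib)):
        key[(offset + i) % key_len] = c ^ p
    return bytes(key)


def demo():
    """Encrypt the sample, then recover the key from the single field name 'user='."""
    ciphertext = xor_bytes(SAMPLE_PLAINTEXT, HARDCODED_KEY)
    # A reverse engineer who only knows that "user=" sits at this offset needs nothing else.
    offset = SAMPLE_PLAINTEXT.index(b"user=")
    recovered = recover_key(ciphertext, b"user=", offset, len(HARDCODED_KEY))
    return recovered, xor_bytes(ciphertext, recovered)


if __name__ == "__main__":
    key, plaintext = demo()
    print("recovered key:", key)
    print("decrypted    :", plaintext)
```

The lesson for anyone reviewing a product that "encrypts" configuration this way: the key length can be guessed from repeating patterns and the key itself from any predictable field, so such XOR is obfuscation, not encryption, which is exactly the point of the Network Intelligence piece linked above.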

Too much about blacklists and blacklisting, now are you on this whitelist?

Check: https://www.dnswl.org/?page_id=72

polonus

Using middleware inside browsers to speed up DNS-prefetching etc.
Read: https://github.com/helmetjs

DNS prefetching is used to resolve hosts faster and get a better load; however, inside Google Chrome it can lead to adverse effects: making web pages load slower, not load at all, etc.

Read: https://www.mydigitallife.net/turn-off-dns-prefetching-in-google-chrome-to-fix-resolving-host-and-cannot-load-page-error/

DNS prefetching can be turned off or on inside your browser privacy settings.

Test performance here: https://www.webpagetest.org/

Also see test tools here: https://geekflare.com/test-your-website-load-time/

polonus

Combining DOM-XSS scanning for sinks and sources with retirable jQuery library issues,
we have fine resources here: https://github.com/s0md3v/AwesomeXSS

Find them before they find you :slight_smile:

polonus

What also could bring a lot of insight on a particular website is to open it up inside the Developer's Console,
which can be done by pressing Ctrl+Shift+I.
For this website -https://www.grenson.com
we could analyze:

preload.js:64 [Deprecation] Element.createShadowRoot is deprecated and will be removed in M73, around March 2019. Please use Element.attachShadow instead. See https://www.chromestatus.com/features/4507242028072960 for more details.
init @ preload.js:64
content-tss.js:2 content-tss.js loaded: -https://www.grenson.com/us/'-alert()/
(unknown) hosted page injected
content-ads.js:2 content-ads.js loaded: -https://www.grenson.com/us/'-alert()/
content.js:21 Uncaught TypeError: Illegal invocation: Function must be called on an object of type StorageArea at content.js:21
-www.google-analytics.com/analytics.js:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
-grens11111.pcapredict.com/js/sensor.js:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
(index):1 [DOM] Found 2 elements with non-unique id #email: (More info: -https://goo.gl/9p2vKq)
(index):1 [DOM] Found 2 elements with non-unique id #login-form: (More info: -https://goo.gl/9p2vKq)
(index):1 [DOM] Found 2 elements with non-unique id #pass: (More info: -https://goo.gl/9p2vKq)
(index):1 [DOM] Found 4 elements with non-unique id #search: (More info: -https://goo.gl/9p2vKq)
(index):1 [DOM] Found 3 elements with non-unique id #search_mini_form: (More info: https://goo.gl/9p2vKq)
(index):1 [DOM] Found 2 elements with non-unique id #send2: (More info: -https://goo.gl/9p2vKq)
(index):1 Unchecked runtime.lastError: Could not establish connection. Receiving end does not exist.
preload.js:64 [Deprecation] Element.createShadowRoot is deprecated and will be removed in M73, around March 2019. Please use Element.attachShadow instead. See -https://www.chromestatus.com/features/4507242028072960 for more details.
init @ preload.js:64
preload.js:64 [Deprecation] Element.createShadowRoot is deprecated and will be removed in M73, around March 2019. Please use Element.attachShadow instead. See h-ttps://www.chromestatus.com/features/4507242028072960 for more details.
init @ preload.js:64
content-tss.js:2 content-tss.js loaded: -https://www.google.com/recaptcha/api2/anchor?ar=1&k=6Lft7xkUAAAAAJC3_IM8O68WPOJHvttOTN-1dj74&co=aHR0cHM6Ly93d3cuZ3JlbnNvbi5jb206NDQz&hl=en&type=image&v=PRkVene3wKrZUWATSylf69ja&theme=light&size=normal&cb=4wm1rlpfzp0h
(unknown) hosted page injected
content-ads.js:2 content-ads.js loaded: -https://www.google.com/recaptcha/api2/anchor?ar=1&k=6Lft7xkUAAAAAJC3_IM8O68WPOJHvttOTN-1dj74&co=aHR0cHM6Ly93d3cuZ3JlbnNvbi5jb206NDQz&hl=en&type=image&v=PRkVene3wKrZUWATSylf69ja&theme=light&size=normal&cb=4wm1rlpfzp0h
content.js:21 Uncaught TypeError: Illegal invocation: Function must be called on an object of type StorageArea at content.js:21
fingercounting.js:188 Uncaught DOMException: Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document.
    at Counter.wrapMethod (chrome-extension://ommfjecdpepadiafbnidoiggfpbnkfbj/js/web_accessible/fingercounting.js:188:27)
    at new Counter (chrome-extension://ommfjecdpepadiafbnidoiggfpbnkfbj/js/web_accessible/fingercounting.js:160:12)
    at chrome-extension://ommfjecdpepadiafbnidoiggfpbnkfbj/js/web_accessible/fingercounting.js:250:19
    at chrome-extension://ommfjecdpepadiafbnidoiggfpbnkfbj/js/web_accessible/fingercounting.js:255:3
(unknown) caught WebWorker
content-tss.js:2 content-tss.js loaded: about:blank
(unknown) hosted page injected
content-ads.js:2 content-ads.js loaded: about:blank
content-tss.js:2 content-tss.js loaded: about:blank
(unknown) hosted page injected
content-ads.js:2 content-ads.js loaded: about:blank
content-tss.js:2 content-tss.js loaded: -https://www.google.com/recaptcha/api2/bframe?hl=en&v=PRkVene3wKrZUWATSylf69ja&k=6Lft7xkUAAAAAJC3_IM8O68WPOJHvttOTN-1dj74&cb=amz0tege1pe4
VM29:5 hosted page injected
content-ads.js:2 content-ads.js loaded: -https://www.google.com/recaptcha/api2/bframe?hl=en&v=PRkVene3wKrZUWATSylf69ja&k=6Lft7xkUAAAAAJC3_IM8O68WPOJHvttOTN-1dj74&cb=amz0tege1pe4
content.js:21 Uncaught TypeError: Illegal invocation: Function must be called on an object of type StorageArea at content.js:21
fingercounting.js:188 Uncaught DOMException: Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document.
    at Counter.wrapMethod (chrome-extension://ommfjecdpepadiafbnidoiggfpbnkfbj/js/web_accessible/fingercounting.js:188:27)
    at new Counter (chrome-extension://ommfjecdpepadiafbnidoiggfpbnkfbj/js/web_accessible/fingercounting.js:160:12)
    at chrome-extension://ommfjecdpepadiafbnidoiggfpbnkfbj/js/web_accessible/fingercounting.js:250:19
    at chrome-extension://ommfjecdpepadiafbnidoiggfpbnkfbj/js/web_accessible/fingercounting.js:255:3
-> -https://www.grenson.com/ and -alert()/# returns a "You could go to previous page..." etc.

Enjoy, good hunt

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

With Retire.JS as an extension in the browser, the retire.insecurity.today online scanner and also the Snyk evaluation (see webhint scanner)
one can establish retirable jQuery libraries, and with DOM-XSS scanners possible sources (input that can eventually be controlled) and sinks (methods towards such a goal that can be (ab)used).

Also look here at these resources: https://domstorm.skepticfx.com/modules?id=529bbe6e125fac0000000003

Find these flaws, before they find you, see my test results:
https://domstorm.skepticfx.com/modules?id=529bbe6e125fac0000000003
You can for instance use the user script as User Script (ENUM_FUNCTION) inside Tamper Monkey extension, just an idea.

Test an example of DOM-based XSS here, open it up in the browser: https://brutelogic.com.br/tests/sinks.html?name=<img+src+onerror=alert(3)>
Read: https://brutelogic.com.br/blog/dom-based-xss-the-3-sinks/
This is

Object.create (eval at exec_fn (sinks.html?name=<img+src+onerror=alert(3)>:1),

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
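As an added example (my own code, not the scanner that produced the "Number of sources found / Number of sinks found" figures quoted in this thread, and not from the resources linked above), here is a minimal static source/sink counter for JavaScript of the kind those figures summarise. It counts attacker-influenced inputs (location.hash, document.referrer, window.name, ...) and string-to-HTML/script sinks (innerHTML, document.write, eval, ...), and additionally lists lines where a source and a sink appear together, which are the first lines to review by hand. SAMPLE_JS is constructed; the pattern lists are a reviewer's starting set, not an exhaustive one.

```python
import re

# Inputs an attacker can influence (sources).
SOURCE_PATTERNS = {
    "location.hash": r"\blocation\.hash\b",
    "location.search": r"\blocation\.search\b",
    "document.URL": r"\bdocument\.URL\b",
    "document.referrer": r"\bdocument\.referrer\b",
    "window.name": r"\bwindow\.name\b",
    "Web Storage read": r"\b(?:localStorage|sessionStorage)\.getItem\s*\(",
    "message event": r"addEventListener\s*\(\s*['\"]message['\"]",
}

# DOM APIs that interpret a string as HTML, script or a navigation target (sinks).
SINK_PATTERNS = {
    "innerHTML/outerHTML assignment": r"\.(?:inner|outer)HTML\s*\+?=(?!=)",
    "insertAdjacentHTML": r"\.insertAdjacentHTML\s*\(",
    "document.write": r"\bdocument\.write(?:ln)?\s*\(",
    "eval": r"\beval\s*\(",
    "Function constructor": r"\bnew\s+Function\s*\(",
    "setTimeout/setInterval with string": r"\bset(?:Timeout|Interval)\s*\(\s*['\"]",
    "jQuery .html()": r"\.html\s*\(",
    "location assignment": r"\blocation(?:\.href)?\s*=(?!=)",
}

# Constructed sample script: two tainted flows into HTML sinks, one safe textContent
# write, and one line where source and sink sit together.
SAMPLE_JS = """\
var name = decodeURIComponent(location.hash.slice(1));
document.getElementById('greet').innerHTML = 'Hi ' + name;
var q = new URLSearchParams(location.search).get('q');
document.write('<b>' + q + '</b>');
var el = document.createElement('div');
el.textContent = name;
if (window.name) eval(window.name);
"""


def count_patterns(js, patterns):
    """Count occurrences of each named pattern; returns ({name: count}, total)."""
    counts = {}
    for name, pattern in patterns.items():
        n = len(re.findall(pattern, js))
        if n:
            counts[name] = n
    return counts, sum(counts.values())


def scan_dom_xss(js):
    """Summarise sources and sinks the way the online scanners do, plus the lines
    where both a source and a sink occur (the candidates to review first)."""
    sources, n_sources = count_patterns(js, SOURCE_PATTERNS)
    sinks, n_sinks = count_patterns(js, SINK_PATTERNS)
    suspicious_lines = []
    for lineno, line in enumerate(js.splitlines(), start=1):
        has_source = any(re.search(p, line) for p in SOURCE_PATTERNS.values())
        has_sink = any(re.search(p, line) for p in SINK_PATTERNS.values())
        if has_source and has_sink:
            suspicious_lines.append(lineno)
    return {
        "sources": n_sources,
        "source_detail": sources,
        "sinks": n_sinks,
        "sink_detail": sinks,
        "suspicious_lines": suspicious_lines,
    }


if __name__ == "__main__":
    result = scan_dom_xss(SAMPLE_JS)
    print("Number of sources found:", result["sources"], result["source_detail"])
    print("Number of sinks found:", result["sinks"], result["sink_detail"])
    print("Lines with source and sink together:", result["suspicious_lines"])
```

Counting alone says little, as the large sink counts quoted above show; what matters is whether a source reaches a sink without encoding in between, which is why the scan also reports the co-occurring lines and why the textContent write on line 6 is deliberately not counted as a sink.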

Two browser extensions that can extend the info detected here:
https://observatory.mozilla.org/analyze/meedoeninarnhem.nl a random example with C-grade status

are Recx Security Analyser v.1.3.0.4 (described earlier in this section Tests & other Media topics).

and CSP Evaluator →

base-uri 'self';
img-src * data: 'unsafe-inline';
default-src data: * 'unsafe-inline';
frame-ancestors 'self';
manifest-src 'self';
media-src *.readspeaker.com *.speechstream.net 'self';
script-src * 'unsafe-inline' 'unsafe-eval';
object-src 'self';

base-uri: 'self' - all good
img-src: *, data:, 'unsafe-inline' - all good
default-src: data:, *, 'unsafe-inline' - all good
frame-ancestors: 'self' - all good
manifest-src: 'self' - all good
media-src: *.readspeaker.com, *.speechstream.net, 'self' - all good

script-src: high severity findings
  * - script-src should not allow '*' as source
  'unsafe-inline' - 'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
  'unsafe-eval' - possible high severity finding: 'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().

object-src: possible medium severity finding
  'self' - Can you restrict object-src to 'none' only?

Could be also combined with results from https://webcookies.org/cookies/www.arnhem.nl/15998357

Enjoy, my good friends, enjoy,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
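As an added example (my own code, not the CSP Evaluator extension or Observatory), the following evaluator reproduces the script-src and object-src checks quoted above on the Arnhem policy, and also the "'self' can be problematic if you host JSONP, Angular or user uploaded files" finding this thread discusses for the Observatory policy. The two policy strings are copied from the thread with straight quotes; the parser also accepts the curly quotes that pasting a header tends to introduce. The base-uri check is my addition beyond the quoted output.

```python
# Policies as quoted in this thread (straight quotes).
ARNHEM_POLICY = (
    "base-uri 'self'; img-src * data: 'unsafe-inline'; default-src data: * 'unsafe-inline'; "
    "frame-ancestors 'self'; manifest-src 'self'; "
    "media-src *.readspeaker.com *.speechstream.net 'self'; "
    "script-src * 'unsafe-inline' 'unsafe-eval'; object-src 'self';"
)
OBSERVATORY_POLICY = "script-src 'self'; object-src 'none'"

# Straight and curly quotes, so a policy pasted from a forum post still parses.
QUOTES = "'\"\u2018\u2019"


def parse_csp(policy):
    """Split a CSP header value into {directive: [source values]}, quotes stripped, lower-cased."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.strip(QUOTES).lower() for t in tokens[1:]]
    return directives


def evaluate_csp(policy):
    """Return (severity, directive, message) findings for the script-src, object-src and base-uri checks."""
    d = parse_csp(policy)
    findings = []
    # script-src falls back to default-src when absent; if neither exists, any script runs.
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        findings.append(("high", "script-src", "neither script-src nor default-src set: scripts from anywhere allowed"))
    else:
        has_nonce_or_hash = any(v.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for v in script)
        if "*" in script:
            findings.append(("high", "script-src", "script-src should not allow '*' as source"))
        if "unsafe-inline" in script and not has_nonce_or_hash:
            findings.append(("high", "script-src", "'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers"))
        if "unsafe-eval" in script:
            findings.append(("possible-high", "script-src", "'unsafe-eval' allows the execution of code injected into DOM APIs such as eval()"))
        if any(v in ("http:", "https:", "data:") for v in script):
            findings.append(("high", "script-src", "scheme-only sources allow scripts from any host using that scheme"))
        if "self" in script and not has_nonce_or_hash and "strict-dynamic" not in script:
            findings.append(("possible-medium", "script-src", "'self' can be problematic if you host JSONP, Angular or user uploaded files"))
    # object-src also falls back to default-src; anything but 'none' leaves plugins reachable.
    obj = d.get("object-src", d.get("default-src"))
    if obj is None:
        findings.append(("high", "object-src", "object-src missing: plugin content can be loaded from anywhere"))
    elif obj != ["none"]:
        findings.append(("possible-medium", "object-src", "Can you restrict object-src to 'none' only?"))
    if "base-uri" not in d:
        findings.append(("medium", "base-uri", "base-uri missing: an injected <base> tag can redirect relative script URLs"))
    return findings


if __name__ == "__main__":
    for label, policy in (("Arnhem", ARNHEM_POLICY), ("Observatory", OBSERVATORY_POLICY)):
        print(label)
        for severity, directive, message in evaluate_csp(policy):
            print(f"  [{severity}] {directive}: {message}")
```

On the Arnhem policy this yields the same four script-src/object-src findings the extension reported above; on the Observatory policy it yields the possible-medium 'self' note plus a missing base-uri, which is the kind of finding one then verifies by hand, as the later post in this thread does with urlscan.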

Test websites for Dutch NCSC TLS-guidelines: https://internet.nl/

10 online tools → https://geekflare.com/ssl-test-certificate/

Check site’s cert fingerprint with this here: https://www.grc.com/fingerprints.htm

Each site’s authentic security certificate fingerprint (shown above) was just now obtained by GRC’s servers from each target web
server. If your web browser sees a different fingerprint for the same certificate (carefully verify the Certificate Name is identical) that
forms strong evidence that something is intercepting your web browser’s secure connections and is creating fraudulent site certificates.

polonus

You will find trackers reported, for instance through DNS Query Sniffer tool,
then check here: https://whotracks.me/trackers/gstatic.html
Also compare this search tool with insecure tracking found with Tracker SSL extension.

Enjoy, my good friends. enjoy,

polonus

Looking for alternatives for urlquery dot net, now it is more often down than up:
https://postmodernsecurity.com/2015/09/11/malware-analysis-and-incident-response-tools-for-the-frugal-and-lazy/
Examples from there: https://forum.avast.com/index.php?action=post;topic=129271.735;last_msg=1529228 (random example);
also: https://fortiguard.com/webfilter?q=justshopclub.com
Also do an IP scan: https://www.shodan.io/host/31.192.111.83 to be verified at VT IP relations; you can use the VT4Browsers extension.

polonus

L.S.

Hunting for website errors that could be exploited, I stumbled upon this in the CSP arena:
Often CSP security is wrongly implemented or in cases can be circumvented.
Read: https://github.com/qazbnm456/awesome-web-security (see the CSP security section)
Also for instance: https://github.com/portswigger/irule-detector

I have this installed in the browser: CSP Evaluator extension.
See response headers in Web Developer extension for particular websites.
Also Evading CSP with DOM-based dangling markup

For instance we have CSP evaluation for https://observatory.mozilla.org/
with a possible medium severity finding with “script-src ‘self’”.
As ‘self’ can be problematic if you host JSONP, Angular or user uploaded files.
Which is not true as we check here: https://urlscan.io/result/2170f2aa-7870-4748-b629-7f246e95b6ae#behaviour

Seems folks have only just begun implementing strong Content Security Policies
and evaluating whether some attacker can bypass them.

Also XSS scanning could be worthwhile: https://labs.detectify.com/2016/04/04/csp-bypassing-form-action-with-reflected-xss/
Can be combined with CSP bypasser via http://attacker.tld/link-subresource (link not found), still something of a push,
so read here: https://news.ycombinator.com/item?id=14077955

For security researchers and analysts/pentesters, this is the season just for some back-up reading on these subjects,
and to further protection against such weaknesses. Enjoy, my friends, enjoy,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)