This includes ‘unsafe-inline’ or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.
Content Security Policy Analysis
Test Pass Info
Blocks execution of inline JavaScript by not allowing 'unsafe-inline' inside script-src X
Blocks execution of JavaScript's eval() function by not allowing 'unsafe-eval' inside script-src V
Blocks execution of plug-ins, using object-src restrictions X
Blocks inline styles by not allowing 'unsafe-inline' inside style-src X
Blocks loading of active content over HTTP or FTP V
Blocks loading of passive content over HTTP or FTP V
Clickjacking protection, using frame-ancestors X
Deny by default, using default-src 'none' X
Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins X
Restricts where contents may be submitted by using form-action 'none', form-action 'self', or specific URIs X
Uses CSP3's 'strict-dynamic' directive to allow dynamic script loading (optional) -
The header exposes web server version details. These serve no purpose apart from making the life of security auditors and hackers easier, leading them straight to exploits for this particular version of the product.
No base-uri allows attackers to inject base tags which override the base URI to an attacker-controlled origin. Set to ‘none’ unless you need to handle a tricky relative URL scheme.
Various domain checks: https://www.zonemaster.net/domain_check
The following nameservers failed to resolve to an IP address: ns-02.avast.com, ns-06.avast.com.
Valid policy at → https://report-uri.com/home/analyseView
Raw Policy
Warning
1:462: The child-src directive is deprecated as of CSP level 3. Authors who wish to regulate nested browsing contexts and workers SHOULD use the frame-src and worker-src directives, respectively.
1:502: The upgrade-insecure-requests directive is an experimental directive that will be likely added to the CSP specification.
Info
1:529: A draft of the next version of CSP deprecates report-uri in favour of a new report-to directive.
So this website address is well worth bookmarking, for when website developers have need of this additional inspection and validation (remember, online nothing is ever a 100% foolproof best policy; today's standards aren't tomorrow's).
Inside Avast Secure Browser I now use the CSP Evaluator extension and the CSP Tester extension next to the JNote extension, a JavaScript error notifier.
So we keep collecting various interesting tools for our toolboxes.
Check and test well into the coming new year 2020, my good friends, enjoy.
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
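As an added example (not code from the post or from any of the tools it names), here is a small CSP checker that applies the same kind of tests as the analysis table above; both policy strings are constructed samples, not any real site's header.

```javascript
// Added example, not from the forum post: a minimal CSP checker that applies the
// same kind of tests as the "Content Security Policy Analysis" table above.
// Both policy strings are constructed samples, not any real site's header.
const WEAK_POLICY =
  "default-src 'self' https:; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline'";
const STRICT_POLICY =
  "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline'; object-src 'none'; " +
  "style-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'";
// Sources that let any origin (or any data URL) supply content: "overly broad".
const BROAD = new Set(['*', 'http:', 'https:', 'data:', 'blob:', 'filesystem:']);
// Parse "name value value; name value" into {name: [values]}. Browsers ignore a
// repeated directive, so only the first occurrence is kept.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in directives)) {
      directives[name.toLowerCase()] = values.map((v) => v.toLowerCase());
    }
  }
  return directives;
}

// Fetch directives fall back to default-src; null means no restriction at all.
const effective = (d, name) => d[name] || d['default-src'] || null;
// CSP2+: a nonce or hash source makes 'unsafe-inline' ignored by modern browsers.
const hasNonceOrHash = (list) => list.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
// A source list is "narrow" when it exists and contains no overly broad source.
const narrow = (list) => list !== null && !list.some((v) => BROAD.has(v));

function checkCsp(policy) {
  const d = parseCsp(policy);
  const script = effective(d, 'script-src');
  const style = effective(d, 'style-src');
  return {
    inlineScriptBlocked: script !== null && (!script.includes("'unsafe-inline'") || hasNonceOrHash(script)),
    evalBlocked: script !== null && !script.includes("'unsafe-eval'"),
    scriptSrcNarrow: narrow(script),                    // no https:, data: or unrestricted script-src
    pluginsRestricted: narrow(effective(d, 'object-src')),
    inlineStyleBlocked: style !== null && !style.includes("'unsafe-inline'"),
    denyByDefault: (d['default-src'] || []).includes("'none'"),
    clickjackingProtected: Boolean(d['frame-ancestors']),
    baseUriRestricted: narrow(d['base-uri'] || null),     // does not inherit default-src
    formActionRestricted: narrow(d['form-action'] || null),
    strictDynamic: script !== null && script.includes("'strict-dynamic'"),
  };
}

console.log(checkCsp(WEAK_POLICY), checkCsp(STRICT_POLICY));
```

The weak policy fails the inline-script, object-src and base-uri tests for exactly the reasons the table gives, while the strict one passes every row because its nonce neutralises the 'unsafe-inline' it carries for older browsers.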
I found when validating CSP strings that it had “upgrade-insecure-requests”, an experimental directive that will likely be added to the CSP specification.
Adding script-src gave “directive is missing”,
and for “object-src”, that when this is missing, injection of plug-ins which can execute JS is possible.
So it is better to set it to ‘none’.
Referring to the DNS info above, I recall Firefox is introducing additional measures for secure DNS connections, a bit like HTTPS secure connections. I commented on how/if Avast would deal with this additional protection level.
An example where digging goes wrong.
DNS lookup fails with “254.242.55.65.in-addr.arpa” for instance.
DNSQuerySniffer, running under the browser, does not come up with a reply and cannot resolve.
You often experience that with PTR requests that involve MS.
So I then looked here:
id 7223
opcode QUERY
rcode NXDOMAIN
flags QR RD RA
;QUESTION
254.242.55.65.in-addr.arpa. IN A
;ANSWER
;AUTHORITY
55.65.in-addr.arpa. 1799 IN SOA ns1.msft.net. msnhst.microsoft.com. 2019121601 7200 900 7200000 3600
;ADDITIONAL
This with the Toolbox Google app's Dig DNS lookup.
Just as we expected: NXDOMAIN, a domain that is not registered, or the result of some server hiccup.
Many folks never really studied DNS and the ways to manipulate DNS.
A shame really, for it is an important issue, playing out everywhere, also in the background (Cloud, Big Tech data retrieving).
Conclusion here: “Parties fail to innovate and to overhaul, and that even partly”, or just call it like Americans do, “sloppiness”, whatever.
Errors in browser console: Refused to load the image ‘hxtps://lite.qwant.com/img/v4/header/header-bg-tablet.svg?redirect=OperaMobi13.04&1539938515=’ because it violates the following Content Security Policy directive: "img-src blob: 'self' s1.qwant.com s2.qwant.com s.qwant.com data: s-boards.qwant.com s-lite.qwant.com www.qwant.com".
To make the theoretical ideas stand out more practically: when we combine retire.JS, the domstorm repository, SNYK, vulners etc., the point is to know how to protect against this, especially against abuse combined with payload injectors (XSSight abuse etc.).
In general: Defenses against XSS
What input do we trust? (browser- and client-side validation)
Does it adhere to expected patterns?
Never simply reflect untrusted data.
Applies to data within our database too.
Encoding according to context (JavaScript/attribute/HTML/CSS).
Let us take a particular example with known abuse and analyse the retirable jQuery library there.
Re: https://www.abuseipdb.com/check/195.62.29.11 *
Check that particular IP for “vulners”: https://www.shodan.io/host/195.62.29.11 common OpenSSH abuse…
Site report: https://sitereport.netcraft.com/?url=http%3A%2F%2Fparagon.net.uk
We see an outdated WordPress CMS version there: WordPress Version 4.9.13
We see it has passed various reputation checks (questionable in the light of the abuse report, see above *)
Reputation Check
PASSED
Google Safe Browse: OK
Spamhaus Check: OK
Abuse CC: OK
Dshield Blocklist: OK
Cisco Talos Blacklist: OK
External hosts also Google Safe Browsing approved:
Externally Linked Host Hosting Provider Country
-www.godaddy.com GTT Communications Inc. United States
-www.heg.com Host Europe GmbH United Kingdom
-domains.meshdigital.com Host Europe GmbH United Kingdom
-www.domainbox.com Host Europe GmbH United Kingdom
-aboutus.godaddy.net Dosarrest Internet Security LTD United States
Sources, output that could be controlled: .top! .innerHTML= [name= .location. .name write( opener| .parent .open( .op= =top+ "top"
Sinks, methods to do so: .value href= data= .src=
Also valuable info from: https://webcookies.org/cookies/www.heg.com/28887761?484748
about outdated PHP and excessive server info proliferation; X-Powered-By: PHP/5.4.44
The header exposes web server version details. These serve no purpose apart from making the life of security auditors and hackers easier, leading them straight to exploits for this particular version of the product - Server: Apache/2.2.15 (CentOS)
→ https://www.centos.org/forums/viewtopic.php?t=65285
Results of the vulners web scanner extension on the HEG website:
wXw.heg.com
Apache, headers
Not vulnerable
PHP, headers - 5.4.44
Vulnerable 7.5
jQuery, headers - 1.3
Not vulnerable
jQuery, script
Not vulnerable
jQuery Migrate, script
Not vulnerable
Bootstrap, script
Not vulnerable
Font Awesome, html
Not vulnerable
Yoast SEO, html - 4.5
Not vulnerable
Wordpress - 4.9.13
Not vulnerable
2017 - Vulners.com
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
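As an added example (not the poster's code and not any scanner's actual engine), here is a crude static scan for the DOM XSS sources and sinks listed in this post, run over a constructed sample script; the regex tables and the sample are assumptions for the demo.

```javascript
// Added example, not from the forum post: a crude static scan for the DOM XSS
// sources (attacker-influenced inputs) and sinks (places that interpret a string
// as HTML, URL or code) listed above. The sample script is constructed for the demo.
const SOURCES = [
  ['location', /\b(document\.)?location(\.(href|search|hash|pathname))?\b/],
  ['document.URL/referrer', /\bdocument\.(URL|documentURI|referrer|baseURI)\b/],
  ['window.name', /\bwindow\.name\b/],
  ['opener', /\bopener\b/],
];
const SINKS = [
  ['innerHTML/outerHTML=', /\.(innerHTML|outerHTML)\s*=/],
  ['document.write(', /\bdocument\.write(ln)?\s*\(/],
  ['eval(', /\beval\s*\(/],
  ['src/href/action=', /\.(src|href|action)\s*=/],
  ['insertAdjacentHTML(', /\.insertAdjacentHTML\s*\(/],
  // jQuery $() fed a non-literal: older versions parse such strings as HTML.
  ['$(non-literal)', /\$\s*\(\s*(?!['"]|function\b|document\b)/],
];

// Returns per-line findings plus the lines where a source and a sink meet on the
// same line: the simplest source-to-sink flow, and the first thing to review.
function scanForDomXss(jsText) {
  const findings = [];
  const directFlows = [];
  jsText.split('\n').forEach((text, i) => {
    const line = i + 1;
    const hit = (table) => table.filter(([, re]) => re.test(text)).map(([label]) => label);
    const sources = hit(SOURCES);
    const sinks = hit(SINKS);
    if (sources.length) findings.push({ line, kind: 'source', matches: sources });
    if (sinks.length) findings.push({ line, kind: 'sink', matches: sinks });
    if (sources.length && sinks.length) directFlows.push(line);
  });
  return { findings, directFlows };
}

// Constructed sample: the kind of code a DOM XSS scan flags on a page.
const SAMPLE_SCRIPT = [
  "var q = location.search.substring(1);",              // 1: source
  "document.getElementById('out').innerHTML = q;",      // 2: sink fed by q (needs tracing)
  "var n = window.name;",                               // 3: source
  "document.write('<p>' + n + '</p>');",                // 4: sink
  "img.src = 'https://example.test/pixel.gif';",        // 5: sink with a literal value (low risk)
  "var safe = document.createTextNode(q);",             // 6: neither
  "el.innerHTML = location.hash.slice(1);",             // 7: source and sink on one line
].join('\n');

console.log(scanForDomXss(SAMPLE_SCRIPT));
```

A source and a sink on separate lines (lines 1 and 2 here) still need the variable traced by hand; the scan only narrows down where to look.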
Linting for JavaScript errors and flaws, e.g. javascript-validation.
Combine with results from the vulners web scanner extension, the Zen Mate Web Firewall extension, the JavaScript Error Notifier extension and the shodan extension for eventual website server info.
Line Col Errors
222 58 Unnecessary semicolon.
258 18 ‘options’ is defined but never used.
298 22 ‘e’ is defined but never used.
308 28 ‘e’ is defined but never used.
360 35 ‘options’ is defined but never used.
399 1 ‘new_max’ is defined but never used.
424 53 ‘options’ is defined but never used.
475 1 ‘whCustom’ is defined but never used.
530 22 ‘index’ is defined but never used.
460 1 ‘html_el’ is defined but never used.
464 1 ‘full_slider’ is defined but never used.
651 8 Use ‘===’ to compare with ‘0’.
695 27 ‘direction’ is defined but never used.
751 58 Expected an assignment or function call and instead saw an expression.
760 9 [‘jswing’] is better written in dot notation.
760 30 [‘swing’] is better written in dot notation.
794 62 A leading decimal point can be confused with a dot: ‘.3’.
801 62 A leading decimal point can be confused with a dot: ‘.3’.
808 65 A leading decimal point can be confused with a dot: ‘.3’.
811 22 A leading decimal point can be confused with a dot: ‘.5’.
812 71 A leading decimal point can be confused with a dot: ‘.5’.
834 41 A leading decimal point can be confused with a dot: ‘.75’.
836 44 A leading decimal point can be confused with a dot: ‘.9375’.
838 47 A leading decimal point can be confused with a dot: ‘.984375’.
842 70 A leading decimal point can be confused with a dot: ‘.5’.
843 60 A leading decimal point can be confused with a dot: ‘.5’.
843 67 A leading decimal point can be confused with a dot: ‘.5’.
781 49 Use ‘===’ to compare with ‘0’.
784 6 Use ‘===’ to compare with ‘0’.
794 6 Use ‘===’ to compare with ‘0’.
795 33 ‘s’ is already defined.
796 10 ‘s’ is already defined.
801 6 Use ‘===’ to compare with ‘0’.
802 33 ‘s’ is already defined.
803 10 ‘s’ is already defined.
808 6 Use ‘===’ to compare with ‘0’.
809 33 ‘s’ is already defined.
810 10 ‘s’ is already defined.
815 7 Use ‘===’ to compare with ‘undefined’.
819 7 Use ‘===’ to compare with ‘undefined’.
823 7 Use ‘===’ to compare with ‘undefined’.
906 50 ‘delay’ is defined but never used.
1173 17 Use ‘===’ to compare with ‘true’.
1289 5 ‘win’ is defined but never used.
1186 22 ‘avia_is_mobile’ is not defined.
Then we are going to compare with the detected sinks and sources via a DOM XSS scan:
jQuery versions with known weaknesses
Bug 9521 - $("#")
Bug 11290 - $("element[attribute=''")
jQuery issue 2432 - 3rd party $.get() auto executes if content type is text/javascript
jQuery issue 11974 - parseHTML executes inline scripts like event handlers
enjoy, my good friends, enjoy.
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)