Would expect better website security on a renowned endpoint security site!

polonus · 2017-06-05T12:52:27.000Z

Top researchers also can have sites that have security flaws.
I very much doubt the people at Cyber Security Research are even aware of following site’s insecurities. :o

Look here, a meagre F-Status and according recommendations: https://observatory.mozilla.org/analyze.html?host=www.morphisec.com
Then retirable vulnerable jQuery libraries detected: http://retire.insecurity.today/#!/scan/7f3175d25a7002b0adf6f37e17f90bfa5992bad10e175a6f74154ef796e5ede6

D-status for issues for sri hashes not being generated: https://sritest.io/#report/5ddc240f-0631-4b56-9ee4-a16f8e5e9cb2

Re: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwww.morphisec.com%2F

Outdated plug-in: WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress sites front page.

simple-share-buttons-adder 6.3.4 latest release (6.3.5) Update required
https://simplesharebuttons.com
Plugins are a source of many security vulnerabilities within WordPress installations, always keep them updated to the latest version available and check the developers plugin page for information about security related updates and fixes.

Security through obscurity: http://www.domxssscanner.com/scan?url=http%3A%2F%2F2zprirhczd51638uv19ng3rp.wpengine.netdna-cdn.com

polonus (volunteer website security analyst and website error-hunter)

polonus · 2017-06-05T19:50:15.000Z

Do not take me wrong, website is neither suspicious nor has malware for that matter,
but website security for it is not maintained with best policies in mind,
and for a site like this, we would expect it to be a little more advanced as so to put it.

With staff members graduated from Ben-Gurion Faculty of Engineering Sciences one should know better.
You guys should be among the best and “top of the bill”…
and not produce a mediocre website with a run of the mill security status.

Let us have a closer look here, just some aspects of the code, we encountered through cold reconnaissance scanning,
not actually going there as we got public scanresults everyone can obtain.

When we look at the jQuery library to be retired, we find this error in the code

script
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [decodingLevel=0] found JavaScript
error: undefined function p.getElementsByTagName
error: undefined variable p

string not detected as name of a function. Cannot differentiate HTML selectors.

Consider: https://urlscan.io/result/a9e07dc1-1fae-43b5-8bbb-88533699d891#summary
and especially: https://urlscan.io/result/a9e07dc1-1fae-43b5-8bbb-88533699d891/dom/

Be aware of these tracking links: htxp://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.6
and consider sources and sinks here: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fjs.zohostatic.com%2Fsalesiq%2FJun_01_2017_1_https%2Fjs%2Ftrack.js

&

Results from scanning URL: hxtps://www.gstatic.com//atari//js/k=atari.vw.en_US.vQYigNJPv88.O/m=view/rt=j/d=1/rs=AGEqA5mGYe3uCX3y6MV8u2Af6EtjBqnnCg
Number of sources found: 96
Number of sinks found: 45

not flagged anywhere, so probably benign.

Damian aka polonus

Announcements