XSS-attack on this website or false alarm?

system · 2015-11-01T14:56:37.000Z

Hello!

I went to visit the website “teamfrourstar.com”, a website of Dragon Ball Z abridged parody dubbing team. I’ve visited this site countles times before, but just now something appeared; when I went to watch one of their newest videos and was going to activate Flash player (I keep it on asking permission setting as default), but then Noscript alerted me about possible XSS-attack on the site, but after visiting the page where Noscript showed the alert, it gave me nothing. Im not sure if this is falce positive or what, could someone check it out? ??? Sucuri shows up clean, as does Virustotal.

https://sitecheck.sucuri.net/results/teamfourstar.com

https://www.virustotal.com/en/url/c192841decc5f9f5578e12a89bcb01b999fa961f554620884039675886b861a0/analysis/

EDIT: It seemed to happen again when I tried opening website in new browser window window. Noscpript console shows this (part of text is in finnish, but I hope you can make out some of it):

ReferenceError: googletag is not defined dbz-abridged-movie-super-android-13-teamfourstar-tfs:3902:2 TypeError: sing is undefined bal.js:931:17 [NoScript InjectionChecker] JavaScript Injection in ///u/function ()t.__noSuchMethod__(n,Array.prototype.slice.call(arguments))/se/0/_/ 1/fastbutton?usegapi=1&width=100&size=medium&origin=http://teamfourstar.com&url=http://teamfourstar.com/video/dbz-abridged-movie-super-android-13-teamfourstar-tfs/&gsrc=3p&ic=1&jsh=m;/_/scs/apps-static/_/js/k=oz.gapi.fi.SYxU0C_41cA.O/m=__features__/am=AQ/rt=j/d=1/t=zcms/rs=AGLTcCN6vod5mWx6CTilOJQAzWyzkwEqAg#_methods=onPlusOne,_ready,_close,_open,_resizeMe,_renderstart,oncircled,drefresh,erefresh,onload&id=I0_1446392001374&parent=http://teamfourstar.com&pfname=&rpctoken=10178753 (function anonymous() { u/function ()t.__noSuchMethod__(n,Array.prototype.slice.call(arguments)) /* COMMENT_TERMINATOR */ DUMMY_EXPR }) [NoScript XSS] Siistitty epäilyttävä pyyntö. Alkuperäinen URL [-https://apis.google.com/u/function%20()t.__noSuchMethod__(n,Array.prototype.slice.call(arguments))/se/0/_/+1/fastbutton?usegapi=1&width=100&size=medium&origin=http%3A%2F%2Fteamfourstar.com&url=http%3A%2F%2Fteamfourstar.com%2Fvideo%2Fdbz-abridged-movie-super-android-13-teamfourstar-tfs%2F&gsrc=3p&ic=1&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.fi.SYxU0C_41cA.O%2Fm%3D__features__%2Fam%3DAQ%2Frt%3Dj%2Fd%3D1%2Ft%3Dzcms%2Frs%3DAGLTcCN6vod5mWx6CTilOJQAzWyzkwEqAg#_methods=onPlusOne%2C_ready%2C_close%2C_open%2C_resizeMe%2C_renderstart%2Concircled%2Cdrefresh%2Cerefresh%2Conload&id=I0_1446392001374&parent=http%3A%2F%2Fteamfourstar.com&pfname=&rpctoken=10178753] pyydetty kohteesta [-http://teamfourstar.com/video/dbz-abridged-movie-super-android-13-teamfourstar-tfs/]. Siistitty URL: [-https://apis.google.com/u/FUNCTION%20%20%20t.__NOSUCHMETHOD__%20n,Array.prototype.slice.call%20arguments%20%20/se/0/_/+1/fastbutton?usegapi=1&width=100&size=medium&origin=http%3A%2F%2Fteamfourstar.com&url=http%3A%2F%2Fteamfourstar.com%2Fvideo%2Fdbz-abridged-movie-super-android-13-teamfourstar-tfs%2F&gsrc=3p&ic=1&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%20oz.gapi.fi.SYxU0C_41cA.O%2Fm%20__features__%2Fam%20AQ%2Frt%20j%2Fd%201%2Ft%20zcms%2Frs%20AGLTcCN6vod5mWx6CTilOJQAzWyzkwEqAg#9956950407942605437]. TypeError: sing is undefined bal.js:931:17 about:blank : Unable to run script because scripts are blocked internally. Sivusto käyttää SHA-1 -varmennetta. On suositeltua käyttää varmenteita, joiden allekirjoitusalgoritmit käyttävät SHA-1:ä vahvempia tiivistefunktioita.[Learn More] www.facebook.com about:blank : Unable to run script because scripts are blocked internally. Turvallisuusvirhe: Sisältö kohteessa -https://plus.google.com/u/FUNCTION%20%20%20t.__NOSUCHMETHOD__%20n,Array.prototype.slice.call%20arguments%20%20/se/0/_/+1/fastbutton?usegapi=1&width=100&size=medium&origin=http://teamfourstar.com&url=http://teamfourstar.com/video/dbz-abridged-movie-super-android-13-teamfourstar-tfs/&gsrc=3p&ic=1&jsh=m;/_/scs/apps-static/_/js/k+oz.gapi.fi.SYxU0C_41cA.O/m+__features__/am+AQ/rt+j/d+1/t+zcms/rs+AGLTcCN6vod5mWx6CTilOJQAzWyzkwEqAg#9956950407942605437 ei voi ladata dataa kohteesta -http://teamfourstar.com/video/dbz-abridged-movie-super-android-13-teamfourstar-tfs/. Load denied by X-Frame-Options: -https://plus.google.com/u/FUNCTION%20%20%20t.__NOSUCHMETHOD__%20n,Array.prototype.slice.call%20arguments%20%20/se/0/_/+1/fastbutton?usegapi=1&width=100&size=medium&origin=http://teamfourstar.com&url=http://teamfourstar.com/video/dbz-abridged-movie-super-android-13-teamfourstar-tfs/&gsrc=3p&ic=1&jsh=m;/_/scs/apps-static/_/js/k+oz.gapi.fi.SYxU0C_41cA.O/m+__features__/am+AQ/rt+j/d+1/t+zcms/rs+AGLTcCN6vod5mWx6CTilOJQAzWyzkwEqAg#9956950407942605437 does not permit cross-origin framing. TypeError: sing is undefined bal.js:931:17 TypeError: site is null DirectoryLinksProvider.jsm:504:13 Sivusto käyttää SHA-1 -varmennetta. On suositeltua käyttää varmenteita, joiden allekirjoitusalgoritmit käyttävät SHA-1:ä vahvempia tiivistefunktioita.[Learn More] uib.ff.avast.com TypeError: site is null DirectoryLinksProvider.jsm:504:13 about:blank : Unable to run script because scripts are blocked internally. about:blank : Unable to run script because scripts are blocked internally. Use of getAttributeNode() is deprecated. Use getAttribute() instead. desktop_module_main.js:83:0 about:blank : Unable to run script because scripts are blocked internally. about:blank : Unable to run script because scripts are blocked internally. about:blank : Unable to run script because scripts are blocked internally. about:blank : Unable to run script because scripts are blocked internally. about:blank : Unable to run script because scripts are blocked internally. about:blank : Unable to run script because scripts are blocked internally. about:blank : Unable to run script because scripts are blocked internally. about:blank : Unable to run script because scripts are blocked internally. about:blank : Unable to run script because scripts are blocked internally. about:blank : Unable to run script because scripts are blocked internally.

^I made inserted links unlinkable.

polonus · 2015-11-01T17:03:41.000Z

Vulnerabilities on website. WordPress: Warning Directory Indexing Enabled
In the test we attempted to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is an information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/ enabled

-http://teamfourstar.com
Detected libraries:
jquery-migrate - 1.2.1 : -http://teamfourstar.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 1.11.3 : (active1) -http://teamfourstar.com
(active) - the library was also found to be active by running code
1 vulnerable library detected

Vulnerability DOM-XSS: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fconnect.facebook.net%2Fen_US%2Fall.js

On this external link: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fcdnjs.cloudflare.com%2Fajax%2Flibs%2Fmodernizr%2F2.7.1%2Fmodernizr.min.js%3Fver%3D2.7.1
-https://cdnjs.cloudflare.com
Detected libraries:
handlebars.js - 1.0.0 : (active1) -https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/1.0.0/handlebars.min.js
Info: Severity: medium
https://github.com/wycats/handlebars.js/pull/1083
jquery - 1.7.2 : (active1) -https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
(active) - the library was also found to be active by running code
2 vulnerable libraries detected

&
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fcdnjs.cloudflare.com%2Fajax%2Flibs%2Fselectivizr%2F1.0.2%2Fselectivizr-min.js%3Fver%3D1.0.2

polonus

system · 2015-11-01T17:22:02.000Z

Reported this to the site’s owners, see if they can help it anyhow.

polonus · 2015-11-01T23:16:28.000Z

Thank you, Pernaman, as this thread’s contents are also kind of an instruction to those that come to visit here
to be attentive to insecurities.
In that respect our postings are also instructional and educational as it is again the same errors that are being made,
outdated server software and misconfigurations or bad settings, outdated, unpatched and even left content managment software that even could better be retired. User enumeration enabled, directory listings enabled, excessive server header info proliferation, PHP vulnerabilities, clickjacking vulnerabilities, XSS exploitable code to mention the most prevailing issues.
Those that follow the cold reconnaissance third party website scan postings here, will now know not to make these basic mistakes anymore.

Damian

system · 2015-11-01T23:31:45.000Z

Thank you for your words

The usual way I notice these things is by checking out some of stuff I post here is checking websites I visit in online scanners out of curiosity/doubt, or when I notice something weird when visiting sites. Part of this could be my general anxiety/slight possible cyberphobia. But nothingless I as much as anyone I like being more secure on the web, though it migh make me paranoid in eyes of some people, since I usually worry about security of my PC even with all antivirus/malware & browser security tools I use. :-[ Byt notheless I most of all try to do my part keeping web browsing safe for everyone else and myself.

polonus · 2015-11-01T23:58:39.000Z

Hi Pernaman,

While doing this you get more and more experience and your insights and your online security will only grow!
I have learned to not accept things while others say so, but always check whether I am right or wrong myself.
That is why third party cold reconnaisance scanning in a sandbox environment is so rewarding.
You are never to access the suspicious or malicious websites directly yourself, but use third party scan results in stead.
Sometimes these can also come blocked as sometimes too much of (mal)code is being detected (often without any payload, but nevertheless).
There is also a special Mozilla browser to do this scanning and it is called Malzilla (a wonderful concept).
Download and try it and load that suspicious url there (yes it is sandboxed by design ).
Well, or read through my “musings thread” in the general section of this forum, where I give some more examples, like http://fetch.scritch.org/ and working a websites source code through for instance Redlegs fileviewer via a web proxy.

polonus

system · 2015-12-12T11:35:31.000Z

No more XSS alerts on this website it seems

polonus · 2015-12-12T14:49:30.000Z

Hi Pernaman,

So you see what we are doing here really makes sense and the follow up of it really brings advanced security to both those of the website and those that come to visit it. So keep reporting your issues, please
We try to get enhanced awareness, it is a very slow process, but as here in this case we make progress into the right direction trying to make the website landscape online a tiny bit more secure.

polonus

system · 2016-02-18T10:18:42.000Z

Too bad to return to this issue, but seemingly Noscript gave another XSS alert from this website when browsing some of it’s older videos with seemingly different flash player than more recent content. Here’s what console gave me:

Overriding failed (2147500037) redirect callback for 12: http://image.screenwavemedia.com/TeamFourStar-56c2d8fea3bdb_thumb_640x360.jpg -> http://image.screenwavemedia.com/TeamFourStar-56c2d8fea3bdb_thumb_640x360.jpg - 2
Overriding failed (2147500037) redirect callback for 12: http://imasdk.googleapis.com/flash/sdkloader/adsapi_3.swf -> http://imasdk.googleapis.com/flash/sdkloader/adsapi_3.swf - 2
Overriding failed (2147500037) redirect callback for 12: http://s0.2mdn.net/crossdomain.xml -> http://s0.2mdn.net/crossdomain.xml - 2
Overriding failed (2147500037) redirect callback for 12: http://pubads.g.doubleclick.net/crossdomain.xml -> http://pubads.g.doubleclick.net/crossdomain.xml - 2
[NoScript InjectionChecker] JavaScript Injection in ///u/function ()t.__noSuchMethod__(n,Array.prototype.slice.call(arguments))/se/0/_/ 1/fastbutton?usegapi=1&width=100&size=medium&origin=http://teamfourstar.com&url=http://teamfourstar.com/video/ygotas-episode-20-rebexorcist/&gsrc=3p&ic=1&jsh=m;/_/scs/apps-static/_/js/k=oz.gapi.fi.YehYBWv3VuQ.O/m=__features__/am=AQ/rt=j/d=1/t=zcms/rs=AGLTcCMQufx5DWT7HutEX7wvWDDrcxKsHw#_methods=onPlusOne,_ready,_close,_open,_resizeMe,_renderstart,oncircled,drefresh,erefresh,onload&id=I0_1455789471209&parent=http://teamfourstar.com&pfname=&rpctoken=35040168
(function anonymous() {
u/function ()t.__noSuchMethod__(n,Array.prototype.slice.call(arguments)) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Siistitty epäilyttävä pyyntö. Alkuperäinen URL [https://apis.google.com/u/function%20()t.__noSuchMethod__(n,Array.prototype.slice.call(arguments))/se/0/_/+1/fastbutton?usegapi=1&width=100&size=medium&origin=http%3A%2F%2Fteamfourstar.com&url=http%3A%2F%2Fteamfourstar.com%2Fvideo%2Fygotas-episode-20-rebexorcist%2F&gsrc=3p&ic=1&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.fi.YehYBWv3VuQ.O%2Fm%3D__features__%2Fam%3DAQ%2Frt%3Dj%2Fd%3D1%2Ft%3Dzcms%2Frs%3DAGLTcCMQufx5DWT7HutEX7wvWDDrcxKsHw#_methods=onPlusOne%2C_ready%2C_close%2C_open%2C_resizeMe%2C_renderstart%2Concircled%2Cdrefresh%2Cerefresh%2Conload&id=I0_1455789471209&parent=http%3A%2F%2Fteamfourstar.com&pfname=&rpctoken=35040168] pyydetty kohteesta [http://teamfourstar.com/video/ygotas-episode-20-rebexorcist/]. Siistitty URL: [https://apis.google.com/u/FUNCTION%20%20%20t.__NOSUCHMETHOD__%20n,Array.prototype.slice.call%20arguments%20%20/se/0/_/+1/fastbutton?usegapi=1&width=100&size=medium&origin=http%3A%2F%2Fteamfourstar.com&url=http%3A%2F%2Fteamfourstar.com%2Fvideo%2Fygotas-episode-20-rebexorcist%2F&gsrc=3p&ic=1&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%20oz.gapi.fi.YehYBWv3VuQ.O%2Fm%20__features__%2Fam%20AQ%2Frt%20j%2Fd%201%2Ft%20zcms%2Frs%20AGLTcCMQufx5DWT7HutEX7wvWDDrcxKsHw#5734793525529194408].

Sorry for part of it being finnish, but the last sentence tells about suspicious request being filtered.

Announcements