
Topic: Any recommendations for a simple site vulnerability validation tool

John_Betong

  • Full Member
  • ***
  • Posts: 218
  • Karma: +24/-1
    • The Fastest Joke Site On The Web
I'm a great believer in free site validation tools (listed below), such as the ones w3.org has for testing HTML and CSS... are there similar free tools that check if a site has security vulnerabilities?

HTML validation
https://validator.w3.org/

CSS validation
https://jigsaw.w3.org/css-validator/

Webpage Speed Test
https://tools.pingdom.com/

I would like to be able to add my site and have a list of vulnerabilities preferably with solution links.
Retired in the City of Angels where the weather suits my clothes

coothead

  • Sr. Member
  • ****
  • Posts: 390
  • Karma: +89/-0
  • I smile benignly
    • coothead's stuff ~ an eclectic collection
Hi there John,

here is a list of some of the Web Developer - extension/addon tools...


I have no recommendations to make, good or bad.  :o
All I can suggest is 'suck it and see'  8)

coothead
~ the original bald headed old fart ~

GrumpyYoungMan

  • Hero Member
  • *****
  • Posts: 787
  • Karma: +8/-0
    • Grumpy Young Man
There would probably be too many variables for an off-the-shelf vulnerability scanner. I'm not sure if any IDEs have that capability either...

Is this for your own code or for a more general use?
« Last Edit: 21 Feb 2021, 07:04:22 am by GrumpyYoungMan »
Trying to learn a new trick to prove old dogs can learn new ones...

Total Novice have-a go Amateur Programmer - not sure that is the right thing to say... but trying to learn...

John_Betong

  • Full Member
  • ***
  • Posts: 218
  • Karma: +24/-1
    • The Fastest Joke Site On The Web
Quote from: coothead
Hi there John,

here is a list of some of the Web Developer - extension/addon tools...
I have no recommendations to make, good or bad.  :o
All I can suggest is 'suck it and see'  8)

Hi @coothead,

Many thanks for the prompt reply. I tried the supplied links but none gave the information I required :(

I've found the site below which does what I want, and I now have a list of recommendations.

https://observatory.mozilla.org/

I tried your site and it got the following results:
Score: 35/100
Tests Passed: 6/11

The problem now is to see which vulnerabilities are critical and which ones I can ignore.
« Last Edit: 21 Feb 2021, 11:16:29 pm by John_Betong »
Retired in the City of Angels where the weather suits my clothes

coothead

  • Sr. Member
  • ****
  • Posts: 390
  • Karma: +89/-0
  • I smile benignly
    • coothead's stuff ~ an eclectic collection
Quote from: John_Betong
I tried your site and it got the following results:
Score: 35/100
Tests Passed: 6/11

Well, that is all very interesting.

The site informs me that I am in desperate need of
frame-ancestors to avoid the devil knows what.  :o

Unfortunately, it does not inform me on how to
install the magic cure.

Is this an htaccess issue?

Perhaps, you could take me by the hand and guide
me to safety?


coothead
« Last Edit: 22 Feb 2021, 05:40:10 am by coothead »
~ the original bald headed old fart ~

coothead

  • Sr. Member
  • ****
  • Posts: 390
  • Karma: +89/-0
  • I smile benignly
    • coothead's stuff ~ an eclectic collection
Hi there John,

I've added this...
Code:
# Apache .htaccess response headers (needs mod_headers enabled)
Header set Referrer-Policy "same-origin"

# A second "Header set" with the same name replaces the first value, so both
# CSP directives go into one header (the original had them as two lines, one
# with a stray colon after the header name and one missing its closing quote)
Header set Content-Security-Policy "default-src 'self'; frame-ancestors 'self'"

Header set X-FRAME-OPTIONS "deny"

Header set X-Content-Type-Options "nosniff"

...to my .htaccess file and it now gives the following results:

Score: 60/100
Tests Passed: 7/11

Is that good or do I need to go poke around some more?

I noticed that this forum has this result:

Score: 10/100
Tests Passed: 7/11


coothead
« Last Edit: 22 Feb 2021, 08:46:04 am by coothead »
~ the original bald headed old fart ~
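John's follow-up question is which of the reported findings matter. The small audit below is an added example, not code from this thread or from Mozilla Observatory: it checks a response header set for the five headers discussed in the thread and explains each gap. The sample header set is constructed by hand from coothead's .htaccess above, as a browser would receive it (a repeated `Header set` of the same name replaces the earlier value, which is why both CSP directives share one header here).

```python
"""Toy audit of the response headers discussed in this thread.  Added
example, not code from the thread or from Mozilla Observatory.  The sample
header set is constructed from coothead's .htaccess as a browser would
receive it."""
import re

SIX_MONTHS = 60 * 60 * 24 * 182   # common minimum for an HSTS max-age

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit(headers):
    """Return (header, problem) findings; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    findings = []
    if "default-src" not in csp:
        findings.append(("Content-Security-Policy", "no default-src fallback"))
    framed_ok = ("frame-ancestors" in csp
                 or h.get("x-frame-options", "").lower() in ("deny", "sameorigin"))
    if not framed_ok:
        findings.append(("frame-ancestors", "page can be framed (clickjacking)"))
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not hsts or int(hsts.group(1)) < SIX_MONTHS:
        findings.append(("Strict-Transport-Security", "missing or max-age too short"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "MIME sniffing not disabled"))
    if "referrer-policy" not in h:
        findings.append(("Referrer-Policy", "full referrer leaks to other sites"))
    return findings

# Constructed from the .htaccess above; header names as Apache emits them.
COOTHEAD = {
    "Referrer-Policy": "same-origin",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-FRAME-OPTIONS": "deny",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for header, problem in audit(COOTHEAD):
        print(f"{header}: {problem}")
```

Run against the constructed set, the only finding is the missing Strict-Transport-Security header; an empty header set produces all five.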

John_Betong

  • Full Member
  • ***
  • Posts: 218
  • Karma: +24/-1
    • The Fastest Joke Site On The Web
Like yourself I have no idea what frame-ancestors involves.

I had a similar warning and after extensive Googling managed to install a missing module file, which helped but still needed .htaccess modifications.

May I suggest copying the complete warning and hope that @benanamen can offer assistance. I believe he is the resident security guru :)
« Last Edit: 22 Feb 2021, 09:56:48 am by John_Betong »
Retired in the City of Angels where the weather suits my clothes

coothead

  • Sr. Member
  • ****
  • Posts: 390
  • Karma: +89/-0
  • I smile benignly
    • coothead's stuff ~ an eclectic collection
Hi there John,

after my .htaccess update my site can no longer be iframed,
which, if my understanding is correct, means it should now
not be vulnerable to 'clickjacking', whatever that may mean.  :o

I presume that it was ...
Code:
Header set X-FRAME-OPTIONS "deny"

...that now makes my site emulate Google's search page.  :)

What the others do, in his infinite wisdom, God only knows  ;D

coothead
~ the original bald headed old fart ~

John_Betong

  • Full Member
  • ***
  • Posts: 218
  • Karma: +24/-1
    • The Fastest Joke Site On The Web
Hi @coothead,

I'm delighted that after lots of trial and error, the following .htaccess additions achieve an excellent result. The web page no longer displays external images!

Code:
# Apache .htaccess response headers (needs mod_headers enabled)
Header set Content-Security-Policy "default-src 'self'; script-src 'self';"

# "Header set" takes the header name without a trailing colon (the original
# wrote "Strict-Transport-Security:" and "X-Content-Type-Options:")
Header set Strict-Transport-Security "max-age=63072000"

Header set X-FRAME-OPTIONS "deny"

Header set X-Content-Type-Options "nosniff"


https://john-betong.tk

« Last Edit: 23 Feb 2021, 10:53:03 am by John_Betong »
Retired in the City of Angels where the weather suits my clothes

coothead

  • Sr. Member
  • ****
  • Posts: 390
  • Karma: +89/-0
  • I smile benignly
    • coothead's stuff ~ an eclectic collection
Hi there John,

the best that I can achieve is:

B+
Score: 80/100
Tests Passed: 10/11

I could get an A+, but I would have to remove this page...

The Complete Google Font Collection

...because of this...

Code:
// Fetch the Google Fonts catalogue from the webfonts API (asynchronous GET)
var requestURL = 'https://www.googleapis.com/webfonts/v1/webfonts?';
var request = new XMLHttpRequest();
request.open( 'GET', requestURL, true );
request.send();

coothead

~ the original bald headed old fart ~

John_Betong

  • Full Member
  • ***
  • Posts: 218
  • Karma: +24/-1
    • The Fastest Joke Site On The Web
@coothead,

You did well to get B+ 10/11.

I've had a brief, unsuccessful search to see if external images and files could be included with an override.

Any other users have suggestions?


Edit:
Perhaps use a less severe .htaccess file for the web page that reduces your score?
« Last Edit: 28 Feb 2021, 01:56:29 pm by John_Betong »
Retired in the City of Angels where the weather suits my clothes

coothead

  • Sr. Member
  • ****
  • Posts: 390
  • Karma: +89/-0
  • I smile benignly
    • coothead's stuff ~ an eclectic collection
Hi there John,

The problem was with this...
Code:
var requestURL = 'https://www.googleapis.com/webfonts/v1/webfonts?';

...where I had omitted the app key that went after the ?. :(

According to the W3C, it must match the URL in its entirety.

Code:
connect-src https://www.googleapis.com/webfonts/v1/webfonts?key=AIzaSyCs464p5-UvUraP30-1kZD3JCfnq8DIDzc

coothead
« Last Edit: 28 Feb 2021, 02:58:05 pm by coothead »
~ the original bald headed old fart ~
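Both CSP questions in this thread, John's external images being blocked once `default-src 'self'` is set and coothead's `connect-src` entry for the Google Fonts endpoint, come down to how a browser matches a resource URL against the policy's source expressions. The matcher below is an added example, not code from the thread: it applies the fetch-directive fallback (`img-src` or `connect-src`, else `default-src`) and the common source expressions, so you can test a policy change before editing .htaccess. The page origin, the CDN host and the `key=PLACEHOLDER` value are constructed.

```python
"""Toy CSP decision: would a resource load under a policy?  Added example,
not code from this thread.  Models the fetch-directive fallback (img-src /
connect-src, else default-src) and the common source expressions.
Simplifications: ports are ignored, a bare host source takes the page's
scheme, and the query string is never compared (CSP matches paths only)."""
from urllib.parse import urlsplit

def parse_csp(value):
    """Split a policy string into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allows(src, url, page_origin):
    """Does one source expression match the resource URL?"""
    u = urlsplit(url)
    if src in ("'none'", "*"):
        return src == "*"
    if src == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if src.endswith(":"):                 # scheme source such as https:
        return u.scheme == src[:-1]
    if "://" not in src:                  # bare host: inherit page scheme
        src = urlsplit(page_origin).scheme + "://" + src
    s = urlsplit(src)
    if s.scheme != u.scheme:
        return False
    if s.hostname.startswith("*."):       # wildcard sub-domain
        if not u.hostname.endswith(s.hostname[1:]):
            return False
    elif u.hostname != s.hostname:
        return False
    if s.path in ("", "/"):               # no path restriction
        return True
    if s.path.endswith("/"):              # directory prefix match
        return u.path.startswith(s.path)
    return u.path == s.path               # exact path match

def allowed(policy_value, directive, url, page_origin):
    """Apply a fetch directive, falling back to default-src when absent."""
    sources = parse_csp(policy_value)
    sources = sources.get(directive, sources.get("default-src"))
    if sources is None:
        return True                       # nothing governs this load
    return any(source_allows(s, url, page_origin) for s in sources)
```

With John's policy an image from another host is refused, adding `img-src 'self' https://cdn.example.org` lets that one host through without loosening `script-src`, and a `connect-src` entry naming the webfonts path matches the request whether or not `?key=...` is appended, since the query string is not part of the match.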
