Steemit.com Security Vulnerability Audit

in #steemit, 6 years ago (edited)


Was having some issues focusing on coding endeavours, coupled with trouble sleeping this evening, so I decided to fire up the website security analysis program Taipan and run it against Steemit.com to see if I could uncover any existing but unknown security issues on the site.

In a thorough vulnerability scan lasting roughly 45 minutes, Steemit.com was audited against the majority of known website exploits. While this doesn't 100% confirm that the Steemit.com website is impervious to hackers or exploits, it does indicate that the website is quite secure in terms of

Results of Security Audit

[image]

-=[ Scan Result Summary ]=-

-= Web Server =-
        Nginx

-= Web Programming Language =-
        Php

-= Security Issues =-
SSL Test on https://www.steemit.com/.

TLSv1.0
        Strength: strong, Name: ECDHE_RSA_WITH_AES_128_CBC_SHA
        Strength: strong, Name: ECDHE_RSA_WITH_AES_256_CBC_SHA
        Strength: strong, Name: RSA_WITH_AES_128_CBC_SHA
        Strength: strong, Name: RSA_WITH_AES_256_CBC_SHA

TLSv1.1
        Strength: strong, Name: ECDHE_RSA_WITH_AES_128_CBC_SHA
        Strength: strong, Name: ECDHE_RSA_WITH_AES_256_CBC_SHA
        Strength: strong, Name: RSA_WITH_AES_128_CBC_SHA
        Strength: strong, Name: RSA_WITH_AES_256_CBC_SHA

TLSv1.2
        Strength: strong, Name: ECDHE_RSA_WITH_AES_128_GCM_SHA256
        Strength: strong, Name: ECDHE_RSA_WITH_AES_128_CBC_SHA256
        Strength: strong, Name: ECDHE_RSA_WITH_AES_128_CBC_SHA
        Strength: strong, Name: ECDHE_RSA_WITH_AES_256_GCM_SHA384
        Strength: strong, Name: ECDHE_RSA_WITH_AES_256_CBC_SHA384
        Strength: strong, Name: ECDHE_RSA_WITH_AES_256_CBC_SHA
        Strength: strong, Name: RSA_WITH_AES_128_GCM_SHA256
        Strength: strong, Name: RSA_WITH_AES_128_CBC_SHA256
        Strength: strong, Name: RSA_WITH_AES_128_CBC_SHA
        Strength: strong, Name: RSA_WITH_AES_256_GCM_SHA384
        Strength: strong, Name: RSA_WITH_AES_256_CBC_SHA256
        Strength: strong, Name: RSA_WITH_AES_256_CBC_SHA

SSLv3/TLS, chain: 1

Certificate: 1
        Valid From: 11/25/2018 12:00:00 AM
        Valid To: 12/25/2019 12:00:00 PM
        Self Issued: False
        Serial:
        Subject: CN=steemit.com
        Issuer: CN=Amazon,OU=Server CA 1B,O=Amazon,C=US
        Server Names:
                steemit.com
                *.steemit.com

Certificate: 2
        Valid From: 10/22/2015 12:00:00 AM
        Valid To: 10/19/2025 12:00:00 AM
        Self Issued: False
        Serial:
        Subject: CN=Amazon,OU=Server CA 1B,O=Amazon,C=US
        Issuer: CN=Amazon Root CA 1,O=Amazon,C=US

Certificate: 3
        Valid From: 5/25/2015 12:00:00 PM
        Valid To: 12/31/2037 1:00:00 AM
        Self Issued: False
        Serial:
        Subject: CN=Amazon Root CA 1,O=Amazon,C=US
        Issuer: CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US

Certificate: 4
        Valid From: 9/2/2009 12:00:00 AM
        Valid To: 6/28/2034 5:39:16 PM
        Self Issued: False
        Serial:
        Subject: CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US
        Issuer: OU=Starfield Class 2 Certification Authority,O=Starfield Technologies\, Inc.,C=US

Warnings:
        CS006: Server supports cipher suites with no forward secrecy.

Missing Strict-Transport-Security on https://www.steemit.com/
Cookie Not Marked As Secure on https://www.steemit.com/. Cookie: Expires
Cookie Not Marked As HttpOnly on https://www.steemit.com/. Cookie: Expires
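The three warning classes above are easy to reproduce, and to sanity-check for false positives, with a few lines of code. The block below is an added example written for this page; it is not Taipan's source and not anything from Steemit's stack. SAMPLE_RESPONSE is a constructed HTTP response built to trigger each warning, not a capture from steemit.com, and TLS12_SUITES is the TLSv1.2 list copied from the scan output.

```python
"""Offline re-implementation of the checks the scan flagged: missing HSTS,
cookies without Secure/HttpOnly, and cipher suites with no forward secrecy.
Added example, not Taipan's code; the sample response is constructed."""
from typing import Dict, List, Tuple

# Constructed HTTPS response used as input. Not a capture of steemit.com; it is
# built so that each of the scan's warnings has something to trigger on.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Expires=Wed, 25 Dec 2019 00:00:00 GMT; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html></html>"
)

# The TLSv1.2 suites listed in the scan output, in the scanner's naming.
TLS12_SUITES = [
    "ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE_RSA_WITH_AES_256_CBC_SHA384", "ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "RSA_WITH_AES_128_GCM_SHA256", "RSA_WITH_AES_128_CBC_SHA256",
    "RSA_WITH_AES_128_CBC_SHA", "RSA_WITH_AES_256_GCM_SHA384",
    "RSA_WITH_AES_256_CBC_SHA256", "RSA_WITH_AES_256_CBC_SHA",
]


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the header block into (lowercased name, value) pairs.
    A list rather than a dict, because Set-Cookie legitimately repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # element 0 is the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_cookie(set_cookie: str) -> Dict[str, object]:
    """Parse one Set-Cookie value per RFC 6265: the first name=value pair is the
    cookie, everything after a ';' is an attribute. Splitting on '=' before ';'
    is how a naive parser ends up reporting a cookie called 'Expires'."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {
        "name": name,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": attrs.get("samesite", "").lower() or None,
    }


def has_forward_secrecy(suite: str) -> bool:
    """Ephemeral (EC)DH key exchange gives forward secrecy. A plain RSA key
    exchange encrypts the premaster secret to the server's long-term key, so a
    later compromise of that key decrypts every recorded session. TLS 1.3
    suites (TLS_AES_*, TLS_CHACHA20_*) are always forward secret but do not
    appear in this scan."""
    return suite.startswith(("ECDHE_", "DHE_", "TLS_AES_", "TLS_CHACHA20_"))


def audit_response(raw: str, suites: List[str]) -> Dict[str, object]:
    """Produce the same classes of finding the scan reported."""
    headers = parse_headers(raw)
    hsts = any(n == "strict-transport-security" for n, _ in headers)
    cookies = [audit_cookie(v) for n, v in headers if n == "set-cookie"]
    no_fs = [s for s in suites if not has_forward_secrecy(s)]
    findings = []
    if not hsts:
        findings.append("Missing Strict-Transport-Security")
    for c in cookies:
        if not c["secure"]:
            findings.append(f"Cookie Not Marked As Secure. Cookie: {c['name']}")
        if not c["httponly"]:
            findings.append(f"Cookie Not Marked As HttpOnly. Cookie: {c['name']}")
    if no_fs:
        findings.append("CS006: Server supports cipher suites with no forward secrecy")
    return {"hsts": hsts, "cookies": cookies,
            "no_forward_secrecy": no_fs, "findings": findings}


if __name__ == "__main__":
    for f in audit_response(SAMPLE_RESPONSE, TLS12_SUITES)["findings"]:
        print(f)
```

Run as a script it prints the same four findings the scanner listed, but against the cookie actually named in the sample (`session`). Two points worth taking from it. A Set-Cookie value has to be split on `;` before `=`; a parser that does it the other way round reports the `Expires=` attribute as a cookie called "Expires", which is the most plausible reading of the "Cookie: Expires" lines above, so that finding should be confirmed against the raw response headers before anyone acts on it. The suites without forward secrecy are exactly the six RSA_WITH_* entries; on nginx, restricting `ssl_ciphers` to ECDHE suites removes CS006, and `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` closes the HSTS gap (standard nginx directives given as remediation, not a description of what Steemit runs).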



Other than some cookie issues and cipher suites without forward secrecy, the scan results were quite lackluster, which is a good thing when doing this. Of the findings, the missing Strict-Transport-Security header is the one with a concrete consequence: a browser's first plain-HTTP visit can still be intercepted before the redirect to HTTPS, and HSTS is what tells returning browsers never to make that plain request at all. All in all, this website vulnerability scan showed little to no sign of weakness in Steemit.com's security, which is a great report.

Good work Steemit, Inc.!

Need Your Site Audited for Vulnerabilities?

If you're a web developer who wants to test whether your website is secure against would-be hackers, I'm willing to extend this service to you for a small sum of STEEM: 25 STEEM per site audited. This includes a full site vulnerability scan as well as the complete output of results from the scan!

Message below in the comments if you're interested!

Thanks for Reading, Voting and the Support
(please consider voting for my witness for more cool posts, development and MS-paint art!)

VOTE @KLYE FOR WITNESS!

Every Single Vote Helps, Thanks for the Support!

Witness Server Hosted Via Privex.io


Need to get in Contact with KLYE?

Join the Official #KLYE Discord Server Today!


https://www.ssllabs.com/ssltest/ is my favorite to test a website's SSL and security vulnerabilities.

Nice! Appreciate the share of information, sir!

This post has been included in the latest edition of The Steem News in 10 posts - a compilation of the key news stories on the Steem blockchain.

Thanks Pennsif! Much appreciated.
