LIST OF BUGS I FOUND FROM 104.21.7.58 / testnet.sinfonia.zone
Device for Testing : Macbook M1 Pro
Tool : Openvas and NMAP
TCP Port Opened ( scanned by nmap 104.21.7.58 )
List port opened : 80,2052,443,2053,2082,2083,2086,2087,2095,8080,2096,8443,8880
Level Bug : Medium
Detail : An open port may be an expected configuration. For example, web servers use port 80 to serve websites over http and port 443 to serve websites over https. For a list of commonly used ports see https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers.
An unexpected open port could give unintended access to applications, data, and private networks. Open ports can also be dangerous when expected services are out of date and exploited through security vulnerabilities.
Solution : Close the port

Application Error Disclosure
Link Issue : https://testnet.sinfonia.zone/assets/index.8e544d33.js
Level Bug : Medium
CWE Id : 200
Detail : This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.
Solution : Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.

Cross Domain Misconfiguration
Level Bug : Medium
CWE Id : 264
Detail : Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.
Solution : Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).
Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.
Reference : https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy

Missing Anti-clickjacking Header
Level Bug : Medium
CWE Id : 1021
Detail : The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.
Solution : Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.
If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
Reference : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
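Added here as a worked example (my own code, not the scanner's output and not part of the sinfonia project): a small Python checker that applies the CORS and anti-clickjacking remediation advice from the two findings above to a set of HTTP response headers. It runs only against constructed sample header sets embedded below (the approved origin https://app.example.test is a placeholder), so it makes no network requests; to verify a real fix you would paste the header block from your own server's response into parse_raw_headers.

```python
"""Header checks for the two header-level findings in the report:
overly permissive CORS (Access-Control-Allow-Origin) and a missing or
weak anti-clickjacking control (X-Frame-Options / CSP frame-ancestors).
Sample inputs are constructed; nothing is fetched over the network.
"""
from typing import Dict, Iterable, List, Optional

SAFE_XFO_VALUES = ("DENY", "SAMEORIGIN")  # ALLOW-FROM is obsolete and unsupported


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, as HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn a raw response head (e.g. pasted from `curl -I`) into a dict.
    Stops at the first blank line so a trailing body is never parsed."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/"):
            continue  # status line carries no header
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def check_cors(headers: Dict[str, str], allowed_origins: Iterable[str]) -> List[str]:
    """Flag Access-Control-Allow-Origin values that widen the Same Origin Policy."""
    findings: List[str] = []
    acao = _get(headers, "Access-Control-Allow-Origin")
    if acao is None:
        return findings  # no CORS header: the browser enforces SOP on its own
    origin = acao.strip()
    if origin == "*":
        findings.append("CORS: Access-Control-Allow-Origin is '*', so any site can read this response")
    elif origin not in set(allowed_origins):
        findings.append(f"CORS: Access-Control-Allow-Origin '{origin}' is not an approved origin")
    creds = _get(headers, "Access-Control-Allow-Credentials")
    if origin == "*" and creds is not None and creds.strip().lower() == "true":
        # Browsers reject '*' with credentials; its presence signals an unintended config.
        findings.append("CORS: Allow-Credentials 'true' combined with '*' (invalid combination)")
    return findings


def _frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    if csp is None:
        return None
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def check_clickjacking(headers: Dict[str, str]) -> List[str]:
    """Require either CSP frame-ancestors or a valid X-Frame-Options value."""
    findings: List[str] = []
    ancestors = _frame_ancestors(_get(headers, "Content-Security-Policy"))
    if ancestors is not None:
        # Per CSP, frame-ancestors takes precedence over X-Frame-Options.
        if "*" in ancestors:
            findings.append("Clickjacking: CSP frame-ancestors allows any origin ('*')")
        return findings
    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("Clickjacking: no X-Frame-Options and no CSP frame-ancestors directive")
    elif xfo.strip().upper() not in SAFE_XFO_VALUES:
        findings.append(f"Clickjacking: X-Frame-Options '{xfo}' is not DENY or SAMEORIGIN")
    return findings


def audit_headers(headers: Dict[str, str], allowed_origins: Iterable[str] = ()) -> List[str]:
    """Run both checks; an empty list means the two findings are remediated."""
    return check_cors(headers, allowed_origins) + check_clickjacking(headers)


# Constructed sample responses (placeholder origin, not taken from any real host).
SAMPLE_RESPONSES = {
    "weak": {"Content-Type": "text/html", "Access-Control-Allow-Origin": "*"},
    "obsolete": {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true",
        "X-Frame-Options": "ALLOW-FROM https://app.example.test",
    },
    "hardened": {
        "Content-Type": "text/html",
        "Access-Control-Allow-Origin": "https://app.example.test",
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
}
RAW_WEAK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nAccess-Control-Allow-Origin: *\r\n\r\n"

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(label, audit_headers(hdrs, ["https://app.example.test"]) or ["no findings"])
```

The hardened set is what the remediation text asks for: a single explicit origin (or no CORS header at all) and DENY plus frame-ancestors 'none'. The checker treats a frame-ancestors directive as authoritative when present, matching how browsers resolve a conflict with X-Frame-Options.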
More issues and bugs on bitsong can be checked here.