Application Error Disclosure / Content Security Policy (CSP) Header Not Set / Cross-Domain Misconfiguration / Missing Anti-clickjacking Header

[KangDanKer]

Prerequisites

• [X] You confirm that your bug is available through the Chrome browser accessed by a Desktop computer.
• [X] You read the guidelines for contributing.
• [X] You are able to reproduce the problem in the latest version of Sinfonia.
• [X] You checked that the problem has not yet been reported (also through closed issues).

Describe the exact steps to reproduce the problem in as many details as possible

I tried to find bugs using software and the results I found some BUGs maybe not too important (medium) but it would be nice if they were fixed, because small problems if not fixed it will be disastrous or become a big problem later

Describe the issue behavior

Application Error Disclosure url : https://testnet.sinfonia.zone/assets/index.a0c0b53b.js BUG : This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page. SOLUTION : Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user. Content Security Policy (CSP) Header Not Set BUG : Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files. SOLUTION : Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: "Content-Security-Policy" for Chrome 25+, Firefox 23+ and Safari 7+, "X-Content-Security-Policy" for Firefox 4.0+ and Internet Explorer 10+, and "X-WebKit-CSP" for Chrome 14+ and Safari 6+. Cross-Domain Misconfiguration BUG : Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server . The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. SOLUTION : Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance). Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner. Missing Anti-clickjacking Header BUG : The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. SOLUTION : Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.

BitSong Public Address

bitsong16k4prt559040xtd83z9hh5k7m72lfergyjvg7q

Osmosis Public Address

osmo18tarmvpeyckhsrngvduxv37u6w9l3gzswjwmh9

Which browser are you using?

Google Chrome

Which is your browser version?

Version 101.0.4951.54 (Official Build) (64-bit)

Which kind of device are you using?

Desktop

Are you using a ledger?

No

Which is your ledger version?

No response

Agree the Competition Rules

• [X] You agree the competition rules

[giorgionocera]

I'll answer you by point:

1. No sensitive information is disclosed by error/warning messages.
2. As for the CSP, likely described in MDN, if the site doesn't offer the CSP header, browsers likewise use the standard same-origin policy;
3. The endpoints only show data stored on the public blockchains. No sensitive data is available.
4. With respect to the last point, it is a good infrastructural suggestion, but it is not an application bug from Sinfonia.