bitsongofficial / sinfonia-ui


[Competition Bug]: LIST OF BUG I FOUND FROM BITSONG #248

Closed Adefebrian closed 2 years ago

Adefebrian commented 2 years ago

Prerequisites

Describe the exact steps to reproduce the problem in as many details as possible

LIST OF BUGS I FOUND FROM 104.21.7.58 / testnet.sinfonia.zone
Device for Testing: MacBook M1 Pro
Tool: OpenVAS and Nmap

Detail and Solution are auto-generated by OpenVAS, but all of them are valid; please check the details here.

  1. TCP Port Opened (scanned by nmap against 104.21.7.58)
     List of open ports: 80, 2052, 443, 2053, 2082, 2083, 2086, 2087, 2095, 8080, 2096, 8443, 8880
     Level Bug: Medium
     Detail: An open port may be an expected configuration. For example, web servers use port 80 to serve websites over http and port 443 to serve websites over https. For a list of commonly used ports see https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers. An unexpected open port could give unintended access to applications, data, and private networks. Open ports can also be dangerous when expected services are out of date and exploited through security vulnerabilities.
     Solution: Close the port.
  2. Application Error Disclosure
     Link Issue: https://testnet.sinfonia.zone/assets/index.8e544d33.js
     Level Bug: Medium
     CWE Id: 200
     Detail: This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.
     Solution: Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.
  3. Cross Domain Misconfiguration
     Level Bug: Medium
     CWE Id: 264
     Detail: Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.
     Solution: Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance). Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.
     Reference: https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy
  4. Missing Anti-clickjacking Header
     Level Bug: Medium
     CWE Id: 1021
     Detail: The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.
     Solution: Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
     Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

More issues and bugs on BitSong you can check here.

Describe the issue behavior

The fault that I discovered was a technical issue rather than a bug on the web interface, hence it is critical that this issue be rectified as soon as possible since it is harmful for web bitsong.

BitSong Public Address

bitsong1dvuz6gaht4h26ev39r66p6ut43kmhe2syqkjds

Osmosis Public Address

osmo1dvuz6gaht4h26ev39r66p6ut43kmhe2sqjh2ed

Which browser are you using?

Google Chrome

Which is your browser version?

1.38.109

Which kind of device are you using?

Desktop

Are you using a ledger?

No

Which is your ledger version?

-

Agree the Competition Rules
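The two header-level findings in the report above (3, the CORS misconfiguration, and 4, the missing anti-clickjacking header) can be checked on any response with a small audit routine. The following is an added example, not code from the sinfonia-ui project or from the reporter's scan; the header sets, the `https://app.example` origin and the `ALLOWED_ORIGINS` allow-list are constructed, not captured from testnet.sinfonia.zone. It flags a wildcard or off-list `Access-Control-Allow-Origin` and passes the clickjacking check only when `X-Frame-Options` is `DENY`/`SAMEORIGIN` or CSP carries a non-wildcard `frame-ancestors` directive, which is the fix the report suggests.

```javascript
// Added example, not from the sinfonia-ui project or the bug report: audit a
// set of HTTP response headers for an overly permissive CORS policy
// (finding 3) and a missing anti-clickjacking protection (finding 4).
// All header values and origins below are constructed sample data.

// HTTP header names are case-insensitive, so normalise them before lookup.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Parse a Content-Security-Policy value into { directive: [tokens...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Returns a list of finding strings; an empty list means both checks pass.
// allowedOrigins is the (hypothetical) allow-list the deployment intends.
function auditHeaders(rawHeaders, allowedOrigins) {
  const h = normalizeHeaders(rawHeaders);
  const findings = [];

  // Finding 3 (CORS): "*" or an origin outside the allow-list lets other
  // sites read the response. The fix is a restrictive allow-list, or no
  // CORS headers at all so the browser enforces the Same Origin Policy.
  const acao = h['access-control-allow-origin'];
  if (acao === '*') {
    findings.push('cors: Access-Control-Allow-Origin is "*"');
  } else if (acao !== undefined && !allowedOrigins.includes(acao)) {
    findings.push('cors: Access-Control-Allow-Origin "' + acao + '" is not in the allow-list');
  }

  // Finding 4 (clickjacking): pass only if X-Frame-Options is DENY or
  // SAMEORIGIN, or CSP has a frame-ancestors directive that is not "*".
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  const xfoProtects = xfo === 'DENY' || xfo === 'SAMEORIGIN';
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : {};
  const fa = csp['frame-ancestors'];
  const cspProtects = Array.isArray(fa) && fa.length > 0 && !fa.includes('*');
  if (!xfoProtects && !cspProtects) {
    findings.push('clickjacking: no X-Frame-Options (DENY/SAMEORIGIN) and no CSP frame-ancestors');
  }

  return findings;
}

// Constructed sample responses: the weak set reproduces both findings, the
// hardened set applies the fixes the report suggests.
const WEAK_HEADERS = {
  'Content-Type': 'text/html',
  'Access-Control-Allow-Origin': '*',
};

const HARDENED_HEADERS = {
  'Content-Type': 'text/html',
  'Access-Control-Allow-Origin': 'https://app.example',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
};

// Hypothetical allow-list of origins the deployment intends to serve.
const ALLOWED_ORIGINS = ['https://app.example'];

console.log(auditHeaders(WEAK_HEADERS, ALLOWED_ORIGINS));
console.log(auditHeaders(HARDENED_HEADERS, ALLOWED_ORIGINS));
```

Run with `node` on a saved copy of a response's headers; the weak set yields one `cors:` and one `clickjacking:` finding, the hardened set yields none. `frame-ancestors *` is deliberately treated as no protection, since it permits framing from anywhere.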

giorgionocera commented 2 years ago

For the first point, TCP Port Opened, the application runs over a served hosting platform. As a consequence, no interaction on the ports is possible. For the other points, this is a duplicate of #194.