Contents
About this report
Report parameters
Contexts
No contexts were selected, so all contexts were included by default.
Sites
The following sites were included:
- https://dev.duracloud.org
(If no sites were selected, all sites were included by default.)
An included site must also be within one of the included contexts for its data to be included in the report.
Risk levels
Included: High, Medium, Low, Informational
Excluded: None
Confidence levels
Included: User Confirmed, High, Medium, Low
Excluded: User Confirmed, High, Medium, Low, False Positive
Summaries
Alert counts by risk and confidence
Rows are risk levels; columns are confidence levels.

Risk \ Confidence | User Confirmed | High | Medium | Low | Total
---|---|---|---|---|---
High | 0 (0.0%) | 0 (0.0%) | 0 (0.0%) | 0 (0.0%) | 0 (0.0%)
Medium | 0 (0.0%) | 0 (0.0%) | 37 (32.2%) | 0 (0.0%) | 37 (32.2%)
Low | 0 (0.0%) | 0 (0.0%) | 34 (29.6%) | 7 (6.1%) | 41 (35.7%)
Informational | 0 (0.0%) | 0 (0.0%) | 0 (0.0%) | 37 (32.2%) | 37 (32.2%)
Total | 0 (0.0%) | 0 (0.0%) | 71 (61.7%) | 44 (38.3%) | 115 (100%)
Alert counts by site and risk
Each cell gives the count at that risk level; the figure in parentheses is the cumulative count at or above that level.

Site | High (= High) | Medium (>= Medium) | Low (>= Low) | Informational (>= Informational)
---|---|---|---|---
https://dev.duracloud.org | 0 (0) | 37 (37) | 41 (78) | 37 (115)
Alert counts by alert type
Alert type | Risk | Count |
---|---|---|
Cross-Domain Misconfiguration | Medium | 36 (31.3%) |
Vulnerable JS Library | Medium | 1 (0.9%) |
Absence of Anti-CSRF Tokens | Low | 4 (3.5%) |
Cookie without SameSite Attribute | Low | 2 (1.7%) |
Timestamp Disclosure - Unix | Low | 7 (6.1%) |
X-Content-Type-Options Header Missing | Low | 28 (24.3%) |
Information Disclosure - Suspicious Comments | Informational | 37 (32.2%) |
Total | | 115 |
Alerts
- Risk=Medium, Confidence=Medium (37)
  - https://dev.duracloud.org (37)
    - Cross-Domain Misconfiguration (36)
GET https://dev.duracloud.org
Alert description: Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.
Other info: The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
Request: request line and header section (239 bytes)
GET https://dev.duracloud.org HTTP/1.1
Host: dev.duracloud.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Pragma: no-cache
Cache-Control: no-cache
Request body (0 bytes)
Response: status line and header section (721 bytes)
HTTP/1.1 200
Date: Tue, 07 Dec 2021 17:15:52 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 7029
Connection: keep-alive
Server: Apache/2.4.46 () OpenSSL/1.0.2k-fips
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Language: en-US
Set-Cookie: JSESSIONID=5E31D0F4635FF98D07FB6B0F6D1FBCA9; Path=/duradmin; Secure; HttpOnly
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Response body (7029 bytes)
Evidence: Access-Control-Allow-Origin: *
Solution: Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).
Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.
GET https://dev.duracloud.org/duradmin
Request: request line and header section (284 bytes)
GET https://dev.duracloud.org/duradmin HTTP/1.1
Host: dev.duracloud.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Pragma: no-cache
Cache-Control: no-cache
Referer: https://dev.duracloud.org
Request body (0 bytes)
Response: status line and header section (309 bytes)
HTTP/1.1 302
Date: Tue, 07 Dec 2021 17:15:54 GMT
Content-Length: 0
Connection: keep-alive
Server: Apache/2.4.46 () OpenSSL/1.0.2k-fips
Location: /duradmin/
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Response body (0 bytes)
Evidence: Access-Control-Allow-Origin: *
GET https://dev.duracloud.org/duradmin/
Request: request line and header section (294 bytes)
GET https://dev.duracloud.org/duradmin/ HTTP/1.1
Host: dev.duracloud.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Pragma: no-cache
Cache-Control: no-cache
Referer: https://dev.duracloud.org/duradmin
Request body (0 bytes)
Response: status line and header section (721 bytes)
HTTP/1.1 200
Date: Tue, 07 Dec 2021 17:15:54 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 7029
Connection: keep-alive
Server: Apache/2.4.46 () OpenSSL/1.0.2k-fips
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Language: en-US
Set-Cookie: JSESSIONID=BA85415E20038D7E9CFF1EA542ABFFFF; Path=/duradmin; Secure; HttpOnly
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Response body (7029 bytes)
Evidence: Access-Control-Allow-Origin: *
GET https://dev.duracloud.org/duradmin/?error
Request: request line and header section (359 bytes)
GET https://dev.duracloud.org/duradmin/?error HTTP/1.1
Host: dev.duracloud.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Pragma: no-cache
Cache-Control: no-cache
Referer: https://dev.duracloud.org/duradmin/login
Cookie: JSESSIONID=BA85415E20038D7E9CFF1EA542ABFFFF
Request body (0 bytes)
Response: status line and header section (630 bytes)
HTTP/1.1 200
Date: Tue, 07 Dec 2021 17:15:56 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 7029
Connection: keep-alive
Server: Apache/2.4.46 () OpenSSL/1.0.2k-fips
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Language: en-US
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Response body (7029 bytes)
Evidence: Access-Control-Allow-Origin: *
GET https://dev.duracloud.org/duradmin/favicon.ico
Request: request line and header section (359 bytes)
GET https://dev.duracloud.org/duradmin/favicon.ico HTTP/1.1
Host: dev.duracloud.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Pragma: no-cache
Cache-Control: no-cache
Referer: https://dev.duracloud.org/duradmin/
Cookie: JSESSIONID=BA85415E20038D7E9CFF1EA542ABFFFF
Request body (0 bytes)
Response: status line and header section (439 bytes)
HTTP/1.1 200
Date: Tue, 07 Dec 2021 17:15:54 GMT
Content-Type: image/x-icon
Content-Length: 1406
Connection: keep-alive
Server: Apache/2.4.46 () OpenSSL/1.0.2k-fips
Accept-Ranges: bytes
ETag: W/"1406-1571741506000"
Last-Modified: Tue, 22 Oct 2019 10:51:46 GMT
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Response body (1406 bytes)