This document was created for review by the Synapse engineering team to respond to Jira issue SWC-6374. There is no guarantee that this information is up-to-date, nor is it prescriptive for future security concerns.

...

The domain for the repository services (repo-<stack>.prod.sagebase.org) was also specified in the report, but those services are not vulnerable to the same attack, and no specific findings were provided for them. There is a related misconfiguration that does not expose us to any vulnerability, but we should address it to reduce the risk of vulnerabilities being introduced by future changes.

...

By default, browsers prevent JavaScript from reading the response of an HTTP request made to an origin different from that of the open window or frame. For certain types of requests, the browser first sends a “preflight” request to determine whether the actual request would be allowed before sending it. The server can set values in certain response headers to loosen these restrictions. For the sake of brevity, this document focuses only on the headers referenced in the penetration test and the issue.

...

Portal Unique Origins

In the Synapse production AWS account, CloudWatch logs were used to determine the number of unique origin values that made requests to the portal servers.

To gather this data, three log groups were used:

  • /aws/elasticbeanstalk/portal-prod-435-0/var/log/httpd/access_log
  • /aws/elasticbeanstalk/portal-prod-436-0/var/log/httpd/access_log
  • /aws/elasticbeanstalk/portal-prod-437-0/var/log/httpd/access_log

These groups encompass the current production stack, as well as the previous two stacks.

The following CloudWatch Logs Insights query was used to determine the unique origins that used the Portal service in the last 30 days (note that the time filter was applied via the CloudWatch UI):

Code Block
parse @message '* - * [*] "* * *" * * "*" "*"' as host, identity, dateTimeString, httpVerb, url, protocol, statusCode, bytes, referer, useragent
| parse referer '*://*/' as protocol2, domain
| fields concat(protocol2, "://", domain) as origin
| stats count() as count by origin
| sort count desc

This returned 863 unique results. Here are the top 5:

Origin                                  Count
https://www.synapse.org                 12,291,758
<empty>                                 2,483,980
https://staging.synapse.org             92,497
https://adknowledgeportal.synapse.org   10,304
https://accounts.google.com             4,716
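The query above derives each origin from the Referer field of Apache's combined log format. As an added example (not from the original page or the Synapse project), the same logic in Python over constructed access_log lines; the `mimic_query` switch reproduces the query's `*://*/` glob so the path-less-referer case it misses is visible, and `SAMPLE_LOG` and the helper names are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache combined log format, the shape the Logs Insights parse pattern expects:
#   host - identity [time] "verb url protocol" status bytes "referer" "useragent"
ACCESS_LOG_RE = re.compile(
    r'^(?P<host>\S+) - (?P<identity>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<url>\S+) (?P<protocol>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"$'
)
# Mirrors `parse referer '*://*/'`: it needs a "/" after the host, so a path-less referer yields nothing.
GLOB_RE = re.compile(r'^(.*?)://(.*?)/')


def origin_from_referer(referer: str, mimic_query: bool = False) -> str:
    """scheme://host[:port] for a Referer value, or "" when none can be derived.
    Apache logs "-" when no Referer was sent. Referer is not the Origin header: a
    Referrer-Policy can strip it, so "" overstates the requests that carried no Origin."""
    if referer == "-":
        return ""
    if mimic_query:
        m = GLOB_RE.match(referer)
        return f"{m.group(1)}://{m.group(2)}" if m else ""
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}"


def count_origins(lines, mimic_query: bool = False) -> Counter:
    """The `stats count() as count by origin` step, run over raw access_log lines."""
    counts: Counter = Counter()
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # lines that do not fit the format are skipped
        counts[origin_from_referer(m.group("referer"), mimic_query)] += 1
    return counts


# Constructed sample lines (not real traffic): normal referer, none, with port, and path-less.
SAMPLE_LOG = [
    '203.0.113.10 - - [24/Jan/2023:10:00:00 +0000] "GET /Portal/index.html HTTP/1.1" 200 1234 "https://www.synapse.org/Portal/index.html" "Mozilla/5.0"',
    '203.0.113.11 - - [24/Jan/2023:10:00:01 +0000] "GET /Portal/filehandle HTTP/1.1" 200 56 "-" "curl/7.88.1"',
    '203.0.113.12 - - [24/Jan/2023:10:00:02 +0000] "POST /Portal/filehandle HTTP/1.1" 201 10 "http://localhost:6060/" "Mozilla/5.0"',
    '203.0.113.10 - - [24/Jan/2023:10:00:03 +0000] "GET /Portal/ HTTP/1.1" 200 900 "https://www.synapse.org" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for origin, n in count_origins(SAMPLE_LOG).most_common():
        print(f"{origin or '<empty>'}\t{n}")
```

Run with `mimic_query=True` the last sample line is counted under `<empty>`, which is one reason the empty origin bucket in the tables is an upper bound rather than a count of requests with no Origin header.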

...

Table of all Origin Requests from 2022-12-25 to 2023-01-24

ORIGIN                                                        Number of Requests, past 30 days
<empty>                                                       68,165,544
https://www.synapse.org                                       14,502,342
https://psychencode.synapse.org                               3,131,519
https://adknowledgeportal.synapse.org                         828,395
https://staging.synapse.org                                   70,991
https://nf.synapse.org                                        46,339
http://localhost:6060                                         24,957
https://arkportal.synapse.org                                 20,155
http://127.0.0.1:8888                                         17,700
https://signin.synapse.org                                    13,188
https://www.cancercomplexity.synapse.org                      9,509
https://dhealth.synapse.org                                   7,421
https://bsmn.synapse.org                                      5,694
https://cancercomplexity.synapse.org                          5,112
http://localhost:3000                                         2,566
https://staging.arkportal.synapse.org                         2,507
https://sage-bionetworks.github.io                            2,123
https://staging.adknowledgeportal.synapse.org                 1,283
null                                                          790
https://tst.synapse.org                                       701
https://stopadportal.synapse.org                              593
https://staging.accounts.sagebionetworks.synapse.org          436
https://d2ludihrr6kxy3.cloudfront.net                         337
http://127.0.0.1:3000                                         247
https://staging.nf.synapse.org                                216
https://d9t3oxh59s1dm.cloudfront.net                          100
https://agora.adknowledgeportal.org                           82
https://portal-dev.dev.sagebase.org                           38
https://staging.cancercomplexity.synapse.org                  27
https://staging.studies.mobiletoolbox.org                     27
https://portal-prod-432-2.synapse.org                         20
https://portal-prod-436-0.synapse.org                         20
https://synapse-prod.synapse.org                              20
http://localhost:8080                                         14
https://34.230.158.104                                        10
https://research.sagebridge.org                               10
http://127.0.0.1:3001                                         8
https://52.203.200.37                                         5
https://agora-develop.adknowledgeportal.org                   5
https://psychencode-synapse-org.translate.goog                4
https://d2urqeqifglv0s.cloudfront.net                         3
http://agora.adknowledgeportal.org                            2
https://agora-staging.adknowledgeportal.org                   2
https://tnt-ui-dot-amp-pd-data-coordination.uc.r.appspot.com  2
http://localhost                                              1
http://www.synapse.org                                        1

Data captured from running the following query in the data warehouse on 2023-01-24:

Code Block (sql)
SELECT ORIGIN, COUNT(*) AS NUMBER_OF_RECORDS
FROM ACCESS_RECORD
WHERE TIMESTAMP BETWEEN unix_timestamp(curdate())*1000 - (30*24*60*60*1000) AND unix_timestamp(curdate())*1000
GROUP BY ORIGIN;

...