Security Validation

Live results from darkforest v2.0, a pure Rust security validator that runs penetration tests, protocol fuzzing, and cryptographic posture checks against all 13 services.

"DARK_FOREST" findings are informational observations worth tracking, not failures.

Back

🟢 Overall: 179 PASS, 0 FAIL, 6 DARK_FOREST

Metric	Value
Total checks	185
Pass	179
Fail	0
Dark Forest (informational)	6
Scan time	973.9s
Timestamp	unknown
Suite	all

---

Results by Suite

Suite	Total	Pass	Fail	Dark Forest
🟢 crypto	19	17	0	2
🟢 fuzz.barracuda	8	8	0	0
🟢 fuzz.beardog	8	8	0	0
🟢 fuzz.biomeos	8	8	0	0
🟢 fuzz.coralreef	8	8	0	0
🟢 fuzz.hub	12	11	0	1
🟢 fuzz.loamspine	8	8	0	0
🟢 fuzz.nestgate	8	8	0	0
🟢 fuzz.petaltongue	8	8	0	0
🟢 fuzz.rhizocrypt	8	8	0	0
🟢 fuzz.skunkbat	8	8	0	0
🟢 fuzz.songbird	8	8	0	0
🟢 fuzz.squirrel	8	8	0	0
🟢 fuzz.sweetgrass	8	8	0	0
🟢 fuzz.toadstool	8	8	0	0
🟢 pentest.compute	21	21	0	0
🟢 pentest.external	20	19	0	1
🟢 pentest.readonly	9	7	0	2

---

Dark Forest Findings

DARK_FOREST items are informational — not failures, but observations worth tracking.

ID	Finding	Severity	Evidence
PEN-A1-01	Hub API leaks version 5.4.5 at /hub/api/ (unauthenticated)	medium	GET /hub/api/ returned version=5.4.5
PEN-C3-01	Reviewer can see shared/projects/ (doc says showcase only)	low	ls succeeded
PEN-C3-02	Reviewer can see shared/data/	low	ls succeeded
FUZ-HUB-02	Null byte username reflected in error page (HTTP 403, CSP mitigates)	medium	xfuzz15f2c8
CRY-11	BEARDOG_MASTER_KEY not found in systemd units — ephemeral key derivation in use	high	Key material regenerated each restart
CRY-12	Cookie format may be v1 (SHA-1) — verify Tornado version	medium	set-cookie: _xsrf=MnwxOjB8MTA6MTc3ODMzMDYwNnw1Ol94c3JmfDY4OlRtOXVaVHBFU0VKRFdXcHFWR3hVY2pod01tVTFNbm95Um5GVk5FZGtVa055ZW1nMWQzWkhZV1pFWTNKVmVscEZQUT09fDFkN2FiMDA1M2UyZmY2Y2Q0ZDExNTQwMjA4Y2NkNjI4MWNjOWJkM2VjYjExM2QyNWFiNjRmOWRhNjlmNzMxYTI; Max-Age=3600; Path=/hub/

---

Failed Checks

All checks passed. No failures detected.

---

Full Check Details

	ID	Check	Category
🌑	PEN-A1-01	Hub API leaks version 5.4.5 at /hub/api/ (unauthenticated)	info_leak
✅	PEN-A1-02	Server header: server:	info_leak
✅	PEN-A2-01	/hub/admin blocked (HTTP 302)	auth
✅	PEN-A2-02	/hub/api/users blocked (HTTP 403)	auth
✅	PEN-A2-03	/hub/api/proxy blocked (HTTP 403)	auth
✅	PEN-A2-04	/hub/api/services blocked (HTTP 403)	auth
✅	PEN-A3-01	Traversal blocked: /hub/../../../etc/passwd (HTTP 302)	auth
✅	PEN-A3-02	Traversal blocked: /hub/%2e%2e/%2e%2e/etc/passwd (HTTP 302)	auth
✅	PEN-A3-03	Traversal blocked: /services/voila/voila/render/../../../etc/passwd (HTTP 302)	auth
✅	PEN-A3-04	Traversal blocked: /services/voila/voila/render/%2e%2e/%2e%2e/%2e%2e/etc/passwd (HTTP 302)	auth
✅	PEN-A3-05	Traversal blocked: /services/voila/voila/render/..%252f..%252f..%252fetc/passwd (HTTP 302)	auth
✅	PEN-A4-01	Host 'evil.com' not reflected	info_leak
✅	PEN-A4-02	Host '127.0.0.1:9999' not reflected	info_leak
✅	PEN-A4-03	Host 'localhost:22' not reflected	info_leak
✅	PEN-A5-01	Voila service reachable (behind Hub OAuth)	auth
✅	PEN-A6-TK-01	Tunnel healthy (tunnelKeeper)	network
✅	PEN-A6-TK-02	cloudflared running (PID 396577)	network
✅	PEN-A6-TK-03	DNS resolves: 2606:4700:3033::6815:1a15	network
✅	PEN-A6-TK-04	Tunnel config valid (7 ingress rules), credentials readable	crypto
✅	PEN-A7-00	All primal ports bound to 127.0.0.1 only	network
✅	PEN-B1-01	dig not available or DNS blocked	network
✅	PEN-B1-02	Raw DNS to external blocked	network
✅	PEN-B2-01	MethodGate enforced on beardog — JH-0 fully resolved	auth
✅	PEN-B2-02	storage.list rejected on nestgate:9500	auth
✅	PEN-B2-03	storage.store_blob rejected on nestgate:9500	auth
✅	PEN-B2-04	spine.status rejected on loamspine:9700	auth
✅	PEN-B2-05	job.list rejected on toadstool:9400	auth
✅	PEN-B2-06	crypto.list_keys rejected on beardog:9100	auth
✅	PEN-B2-07	composition.list rejected on biomeos:9800	auth
✅	PEN-B3-01	Cannot write to shared conda envs	isolation
✅	PEN-B3-02	Cannot write to shared site-packages	isolation
✅	PEN-B4-01	Cannot read JupyterHub process environ	isolation
✅	PEN-B4-02	Cannot read JupyterHub cmdline (hidepid=2)	isolation
✅	PEN-B4-03	Cannot read jupyterhub.sqlite	crypto
✅	PEN-B4-04	Cannot read jupyterhub_cookie_secret	crypto
✅	PEN-B5-01	Cannot list /home/irongate/	isolation
✅	PEN-B5-02	Cannot read /etc/crontab	info_leak
✅	PEN-B5-03	Cannot enumerate sensitive system services	info_leak
✅	PEN-B6-01	Cannot access /home/abgreviewer/	isolation
✅	PEN-B6-02	Cannot access /home/abg-test/	isolation
✅	PEN-B7-01	CHP proxy API blocked or not exposed (HTTP 403)	network
✅	PEN-C1-01	ipykernel not in reviewer PATH	isolation
✅	PEN-C1-02	Reviewer cannot execute python3	isolation
✅	PEN-C1-03	jupyter CLI not in reviewer PATH	isolation
✅	PEN-C2-01	Reviewer cannot create dirs in ~/notebooks/	isolation
✅	PEN-C2-02	Reviewer cannot create files in ~/notebooks/	isolation
🌑	PEN-C3-01	Reviewer can see shared/projects/ (doc says showcase only)	isolation
🌑	PEN-C3-02	Reviewer can see shared/data/	isolation
✅	PEN-C4-01	Observer cannot create dirs in ~/notebooks/	isolation
✅	PEN-C4-02	MethodGate enforced — observer RPC blocked without token	auth
✅	FUZ-barracuda-mal	barracuda handled all 19 malformed payloads	fuzz
✅	FUZ-barracuda-tls_clienthello	barracuda rejects tls_clienthello	fuzz
✅	FUZ-barracuda-http2_preface	barracuda rejects http2_preface	fuzz
✅	FUZ-barracuda-ssh_banner	barracuda rejects ssh_banner	fuzz
✅	FUZ-barracuda-redis_ping	barracuda rejects redis_ping	fuzz
✅	FUZ-barracuda-memcached_stats	barracuda rejects memcached_stats	fuzz
✅	FUZ-barracuda-big	barracuda handled 100KB payload	fuzz
✅	FUZ-barracuda-timing	barracuda: response times within 0.003s	fuzz
✅	FUZ-beardog-mal	beardog handled all 19 malformed payloads	fuzz
✅	FUZ-beardog-tls_clienthello	beardog rejects tls_clienthello	fuzz
✅	FUZ-beardog-http2_preface	beardog rejects http2_preface	fuzz
✅	FUZ-beardog-ssh_banner	beardog rejects ssh_banner	fuzz
✅	FUZ-beardog-redis_ping	beardog rejects redis_ping	fuzz
✅	FUZ-beardog-memcached_stats	beardog rejects memcached_stats	fuzz
✅	FUZ-beardog-big	beardog handled 100KB payload	fuzz
✅	FUZ-beardog-timing	beardog: response times within 0.000s	fuzz
✅	FUZ-biomeos-mal	biomeos handled all 19 malformed payloads	fuzz
✅	FUZ-biomeos-tls_clienthello	biomeos rejects tls_clienthello	fuzz
✅	FUZ-biomeos-http2_preface	biomeos rejects http2_preface	fuzz
✅	FUZ-biomeos-ssh_banner	biomeos rejects ssh_banner	fuzz
✅	FUZ-biomeos-redis_ping	biomeos rejects redis_ping	fuzz
✅	FUZ-biomeos-memcached_stats	biomeos rejects memcached_stats	fuzz
✅	FUZ-biomeos-big	biomeos handled 100KB payload	fuzz
✅	FUZ-biomeos-timing	biomeos: response times within 0.001s	fuzz
✅	FUZ-coralreef-mal	coralreef handled all 19 malformed payloads	fuzz
✅	FUZ-coralreef-tls_clienthello	coralreef rejects tls_clienthello	fuzz
✅	FUZ-coralreef-http2_preface	coralreef rejects http2_preface	fuzz
✅	FUZ-coralreef-ssh_banner	coralreef rejects ssh_banner	fuzz
✅	FUZ-coralreef-redis_ping	coralreef rejects redis_ping	fuzz
✅	FUZ-coralreef-memcached_stats	coralreef rejects memcached_stats	fuzz
✅	FUZ-coralreef-big	coralreef handled 100KB payload	fuzz
✅	FUZ-coralreef-timing	coralreef: response times within 0.003s	fuzz
✅	FUZ-loamspine-mal	loamspine handled all 19 malformed payloads	fuzz
✅	FUZ-loamspine-tls_clienthello	loamspine rejects tls_clienthello	fuzz
✅	FUZ-loamspine-http2_preface	loamspine rejects http2_preface	fuzz
✅	FUZ-loamspine-ssh_banner	loamspine rejects ssh_banner	fuzz
✅	FUZ-loamspine-redis_ping	loamspine rejects redis_ping	fuzz
✅	FUZ-loamspine-memcached_stats	loamspine rejects memcached_stats	fuzz
✅	FUZ-loamspine-big	loamspine handled 100KB payload	fuzz
✅	FUZ-loamspine-timing	loamspine: response times within 0.000s	fuzz
✅	FUZ-nestgate-mal	nestgate handled all 19 malformed payloads	fuzz
✅	FUZ-nestgate-tls_clienthello	nestgate rejects tls_clienthello	fuzz
✅	FUZ-nestgate-http2_preface	nestgate rejects http2_preface	fuzz
✅	FUZ-nestgate-ssh_banner	nestgate rejects ssh_banner	fuzz
✅	FUZ-nestgate-redis_ping	nestgate rejects redis_ping	fuzz
✅	FUZ-nestgate-memcached_stats	nestgate rejects memcached_stats	fuzz
✅	FUZ-nestgate-big	nestgate handled 100KB payload	fuzz
✅	FUZ-nestgate-timing	nestgate: response times within 0.003s	fuzz
✅	FUZ-petaltongue-mal	petaltongue handled all 19 malformed payloads	fuzz
✅	FUZ-petaltongue-tls_clienthello	petaltongue rejects tls_clienthello	fuzz
✅	FUZ-petaltongue-http2_preface	petaltongue rejects http2_preface	fuzz
✅	FUZ-petaltongue-ssh_banner	petaltongue rejects ssh_banner	fuzz
✅	FUZ-petaltongue-redis_ping	petaltongue rejects redis_ping	fuzz
✅	FUZ-petaltongue-memcached_stats	petaltongue rejects memcached_stats	fuzz
✅	FUZ-petaltongue-big	petaltongue handled 100KB payload	fuzz
✅	FUZ-petaltongue-timing	petaltongue: response times within 0.000s	fuzz
✅	FUZ-rhizocrypt-mal	rhizocrypt handled all 19 malformed payloads	fuzz
✅	FUZ-rhizocrypt-tls_clienthello	rhizocrypt rejects tls_clienthello	fuzz
✅	FUZ-rhizocrypt-http2_preface	rhizocrypt rejects http2_preface	fuzz
✅	FUZ-rhizocrypt-ssh_banner	rhizocrypt rejects ssh_banner	fuzz
✅	FUZ-rhizocrypt-redis_ping	rhizocrypt rejects redis_ping	fuzz
✅	FUZ-rhizocrypt-memcached_stats	rhizocrypt rejects memcached_stats	fuzz
✅	FUZ-rhizocrypt-big	rhizocrypt handled 100KB payload	fuzz
✅	FUZ-rhizocrypt-timing	rhizocrypt: response times within 0.000s	fuzz
✅	FUZ-skunkbat-mal	skunkbat handled all 19 malformed payloads	fuzz
✅	FUZ-skunkbat-tls_clienthello	skunkbat rejects tls_clienthello	fuzz
✅	FUZ-skunkbat-http2_preface	skunkbat rejects http2_preface	fuzz
✅	FUZ-skunkbat-ssh_banner	skunkbat rejects ssh_banner	fuzz
✅	FUZ-skunkbat-redis_ping	skunkbat rejects redis_ping	fuzz
✅	FUZ-skunkbat-memcached_stats	skunkbat rejects memcached_stats	fuzz
✅	FUZ-skunkbat-big	skunkbat handled 100KB payload	fuzz
✅	FUZ-skunkbat-timing	skunkbat: response times within 0.000s	fuzz
✅	FUZ-songbird-mal	songbird handled all 19 malformed payloads	fuzz
✅	FUZ-songbird-tls_clienthello	songbird rejects tls_clienthello	fuzz
✅	FUZ-songbird-http2_preface	songbird rejects http2_preface	fuzz
✅	FUZ-songbird-ssh_banner	songbird rejects ssh_banner	fuzz
✅	FUZ-songbird-redis_ping	songbird rejects redis_ping	fuzz
✅	FUZ-songbird-memcached_stats	songbird rejects memcached_stats	fuzz
✅	FUZ-songbird-big	songbird handled 100KB payload	fuzz
✅	FUZ-songbird-timing	songbird: response times within 0.000s	fuzz
✅	FUZ-squirrel-mal	squirrel handled all 19 malformed payloads	fuzz
✅	FUZ-squirrel-tls_clienthello	squirrel rejects tls_clienthello	fuzz
✅	FUZ-squirrel-http2_preface	squirrel rejects http2_preface	fuzz
✅	FUZ-squirrel-ssh_banner	squirrel rejects ssh_banner	fuzz
✅	FUZ-squirrel-redis_ping	squirrel rejects redis_ping	fuzz
✅	FUZ-squirrel-memcached_stats	squirrel rejects memcached_stats	fuzz
✅	FUZ-squirrel-big	squirrel handled 100KB payload	fuzz
✅	FUZ-squirrel-timing	squirrel: response times within 0.003s	fuzz
✅	FUZ-sweetgrass-mal	sweetgrass handled all 19 malformed payloads	fuzz
✅	FUZ-sweetgrass-tls_clienthello	sweetgrass rejects tls_clienthello	fuzz
✅	FUZ-sweetgrass-http2_preface	sweetgrass rejects http2_preface	fuzz
✅	FUZ-sweetgrass-ssh_banner	sweetgrass rejects ssh_banner	fuzz
✅	FUZ-sweetgrass-redis_ping	sweetgrass rejects redis_ping	fuzz
✅	FUZ-sweetgrass-memcached_stats	sweetgrass rejects memcached_stats	fuzz
✅	FUZ-sweetgrass-big	sweetgrass handled 100KB payload	fuzz
✅	FUZ-sweetgrass-timing	sweetgrass: response times within 0.001s	fuzz
✅	FUZ-toadstool-mal	toadstool handled all 19 malformed payloads	fuzz
✅	FUZ-toadstool-tls_clienthello	toadstool rejects tls_clienthello	fuzz
✅	FUZ-toadstool-http2_preface	toadstool rejects http2_preface	fuzz
✅	FUZ-toadstool-ssh_banner	toadstool rejects ssh_banner	fuzz
✅	FUZ-toadstool-redis_ping	toadstool rejects redis_ping	fuzz
✅	FUZ-toadstool-memcached_stats	toadstool rejects memcached_stats	fuzz
✅	FUZ-toadstool-big	toadstool handled 100KB payload	fuzz
✅	FUZ-toadstool-timing	toadstool: response times within 0.001s	fuzz
✅	FUZ-HUB-01	Hub handles oversized cookie (HTTP 431)	fuzz
🌑	FUZ-HUB-02	Null byte username reflected in error page (HTTP 403, CSP mitigates)	fuzz
✅	FUZ-HUB-03	Fake token rejected (HTTP 403)	auth
✅	FUZ-HUB-04	Login form handles SQL injection payloads without crash	fuzz
✅	FUZ-HUB-05	XSS in ?next parameter not reflected	fuzz
✅	FUZ-HUB-M-put	PUT /hub/api/users returns 405	fuzz
✅	FUZ-HUB-M-delete	DELETE /hub/api/users returns 405	fuzz
✅	FUZ-HUB-M-patch	PATCH /hub/api/users returns 405	fuzz
✅	FUZ-HUB-M-options	OPTIONS /hub/api/users returns 200	fuzz
✅	FUZ-HUB-M-trace	TRACE /hub/api/users returns 405	fuzz
✅	FUZ-HUB-TRACE	TRACE method blocked (HTTP 405)	fuzz
✅	FUZ-HUB-FLOOD	Hub survives 50 concurrent connections	fuzz
✅	CRY-01	Cookie secret entropy OK: 4.88 bits/byte, 32 bytes	crypto
✅	CRY-02	Cookie secret is 4 days old (within 90-day window)	crypto
✅	CRY-03	Cookie secret permissions OK: mode=600, owner=irongate	crypto
✅	CRY-04	No API tokens in database or database not accessible	crypto
✅	CRY-05-tamison	tamison: SHA-512 hash	crypto
✅	CRY-05-abgreviewer	abgreviewer: yescrypt hash	crypto
✅	CRY-05-abg-test	abg-test: SHA-512 hash	crypto
✅	CRY-05-kmok	kmok: yescrypt hash	crypto
✅	CRY-06	Hash rounds/cost factor adequate	crypto
✅	CRY-07	BearDog rejected tampered token (non-standard response)	crypto
✅	CRY-08	BearDog rejected expired token (non-standard response)	crypto
✅	CRY-09	BTSP port rejects plaintext (handshake required)	crypto
✅	CRY-10	rhizocrypt BTSP rejects plaintext	crypto
🌑	CRY-11	BEARDOG_MASTER_KEY not found in systemd units — ephemeral key derivation in use	crypto
🌑	CRY-12	Cookie format may be v1 (SHA-1) — verify Tornado version	crypto
✅	CRY-13-cookie_secret	Cookie secret: permissions OK (600)	crypto
✅	CRY-13-jupyterhub_database	JupyterHub database: permissions OK (600)	crypto
✅	CRY-13-cloudflare_tunnel_config	Cloudflare tunnel config: permissions OK (600)	crypto
✅	CRY-13-tunnel_creds	Tunnel credential files properly restricted	crypto