How can we limit the information returned before any user is logged in: /AbpScripts/GetScripts
During the penetration test, it was observed that the API endpoint /AbpScripts/GetScripts?v=638574937565860233 exposed a significant amount of sensitive information.
Details: When analyzing the endpoint, we discovered that it reveals internal configuration details, including:
- Password complexity requirements.
- Account lockout policies, specifically that the lockout time is set to 300 seconds after 5 failed attempts.
This information is valuable to an attacker, who could use it to tailor brute force attacks or craft payloads that align with the application's security settings.
1 Answer(s)
Hi @williepieterse,
Removing this information may cause problems in the application. We will open an issue about this and discuss how we can do it better.
You can follow the process at https://github.com/aspnetzero/aspnet-zero-core/issues/5327