
Important security issue: API calls succeed after logout #1956


dcpar created

Hello,

I've encountered a security issue with ABP, and I'm wondering if there's a simple way to fix this. In a nutshell, I'm able to call API methods after logout by re-using the cookie. During a security audit, this was identified as a critical security issue by a 3rd party firm.

Here are the steps to reproduce the problem:

  1. Start fiddler
  2. Login to the aspnetzero application
  3. Logout of the aspnetzero application
  4. In the Fiddler window, select a previous service call such as "GetCurrentLoginInformations"
  5. Click "Replay" in Fiddler (which includes the cookie)
  6. Notice that the replayed service call was successful, i.e. success":true,"result":{"user":{"name":"admin","surname":"admin","userName":"admin","emailAddress":"[email protected]","profilePictureId":null,"id":2},"tenant":{"tenancyName":"Default","name":"GCGC","editionDisplayName":"Standard","id":1}},"error":null,"unAuthorizedRequest":false}

The expected result is that the service call would fail, since the user has logged out.

Is there a built-in way of preventing this behaviour?

Thanks,

Dave

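The replay in the steps above comes down to one question: after logout, does the server check anything it can actually revoke, or does it accept any authentication cookie whose signature still verifies? The following is an added, self-contained Python model of that difference; it is not ABP or ASP.NET Zero code and is not part of the original post. The cookie format (hex ticket plus HMAC), the in-memory user table, the per-user "security stamp" and the function names are all assumptions made for illustration. It runs the Fiddler scenario (login, keep a copy of the cookie, logout, replay) under a signature-only check and under a check that also compares the ticket's stamp with the user's current stamp, which the fixed logout rotates.

```python
"""Model of the post-logout cookie replay: a signed auth cookie stays valid
after logout unless the server also checks something it can revoke.
Illustrative code, not ABP's implementation."""
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed: the cookie-protection key

# constructed user store: user id -> record with a per-user security stamp
USERS = {2: {"userName": "admin", "security_stamp": secrets.token_hex(8)}}


def sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_cookie(user_id: int) -> str:
    """Login: build an auth ticket {uid, stamp} and MAC it. Nothing is
    stored server-side, as with a stateless cookie ticket."""
    ticket = json.dumps(
        {"uid": user_id, "stamp": USERS[user_id]["security_stamp"]}
    ).encode()
    return ticket.hex() + "." + sign(ticket)


def parse_cookie(cookie: str):
    """Return the ticket dict if the MAC verifies, else None."""
    try:
        body_hex, mac = cookie.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(sign(body), mac):
        return None
    return json.loads(body)


def authenticate_signature_only(cookie: str):
    """Vulnerable check: any ticket with a valid MAC is accepted, so a
    replayed cookie keeps working until the ticket itself expires."""
    ticket = parse_cookie(cookie)
    return None if ticket is None else ticket["uid"]


def authenticate_with_stamp(cookie: str):
    """Hardened check: the stamp inside the ticket must still equal the
    user's current stamp, which a proper logout rotates."""
    ticket = parse_cookie(cookie)
    if ticket is None:
        return None
    user = USERS.get(ticket["uid"])
    if user is None or not hmac.compare_digest(user["security_stamp"], ticket["stamp"]):
        return None
    return ticket["uid"]


def logout_buggy(cookie: str) -> None:
    """Logout that only tells the browser to drop the cookie; the server
    keeps no record, so nothing changes for whoever holds a copy."""
    return None


def logout_fixed(cookie: str) -> None:
    """Logout that also rotates the user's security stamp, invalidating
    every outstanding ticket issued to that user."""
    ticket = parse_cookie(cookie)
    if ticket is not None and ticket["uid"] in USERS:
        USERS[ticket["uid"]]["security_stamp"] = secrets.token_hex(8)


def replay_after_logout(logout, authenticate):
    """Fiddler scenario: login, keep the cookie, logout, replay the cookie.
    Returns the uid the replay authenticates as, or None if rejected."""
    captured = issue_cookie(2)
    assert authenticate(captured) == 2  # the original request succeeds
    logout(captured)
    return authenticate(captured)


if __name__ == "__main__":
    print("signature-only check, buggy logout:",
          replay_after_logout(logout_buggy, authenticate_signature_only))
    print("stamp check, fixed logout:",
          replay_after_logout(logout_fixed, authenticate_with_stamp))
```

Only the last combination rejects the replay: rotating the stamp on logout does nothing if requests are validated by signature alone, and checking the stamp does nothing if logout never changes it. ASP.NET Identity carries the same idea as the user's SecurityStamp, rotated by UserManager.UpdateSecurityStampAsync and re-checked by the cookie middleware's SecurityStampValidator; how the ABP template wires that up is not shown in this thread.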

3 Answer(s)
  • ismcagdas created
    Support Team

    Hi Dave,

    Is your Logout action in AccountController like this?

    public async Task<ActionResult> Logout()
    {
        // Clear the authentication cookie(s) for the current user
        await _signInManager.SignOutAllAsync();
        // Then send the browser back to the login page
        return RedirectToAction("Login");
    }
    

    One of the previous versions was using a buggy logout action.

  • meysam created

    Hello,

    I also have this problem.

    This is my Logout method:

    public virtual ActionResult Logout()
    {
        // Clear the OWIN authentication cookie(s) for the current user
        _authenticationManager.SignOutAll();

        // Then send the browser back to the login page
        return RedirectToAction("Login");
    }
    

    Can you tell me how I can fix this issue?

    Thanks,

    Meysam

  • alper created
    Support Team

    Is it possible for you to update ABP and ZERO to the latest? As far as I remember there was an issue as you stated, but it was fixed.