Hi,
We have had a penetration test run against our ASP Zero installation and a security vulnerability has been highlighted. This medium level vulnerability relates to certain ABP Settings being visible through javascript prior to logging in to the application. The settings of concern are:
Abp.Zero.UserManagement.IsEmailConfirmationRequiredForLogin:"false"
Abp.Zero.UserManagement.TwoFactorLogin.IsEmailProviderEnabled:"true"
Abp.Zero.UserManagement.TwoFactorLogin.IsEnabled:"false"
Abp.Zero.UserManagement.TwoFactorLogin.IsRememberBrowserEnabled:"true"
Abp.Zero.UserManagement.TwoFactorLogin.IsSmsProviderEnabled:"true"
Abp.Zero.UserManagement.UserLockOut.DefaultAccountLockoutSeconds:"300"
Abp.Zero.UserManagement.UserLockOut.IsEnabled:"true"
Abp.Zero.UserManagement.UserLockOut.MaxFailedAccessAttemptsBeforeLockout:"5"
They are of concern as they relate to security and could potentially be used by an attacker to better craft their attack strategy.
Are we able to alter the settings scope (IsVisibleToClients = false), or will this break the login process? If we are unable to change this scope, then how would you advise us to modify the login process so that these settings are not required on the client side prior to authentication?
Thanks,
Sean Duffy
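Added example, not code from the original post or from ABP: a small audit script that parses the settings ABP's client script hands to an unauthenticated browser and lists the login-protection ones, so the exposure can be checked before and after any change. The `abp.setting.values['Name'] = 'value';` line format is assumed from ABP's setting script, and the sample script below is constructed.

```python
import re
import sys
import urllib.request

# Prefixes of the ABP Zero settings that describe login protections; these are
# the ones the penetration test flagged as readable before authentication.
SECURITY_PREFIXES = (
    "Abp.Zero.UserManagement.TwoFactorLogin.",
    "Abp.Zero.UserManagement.UserLockOut.",
    "Abp.Zero.UserManagement.IsEmailConfirmationRequiredForLogin",
)

# Matches the per-setting lines the client script emits (format assumed):
#   abp.setting.values['Name'] = 'value';
SETTING_LINE = re.compile(r"abp\.setting\.values\['([^']+)'\]\s*=\s*'([^']*)'")

def parse_client_settings(script_text):
    """Return every setting name/value pair the script hands to the browser."""
    return dict(SETTING_LINE.findall(script_text))

def exposed_security_settings(script_text):
    """Return only the login-protection settings visible to the client."""
    return {name: value for name, value in parse_client_settings(script_text).items()
            if name.startswith(SECURITY_PREFIXES)}

# Constructed sample of the script an unauthenticated client receives.
SAMPLE_SCRIPT = """
(function(){
    abp.setting = abp.setting || {};
    abp.setting.values = abp.setting.values || {};
    abp.setting.values['Abp.Localization.DefaultLanguage'] = 'en';
    abp.setting.values['Abp.Zero.UserManagement.UserLockOut.IsEnabled'] = 'true';
    abp.setting.values['Abp.Zero.UserManagement.UserLockOut.MaxFailedAccessAttemptsBeforeLockout'] = '5';
    abp.setting.values['Abp.Zero.UserManagement.TwoFactorLogin.IsEnabled'] = 'false';
})();
"""

def main():
    if len(sys.argv) > 1:
        # URL of your own deployment's script endpoint, fetched with no session cookie
        with urllib.request.urlopen(sys.argv[1]) as resp:
            text = resp.read().decode("utf-8")
    else:
        text = SAMPLE_SCRIPT
    exposed = exposed_security_settings(text)
    for name, value in sorted(exposed.items()):
        print(f"EXPOSED {name} = {value}")
    print(f"{len(exposed)} login-protection setting(s) readable before login")

if __name__ == "__main__":
    main()
```

Run it with no arguments to see the constructed sample audited, or pass the unauthenticated script URL of a test deployment to audit that instead.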
1 Answer(s)
Hi,
Thank you for your explanation. Currently this is not possible I think.
We need to add a new property, maybe IsVisibleToAuthenticatedClients, to the ABP framework. I have created an issue here for that: https://github.com/aspnetboilerplate/aspnetboilerplate/issues/2072, you can follow it.
Thanks.