
Client Side ABP Setting and Penetration Testing #3027


0
[email protected] created

Hi,

We have had a penetration test run against our ASP Zero installation and a security vulnerability has been highlighted. This medium level vulnerability relates to certain ABP Settings being visible through javascript prior to logging in to the application. The settings of concern are:

Abp.Zero.UserManagement.IsEmailConfirmationRequiredForLogin:"false"
Abp.Zero.UserManagement.TwoFactorLogin.IsEmailProviderEnabled:"true"
Abp.Zero.UserManagement.TwoFactorLogin.IsEnabled:"false"
Abp.Zero.UserManagement.TwoFactorLogin.IsRememberBrowserEnabled:"true"
Abp.Zero.UserManagement.TwoFactorLogin.IsSmsProviderEnabled:"true"
Abp.Zero.UserManagement.UserLockOut.DefaultAccountLockoutSeconds:"300"
Abp.Zero.UserManagement.UserLockOut.IsEnabled:"true"
Abp.Zero.UserManagement.UserLockOut.MaxFailedAccessAttemptsBeforeLockout:"5"

They are of concern as they relate to security and could potentially be used by an attacker to better craft their attack strategy.

Are we able to alter the settings scope (IsVisibleToClients = false) or will this break the login process? If we are unable to change this scope then how would you advise us to modify the login process so that these settings are not required on the client side prior to authentication.

Thanks,

Sean Duffy
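The approach the question proposes, redefining the listed settings with IsVisibleToClients = false so they are left out of the script ABP serves to the browser, written out as an added example. This is not ASP.NET Zero's or the ABP framework's own code; it assumes the ABP 2.x SettingDefinition constructor that takes an isVisibleToClients argument, that the application module's PreInitialize runs after the Zero modules it depends on, and that a definition registered later under the same name replaces the earlier one (SettingDefinitionManager keys definitions by name). The provider class name is invented for illustration; the setting names and the default values are the ones listed in the report above.

```csharp
using System.Collections.Generic;
using Abp.Configuration;
using Abp.Zero.Configuration;

// Added example, not ASP.NET Zero's own code.
// Assumptions: ABP 2.x SettingDefinition(name, defaultValue, ..., scopes, isVisibleToClients);
// a later provider's definition with the same name replaces the one from AbpZeroSettingProvider.
public class HiddenLoginSettingProvider : SettingProvider
{
    // Default values must mirror what the application relies on today; these are the
    // values the penetration test saw in the unauthenticated script output.
    private static readonly Dictionary<string, string> Defaults = new Dictionary<string, string>
    {
        { AbpZeroSettingNames.UserManagement.IsEmailConfirmationRequiredForLogin, "false" },
        { AbpZeroSettingNames.UserManagement.TwoFactorLogin.IsEnabled, "false" },
        { AbpZeroSettingNames.UserManagement.TwoFactorLogin.IsEmailProviderEnabled, "true" },
        { AbpZeroSettingNames.UserManagement.TwoFactorLogin.IsSmsProviderEnabled, "true" },
        { AbpZeroSettingNames.UserManagement.TwoFactorLogin.IsRememberBrowserEnabled, "true" },
        { AbpZeroSettingNames.UserManagement.UserLockOut.IsEnabled, "true" },
        { AbpZeroSettingNames.UserManagement.UserLockOut.MaxFailedAccessAttemptsBeforeLockout, "5" },
        { AbpZeroSettingNames.UserManagement.UserLockOut.DefaultAccountLockoutSeconds, "300" }
    };

    public override IEnumerable<SettingDefinition> GetSettingDefinitions(SettingDefinitionProviderContext context)
    {
        foreach (var pair in Defaults)
        {
            yield return new SettingDefinition(
                pair.Key,
                pair.Value,
                scopes: SettingScopes.Application | SettingScopes.Tenant,
                // Not emitted into abp.setting.values by /AbpScripts/GetScripts,
                // so neither anonymous nor authenticated clients receive it.
                isVisibleToClients: false
            );
        }
    }
}

// Registration, in the application's AbpModule (which depends on the Zero modules,
// so this runs after AbpZeroSettingProvider has been added):
//
// public override void PreInitialize()
// {
//     Configuration.Settings.Providers.Add<HiddenLoginSettingProvider>();
// }
```

Two checks are worth running afterwards. First, request /AbpScripts/GetScripts without a session and confirm that none of the Abp.Zero.UserManagement.* names appear in the response; that is the same observation the penetration test made. Second, search the client-side code for abp.setting.get, abp.setting.getBoolean and abp.setting.getInt calls that use these names, because every such call now returns undefined for authenticated users as well, not just on the login page; anything that depended on them has to be moved behind an authenticated application service call.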


1 Answer(s)
    0
    ismcagdas created
    Support Team

    Hi,

    Thank you for your explanation. Currently this is not possible, I think.

    We need to add a new property, maybe IsVisibleToAuthenticatedClients, to ABP framework. I have created an issue here for that: https://github.com/aspnetboilerplate/aspnetboilerplate/issues/2072, you can follow it.

    Thanks.