
Activities of "dcpar"

Hello,

I've encountered a security issue with ABP, and I'm wondering if there's a simple way to fix this. In a nutshell, I'm able to call API methods after logout by re-using the cookie. During a security audit, this was identified as a critical security issue by a 3rd party firm.

Here are the steps to reproduce the problem:

  1. Start Fiddler
  2. Log in to the aspnetzero application
  3. Log out of the aspnetzero application
  4. In the Fiddler window, select a previous service call such as "GetCurrentLoginInformations"
  5. Click "Replay" in Fiddler (which includes the cookie)
  6. Notice that the replayed service was successful, i.e. success":true,"result":{"user":{"name":"admin","surname":"admin","userName":"admin","emailAddress":"[email protected]","profilePictureId":null,"id":2},"tenant":{"tenancyName":"Default","name":"GCGC","editionDisplayName":"Standard","id":1}},"error":null,"unAuthorizedRequest":false}

The expected result is that the service call would fail, since the user has logged out.

Is there a built-in way of preventing this behaviour?

Thanks,

Dave
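The behaviour described in this post (a replayed cookie still authenticates after logout) is what you get when the authentication cookie is only validated cryptographically and nothing on the server records that the session ended. The following is an added example, not code from ABP or aspnetzero, showing the two settings in plain ASP.NET Core Identity that make a logged-out cookie fail on the next request: validating the user's security stamp on every request instead of the default 30-minute interval, and rotating that stamp during logout. It assumes the stock `IdentityUser` type and Identity's cookie scheme; the class and action names are illustrative, and ABP's own user and manager types would take the place of the ones used here.

```csharp
// Added example (not ABP/aspnetzero project code): make a logged-out cookie
// fail server-side validation on the next request.
// Assumes ASP.NET Core Identity with its default cookie scheme and IdentityUser.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class SessionHardening
{
    // Call this from ConfigureServices. The security stamp stored in the cookie
    // is compared with the one in the database only every 30 minutes by default,
    // so a replayed cookie keeps working until that window expires. Setting the
    // interval to zero performs the comparison on every request.
    public static void AddStrictSecurityStampValidation(this IServiceCollection services)
    {
        services.Configure<SecurityStampValidatorOptions>(options =>
        {
            options.ValidationInterval = TimeSpan.Zero;
        });
    }
}

public class AccountController : Controller
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;

    public AccountController(UserManager<IdentityUser> userManager,
                             SignInManager<IdentityUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        var user = await _userManager.GetUserAsync(User);
        if (user != null)
        {
            // Rotating the security stamp invalidates every cookie issued before
            // this point, including a copy of the cookie replayed from a proxy.
            // Combined with ValidationInterval = TimeSpan.Zero, the replay in
            // the reproduction steps above is rejected on its first request.
            await _userManager.UpdateSecurityStampAsync(user);
        }

        // Clears the cookie in the browser; on its own this does nothing about
        // copies of the cookie that were captured earlier.
        await _signInManager.SignOutAsync();
        return RedirectToAction("Login");
    }
}
```

A quick check after applying this is to repeat steps 1 to 5 from the post: the replayed call should now come back as an unauthorized request rather than returning the user record. Validating the stamp on every request costs one user lookup per request, so a short non-zero interval is a reasonable compromise on busy systems, at the price of a window of that length after logout.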

We're experiencing this exact issue.

http://stackoverflow.com/questions/36129794/why-does-my-updateasyncuser-method-fail-the-first-time-claiming-user-doesnt

  • User starts up the app (not currently logged in) and clicks button to post viewModel to server.
  • The app logs the user in.
  • If the viewModel is different than the existing user's data, the server attempts to update it.
  • This update will fail with "There is no user with id: 99"
  • User clicks button again and posts the same data to the server. (this time user has been logged in from previous failed post)
  • viewModel is still different than existing data (remember, the update failed last time)
  • await _userManager.UpdateAsync(user); works and the record is updated.

Has there been any resolution to this?

Hi guys,

When the CreateOrUpdateUser method is logged, the password is logged in plain text. This is a big security issue, as the logs could be used to compromise the system.

Can you add a setting to disable logging of sensitive information?

Thanks,

Dave
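As an added illustration of the logging concern raised in this post (not code from ABP or aspnetzero, and not a statement of how the project handles it), the following shows an input DTO whose password property is marked with ABP's `DisableAuditing` attribute, which the ABP audit logger honours when it serializes method arguments. The DTO, property and namespace names used here are assumed; the attribute itself lives in ABP's `Abp.Auditing` namespace. Checking that the stored audit log entry for a `CreateOrUpdateUser` call no longer contains the password is the test a reviewer would want after applying this.

```csharp
// Added example (not ABP/aspnetzero project code): keep the password out of
// the audit log for a CreateOrUpdateUser-style call.
// Assumes ABP's DisableAuditing attribute from the Abp.Auditing namespace.
using Abp.Auditing;

namespace Example.Users.Dto
{
    // Properties of this DTO are serialized into the audit log as part of the
    // method arguments, so each sensitive property has to be excluded.
    public class CreateOrUpdateUserInput
    {
        public string UserName { get; set; }

        public string EmailAddress { get; set; }

        // Excluded from the serialized arguments written to the audit log.
        // The value is still bound and usable by the application service.
        [DisableAuditing]
        public string Password { get; set; }

        // Applies to anything else that must never reach the log, such as
        // a reset token or a one-time code.
        [DisableAuditing]
        public string PasswordResetToken { get; set; }
    }
}
```

The same attribute can be placed on a method or a class to skip auditing for that call entirely, but excluding only the sensitive properties keeps the rest of the audit trail (who changed which user, and when) intact.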
