Activities of "hongbing.wang"
Hi @ismcagdas, Not sure whether forcing anti-forgery validation will fix the session hijacking issue. Put anti-forgery validation aside, have you considered the session hijacking issue in the original Zero app. Please note that I can reproduce it in ASP.NET Zero 12.4.2.
Hi @ismcagdas,
Yes, our app has HTTP-Only cookies enabled. The HttpOnly flag prevents client-side scripts (JavaScript) from accessing the cookie containing the token. This helps mitigate Cross-site Scripting (XSS) attacks, where an attacker injects malicious code into a web page and steals the token using JavaScript.
However, it doesn't prevent access from the developer tools provided by your browser. Anyone with access to your browser, including yourself, can view and copy the token using these tools.
Please try Zero app 12.4.2: copy the Abp.AuthToken from an admin user to a non-admin user. The non-admin user now has the admin rights.
Hi @ismcagdas, Yes, we host Angular app with the Host app together under the same domain.
I have reinstated [ValidateAntiForgeryToken] attributes. But it didn't help solve the reported session hijacking described at the top pf this post.
The example of session hijacking: I copied the AbP.AuthToken from an admin user to a non-admin user. The non-admin user now has the admin rights, which is an authentication and authorization issue.
I think the [ValidateAntiForgeryToken] attribute won't directly address the session hijacking. It is not directly applicable to preventing token impersonation. Is this an authentication issue?
Please note that this issue can also be reproduced with Zero app 12.4.2.
Hi @ismcagdas, Thank you for your suggestion. Please have a look at my implementation of ApiDocController below. Am I on the right track? I can see that the attribute routing works for the existing TokenAuthController. I think in this case I don't need to do anything special to enable attribute routing, right? I haven't got it working. Please point out what is missed. Thank you.
`namespace umsplus.Web.Controllers { [Route("apidoc")] public class ApiDocController : umsplusControllerBase { public ApiDocController() {
}
[HttpGet("{fileName}")]
public IActionResult GetFile(string fileName)
{
// Assuming your apidoc files are stored in the wwwroot/apidoc directory
// Validate and sanitize fileName
fileName = Path.GetFileNameWithoutExtension(fileName) + Path.GetExtension(fileName); // Remove potential path traversal attempts
// Enforce directory restriction
var filePath = Path.Combine(Directory.GetCurrentDirectory(), "wwwroot", "apidoc", fileName);
filePath = Path.GetFullPath(filePath); // Normalize path
if (filePath.StartsWith(Path.Combine(Directory.GetCurrentDirectory(), "wwwroot", "apidoc")))
{
// Proceed with file retrieval if path is valid
if (System.IO.File.Exists(filePath))
{
var fileContent = System.IO.File.ReadAllBytes(filePath);
return File(fileContent, "application/octet-stream", fileName);
}
else
{
return NotFound();
}
}
else
{
// Handle invalid path attempts, potentially logging or raising an alert
return BadRequest("Invalid file path");
}
}
}
}`
Hi @ismcagdas,
What is your product version? v12.4.0 What is your product type (Angular or MVC)? Angular What is product framework type (.net framework or .net core)? .net 7
We need to implement API rate limiting / throttling for third-party facing / external APIs (AppServices).
Please advise whether the attribute-driven rate limiting / throttling such as [EnableRateLimiting("Api")] and sliding window limit, is available.
Please advise the steps. Thank you.
Hi @ismcagdas,
What is your product version? v12.4.0 What is your product type (Angular or MVC)? Angular What is product framework type (.net framework or .net core)? .net 7
The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. Using the Cookie, attacker can gain access to the application as authorized user and can modify the data, and he can pose as legitimate users, gain information, and take actions under the assumed identity. Please see the details in the following screenshots.
When copying an admin's Abp.AuthToken cookie to a non-admin user, WMS Pro shows an error message: "Request data failed, Session.UserId is null! Probably, user is not logged in.". Reload the page, the user is logged out. This is normal. Please investigate why sometimes the user is not logged out. Refresh the page, the non-admin user is shown as an admin.
Related:
My question at https://support.aspnetzero.com/QA/Questions/10654/Login-Issue-w-Antiforgery-Tokens
Why do we have to comment out [ValidateAntiForgeryToken] in the following places: \webapi\src\umsplus.Web.Core\Controllers\TenantCustomizationController.cs //[ValidateAntiForgeryToken] public async Task<JsonResult> UploadLightLogo() ... //[ValidateAntiForgeryToken] public async Task<JsonResult> UploadCustomCss() ... \webapi\src\umsplus.Web.Core\Controllers\UsersControllerBase.cs //[ValidateAntiForgeryToken] public async Task<JsonResult> ImportFromExcel() ...
...\webapi\src\umsplus.Web.Host\Startup\Startup.cs services.AddControllersWithViews(options => { options.Filters.Add(new AbpAutoValidateAntiforgeryTokenAttribute());
It should be done for dynamic web api automatically. Does this mean, with this set, we don't need to set the attribute [ValidateAntiForgeryToken] in the places?
Hi @ismcagdas,
What is your product version? v12.4.0 What is your product type (Angular or MVC)? Angular What is product framework type (.net framework or .net core)? .net 7
Abp.AuthToken and Abp.AuthRefresh are not cleared following logout in production build with the implementation of HTTP-only-cookie by integrating server and client in the same app. But this problem doesn't occur in debug build where the server and the client are separate. Please see the following screenshot for more details.
Please advise the steps to resolve the issue in the HTTP-only production build.
Hi @ismcagdas,
What is your product version? v12.4.0
What is your product type (Angular or MVC)? Angular
What is product framework type (.net framework or .net core)? .net 7
[IgnoreAntiforgeryToken] is used in the following files: aspnet-core\src\umsplus.Web.Core\OpenIddict\Controllers\TokenController.cs aspnet-core\src\umsplus.Web.Core\OpenIddict\Controllers\AuthorizeController.cs, HandleAsync() aspnet-core\src\umsplus.Web.Core\OpenIddict\Controllers\UserInfoController.cs
With [IgnoreAntiforgeryToken], the endpoint will not be protected for XSRF Attacks. Why [IgnoreAntiforgeryToken]? Are there any consequences if removed?
Hi @ismcagdas,
We also need to do API rate limiting / throttling for third-party facing / external APIs (AppServices).
What is your product version? v12.4.0
What is your product type (Angular or MVC)? Angular
What is product framework type (.net framework or .net core)? .net 7
Please advise whether the attribute-driven rate limiting / throttling such as [EnableRateLimiting("Api")], sliding window limit, is available.
Please advise the steps. Thank you.