
Activities of "hongbing.wang"

Answer

Hi @ismcagdas, Not sure whether forcing anti-forgery validation will fix the session hijacking issue. Putting anti-forgery validation aside, have you considered the session hijacking issue in the original Zero app? Please note that I can reproduce it in ASP.NET Zero 12.4.2.

Answer

Hi @ismcagdas,

Yes, our app has HTTP-Only cookies enabled. The HttpOnly flag prevents client-side scripts (JavaScript) from accessing the cookie containing the token. This helps mitigate Cross-site Scripting (XSS) attacks, where an attacker injects malicious code into a web page and steals the token using JavaScript.

However, it doesn't prevent access from the developer tools provided by your browser. Anyone with access to your browser, including yourself, can view and copy the token using these tools.

Please try Zero app 12.4.2: copy the Abp.AuthToken from an admin user to a non-admin user. The non-admin user now has the admin rights.

Answer

Hi @ismcagdas, Yes, we host Angular app with the Host app together under the same domain.

Answer

I have reinstated [ValidateAntiForgeryToken] attributes. But it didn't help solve the session hijacking reported at the top of this post.

The example of session hijacking: I copied the Abp.AuthToken from an admin user to a non-admin user. The non-admin user now has the admin rights, which is an authentication and authorization issue.

I think the [ValidateAntiForgeryToken] attribute won't directly address the session hijacking. It is not directly applicable to preventing token impersonation. Is this an authentication issue?

Please note that this issue can also be reproduced with Zero app 12.4.2.

Hi @ismcagdas, Thank you for your suggestion. Please have a look at my implementation of ApiDocController below. Am I on the right track? I can see that the attribute routing works for the existing TokenAuthController. I think in this case I don't need to do anything special to enable attribute routing, right? I haven't got it working. Please point out what is missed. Thank you.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.Mvc;

namespace umsplus.Web.Controllers
{
    [Route("apidoc")]
    public class ApiDocController : umsplusControllerBase
    {
        public ApiDocController()
        {
        }

        [HttpGet("{fileName}")]
        public IActionResult GetFile(string fileName)
        {
            // Assuming your apidoc files are stored in the wwwroot/apidoc directory
            // Validate and sanitize fileName: keep only the last path segment, which
            // drops any directory components used for path traversal attempts
            fileName = Path.GetFileName(fileName);

            // Enforce directory restriction: resolve the allowed root once, then make
            // sure the normalized target path stays inside it
            var apiDocRoot = Path.GetFullPath(
                Path.Combine(Directory.GetCurrentDirectory(), "wwwroot", "apidoc"));
            var filePath = Path.GetFullPath(Path.Combine(apiDocRoot, fileName)); // Normalize path

            // The trailing separator stops a sibling directory such as "apidoc2" from passing the check
            if (filePath.StartsWith(apiDocRoot + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            {
                // Proceed with file retrieval if path is valid
                if (System.IO.File.Exists(filePath))
                {
                    var fileContent = System.IO.File.ReadAllBytes(filePath);
                    return File(fileContent, "application/octet-stream", fileName);
                }
                else
                {
                    return NotFound();
                }
            }
            else
            {
                // Handle invalid path attempts, potentially logging or raising an alert
                return BadRequest("Invalid file path");
            }
        }
    }
}
```

Hi @ismcagdas,

What is your product version? v12.4.0

What is your product type (Angular or MVC)? Angular

What is product framework type (.net framework or .net core)? .net 7

[IgnoreAntiforgeryToken] is used in the following files:

- aspnet-core\src\umsplus.Web.Core\OpenIddict\Controllers\TokenController.cs
- aspnet-core\src\umsplus.Web.Core\OpenIddict\Controllers\AuthorizeController.cs, HandleAsync()
- aspnet-core\src\umsplus.Web.Core\OpenIddict\Controllers\UserInfoController.cs

With [IgnoreAntiforgeryToken], the endpoint will not be protected for XSRF Attacks. Why [IgnoreAntiforgeryToken]? Are there any consequences if removed?

Hi @ismcagdas,

We also need to do API rate limiting / throttling for third-party facing / external APIs (AppServices).

What is your product version? v12.4.0

What is your product type (Angular or MVC)? Angular

What is product framework type (.net framework or .net core)? .net 7

Please advise whether the attribute-driven rate limiting / throttling such as [EnableRateLimiting("Api")], sliding window limit, is available.

Please advise the steps. Thank you.
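For reference, the attribute-driven sliding-window limiter asked about above is part of .NET 7 itself (Microsoft.AspNetCore.RateLimiting), independent of ASP.NET Zero. The following is an added example, not code from the project or from the poster: a minimal Program.cs that registers a named "Api" sliding-window policy and a hypothetical third-party-facing controller that opts in with [EnableRateLimiting("Api")]. The controller name, route and limits (100 requests per minute over four segments) are assumptions chosen for illustration.

```csharp
// Program.cs (added example): built-in .NET 7 rate limiting with a sliding window policy
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.RateLimiting;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

builder.Services.AddRateLimiter(options =>
{
    // Named policy "Api": at most 100 requests per 1-minute window, tracked in
    // four 15-second segments so the window slides instead of resetting abruptly.
    options.AddSlidingWindowLimiter(policyName: "Api", configure =>
    {
        configure.PermitLimit = 100;                  // assumed limit for the example
        configure.Window = TimeSpan.FromMinutes(1);
        configure.SegmentsPerWindow = 4;
        configure.QueueLimit = 0;                     // reject immediately instead of queueing
    });

    // Default rejection status is 503; 429 tells API clients to back off.
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
});

var app = builder.Build();

// The middleware must be in the pipeline before endpoints execute.
app.UseRateLimiter();
app.MapControllers();
app.Run();

// Hypothetical external-facing controller; every action inherits the "Api" policy.
[ApiController]
[Route("api/external")]
[EnableRateLimiting("Api")]
public class ExternalApiController : ControllerBase
{
    [HttpGet("ping")]
    public IActionResult Ping() => Ok("pong");

    // A single action can opt out of the controller-level policy.
    [HttpGet("health")]
    [DisableRateLimiting]
    public IActionResult Health() => Ok("healthy");
}
```

The sliding-window limiter above counts requests across all callers; for per-client quotas, the same AddRateLimiter call can also set options.GlobalLimiter with a partitioned limiter keyed by caller identity or IP address.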

Adding `<PackageReference Include="Castle.Core-Serilog" Version="5.1.1" />` to the ServiceCore/Host project made the error go away.

This issue has been resolved.

Hi ismcagdas,

We tried it in a couple of AppService classes. We also tried it in TokenAuthController.cs. The errors are similar, for example, "Can't create component 'umsplus.Web.Controllers.TokenAuthController' as it has dependencies to be satisfied".

We have found other ways to dynamically show/hide menu items and permission tree items in app-navigation.service.ts, PermissionAppService and RoleAppService.
