Hi @ismcagdas,
What is your product version? v12.4.0 What is your product type (Angular or MVC)? Angular What is product framework type (.net framework or .net core)? .net 7
The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. Using the Cookie, attacker can gain access to the application as authorized user and can modify the data, and he can pose as legitimate users, gain information, and take actions under the assumed identity. Please see the details in the following screenshots.
When copying an admin's Abp.AuthToken cookie to a non-admin user, WMS Pro shows an error message: "Request data failed, Session.UserId is null! Probably, user is not logged in.". Reload the page, the user is logged out. This is normal. Please investigate why sometimes the user is not logged out. Refresh the page, the non-admin user is shown as an admin.
Related:
My question at https://support.aspnetzero.com/QA/Questions/10654/Login-Issue-w-Antiforgery-Tokens
Why do we have to comment out [ValidateAntiForgeryToken] in the following places: \webapi\src\umsplus.Web.Core\Controllers\TenantCustomizationController.cs //[ValidateAntiForgeryToken] public async Task<JsonResult> UploadLightLogo() ... //[ValidateAntiForgeryToken] public async Task<JsonResult> UploadCustomCss() ... \webapi\src\umsplus.Web.Core\Controllers\UsersControllerBase.cs //[ValidateAntiForgeryToken] public async Task<JsonResult> ImportFromExcel() ...
...\webapi\src\umsplus.Web.Host\Startup\Startup.cs services.AddControllersWithViews(options => { options.Filters.Add(new AbpAutoValidateAntiforgeryTokenAttribute());
It should be done for dynamic web api automatically. Does this mean, with this set, we don't need to set the attribute [ValidateAntiForgeryToken] in the places?
9 Answer(s)
-
0
Hi,
You shouldn't disable
ValidateAntiForgeryTokenattribute. Did you face any issues while using it ? If not, you can enable it back. It seems like your HTTPS certificate is not valid as far as I can see from the screnshot. I suggest using a valid certificate. This should solve the problem. -
0
I have reinstated [ValidateAntiForgeryToken] attributes. But it didn't help solve the reported session hijacking described at the top pf this post.
The example of session hijacking: I copied the AbP.AuthToken from an admin user to a non-admin user. The non-admin user now has the admin rights, which is an authentication and authorization issue.
I think the [ValidateAntiForgeryToken] attribute won't directly address the session hijacking. It is not directly applicable to preventing token impersonation. Is this an authentication issue?
Please note that this issue can also be reproduced with Zero app 12.4.2.
-
0
Hi,
Are you hosting Angular app with the Host app together under the same domain ?
-
0
Hi @ismcagdas, Yes, we host Angular app with the Host app together under the same domain.
-
0
Thanks,
In that case, instead of directly serving Angular app (and its index.html file), you can host this file via an ASP.NET Core Controller and cshtml file. You can follow an approach like this https://github.com/angular/angular-cli/issues/2960#issuecomment-263639803
In that case, Anti-Forgery will work.
I assume you already enabled HTTP-Only cookies. In that case, client side can't access auth token at all.
-
0
Hi @ismcagdas,
Yes, our app has HTTP-Only cookies enabled. The HttpOnly flag prevents client-side scripts (JavaScript) from accessing the cookie containing the token. This helps mitigate Cross-site Scripting (XSS) attacks, where an attacker injects malicious code into a web page and steals the token using JavaScript.
However, it doesn't prevent access from the developer tools provided by your browser. Anyone with access to your browser, including yourself, can view and copy the token using these tools.
Please try Zero app 12.4.2: copy the Abp.AuthToken from an admin user to a non-admin user. The non-admin user now has the admin rights.
-
0
Hi,
In that case, as I stated above (if you also want to enable Anti-Forgery validation), you need to follow;
In that case, instead of directly serving Angular app (and its index.html file), you can host this file via an ASP.NET Core Controller and cshtml file. You can follow an approach like this https://github.com/angular/angular-cli/issues/2960#issuecomment-263639803
This way, you can force anti-forgery validaiton for your Angular client.
-
0
Hi @ismcagdas, Not sure whether forcing anti-forgery validation will fix the session hijacking issue. Put anti-forgery validation aside, have you considered the session hijacking issue in the original Zero app. Please note that I can reproduce it in ASP.NET Zero 12.4.2.
-
0
Hi,
Yes, we did but it didn't come out in our tests. Please take a look at the following artice https://www.globalsign.com/en/blog/session-hijacking-and-how-to-prevent-it.
Normally tools like you are using offers a solution to their findings. Do you have such an information ? We can evaluate to implement it.
