Security issues found
Hi. I've discovered some security issues in the ABP project. I have a write-up and working PoC code available - do you have a contact email where I can send this information? If you prefer, I can detail the problem here, although this will publicly disclose the issues immediately. Thanks 🙂
Edit: I tried info@volosoft.com last week but didn't receive a response.
Issue Analytics
- State:
- Created a year ago
- Reactions:2
- Comments:8 (5 by maintainers)
Top GitHub Comments
Related PR implements “Generate random jwt security key while generating a project”
Issues are detailed below. Since these are now public, I've released the advisory at https://pulsesecurity.co.nz/advisories/aspnetboilerplate-jwt. The PoC code can also be found at: https://gist.github.com/bigshika/c577d58593dab01b69d1e5bbcee72a8e

Summary
The default JSON Web Token secret used to validate tokens is easily guessable and means that an attacker can gain unauthorized administrative access to an ABP instance. The default admin password is a constant across all projects and should be randomly generated instead. Deactivated users can still perform API actions. The SimpleStringCipher method uses CBC mode, which is vulnerable to a padding oracle attack.

Mitigation
ABP users should update the SecurityKey parameter in their appsettings.json file to a secure random string, and change the password of the admin user from the default value.

Issues

Weak JWT Signing Secret Default
A guessable token secret enables an attacker to create and sign tokens that will be accepted by the backend server as valid. While the project name is required for the secret to be known, this is not a sensitive variable. In a newly generated ABP project, the JWT secret value is set to PROJECTNAME_C421AAEE0D114E9C. The project name is specified when generating a new framework download:

The following is an example appsettings.json file for a project called ACME. The _C421AAEE0D114E9C suffix of the token secret is a constant across all generated projects.

This secret can be changed in the appsettings.json file after the project is downloaded and should be changed. A more secure alternative is to use randomly generated values, rather than relying on implementers to change default values.

This issue also affected the ABP.Zero commercial version of the framework; however, the pattern was: PROJECTNAME_8CFB2EC534E14D56

Default Admin User
When a new project is created, a default admin user is created. The credentials for this user default to admin:123qwe. This admin user can never be deleted as it is the default user.

This default password is defined in User.cs as shown in the snippet below:

The default admin user should have a strong password generated for it rather than using a publicly available default. In addition, an inactive user should not be able to carry out actions.
Token Validation
The backend token validation checks the user ID and the permissions assigned to that user; however, there is no check as to whether the user is still active and a malicious JWT generated on behalf of a deactivated admin user will still be able to perform all of the API actions as an active user.
Tokens issued on behalf of deactivated users should not be valid. The backend should check for the status of the user as part of token validation.
User ID Enumeration
The default admin user has the user ID of 1, so if an attacker generates a valid token for this user, they can perform administrative functions. However, even if administrator privileges have been removed from the default admin, an attacker can keep generating signed tokens and increment the user ID until a user is found that does have the right permissions. When present in combination with the weak secret, this allows an attacker to discover an admin account even if the default admin is unavailable.
SimpleStringCipher Padding Oracle Attack
The SimpleStringCipher method used in the signalr implementation is vulnerable to a padding oracle attack, which can be used to decrypt the encrypted JWT token passed to the signalr endpoint. SimpleStringCipher should be reimplemented to not use CBC mode.
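The following is an added example, not code from the advisory or from the ABP project, showing how a backend can close two of the gaps described above: refusing to start with a signing key that still carries the generated default suffix (or is too short), and rejecting a correctly signed token whose user has since been deactivated. It assumes the SecurityKey lives at the configuration path Authentication:JwtBearer:SecurityKey (the usual ABP layout, not confirmed by this page), that the user id is carried in the ClaimTypes.NameIdentifier claim, and that the application provides a hypothetical IUserStatusLookup service; all three are assumptions.

```csharp
// Added example (not ABP project code): hardening an ASP.NET Core JwtBearer setup.
// Assumptions (hypothetical): the config path below, the NameIdentifier claim for the
// user id, and the IUserStatusLookup service are all supplied by the application.
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Hypothetical application service: answers whether a user id is still active.
public interface IUserStatusLookup
{
    Task<bool> IsActiveAsync(long userId);
}

public static class JwtHardening
{
    // Suffix shared by every generated project's default secret (value from the advisory).
    private const string DefaultSecretSuffix = "_C421AAEE0D114E9C";

    // Fail at startup on a guessable or short key instead of silently accepting it.
    public static byte[] LoadSigningKey(IConfiguration configuration)
    {
        var key = configuration["Authentication:JwtBearer:SecurityKey"];
        if (string.IsNullOrEmpty(key) ||
            key.EndsWith(DefaultSecretSuffix, StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                "SecurityKey is unset or still the generated default; set a random value.");
        }

        var bytes = Encoding.UTF8.GetBytes(key);
        if (bytes.Length < 32) // HS256 should be keyed with at least 256 bits
        {
            throw new InvalidOperationException("SecurityKey must be at least 32 bytes.");
        }
        return bytes;
    }

    // Produce a replacement value suitable for pasting into appsettings.json.
    public static string GenerateSecurityKey() =>
        Convert.ToBase64String(RandomNumberGenerator.GetBytes(48));

    public static void AddHardenedJwtBearer(this IServiceCollection services,
                                            IConfiguration configuration)
    {
        var signingKey = LoadSigningKey(configuration);

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = new SymmetricSecurityKey(signingKey),
                    ValidateIssuer = true,
                    ValidIssuer = configuration["Authentication:JwtBearer:Issuer"],
                    ValidateAudience = true,
                    ValidAudience = configuration["Authentication:JwtBearer:Audience"],
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(1)
                };

                options.Events = new JwtBearerEvents
                {
                    // A valid signature is not enough: the user behind the token
                    // must still be active at the time of the request.
                    OnTokenValidated = async context =>
                    {
                        var idClaim = context.Principal?
                            .FindFirst(ClaimTypes.NameIdentifier)?.Value;
                        if (!long.TryParse(idClaim, out var userId))
                        {
                            context.Fail("Token carries no usable user id.");
                            return;
                        }

                        var lookup = context.HttpContext.RequestServices
                            .GetRequiredService<IUserStatusLookup>();
                        if (!await lookup.IsActiveAsync(userId))
                        {
                            context.Fail("User is deactivated; token rejected.");
                        }
                    }
                };
            });
    }
}
```

Calling context.Fail inside OnTokenValidated turns an otherwise valid token into an authentication failure, so a deactivated user's token stops working immediately rather than at expiry. The startup check on the key suffix is deliberately strict: a project that was generated with the default and never edited will not boot until SecurityKey is replaced, which is the behaviour a reviewer wants after reading the Mitigation section above.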