
Security issues found


Hi. I’ve discovered some security issues in the ABP project. I have a write up and working PoC code available - do you have a contact email where I can send this information? If you prefer, I can detail the problem here, although this will publicly disclose the issues immediately. Thanks 🙂

Edit: I tried info@volosoft.com last week but didn’t receive a response.


Top GitHub Comments

ismcagdas commented, Jan 17, 2023

Related PR implements “Generate random jwt security key while generating a project”

bigshika commented, Aug 26, 2022

Issues are detailed below. Since these are now public, I’ve released the advisory at https://pulsesecurity.co.nz/advisories/aspnetboilerplate-jwt. The POC code can also be found at: https://gist.github.com/bigshika/c577d58593dab01b69d1e5bbcee72a8e

Summary

The default JSON Web Token secret used to validate tokens is easily guessable and means that an attacker can gain unauthorized administrative access to an ABP instance. The default admin password is a constant across all projects and should be randomly generated instead. Deactivated users can still perform API actions. The SimpleStringCipher method uses CBC-mode, which is vulnerable to a padding oracle attack.

Mitigation

ABP users should update the SecurityKey parameter in their appsettings.json file to a secure random string, and change the password of the admin user from the default value.

Issues

Weak JWT Signing Secret Default

A guessable token secret enables an attacker to create and sign tokens that will be accepted by the backend server as valid. While the project name is required for the secret to be known, this is not a sensitive variable. In a newly generated ABP project, the JWT secret value is set to PROJECTNAME_C421AAEE0D114E9C. The project name is specified when generating a new framework download.

The following is an example appsettings.json file for a project called ACME. The _C421AAEE0D114E9C suffix of the token secret is a constant across all generated projects.

```
$ cat aspnet-core/src/ACME.Web.Host/appsettings.json
{
omitted for brevity...
  "Authentication": {
    "JwtBearer": {
      "IsEnabled": "true",
      "SecurityKey": "ACME_C421AAEE0D114E9C",
      ...omitted for brevity...
    }
}
```

This secret can be changed in the appsettings.json file after the project is downloaded and should be changed. A more secure alternative is to use randomly generated values, rather than relying on implementers to change default values.

This issue also affected the ABP.Zero commercial version of the framework; however, the pattern was: PROJECTNAME_8CFB2EC534E14D56

Default Admin User

When a new project is created, a default admin user is created. The credentials for this user default to admin:123qwe. This admin user can never be deleted as it is the default user.

This default password is defined in User.cs as shown in the snippet below:

```csharp
namespace MyProject.Authorization.Users
{
    public class User : AbpUser<User>
    {
        public const string DefaultPassword = "123qwe";
…omitted for brevity…
```

The default admin user should have a strong password generated for it rather than using a publicly available default. In addition, an inactive user should not be able to carry out actions.

Token Validation

The backend token validation checks the user ID and the permissions assigned to that user; however, there is no check as to whether the user is still active and a malicious JWT generated on behalf of a deactivated admin user will still be able to perform all of the API actions as an active user.

Tokens issued on behalf of deactivated users should not be valid. The backend should check for the status of the user as part of token validation.

User ID Enumeration

The default admin user has the user ID of 1, so if an attacker generates a valid token for this user, they can perform administrative functions. However, even if administrator privileges have been removed from the default admin, an attacker can keep generating signed tokens and increment the user ID until a user is found that does have the right permissions. When present in combination with the weak secret, this allows an attacker to discover an admin account even if the default admin is unavailable.

SimpleStringCipher Padding Oracle Attack

The SimpleStringCipher method used in the signalr implementation is vulnerable to a padding oracle attack, which can be used to decrypt the encrypted JWT token passed to the signalr endpoint. SimpleStringCipher should be reimplemented to not use CBC-mode.
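The two mitigations from the advisory above (refuse to run on the template-default SecurityKey, and reject tokens for deactivated users during validation), as an added Python illustration that is not part of the original post and not ABP's own code. It assumes a minimal HS256 JWT layout and a constructed `active_users` lookup standing in for the user store; `sign_hs256` exists only to build fixtures.

```python
import base64, hashlib, hmac, json, secrets

# Suffixes quoted in the advisory for the open-source and Zero templates.
DEFAULT_KEY_SUFFIXES = ("_C421AAEE0D114E9C", "_8CFB2EC534E14D56")

def is_default_security_key(key: str) -> bool:
    """True if SecurityKey still follows the PROJECTNAME_<constant> template."""
    return any(key.endswith(s) for s in DEFAULT_KEY_SUFFIXES)

def generate_security_key(nbytes: int = 32) -> str:
    """Replacement value: 256 bits from the OS CSPRNG, base64url encoded."""
    return _b64url(secrets.token_bytes(nbytes))

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: str) -> str:
    """Minimal HS256 issuer, used here only to construct test fixtures."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_token(token: str, key: str, active_users: dict) -> tuple:
    """Returns (ok, reason). active_users maps user id -> IsActive (constructed)."""
    if is_default_security_key(key):
        return False, "security key is the template default"
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    # Verify the MAC before trusting anything inside the token.
    expected = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return False, "unexpected alg"
    user_id = json.loads(_b64url_decode(body)).get("sub")
    if user_id not in active_users:
        return False, "unknown user"
    if not active_users[user_id]:
        # The check the advisory says ABP lacks: a valid signature is not enough.
        return False, "user is deactivated"
    return True, "ok"
```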
