Info
Content

DineConnect Penetration Test Report

DineConnect (v2.0) has been scanned for vulnerabilities with the latest version of OWASP ZAP (v2.9.0). The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular security tools and is actively maintained by hundreds of international volunteers.

The automated scanner has been reported several alerts. DineConnect Team has fixed the positive alerts regarding the report. On the other hand, most of the alerts can be stated as false-positive. The reasons for the false-positive alerts that are subject to these issues are clearly stated below.

Summary of Alerts

Path Traversal, Risk: High

Description

The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory.

Comment

This request is false-positive because the tool is checking whether a request can get data with unexpected parameters. Since admin role has all permissions as a default, the response always has an admin role.

Recommendation

If your application has to accept input file names, file paths, or URL paths, you need to validate that the path is in the correct format and that it points to a valid location within the context of your application. To prevent a malicious user manipulating your code's file operations, avoid writing code that accepts user-supplied file or path input.

  • If you must accept filenames as input, use the full name of the file by using System.IO.Path.GetFileName.
  • If you must accept file paths as input, use the full file path by using System.IO.Path.GetFullPath.

If you use MapPath to map a supplied virtual path to a physical path on the server, use the overload of Request.MapPath that accepts a bool parameter so that you can prevent cross-application mapping.

Application Error Disclosure

Risk: Medium

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

Comment

  • URL: http://localhost:44302/AbpScripts/GetScripts?v=637170099309929078
    • Method: GET

This request is false-positive because the tool is checking whether the response contains "internal error" text. The response of GetScripts contains translations that include "internal error" text.

  • URL: http://localhost:44302/Error?statusCode=401
    • Method: Get

This request is false-positive because the tool is checking whether the response contains "internal error" text. The response contains that but without sensitive information.

DineConnect never returns error details, if the only the developer sends it deliberatively. When the project runs on development, exceptions are being sent to the client. But publishing application in release mode prevents exception details to be sent. While the MVC project shows a custom error page, the Host project sends a JSON with a message "An internal error occurred during your request!"

Absence of Anti-CSRF Tokens

Risk: Low

Description

In short, CSRF abuses the trust relationship between browser and server. This means that anything that a server uses in order to establish trust with a browser (e.g., cookies, but also HTTP/Windows Authentication) is exactly what allows CSRF to take place - but this only the first piece for a successful CSRF attack.

Comment

DineConnect uses ajax to post most of the forms. All URLs listed is false-positive. DineConnect posts them via using ajax and their ajax requests has X-XSRF-TOKEN header.

Application Error Disclosure

Risk: Low

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

Comment

DineConnect has its own built-in exception handling system. When an exception happens DineConnect catches it and throws a user-friendly exception. These requests are false-positive because the tool is checking whether the response return "HTTP 501 (Internal Server Error)". But returned errors don't contain an internal error.

  • URL: http://localhost:44302/api/services/app/Edition/CreateEdition
    • Method: Post
    • Evidence: HTTP/1.1 500 Internal Server Error
  • Url: http://localhost:44302/api/services/app/Friendship/CreateFriendshipRequest
    • Method: Post
    • Evidence: HTTP/1.1 500 Internal Server Error
  • Url: http://localhost:44302/api/services/app/Tenant/CreateTenant
    • Method: Post
    • Evidence: HTTP/1.1 500 Internal Server Error
  • Url: http://localhost:44302/api/services/app/User/CreateOrUpdateUser
    • Method: Post
    • Evidence: HTTP/1.1 500 Internal Server Error
  • Url: http://localhost:44302/api/services/app/UserLink/LinkToUser
    • Method: Post
    • Evidence: HTTP/1.1 500 Internal Server Error
    •  

Risk: Low

Description

Comment

Solved on https://github.com/aspnetzero/aspnet-zero-core/issues/2950

Web Browser XSS Protection Not Enabled

Risk: Low

Description

Web Browser XSS Protection is not enabled or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the webserver

Comment

DineConnect framework v3.4.X adds the X-XSS-Protection header to all responses with the value 1; mode=block. If you want to remove the header you can do it via UseAbp() options in Configure method of Startup class.

This requests are false-positive because the tool is checking whether the response has X-XSS-Protection. Response don't have X-XSS-Protection because request gets 404.15 - Not Found.

Low (Medium)

Description

Comment

DineConnect uses the HttpOnly flag wherever it needs. In some cases, the tool reports false-positive alerts. See the following instances to understand why they are false-positive.

In the above request, idsrv. session cookie is being set by Microsoft Identity Server. By design this is not HttpOnly . It is required by the OIDC session management spec for SPA clients. For the related spec see https://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification .

  • URL: http://localhost:44302/App/Dashboard, http://localhost:44302/App/AuditLogs, http://localhost:44302/App/DemoUiComponents, http://localhost:44302/App/Editions, http://localhost:44302/App/HostDashboard, http://localhost:44302/App/HostSettings, http://localhost:44302/App/Languages, http://localhost:44302/App/Languages/Texts?languageName=cy, http://localhost:44302/App/Maintenance, http://localhost:44302/App/OrganizationUnits, http://localhost:44302/App/Roles, http://localhost:44302/App/Tenants, http://localhost:44302/App/UiCustomization, http://localhost:44302/App/Users
    • Method: GET
    • Parameter: XSRF-TOKEN
    • Evidence: Set-Cookie: XSRF-TOKEN

Setting XSRF-TOKEN as HttpOnly is pointless because in Angular UI client must access this cookie.

Reference

For all the other OWASP standardizations, download the OWASP sheet.

Open Web Application Security Project (OWASP) - Application Security Verification Standard 3.0 PDF sheet

https://owasp.org/www-community/Anti_CRSF_Tokens_ASP-NET

 

Back to top