Penetration Test Result
DineConnect (v2.0) has been scanned for vulnerabilities with the latest version of OWASP ZAP (v2.9.0). The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular security tools and is actively maintained by hundreds of international volunteers.
The automated scanner reported several alerts. The DineConnect team has fixed the true positives in the report. Most of the remaining alerts are false positives; the reason for each one is stated below.
Summary of Alerts
Path Traversal, Risk: High
Description
The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory.
Comment
Url:
http://localhost:44302/api/services/app/Role/GetRoles?permissions[X]=GetRoles
Parameter: permissions[3]
Attack: GetRoles
This alert is a false positive. The scanner injects the resource name (GetRoles) as a parameter value and flags the request when it still returns data with an unexpected parameter. GetRoles always returns the admin role regardless of the permissions filter, because the admin role holds every permission by default, so the unchanged response is expected behaviour and no file outside the application is read.
Recommendation
If your application has to accept file names, file paths, or URL paths as input, validate that the value is in the correct format and that it points to a valid location within the context of your application. To prevent a malicious user from manipulating your code's file operations, avoid writing code that accepts user-supplied file or path input at all.
If you must accept filenames as input, use the full name of the file by using System.IO.Path.GetFileName.
If you must accept file paths as input, use the full file path by using System.IO.Path.GetFullPath.
If you use MapPath to map a supplied virtual path to a physical path on the server, use the overload of Request.MapPath that accepts a bool parameter so that you can prevent cross-application mapping.
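The following is an added example of the validation the recommendations above describe; it is not DineConnect's own code. It assumes a fixed upload directory (the baseDirectory argument is hypothetical) and uses the Path.GetFileName and Path.GetFullPath calls named above to reduce a user value to a bare file name and to canonicalise a relative path before checking that it stays inside the base directory.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;

// Added example, not DineConnect's code: validating user-supplied file names
// and paths before they reach any file operation.
public static class SafePath
{
    // Accept only a bare file name: drop any directory part and reject
    // anything that is still not a plain name.
    public static string SafeFileName(string userInput)
    {
        if (string.IsNullOrWhiteSpace(userInput))
            throw new ArgumentException("File name is required.");

        // Treat both separator styles alike before taking the name part,
        // because Path.GetFileName on Linux only recognises '/'.
        var name = Path.GetFileName(userInput.Replace('\\', '/'));

        if (name.Length == 0 || name == "." || name == ".."
            || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("Invalid file name.");

        return name;
    }

    // Resolve a user-supplied relative path against a fixed base directory
    // and make sure the canonical result is still inside that directory.
    public static string ResolveInside(string baseDirectory, string userInput)
    {
        var root = Path.GetFullPath(baseDirectory)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // Path.Combine returns the second argument unchanged when it is rooted,
        // so absolute paths must be refused before combining.
        if (Path.IsPathRooted(userInput))
            throw new ArgumentException("Absolute paths are not allowed.");

        // GetFullPath collapses "." and ".." segments, so "..\..\web.config"
        // becomes a canonical path that can be compared with the root.
        var full = Path.GetFullPath(Path.Combine(root, userInput));

        var comparison = RuntimeInformation.IsOSPlatform(OSPlatform.Windows)
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        if (!full.StartsWith(root, comparison))
            throw new UnauthorizedAccessException("Path escapes the base directory.");

        return full;
    }

    public static void Main()
    {
        // Constructed inputs for demonstration; "uploads" is a hypothetical directory.
        var baseDir = Path.Combine(Directory.GetCurrentDirectory(), "uploads");
        foreach (var input in new[] { "report.pdf", "../../web.config", "sub/../ok.txt" })
        {
            try
            {
                Console.WriteLine($"{input} -> {ResolveInside(baseDir, input)}");
            }
            catch (Exception ex) when (ex is ArgumentException || ex is UnauthorizedAccessException)
            {
                Console.WriteLine($"{input} -> rejected ({ex.Message})");
            }
        }
    }
}
```

The comparison against root includes the trailing separator on purpose: without it, a base directory of C:\app\uploads would also accept C:\app\uploads-private\secret.txt, because that string starts with the same characters.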
Application Error Disclosure
Risk: Medium
Description
This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.
Comment
The GetScripts alert is a false positive. The scanner matches the string "internal error" in the response body, and the GetScripts response carries localization strings that contain that text.
URL: http://localhost:44302/Error?statusCode=401
Method: Get
This alert is a false positive. The scanner matches the string "internal error" in the response body; the response contains that text, but no sensitive information such as a stack trace or file path.
DineConnect never returns exception details to the client unless the developer sends them deliberately. When the project runs in the Development environment, exception details are sent to the client; a Release publish running outside the Development environment does not send them. The MVC project shows a custom error page, while the Host project returns a JSON response with the message "An internal error occurred during your request!"
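As an added example of the two behaviours described above, not DineConnect's own Startup code: an ASP.NET Core host that shows full exception details only in the Development environment and otherwise logs the exception server-side and returns a fixed JSON message. The JSON shape is a constructed one modelled on the message quoted above; the controller wiring is the standard minimum needed to run.

```csharp
using System.Text.Json;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

// Added example, not DineConnect's code: environment-dependent exception
// handling. The switch is the hosting environment (ASPNETCORE_ENVIRONMENT),
// not the build configuration, so a Release build started with
// ASPNETCORE_ENVIRONMENT=Development would still leak details.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env,
                          ILogger<Startup> logger)
    {
        if (env.IsDevelopment())
        {
            // Stack trace, source location and request data in the response body.
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler(errorApp =>
            {
                errorApp.Run(async context =>
                {
                    var feature = context.Features.Get<IExceptionHandlerPathFeature>();

                    // The real exception goes to the server log only.
                    logger.LogError(feature?.Error, "Unhandled exception for {Path}",
                                    feature?.Path);

                    // The client receives a generic message with no details.
                    context.Response.StatusCode = StatusCodes.Status500InternalServerError;
                    context.Response.ContentType = "application/json";
                    var body = JsonSerializer.Serialize(new
                    {
                        success = false,
                        error = new
                        {
                            message = "An internal error occurred during your request!",
                            details = (string)null
                        }
                    });
                    await context.Response.WriteAsync(body);
                });
            });
        }

        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

A quick check after deployment is to trigger an unhandled exception on the published host and confirm that the body contains only the generic message and that the stack trace appears in the server log instead.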
Absence of Anti-CSRF Tokens
Risk: Low
Description
In short, CSRF abuses the trust relationship between browser and server. Anything a server uses to establish trust with a browser (cookies, but also HTTP or Windows authentication) is exactly what allows CSRF to take place, but this is only the first piece of a successful CSRF attack.
Comment
DineConnect posts most of its forms via AJAX. All of the listed URLs are false positives: the scanner looks for a hidden anti-CSRF field inside HTML forms, whereas DineConnect submits these forms with AJAX requests that carry the token in the X-XSRF-TOKEN header.
Application Error Disclosure
Risk: Low
Description
This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.
Comment
DineConnect has its own built-in exception handling. When an exception occurs, DineConnect catches it and returns a user-friendly error instead. These alerts are false positives: the scanner flags any response with status "HTTP 500 Internal Server Error", but the returned bodies contain only the user-friendly message and no internal details.
URL: http://localhost:44302/api/services/app/Edition/CreateEdition
Method: Post
Evidence: HTTP/1.1 500 Internal Server Error
Url: http://localhost:44302/api/services/app/Friendship/CreateFriendshipRequest
Method: Post
Evidence: HTTP/1.1 500 Internal Server Error
Url: http://localhost:44302/api/services/app/Tenant/CreateTenant
Method: Post
Evidence: HTTP/1.1 500 Internal Server Error
Url: http://localhost:44302/api/services/app/User/CreateOrUpdateUser
Method: Post
Evidence: HTTP/1.1 500 Internal Server Error
Url: http://localhost:44302/api/services/app/UserLink/LinkToUser
Method: Post
Evidence: HTTP/1.1 500 Internal Server Error
Cookie Without SameSite Attribute
Risk: Low
Description
A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.
Comment
Fixed; see https://github.com/aspnetzero/aspnet-zero-core/issues/2950
Web Browser XSS Protection Not Enabled
Risk: Low
Description
Web browser XSS protection is not enabled, or is disabled, by the configuration of the 'X-XSS-Protection' HTTP response header on the web server.
Comment
DineConnect framework v3.4.X adds the X-XSS-Protection header to all responses with the value 1; mode=block. If you want to remove the header, you can do so via the UseAbp() options in the Configure method of the Startup class. Note that current browsers have dropped their built-in XSS auditors and ignore this header; a Content-Security-Policy is the effective control today.
These alerts are false positives. The scanner checks whether the response carries X-XSS-Protection; the flagged responses lack it because IIS rejected the request with 404.15 (query string too long) before the application pipeline ran, so the header was never added.
Url:
http://localhost:44302/api/services/app/Role/GetRoles?permissions...
Requests that are not rejected with 404.15 receive the header.
Cookie No HttpOnly Flag
Risk: Low (Medium)
Description
A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.
Comment
DineConnect sets the HttpOnly flag on every cookie that does not have to be read by client-side script. In the cases below the tool reports false positives; the following instances explain why.
URL:
Method: GET
Parameter: idsrv.session
Evidence: Set-Cookie: idsrv.session
In the above request, the idsrv.session cookie is set by IdentityServer. By design it is not HttpOnly: the OIDC session management specification has the OP's check-session iframe read it from JavaScript so that SPA clients can detect session changes. For the related spec see https://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification .
URL: http://localhost:44302/App/Dashboard, http://localhost:44302/App/AuditLogs, http://localhost:44302/App/DemoUiComponents, http://localhost:44302/App/Editions, http://localhost:44302/App/HostDashboard, http://localhost:44302/App/HostSettings, http://localhost:44302/App/Languages, http://localhost:44302/App/Languages/Texts?languageName=cy, http://localhost:44302/App/Maintenance, http://localhost:44302/App/OrganizationUnits, http://localhost:44302/App/Roles, http://localhost:44302/App/Tenants, http://localhost:44302/App/UiCustomization, http://localhost:44302/App/Users
Method: GET
Parameter: XSRF-TOKEN
Evidence: Set-Cookie: XSRF-TOKEN
Setting HttpOnly on XSRF-TOKEN would break the application rather than harden it: the Angular client must read this cookie with JavaScript to copy its value into the X-XSRF-TOKEN request header, which is what the server validates. The cookie holds only the client half of the token pair, so exposing it to script does not by itself defeat the check.
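An added example, not DineConnect's code, that ties together the two anti-CSRF comments on this page (the AJAX requests carrying X-XSRF-TOKEN, and the XSRF-TOKEN cookie that must stay readable by script): an ASP.NET Core antiforgery setup for a SPA client. The route, controller and cookie names are assumptions; the middleware that issues the readable cookie is the minimal version of what such a setup needs.

```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Added example, not DineConnect's code: double-submit anti-CSRF for a SPA.
// The server keeps one half of the token pair in an HttpOnly cookie and hands
// the other half to the client in a readable XSRF-TOKEN cookie; the client
// echoes that value in the X-XSRF-TOKEN header, which the server validates.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAntiforgery(options =>
        {
            // Validate the token from this header instead of a hidden form field.
            options.HeaderName = "X-XSRF-TOKEN";

            // Server-side half of the pair: never readable by script.
            options.Cookie.Name = ".AspNetCore.Antiforgery";
            options.Cookie.HttpOnly = true;
            options.Cookie.SameSite = SameSiteMode.Strict;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app, IAntiforgery antiforgery)
    {
        app.UseRouting();

        // Issue the client-readable half on page loads. HttpOnly must be false
        // here: Angular's HttpClientXsrfModule reads XSRF-TOKEN to build the header.
        app.Use(async (context, next) =>
        {
            if (HttpMethods.IsGet(context.Request.Method)
                && !context.Request.Path.StartsWithSegments("/api"))
            {
                var tokens = antiforgery.GetAndStoreTokens(context);
                context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
                    new CookieOptions
                    {
                        HttpOnly = false,
                        SameSite = SameSiteMode.Strict,
                        Secure = true
                    });
            }
            await next();
        });

        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Hypothetical state-changing endpoint: a POST without a matching
// X-XSRF-TOKEN header is rejected with 400 before the action body runs.
[ApiController]
[Route("api/services/app/[controller]")]
public class RoleController : ControllerBase
{
    [HttpPost("DeleteRole")]
    [ValidateAntiForgeryToken]
    public IActionResult DeleteRole(int id) => Ok(new { success = true, deleted = id });
}
```

A scanner that only inspects HTML forms for a hidden token field will still report these endpoints, because the token travels in a header; the check that matters is that a POST replayed from another origin, which cannot read XSRF-TOKEN and therefore cannot set the header, is refused.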
Reference
For all the other OWASP standardizations, download the OWASP sheet.