
Cross-site scripting issue found in our project #4623


User avatar
0
nhontran created

If you're creating a bug/problem report, please include the following:

  • ABP Framework version: v5.2.2
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes

Hi, a cross-site scripting issue has been flagged in our project by the penetration test team. This vulnerability is related to the "__tenant" parameter in the query string:

Subject:

Reflected Cross-Site Scripting (XSS)

https://<masked url>/api/* [GET parameter: __tenant]
https://<masked url>/identity/* [GET parameter: __tenant]

Description:

Reflected XSS occurs when malicious JavaScript code is supplied in a user’s request and returned back to them for execution within their browser in the context of the website itself. This allows an attacker to inject code which is executed by legitimate users when they are tricked into opening a malicious link or visiting a site under an attacker’s control. This allows an attacker to perform unauthorised actions in the application on behalf of legitimate users or spread malware via the application.

The __tenant parameter used in the identified subjects is vulnerable to XSS attacks. An example is demonstrated below:

Payload used:

Attached file is the screenshot that I have tested in my local:


8 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Can you share the implementation of this API?

    At the same time, angular should encode the response.

  • User Avatar
    0
    nhontran created

    Hi @maliming, sorry, forgot to mention that this issue happens with ABP endpoint as well, it shows the tenant not found page:

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    ok, I see. will work on it.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    https://github.com/abpframework/abp/pull/15842

  • User Avatar
    0
    nhontran created

    Hi @maliming, thanks for the reply.

    While waiting for the upgrade, is there a way to override the current AbpAspNetCoreMultiTenancyOptions to implement the fix?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You can override the MultiTenancyMiddlewareErrorPageBuilder

    https://github.com/abpframework/abp/blob/dev/docs/en/Multi-Tenancy.md#abpmultitenancyoptions-handle-inactive-and-non-existent-tenants

  • User Avatar
    0
    nhontran created

    Hi @maliming, thanks for the reply. We managed to implement it, just found a minor issue in the documentation: it should be "AbpAspNetCoreMultiTenancyOptions" instead of "AbpMultiTenancyOptions".

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    https://github.com/abpframework/abp/pull/15891
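
One way to write the interim override discussed in the thread, as an added example that is not code from the thread, the linked pull requests or ABP itself: replace `MultiTenancyMiddlewareErrorPageBuilder` on `AbpAspNetCoreMultiTenancyOptions` with a builder that HTML-encodes everything it writes. The module name `MyHttpApiHostModule` and the helper `WriteTenantErrorPageAsync` are hypothetical, and the delegate is assumed to be `Func<HttpContext, Exception, Task>`; check the declaration in your ABP version.

```csharp
using System;
using System.Net;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Volo.Abp;
using Volo.Abp.AspNetCore.MultiTenancy;
using Volo.Abp.Modularity;

// Hypothetical module name; put the Configure call in your own host module.
public class MyHttpApiHostModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        Configure<AbpAspNetCoreMultiTenancyOptions>(options =>
        {
            // Assumption: the delegate is Func<HttpContext, Exception, Task> on this
            // ABP version. If your version declares Task<bool>, add "return true;".
            options.MultiTenancyMiddlewareErrorPageBuilder = async (httpContext, exception) =>
            {
                await WriteTenantErrorPageAsync(httpContext, exception);
            };
        });
    }

    private static async Task WriteTenantErrorPageAsync(HttpContext httpContext, Exception exception)
    {
        var encoder = HtmlEncoder.Default;

        // The exception text may carry the raw __tenant value, so treat it as untrusted
        // and encode it before it is placed into HTML.
        var message = encoder.Encode(exception.Message ?? string.Empty);
        var details = exception is BusinessException businessException
            ? encoder.Encode(businessException.Details ?? string.Empty)
            : string.Empty;

        httpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
        httpContext.Response.ContentType = "text/html; charset=utf-8";

        // Defence in depth: stop MIME sniffing and forbid script execution on this page.
        httpContext.Response.Headers["X-Content-Type-Options"] = "nosniff";
        httpContext.Response.Headers["Content-Security-Policy"] = "default-src 'none'";

        await httpContext.Response.WriteAsync(
            $"<html><body><h3>{message}</h3>{details}<br></body></html>");
    }
}
```

After deploying, re-run the pentest team's request against the affected endpoints and confirm the `__tenant` value comes back as HTML entities in the response body rather than as markup.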

Made with ❤️ on ABP v9.1.0-preview. Updated on November 20, 2024, 13:06