IdentityWithoutEF
IdentityWithoutEF copied to clipboard
MatthewKing
Potential Security Vulnerabilities
While it is obvious that this isn't a production project, it may be used as a template for real project. It may be an option to state in the readme, that the project contains potential security vulnerabilities and serves only as an example of implementing some techniques.
Summary
IdentityWithoutEF is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).
Details
Issue 1: XSS (CVE-2018-0784)
The application doesn't have the fix for CVE-2018-0784 that was found in ASP.NET Core templates. It is vulnerable to XSS if the logged-in user is tricked into clicking a malicious link like https://localhost:44315/manage/EnableAuthenticator?AuthenticatorUri=%22%3E%3C/div%3E%00%00%00%00%00%00%00%3Cscript%3Ealert(%22XSS%22)%3C/script%3E and enters an invalid verification code. Mode details are available in this blog post.
Impact
This issue may lead to the elevation of privileges.
Remediation
Modify the code according to the instructions from the advisory.
Issue 2: CSRF (CVE-2018-0785)
The application doesn't have the fix for CVE-2018-0785 that was found in ASP.NET Core templates. It is vulnerable to CSRF. A logged-in user with enabled Second Factor Authentication (2FA) may lose their recovery codes if they are tricked into clicking a link like https://localhost:44315/manage/GenerateRecoveryCodes or visit a malicious site that makes the request without the user's consent. As a result the user may be permanently locked out of their account after loosing access to their 2FA device, as the initial recovery codes would no longer be valid.
Impact
This issue may lead to the per-user DoS.
Remediation
Modify the code according to the instructions from the advisory.
Thanks @JarLob. I certainly don't want anyone using this as a template for a real project, but you are right that people may do so. I'll have a look into fixing the vulnerabilities or updating the readme. Thanks for filing this issue - much appreciated.
