Our store does not throttle requests, so nothing limits how fast one client can submit the registration, login or search forms. This lets an attacker brute-force passwords against the login form and flood our database with junk accounts or searches.
One fix would be to throttle requests per action, for example with a custom throttling attribute such as the one below (a fixed window of 3 requests per 60 seconds per client):
[AllowXRequestsEveryXSecondsAttribute(Name = "LogOn",
    Message = "You have performed this action more than {x} times in the last {n} seconds.",
    Requests = 3, Seconds = 60)]
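As an added example (not the store's code), the same idea with what ASP.NET Core 7+ ships in the box: a named rate-limit policy partitioned by client address, applied to the login action, plus Identity's account lockout so that an attacker who rotates source addresses still runs into a per-account limit. The policy name "LogOn", the AccountController and the StoreContext DbContext are assumptions; Identity registration is shown in one line and assumed to be wired to that context.

```csharp
// Added example, not the store's own code. "LogOn", AccountController and
// StoreContext are assumed names; everything else is the public ASP.NET Core API.
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
// Assumed: StoreContext is the store's EF Core DbContext with the Identity tables.
builder.Services.AddDefaultIdentity<IdentityUser>().AddEntityFrameworkStores<StoreContext>();

builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // "LogOn": 3 attempts per 60-second window, partitioned by client address so one
    // attacker cannot exhaust the budget for every user. Behind a reverse proxy,
    // configure ForwardedHeaders first or RemoteIpAddress is the proxy's address.
    options.AddPolicy("LogOn", httpContext =>
        RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 3,
                Window = TimeSpan.FromSeconds(60),
                QueueLimit = 0 // reject immediately instead of queueing excess requests
            }));
});

// Lockout protects the account itself, independent of where the attempts come from.
builder.Services.Configure<IdentityOptions>(options =>
{
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
    options.Lockout.AllowedForNewUsers = true;
});

var app = builder.Build();
app.UseRateLimiter();      // must run before the endpoints it protects
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;
    public AccountController(SignInManager<IdentityUser> signInManager) => _signInManager = signInManager;

    [HttpPost]
    [ValidateAntiForgeryToken]
    [EnableRateLimiting("LogOn")]  // 429 after the third attempt in the window
    public async Task<IActionResult> Login(string email, string password)
    {
        // lockoutOnFailure: true increments the failed-attempt counter on a wrong password.
        var result = await _signInManager.PasswordSignInAsync(
            email, password, isPersistent: false, lockoutOnFailure: true);

        if (result.IsLockedOut)
            return View("LockedOut");
        if (!result.Succeeded)
        {
            // Same message for unknown user and wrong password: no account enumeration.
            ModelState.AddModelError(string.Empty, "Invalid login attempt.");
            return View();
        }
        return RedirectToAction("Index", "Home");
    }
}
```

The two controls complement each other: the rate limiter caps the request rate from one address, while lockout caps failures against one account no matter how many addresses the attempts come from. Keep the lockout window short enough that an attacker cannot use it to deny service to a legitimate user by deliberately tripping it.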
Although we did not find it exploitable in our store, the basket Update action has no check that the signed-in user owns the basket item being updated, so any authenticated user who guesses another customer's item ID could modify it (an insecure direct object reference).
An ownership check such as the following rejects the update when the owner does not match:
public async Task<IActionResult> Update([Bind("ID, ProductID, ProductName, CustomerEmail, Quantity, ImgUrl, Description, UnitPrice")] BasketItem basketItem)
{
    // reject the update unless the signed-in user is the item's owner
    if (User.Identity.Name != basketItem.CustomerEmail)
        return RedirectToAction(nameof(Index));
    // ... apply and save the update
}
Note that CustomerEmail is in the [Bind] list, so the value compared here comes from the request itself; the check is only meaningful if the comparison is made against the CustomerEmail stored for that ID in the database, not the posted one.
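As an added example (not the store's code), an Update action that performs the ownership check against the stored row rather than the posted model, and binds only the one field a customer is allowed to change. The StoreContext DbContext, the BasketItems set and the trimmed BasketItem class are assumptions standing in for the store's own types.

```csharp
// Added example, not the store's own code. StoreContext, BasketItems and the
// reduced BasketItem class are assumed stand-ins for the store's types.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

[Authorize]
public class BasketController : Controller
{
    private readonly StoreContext _context;
    public BasketController(StoreContext context) => _context = context;

    public IActionResult Index() => View();

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Update(int id, int quantity)
    {
        // Load the stored row and compare its owner to the caller. Comparing against a
        // posted CustomerEmail would let the caller submit their own address with
        // someone else's ID and pass the check.
        var item = await _context.BasketItems.FindAsync(id);
        if (item == null)
            return NotFound();

        if (!string.Equals(item.CustomerEmail, User.Identity?.Name, StringComparison.OrdinalIgnoreCase))
            return NotFound(); // same response as a missing ID, so IDs cannot be probed

        if (quantity < 1)
            return BadRequest();

        // Only the quantity is written; ID, price and owner are never taken from the request.
        item.Quantity = quantity;
        await _context.SaveChangesAsync();
        return RedirectToAction(nameof(Index));
    }
}

public class BasketItem
{
    public int ID { get; set; }
    public int ProductID { get; set; }
    public string ProductName { get; set; } = "";
    public string CustomerEmail { get; set; } = "";
    public int Quantity { get; set; }
    public decimal UnitPrice { get; set; }
}

public class StoreContext : DbContext
{
    public StoreContext(DbContextOptions<StoreContext> options) : base(options) { }
    public DbSet<BasketItem> BasketItems => Set<BasketItem>();
}
```

Taking only id and quantity as parameters removes the mass-assignment surface of the wide [Bind] list entirely: a request that posts UnitPrice or CustomerEmail is simply ignored. Returning NotFound for both a missing item and a foreign one avoids confirming which IDs exist.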
We did not shorten the authentication timeout from its default (20 minutes for ASP.NET session state; the Identity cookie in ASP.NET Core defaults to 14 days). Both stacks do support this on the server side: ASP.NET Core through ConfigureApplicationCookie and its ExpireTimeSpan setting, and classic ASP.NET through the timeout attribute of the <forms> element in web.config.
A client-side idle timer like the one below can send the browser to the login page, but it is a usability aid rather than a security control: the cookie remains valid on the server until it expires there, so it must be paired with a server-side expiry. Under the Content Security Policy proposed below (script-src 'self') this script also has to live in a file served from our origin rather than inline.
$(function() {
    var _redirectTimeout = 15 * 60 * 1000; // fifteen minutes in milliseconds
    var _redirectUrl = '/Account/Login';   // login URL
    var _redirectHandle = null;
    function resetRedirect() {
        if (_redirectHandle) clearTimeout(_redirectHandle);
        _redirectHandle = setTimeout(function() { window.location.href = _redirectUrl; }, _redirectTimeout);
    }
    $.ajaxSetup({ complete: function() { resetRedirect(); } }); // reset the idle timer when an AJAX request completes
    resetRedirect(); // start the idle timer on page load
});
This takes the user to the login page after 15 minutes without a completed AJAX request. Only AJAX activity resets the timer, so a user who is typing or scrolling without triggering a request is still redirected.
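As an added example (not the store's code), the server-side counterpart in ASP.NET Core: the Identity application cookie is given a 15-minute sliding idle timeout, so the session actually ends when the client-side timer fires. The login path matches the JavaScript above; Identity registration is assumed to be configured elsewhere.

```csharp
// Added example, not the store's own code. Identity registration is assumed to be
// configured elsewhere; only the cookie settings are shown here.
using Microsoft.AspNetCore.Identity;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();

builder.Services.ConfigureApplicationCookie(options =>
{
    // Idle timeout enforced by the server: after 15 minutes without a request the
    // cookie's ticket is expired and the next request is redirected to LoginPath.
    options.ExpireTimeSpan = TimeSpan.FromMinutes(15);

    // Sliding expiration re-issues the cookie when more than half the lifetime has
    // passed, so an active user is not logged out mid-session.
    options.SlidingExpiration = true;

    options.LoginPath = "/Account/Login";
    options.AccessDeniedPath = "/Account/AccessDenied";

    // Hardening that belongs with any auth cookie.
    options.Cookie.HttpOnly = true;                        // not readable from script
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // HTTPS only
    options.Cookie.SameSite = SameSiteMode.Lax;             // not sent on cross-site POSTs
});

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();
```

On classic ASP.NET the equivalent is `<forms timeout="15" slidingExpiration="true" requireSSL="true" />` under `<system.web>` in web.config. Either way the browser-side timer becomes a convenience that warns the user before the server does the real enforcement.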
We did not install the Microsoft AntiXSS library. On classic ASP.NET this would be fixed with the following install:
Install-Package AntiXSS
Then in web.config register it as the default encoder:
<system.web>
    <httpRuntime targetFramework="4.5" enableVersionHeader="false" encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" maxRequestLength="4096" />
</system.web>
Note that this applies to the full framework. ASP.NET Core Razor already HTML-encodes output by default through System.Text.Encodings.Web, so there the risk is in places that bypass the encoder: Html.Raw, untrusted data written into a <script> block or a URL attribute, and string-built HTML.
Additionally, a Content Security Policy header should be added, such as the following:
<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Content-Security-Policy" value="default-src 'none'; style-src 'self'; img-src 'self'; font-src 'self'; script-src 'self'" />
...
This tells the browser which origins it may load scripts, styles, images and fonts from; with default-src 'none' everything not listed is refused, including inline scripts injected through an XSS bug. Two things to check before enabling it: script-src 'self' blocks inline scripts such as the idle timer above unless they move into a file on our origin (or carry a nonce), and connect-src falls back to default-src 'none', so jQuery AJAX calls are blocked unless connect-src 'self' is added. In ASP.NET Core the header is usually set from middleware rather than web.config.
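As an added example (not the store's code), ASP.NET Core middleware that emits the policy above with the two fixes just mentioned: connect-src 'self' so AJAX keeps working, and a per-response nonce so a view can keep an inline script (such as the idle timer) without falling back to 'unsafe-inline'. The middleware class name and the "csp-nonce" item key are assumptions.

```csharp
// Added example, not the store's own code. ContentSecurityPolicyMiddleware and the
// "csp-nonce" HttpContext.Items key are assumed names.
using System.Security.Cryptography;

public class ContentSecurityPolicyMiddleware
{
    private readonly RequestDelegate _next;
    public ContentSecurityPolicyMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        // 128-bit random nonce, unique per response. A view that needs an inline script
        // renders it on the tag: <script nonce="@Context.Items["csp-nonce"]">...</script>
        // An injected <script> has no way to learn the nonce, so it is still blocked.
        var nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
        context.Items["csp-nonce"] = nonce;

        // Set headers when the response starts so they are present even if a
        // downstream component writes the body early.
        context.Response.OnStarting(() =>
        {
            context.Response.Headers["Content-Security-Policy"] =
                "default-src 'none'; " +
                "style-src 'self'; img-src 'self'; font-src 'self'; " +
                $"script-src 'self' 'nonce-{nonce}'; " +
                "connect-src 'self'; " +      // XHR/fetch to our own origin (jQuery AJAX)
                "form-action 'self'; " +      // forms may only post back to us
                "frame-ancestors 'none'; " +  // no clickjacking via framing
                "base-uri 'self'";            // no <base> hijack of relative URLs
            context.Response.Headers["X-Content-Type-Options"] = "nosniff";
            return Task.CompletedTask;
        });

        await _next(context);
    }
}

public static class ContentSecurityPolicyMiddlewareExtensions
{
    // Usage in Program.cs, before UseStaticFiles/MapControllers:
    //   app.UseContentSecurityPolicy();
    public static IApplicationBuilder UseContentSecurityPolicy(this IApplicationBuilder app)
        => app.UseMiddleware<ContentSecurityPolicyMiddleware>();
}
```

Roll it out first as Content-Security-Policy-Report-Only with a report-to endpoint, watch what the browser would have blocked, and only then switch to the enforcing header; a policy that silently breaks checkout is worse than none.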
This is not an issue with our program. This describes how ASP.NET MVC Core solved the issue.
An unvalidated redirect occurs when the application redirects to a URL taken from the request (typically a returnUrl parameter) without checking that it points back into our own site, so an attacker can craft a link to our site that lands the victim on a phishing page or a malware download.
ASP.NET Core MVC guards against this with Url.IsLocalUrl and LocalRedirect, which accept only relative paths on our own host; the default Identity pages use them after a successful login or registration. In our registration code the flow continues only when the userManager reports success, starting at the line var result:
var result = await _userManager.CreateAsync(user, rvm.Password);
if (result.Succeeded)
{...
The Succeeded check confirms the account was created; the redirect target itself must still go through IsLocalUrl or LocalRedirect before it is used.
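As an added example (not the store's code), a registration action that completes the snippet above and then handles returnUrl safely, with a helper that shows what Url.IsLocalUrl accepts and rejects. The RegisterViewModel and the Register/RedirectToLocal names are assumptions modelled on the default Identity pages.

```csharp
// Added example, not the store's own code. RegisterViewModel and the action and
// helper names are assumptions modelled on the default ASP.NET Core Identity pages.
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class RegisterViewModel
{
    [Required, EmailAddress] public string Email { get; set; } = "";
    [Required, DataType(DataType.Password)] public string Password { get; set; } = "";
}

public class AccountController : Controller
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;

    public AccountController(UserManager<IdentityUser> userManager, SignInManager<IdentityUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Register(RegisterViewModel rvm, string? returnUrl = null)
    {
        if (!ModelState.IsValid)
            return View(rvm);

        var user = new IdentityUser { UserName = rvm.Email, Email = rvm.Email };
        var result = await _userManager.CreateAsync(user, rvm.Password);
        if (!result.Succeeded)
        {
            foreach (var error in result.Errors)
                ModelState.AddModelError(string.Empty, error.Description);
            return View(rvm);
        }

        await _signInManager.SignInAsync(user, isPersistent: false);
        return RedirectToLocal(returnUrl); // never Redirect(returnUrl) straight from input
    }

    // Url.IsLocalUrl accepts "/checkout" or "~/checkout" and rejects absolute URLs
    // ("https://evil.example/"), protocol-relative ones ("//evil.example") and the
    // backslash variant ("/\evil.example") that some browsers normalise to a host.
    private IActionResult RedirectToLocal(string? returnUrl)
    {
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return LocalRedirect(returnUrl); // LocalRedirect itself throws on a non-local URL
        return RedirectToAction("Index", "Home");
    }
}
```

The explicit IsLocalUrl check lets the action fall back to the home page instead of surfacing the InvalidOperationException that LocalRedirect raises for a non-local URL; either way the browser is never sent to an attacker-chosen host.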
This is not an issue with our program. This describes how ASP.NET MVC Core solved the issue.
Missing function-level access control: not authorizing the user for a specific HTTP request at the method or controller level.
The fix is to specify the role or policy that may reach an action. The attribute can be placed on individual actions, but placing it on the controller class covers every action in it and avoids forgetting one, which is how we did it in AdminController.cs.
In our code, it is the attribute at the top of the class:
[Authorize(Policy = "AdminOnly")]
public class AdminController : Controller
{...
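As an added example (not the store's code), the registration that makes the attribute above work: the "AdminOnly" policy is defined to require the Admin role, and a fallback policy makes every endpoint require an authenticated user unless it explicitly opts out, so a controller that forgets [Authorize] fails closed instead of open. The HomeController and the Admin role name are assumptions; Identity with roles is assumed to be registered elsewhere.

```csharp
// Added example, not the store's own code. "Admin" as the role name and HomeController
// are assumptions; Identity with roles (AddRoles<IdentityRole>()) is assumed elsewhere.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();

builder.Services.AddAuthorization(options =>
{
    // The policy named in [Authorize(Policy = "AdminOnly")]. If it is not registered,
    // the first request to AdminController throws at runtime rather than silently allowing.
    options.AddPolicy("AdminOnly", policy => policy.RequireRole("Admin"));

    // Deny by default: applies to every endpoint that has no [Authorize] of its own,
    // so a new controller added without the attribute still requires a login.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization(); // must run after routing and before the endpoints
app.MapDefaultControllerRoute();
app.Run();

[Authorize(Policy = "AdminOnly")] // inherited by every action in the controller
public class AdminController : Controller
{
    public IActionResult Index() => View();
}

public class HomeController : Controller
{
    [AllowAnonymous] // the public landing page explicitly opts out of the fallback policy
    public IActionResult Index() => View();

    // No attribute: the fallback policy still requires an authenticated user here.
    public IActionResult Orders() => View();
}
```

With the fallback policy in place the question during review flips from "did we remember to protect this action?" to "did we deliberately mark this one public?", which is the easier list to audit.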