Update penetration test report for 10.4#25634
Merged
Images automagically compressed by Calibre's image-actions ✨ Compression reduced images by 69.2%, saving 234.6 KB.
Pull request overview
Updates the public OWASP ZAP penetration test report documentation to reflect ABP Commercial MVC v10.4.0, aligning the example findings and guidance with the latest scan results.
Changes:
- Updates the report intro, affected URL examples, and several alert explanations to match the 10.4 ZAP scan.
- Replaces the alert summary screenshot reference with the 10.4 image.
- Rephrases some sections to better distinguish framework defaults vs application/deployment-specific security configuration.
| @@ -74,37 +49,14 @@ SQL injection may be possible. | |||
| This is a **false-positive** alert. ABP Framework uses Entity Framework Core, which inherently uses parameterized queries, preventing standard SQL injection attacks. Manual verification showed that injecting SQL syntax into parameters like `providerKey` results in the input being treated as a literal string (resulting in no match or default behavior) rather than altering the query structure. | |||
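Review bot: "inherently uses parameterized queries" overstates what Entity Framework Core guarantees and weakens the false-positive rationale. LINQ queries and `FromSqlInterpolated`/`ExecuteSqlInterpolated` are parameterized, but `FromSqlRaw`/`ExecuteSqlRaw` with string-concatenated input are not, so a reader could wrongly conclude that any EF Core usage is immune. Scope the claim to what was actually verified, e.g. "ABP's data access goes through EF Core LINQ queries, which are parameterized; manual verification on parameters such as `providerKey` showed injected SQL syntax treated as a literal string", and keep the general statement about the framework out of the per-alert justification.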
| @@ -306,13 +243,12 @@ Manually confirm that the timestamp data is not sensitive, and that the data can | |||
| This vulnerability was reported as a positive alert, because ABP uses the [zxcvbn](https://github.com/dropbox/zxcvbn) library for [password complexity indicators](../framework/ui/angular/password-complexity-indicator-component.md). This library is one of the most used password strength estimator and it does not disclosure any sensitive data related to web server's timestamp and therefore it's a **false-positive** alert. | |||
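Review bot: the first sentence reads as if the zxcvbn dependency is the reason the alert is a true positive ("reported as a positive alert, because ABP uses ... zxcvbn"), while the paragraph concludes it is a false positive. Restructure so cause and verdict line up, e.g. "ZAP raised this alert on the zxcvbn library that ABP uses for the password complexity indicator. The library does not disclose any web server timestamp, so this is a **false-positive** alert." While there, fix "one of the most used password strength estimator" to "estimators" and "does not disclosure" to "does not disclose".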
| * *[GET] — https://localhost:44349 (and other several URLs...)* | ||
| * *[GET] — https://localhost:44349/Abp/Languages/Switch?culture=ar&returnUrl=%2F%3Fpage%3D% (same url with different query parameters...)* | ||
| * *[GET] — https://localhost:44348 (and other several URLs...)* | ||
| * *[GET] — https://localhost:44348/Abp/Languages/Switch?culture=ar&returnUrl=%2F%3Fpage%3D% (same url with different query parameters...)* |
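Review bot: both `Languages/Switch` examples end in `returnUrl=%2F%3Fpage%3D%`, a trailing bare `%` that is not valid percent-encoding. If the captured URL was cut when copying from the ZAP report, close it out explicitly (the full value or a "(truncated)" marker); if ZAP really sent a malformed value as part of its probe, say so, because a reader copying the example as-is gets a URL that fails to decode. Also "(and other several URLs...)" should read "(and several other URLs...)" in all four entries.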
Comment on lines +26 to +28
| - *[GET] - https://localhost:44348/api/audit-logging/audit-logs?httpMethod=audit-logs&sorting=executionTime+desc&skipCount=0&maxResultCount=10* | ||
| - *[GET] - https://localhost:44348/Account/ForgotPassword?returnUrl=%5CForgotPassword* | ||
| - *[GET] - https://localhost:44348/Account/Login?ReturnUrl=%2FAccount%2FManage* |
Comment on lines 194 to +196
| ### Cookie without `SameSite` Attribute [Risk: Low] — Positive (No need for a fix) | ||
| * *[GET] — https://localhost:44349/Abp/Languages/Switch?culture=ar&returnUrl=%2F&uiCulture=ar _(and other several URLs with different query parameters...)_* | ||
| * *[GET] — https://localhost:44348/Abp/Languages/Switch?culture=ar&returnUrl=%2F&uiCulture=ar _(and other several URLs with different query parameters...)_* |
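Review bot: the heading "Positive (No need for a fix)" is self-contradictory next to the other sections, which use "false-positive": "Positive" says the finding is real, "No need for a fix" says it is accepted. State which it is for the cookie set by the `/Abp/Languages/Switch` endpoint. If the cookie is deliberately issued without `SameSite`, label it as an accepted risk and give the reason in the body (for example, that it carries no session or authentication data); if the framework's cookie policy defaults do set `SameSite` and ZAP is reporting on a cookie it could not observe correctly, label it false-positive and note how that was verified.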
EngincanV approved these changes on Jun 15, 2026
https://github.com/volosoft/vs-internal/issues/8621