Merge branch rel-10.5 with rel-10.4 #25635
Merged
…eport-10.4 Update penetration test report for 10.4
voloagent (Contributor) approved these changes on Jun 15, 2026
Pull request overview
This automated merge PR updates the ABP penetration test report documentation to reflect the findings and configuration guidance for the ABP Commercial MVC v10.4.0 template scan.
Changes:
- Updated the report’s version/context (v10.4.0), scan URLs/ports, and the referenced alert list image.
- Revised multiple alert sections (CSP/HSTS/static headers/cookies) to emphasize application/deployment-specific configuration and local validation outcomes.
- Removed/reshaped some previously documented alerts and reworded explanations to match the new scan results.
Comment on lines +26 to +28
| - *[GET] - https://localhost:44348/api/audit-logging/audit-logs?httpMethod=audit-logs&sorting=executionTime+desc&skipCount=0&maxResultCount=10* | ||
| - *[GET] - https://localhost:44348/Account/ForgotPassword?returnUrl=%5CForgotPassword* | ||
| - *[GET] - https://localhost:44348/Account/Login?ReturnUrl=%2FAccount%2FManage* |
| **Explanation**: | ||
|
|
||
| This is a **false-positive** alert. v9.0 uses .NET 9 and the XSLT transformation is not possible on .NET5 or higher. | ||
| This is a **false-positive** alert. ABP v10.4.x uses .NET 10, and the scanned endpoints do not execute user-supplied XSLT. The local validation did not expose XSLT execution or system property output. |
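Review bot: the replacement explanation at +28 drops the framework-level reason the removed line gave (that the XSLT transformation is not possible on .NET 5 or higher) and rests instead on the scanned endpoints not executing user-supplied XSLT plus a local validation that "did not expose XSLT execution or system property output". Since the only evidence listed above is the three GET endpoints (audit-logs, ForgotPassword, Login), the false-positive classification would be easier to defend if the new text kept the platform-level justification alongside the endpoint-specific one and stated what the local validation consisted of, so the conclusion does not hinge on a single scan run. One consistency point: the PR overview describes the report as covering the ABP Commercial MVC v10.4.0 template, while the new line says "ABP v10.4.x"; pick one form and use it throughout the report.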
| @@ -306,13 +243,12 @@ Manually confirm that the timestamp data is not sensitive, and that the data can | |||
|
|
|||
| This vulnerability was reported as a positive alert, because ABP uses the [zxcvbn](https://github.com/dropbox/zxcvbn) library for [password complexity indicators](../framework/ui/angular/password-complexity-indicator-component.md). This library is one of the most used password strength estimator and it does not disclosure any sensitive data related to web server's timestamp and therefore it's a **false-positive** alert. | |||
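Review bot: the context line in this hunk has two grammar slips that should be fixed while the section is being reworked: "one of the most used password strength estimator" should read "estimators", and "does not disclosure any sensitive data" should read "does not disclose any sensitive data". Separately, the link target ../framework/ui/angular/password-complexity-indicator-component.md points at the Angular UI documentation, whereas this report covers the MVC v10.4.0 template scan according to the PR overview; confirm that link is the intended reference for the MVC report, or point it at the MVC equivalent. Given the hunk header's instruction to "Manually confirm that the timestamp data is not sensitive", the explanation would also be clearer if it said explicitly why the zxcvbn library's use means no web-server timestamp is exposed, rather than only asserting that it does not disclose one.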
This PR was generated automatically to merge rel-10.5 with rel-10.4. Please review the changed files before merging to prevent any errors that may occur.