DuendeSoftware / Support

Support for Duende Software products

Request for Guidance on Modifying Parameter Name to Address Vulnerability Scan Concerns #1306

Closed tonyliving closed 6 days ago

tonyliving commented 2 weeks ago

Which version of Duende IdentityServer are you using? 7.0
Which version of .NET are you using? 8.0

My client requested a third-party security company to conduct a vulnerability scan, which identified the EndSessionCallback request's endSessionId parameter as sensitive information leakage due to the inclusion of the keyword session. My client has limited knowledge about security and asked us to make modifications. Could you provide a method to rename this parameter or change it to static readonly? I am considering using reflection to modify it.

RolandGuijt commented 2 weeks ago

Can you please explain why the parameter name would be a problem? It's hard to change because it's hardcoded into IdentityServer.

From my perspective the only part of the parameter that could be vulnerable is its value. And that is encrypted.

tonyliving commented 2 weeks ago

Just because of the name, mainly because the client does not understand security-related knowledge and only listens to reports from third-party security companies.

RolandGuijt commented 6 days ago

I'm sorry but we can't help here. If it was a real security-related problem we would of course do our best to fix it, but this seems to be more of a political problem which is outside of our scope.

tonyliving commented 6 days ago

ok, thanks!