ASP.NET 2.0 Security Inspection Questions - Authorization

From Guidance Share


- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Jason Taylor, Rudolph Araujo



Authorization Vulnerabilities and Implications

Vulnerability: Reliance on a single gatekeeper
Implications: If the gatekeeper is bypassed or is improperly configured, a user can gain unauthorized access.

Vulnerability: Failing to lock down system resources against application identities
Implications: An attacker can coerce the application and access restricted system resources.

Vulnerability: Failing to limit database access to specified stored procedures
Implications: An attacker can mount a SQL injection attack to retrieve, manipulate, or destroy data.

Vulnerability: Inadequate separation of privileges
Implications: There is no accountability or ability to perform per-user authorization.


The following questions can help you to identify vulnerable areas:

  • How does the code protect access to restricted pages?
  • How does the code protect access to page classes?
  • Does the code use Server.Transfer?

How does the code protect access to restricted pages?

If the application uses Windows authentication, has it configured NTFS permissions on the page (or the folder that contains the restricted pages) to allow access only to authorized users?

Is the <authorization> element configured to specify which users and groups of users can access specific pages?


How does the code protect access to page classes?

Are principal permission demands added to classes to specify which users and groups of users can access the classes?


Does the code use Server.Transfer?

Make sure that if the code uses Server.Transfer to transfer a user to another page, the currently authenticated user is authorized to access the target page. If the code uses Server.Transfer to transfer to a page that the user is not authorized to view, the page is still processed. This is because Server.Transfer executes the target page within the current request rather than causing the browser to make a new request to the server; a new request would pass through the authorization modules again and would be rejected.

The code should not use Server.Transfer if security is a concern on the target Web page. It should use HttpResponse.Redirect instead.
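The following code-behind page is an added example, not code from the Guidance Share page, that puts the three review points together: a principal permission demand on the page class, the unchecked Server.Transfer the checklist warns about beside a transfer guarded by an explicit URL authorization check, and the recommended redirect. The target path "~/Admin/Reports.aspx", the page class name and the "Administrators" role are assumptions.

```csharp
// Added example (not from the Guidance Share page). Assumed names: the
// AdminDashboard page, the target path "~/Admin/Reports.aspx" and the
// "Administrators" role. Targets ASP.NET 2.0 Web Forms.
using System;
using System.Security.Permissions;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Principal permission demand on the page class. It is evaluated when the
// class is instantiated, so it also protects the page when it is reached
// through Server.Transfer, unlike <authorization> rules in web.config.
[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
public partial class AdminDashboard : Page
{
    private const string TargetPage = "~/Admin/Reports.aspx";

    // Vulnerable pattern: Server.Transfer runs the target page inside the
    // current request, so the <authorization> rules for TargetPage are never
    // evaluated and an unauthorized user still sees the page.
    protected void TransferUnchecked()
    {
        Server.Transfer(TargetPage);
    }

    // Hardened pattern: ask UrlAuthorizationModule whether the current user
    // would be allowed to GET the target before transferring to it.
    protected void TransferChecked()
    {
        if (UrlAuthorizationModule.CheckUrlAccessForPrincipal(TargetPage, User, "GET"))
        {
            Server.Transfer(TargetPage);
        }
        else
        {
            Response.StatusCode = 403; // Forbidden: do not render the target
            Response.End();
        }
    }

    // Recommended pattern from the checklist: redirect instead. The browser
    // issues a new request, which passes through URL authorization again.
    protected void RedirectInstead()
    {
        Response.Redirect(TargetPage);
    }
}
```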
