<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Sensitive actions, such as editing or deleting content, or accessing admin pages, should be protected by
authorization checks so that they can only be performed by users who are entitled to perform them. A handler
or action method that performs such an action without checking the caller's identity and role is reachable
by anyone who can send a request to its URL.
</p>
</overview>
<recommendation>
<p>
Ensure that proper authorization checks are made before every sensitive action.
For WebForms applications, the <code>authorization</code> element in <code>Web.config</code> XML files
can be used to implement path-based access control. The <code>System.Web.UI.Page.User</code> property
(an <code>IPrincipal</code>) can also be used in page code to verify that the user is authenticated and
holds the required role, for example with <code>User.IsInRole</code>.
For MVC applications, the <code>Authorize</code> attribute can be used to require authorization on specific
action methods or on whole controllers.
</p>
</recommendation>
<example>
<p>
In the following WebForms example, the case marked BAD has no authorization checks whereas the
case marked GOOD uses <code>User.IsInRole</code> to check for the user's role.
</p>
<sample src="WebForms.cs" />
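<p>
The following is an added illustration of the WebForms pattern described above; it is not the query's own
<code>WebForms.cs</code> sample. It assumes a page with a delete button, a role named <code>Admin</code>,
and a hypothetical <code>ItemRepository</code> helper standing in for the real data access code.
</p>

```csharp
// Added example, not the CodeQL query's own sample file.
// Assumptions: a role named "Admin" and a hypothetical ItemRepository helper.
using System;
using System.Web;
using System.Web.UI;

namespace Example.WebForms
{
    // BAD: any visitor who can reach the page and post the form can delete content.
    public class DeleteItemBad : Page
    {
        protected void DeleteButton_Click(object sender, EventArgs e)
        {
            int id = int.Parse(Request.Form["itemId"]);
            ItemRepository.Delete(id); // hypothetical data-access helper
        }
    }

    // GOOD: the page refuses every request, including postbacks, unless the
    // caller is authenticated and in the Admin role.
    public class DeleteItemGood : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Page.User is the IPrincipal set up by the authentication module.
            // IsInRole already returns false for anonymous users, but checking
            // IsAuthenticated separately lets us answer 401 and 403 distinctly.
            if (User == null || !User.Identity.IsAuthenticated)
            {
                throw new HttpException(401, "Authentication required.");
            }
            if (!User.IsInRole("Admin"))
            {
                throw new HttpException(403, "Admin role required.");
            }
        }

        protected void DeleteButton_Click(object sender, EventArgs e)
        {
            // Page_Load runs before control event handlers on a postback, so the
            // role check above has been enforced before this sensitive action.
            int id;
            if (!int.TryParse(Request.Form["itemId"], out id))
            {
                throw new HttpException(400, "Invalid item id.");
            }
            ItemRepository.Delete(id);
        }
    }

    // Hypothetical repository so the example compiles; the real one talks to storage.
    public static class ItemRepository
    {
        public static void Delete(int id)
        {
        }
    }
}
```

<p>
Putting the check in <code>Page_Load</code> rather than only in the click handler matters because the page
life cycle runs <code>Page_Load</code> on every request to the page, so a second sensitive handler added later
is covered automatically. A check that only redirects without ending the request, or that lives in a handler
that is not on the path of the sensitive postback, does not protect the action.
</p>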
<p>
The following <code>Web.config</code> file uses the <code>authorization</code> element to deny access to anonymous users,
wrapped in a <code>location</code> element so that the rule applies only to a specific path rather than to the whole application.
</p>
<sample src="Web.config" />
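<p>
The following is an added <code>Web.config</code> fragment illustrating the same mechanism; it is not the query's
own <code>Web.config</code> sample. The paths <code>Admin</code> and <code>Content/Edit.aspx</code>, the
<code>Admin</code> role and the login page URL are assumed for the illustration.
</p>

```xml
<?xml version="1.0"?>
<!-- Added example, not the CodeQL query's own sample file. Paths and role names are assumed. -->
<configuration>
  <system.web>
    <!-- Forms authentication, so that denied anonymous requests are redirected to a login page. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" />
    </authentication>
  </system.web>

  <!-- Everything under /Admin: only authenticated users in the Admin role.
       Rules are evaluated top to bottom and the first match wins, so the
       deny-everyone rule must be last. Without it, the default
       <allow users="*"/> inherited from the root configuration would let any
       authenticated user through. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- A single page: deny anonymous users ("?"); any authenticated user is allowed. -->
  <location path="Content/Edit.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

<p>
Two caveats a reviewer should keep in mind: the special user names are <code>?</code> (anonymous) and
<code>*</code> (everyone), and swapping them silently opens the path; and URL authorization is keyed on the
request path, so for MVC applications, whose routes do not correspond to files, the <code>Authorize</code>
attribute on controllers and actions is the reliable place to enforce access control.
</p>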
<p>
In the following MVC example, the case marked BAD has no authorization
checks whereas the case marked GOOD uses the <code>Authorize</code> attribute.
</p>
<sample src="MVC.cs" />
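<p>
The following is an added illustration of the MVC pattern described above; it is not the query's own
<code>MVC.cs</code> sample. It targets ASP.NET MVC on .NET Framework (<code>System.Web.Mvc</code>), and
<code>ItemRepository</code> is a hypothetical helper standing in for the real data access code.
</p>

```csharp
// Added example, not the CodeQL query's own sample file.
// Assumptions: ASP.NET MVC 5 (System.Web.Mvc), a role named "Admin",
// and a hypothetical ItemRepository helper.
using System.Web.Mvc;

namespace Example.Mvc
{
    // BAD: no authorization. Any request that reaches /ItemBad/Delete/42 deletes item 42.
    public class ItemBadController : Controller
    {
        [HttpPost]
        public ActionResult Delete(int id)
        {
            ItemRepository.Delete(id); // hypothetical data-access helper
            return RedirectToAction("Index");
        }
    }

    // GOOD: [Authorize] on the controller makes every action require an
    // authenticated user; [Authorize(Roles = ...)] on Delete further restricts
    // that action to members of the Admin role.
    [Authorize]
    public class ItemGoodController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        [Authorize(Roles = "Admin")]
        public ActionResult Delete(int id)
        {
            ItemRepository.Delete(id);
            return RedirectToAction("Index");
        }

        // Opting a single action out of the controller-level requirement has to
        // be explicit, which makes it easy to spot in code review.
        [AllowAnonymous]
        public ActionResult PublicDetails(int id)
        {
            return View();
        }
    }

    // Hypothetical repository so the example compiles; the real one talks to storage.
    public static class ItemRepository
    {
        public static void Delete(int id)
        {
        }
    }
}
```

<p>
Because the attribute is only enforced where it is present, a deny-by-default posture is safer than adding
<code>Authorize</code> action by action: registering <code>new AuthorizeAttribute()</code> as a global filter
in the application's filter configuration makes every action require authentication unless it carries
<code>AllowAnonymous</code>, so a forgotten attribute fails closed rather than open.
</p>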
</example>
<references>
<li><code>Page.User</code> Property - <a href="https://learn.microsoft.com/en-us/dotnet/api/system.web.ui.page.user?view=netframework-4.8.1#system-web-ui-page-user">Microsoft Learn</a>.</li>
<li>Control authorization permissions in an ASP.NET application - <a href="https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/aspnet/www-authentication-authorization/authorization-permissions">Microsoft Learn</a>.</li>
<li>Simple authorization in ASP.NET Core - <a href="https://learn.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0">Microsoft Learn</a>.</li>
</references>
</qhelp>