AttackFlow Findings Dictionary


Inadequate Authorization Mechanism

An attacker can slip through authorization checks that are hard-coded at each call site and, because they are hard to keep consistent as the code evolves, end up incomplete or wrong

Severity: Critical

Fix Cost: High

Trust Level: Medium

Frameworks offer easy-to-use authorization mechanisms such as the IsInRole method on the current principal or the authorization/allow directives in web.config. They give an appropriate check quickly, but as requirements and code grow more complex, checks written this way become hard to maintain and easy to get wrong, because the role names are repeated as string literals wherever a decision is made.

The code below uses such a technique for authorization:

// Controller action: the role names are string literals at this call site,
// and again at every other site that makes the same decision.
if (User.IsInRole("admin"))
{
    // only admins can access
}
else if (User.IsInRole("spectator"))
{
    // only monitoring users can access
}
else
{
    // ...
}

Authorization code written this way is hard to maintain: as requirements evolve, the same change has to be made in several places (controllers, business logic, views), and a site that is overlooked is the kind of simple mistake that goes unnoticed until an attacker finds and abuses it.

Another hard-coded check, this time expressed with an MVC attribute:

// The allowed roles are again a string literal, now in an attribute. ASP.NET MVC splits
// the list on commas and trims each entry, so the spaces are harmless; the problem is that
// the same list must be repeated on every action with the same requirement.
[Authorize(Roles = "root, admin, auditor")]
[HttpPost]
public ActionResult BulkInsert(NM model)
{
    // ...
}

The Java equivalents carry the same weakness: HttpServletRequest.isUserInRole and the role-based annotations of Spring Security and JSR-250 let you write an appropriate check quickly, but every one of them repeats the role names, so the checks drift apart as the code grows. The servlet-style check:

// Servlet code: the same pattern as the .NET example, role names inlined at the call site.
if (request.isUserInRole("admin")) {
    // only admins can access
}
else if (request.isUserInRole("spectator")) {
    // only monitoring users can access
}
else {
    // ...
}

Here too, when the requirement changes, every controller, service and view that repeats the role list has to be found and updated. The annotation forms, using Spring Security's @PreAuthorize and @Secured and JSR-250's @RolesAllowed, have the same problem:

// Two alternative annotations for the same read operation (shown as alternatives,
// not as overloads in one class); the role list lives in the annotation string,
// so widening or narrowing access means editing each annotated method.
@PreAuthorize("hasAnyRole('admin','monitor')")
public Item findItem(long itemNumber) {
  // ...
}

@PreAuthorize("hasRole('admin')")
public Item findItem(long itemNumber) {
  // ...
}

// Two alternative annotations for the same write operation.
@RolesAllowed({ "admin", "root" })
public void create(Contact contact){
  // ...
}

@Secured({ "admin", "root" })
public void create(Contact contact){
  // ...
}

Mixing these forms adds a subtle trap: hasRole('admin') and @RolesAllowed("admin") are resolved against the authority ROLE_admin (Spring Security's default role prefix), while @Secured("admin") is compared with the authority string exactly as written. The two create variants above therefore do not check the same authority unless the names are spelled with the prefix, and a refactor from one annotation to the other can silently change who is allowed in.
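
The maintainable alternative, for both the .NET and the Java code above, is to name the decision rather than the roles: controllers, services and views ask whether the caller may BulkInsert or FindItem, and a single table maps those permissions to roles. The example below is added here and is not part of AttackFlow's dictionary or of any project it describes; it shows that refactor with ASP.NET Core's policy-based authorization (the page's .NET snippets are classic ASP.NET MVC, the policy API assumed here is ASP.NET Core's). The role and operation names are the ones from the page's snippets; the permission strings, the Item record, ItemsController and ItemService are assumptions made up for the illustration. The Spring Security counterpart has the same shape: map roles to permission authorities once, when the principal is built, and check hasAuthority('...') in the annotations.

```csharp
// Added example, not AttackFlow's code. Assumes ASP.NET Core. The roles and
// operations (root, admin, auditor, monitor, BulkInsert, FindItem) come from
// the page's snippets; every other name here is hypothetical.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// The only place in the application where role names are written down.
public static class Permissions
{
    public const string BulkInsert    = "perm:bulk-insert";
    public const string FindItem      = "perm:find-item";
    public const string CreateContact = "perm:create-contact";

    // Permission -> roles that grant it. Changing a requirement means
    // editing one entry here, not hunting for string literals.
    public static readonly IReadOnlyDictionary<string, string[]> GrantedTo =
        new Dictionary<string, string[]>
        {
            [BulkInsert]    = new[] { "root", "admin", "auditor" },
            [FindItem]      = new[] { "admin", "monitor" },
            [CreateContact] = new[] { "admin", "root" },
        };
}

public static class AuthorizationSetup
{
    // Call from Program.cs: builder.Services.AddPermissionPolicies();
    public static IServiceCollection AddPermissionPolicies(this IServiceCollection services) =>
        services.AddAuthorization(options =>
        {
            // One named policy per permission, generated from the table above.
            foreach (var (permission, roles) in Permissions.GrantedTo)
                options.AddPolicy(permission, policy => policy.RequireRole(roles));

            // Deny by default: an endpoint that carries neither [Authorize] nor
            // [AllowAnonymous] still requires an authenticated user, so a
            // forgotten attribute fails closed instead of open.
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
        });
}

public record Item(long Number);

// Controllers name the permission, never the roles.
public class ItemsController : Controller
{
    private readonly ItemService _items;
    public ItemsController(ItemService items) => _items = items;

    [Authorize(Policy = Permissions.BulkInsert)] // was [Authorize(Roles = "root, admin, auditor")]
    [HttpPost]
    public IActionResult BulkInsert([FromBody] IReadOnlyList<Item> batch)
    {
        // ... persist the batch ...
        return Ok(batch.Count);
    }

    // No attribute here: the fallback policy still requires authentication,
    // and the service layer applies the FindItem permission itself.
    [HttpGet("{itemNumber:long}")]
    public async Task<IActionResult> Find(long itemNumber) =>
        Ok(await _items.FindItemAsync(User, itemNumber));
}

// Business logic asks the same policy engine through IAuthorizationService
// instead of repeating the role list (a Razor view does the same via
// @inject IAuthorizationService and AuthorizeAsync).
public class ItemService
{
    private readonly IAuthorizationService _authz;
    public ItemService(IAuthorizationService authz) => _authz = authz;

    public async Task<Item> FindItemAsync(ClaimsPrincipal user, long itemNumber)
    {
        AuthorizationResult result =
            await _authz.AuthorizeAsync(user, resource: null, policyName: Permissions.FindItem);
        if (!result.Succeeded)
            throw new UnauthorizedAccessException($"caller lacks {Permissions.FindItem}");

        // ... load from the store ...
        return new Item(itemNumber);
    }
}
```

Register it with builder.Services.AddPermissionPolicies() in Program.cs. The FallbackPolicy matters as much as the table: with it, an action nobody remembered to annotate still rejects anonymous callers instead of being open, which is exactly the overlooked-call-site failure this finding describes; the permission table then makes the remaining decision reviewable in one place.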


		    
