Missing function level access control¶
ID: cs/web/missing-function-level-access-control
Kind: problem
Security severity: 7.5
Severity: warning
Precision: medium
Tags:
- security
- external/cwe/cwe-285
- external/cwe/cwe-284
- external/cwe/cwe-862
Query suites:
- csharp-security-extended.qls
- csharp-security-and-quality.qls
Click to see the query in the CodeQL repository
Sensitive actions, such as editing or deleting content, or accessing admin pages, should have authorization checks to ensure that they cannot be used by malicious actors.
Recommendation¶
Ensure that proper authorization checks are made for sensitive actions. For WebForms applications, the authorization
tag in Web.config
XML files can be used to implement access control. The System.Web.UI.Page.User
property can also be used to verify a user’s role. For MVC applications, the Authorize
attribute can be used to require authorization on specific action methods.
Example¶
In the following WebForms example, the case marked BAD has no authorization checks whereas the case marked GOOD uses User.IsInRole
to check for the user’s role.
class ProfilePage : System.Web.UI.Page {
// BAD: No authorization is used
protected void btn1_Edit_Click(object sender, EventArgs e) {
...
}
// GOOD: `User.IsInRole` checks the current user's role.
protected void btn2_Delete_Click(object sender, EventArgs e) {
if (!User.IsInRole("admin")) {
return;
}
...
}
}
The following Web.config
file uses the authorization
tag to deny access to anonymous users, in a location
tag to have that configuration apply to a specific path.
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<location path="User/Profile">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
In the following MVC example, the case marked BAD has no authorization checks whereas the case marked GOOD uses the Authorize
attribute.
public class ProfileController : Controller {
// BAD: No authorization is used.
public ActionResult Edit(int id) {
...
}
// GOOD: The `Authorize` attribute is used.
[Authorize]
public ActionResult Delete(int id) {
...
}
}
References¶
Page.User
Property - Microsoft Learn.Control authorization permissions in an ASP.NET application - Microsoft Learn.
Simple authorization in ASP.NET Core - Microsoft Learn.
Common Weakness Enumeration: CWE-285.
Common Weakness Enumeration: CWE-284.
Common Weakness Enumeration: CWE-862.