SlideShare a Scribd company logo

Defending broken access control in .NET

Download as PPTX, PDF
S
Supriya G

This document discusses broken access control and how to prevent and remediate it. It begins by explaining the difference between authentication and authorization, and provides examples of each. It then discusses various access control policy types like role-based access control and how to implement authorization in ASP.NET using simple authorization, role-based authorization, policy-based authorization, and claims-based authorization. The document also covers preventing insecure direct object references, and remediating authorization issues through steps like invalidating tokens after logout and restricting access based on roles.

Software
1 of 18
Download to read offline
1
2
3
Most read
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Defending Broken Access Control in .NET By Supriya Golla Senior Cyber Security Analyst
What will be covered? Broken Access control Difference between Authentication and Authorization Example for Authentication and Authorization Improper Authorization Consequences Access control policy types Implementing policy in .NET Prevention of IDOR Remediation for Authorization References
Broken Access Control Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others. Authorization is a process by which a server determines if the client has permission to use a resource or access a file. • These checks are performed after authentication and govern what ‘authorized’ users are allowed to do. • Access control sounds like a simple problem but is insidiously difficult to implement correctly. • A web application’s access control model is closely tied to the content and functions that the site provides. • Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.
What is Authentication and Authorization:  What You Know  What You Have  What You ARE Authorization is the process to determine whether the authenticated user has access to the specific resources. Broken Access Control
Broken Access Control Authentication and Authorization Difference Using Example: • Authentication should be used whenever you want to know exactly who is using or viewing your site. Web-login is University’s primary method of authentication. Students/Professor/Administrator need to authenticate to view the university information. • Authorization should be used whenever you want to control viewer access of certain pages. For example, University students are not authorized to view certain web pages dedicated to professors and administration. The authorization requirements for a site are typically defined in a website’s web.config file. Authorization verifies your rights to grant you access to resources such as information, databases, files, etc. Authorization usually comes after authentication which confirms your privileges to perform. In simple terms, it’s like giving someone official permission to do something or anything.
Broken Access Control Improper Authorization Consequences: • Privilege Escalation • Path Traversal • Sensitive data exposure • Presence of Insecure Direct Object Reference (IDOR) vulnerabilities
Broken Access Control Authorization is designed based on access control policy • Role Base Access Control (RBAC): In RBAC, access decisions are based on an individual's roles and responsibilities within the organization or user base. For instance, in a medical organization, the different roles of users may include those such as a doctor, nurse, attendant, patients, etc. Obviously, these members require different levels of access in order to perform their functions, but also the types of web transactions and their allowed context vary greatly depending on the security policy and any relevant regulations (HIPAA, Gramm-Leach-Bliley, etc.). • Discretionary Access Control (DAC): DAC is a means of restricting access to information based on the identity of users and/or membership in certain groups. Access decisions are typically based on the authorizations granted to a user based on the credentials he presented at the time of authentication (username, password, hardware/software token, etc.). • Mandatory Access Control (MAC): MAC ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. MAC secures information by assigning sensitivity labels on information and comparing this to the level of sensitivity a user is operating at. MAC is usually appropriate for extremely secure systems, including multilevel secure military applications or mission-critical data applications. • Permission Based Access Control: The key concept in Permission Based Access Control is the abstraction of application actions into a set of permissions. A permission may be represented simply as a string-based name, for example, "READ". Access decisions are made by checking if the current user has the permission associated with the requested application action.
Broken Access Control Authorization implementation in ASP.Net: ASP.NET Core authorization provides the following different models: • Simple authorization • Role-based authorization • Policy-based authorization • Claims Based Authorization
Broken Access Control Simple authorization: Authorization in MVC is controlled through the “AuthorizeAttribute” attribute and its various parameters. At its simplest, applying the “AuthorizeAttribute” attribute to a controller or action limits access to the controller or action to any authenticated user. • Authorization components, including the AuthorizeAttribute and AllowAnonymousAttribute attributes, are found in the Microsoft.AspNetCore.Authorization namespace. • This would allow only authenticated users to the AccountController, except for the Login action, which is accessible by everyone, regardless of their authenticated or unauthenticated / anonymous status.
Broken Access Control Role-based authorization: Role-based authorization is a declarative way to restrict access to resources. You can specify the roles that the current user must be a member of to access a specified resource. The Authorize attribute enables you to restrict access to resources based on roles. It is a declarative attribute that can be applied to a controller or an action method. In the above code snippet members of the Administrator role or the PowerUser role can access the controller and the SetTime action
Broken Access Control Policy-based authorization: A policy-based security model decouples authorization and application logic and provides a flexible, reusable and extensible security model in ASP.NET Core. The policy-based security model is centered on three main concepts. These include policies, requirements, and handlers. An authorization policy consists of one or more requirements. It's registered as part of the authorization service configuration, in the Startup.ConfigureServices method: In the above example, an "AtLeast21" policy is created. It has a single requirement—that of a minimum age, which is supplied as a parameter to the requirement. An authorization handler is responsible for the evaluation of a requirement's properties. The authorization handler evaluates the requirements against a provided AuthorizationHandlerContext to determine if access is allowed.
Broken Access Control Applying the Policy: Once the policy has been registered, you can apply the policy in your controller or the controller’s action methods. If you were to apply the policy at the controller level, here’s how you would need to specify the policy. [Authorize(Policy = “AtLeast21”)] public class SecurityController: Controller { //Action methods } As you can see, instead of specifying roles in the [Authorize] attribute, you can specify the policy that you would like to apply. To apply a policy to an action method, you can take advantage of the Policy property of the Authorize attribute as shown in the code.
Broken Access Control Claims Based Authorization: Claims based authorization, at its simplest, checks the value of a claim and allows access to a resource based upon that value. For example if you want access to a night club the authorization process might be: The door security officer would evaluate the value of your date of birth claim and whether they trust the issuer (the driving license authority) before granting you access. First you need to build and register the policy. This takes place as part of the Authorization service configuration, which normally takes part in ConfigureServices() in your Startup.cs file. In this case the EmployeeOnly policy checks for the presence of an EmployeeNumber claim on the current identity. You then apply the policy using the Policy property on the AuthorizeAttribute attribute to specify the policy name;
Broken Access Control You can then apply this policy at the controller level on the AuthorizeAttribute attribute as shown below. [Authorize(Policy = "EmployeeOnly")] public IActionResult SomeMethod() { //Write your code here }
Broken Access Control Prevention to IDOR: When you have a resource (object) which can be accessed by a reference (in the sample below this is the id) then you need to ensure that the user is intended to be there.
Broken Access Control Remediation:  Invalidate tokens and cookies after logout.  Forced login/logout after a password change.  Server-side resource restriction e.g. directories.  Restrict access to all resources basis roles.  Model access controls should enforce record ownership, rather than accepting that the user can create, read, update, or delete any record.  Disable web server directory listing and ensure file metadata (e.g. .git) and backup files are not present within web roots.  Log access control failures, alert admins when appropriate (e.g. repeated failures).  Rate limit API and controller access to minimize the harm from automated attack tooling.  JWT tokens should be invalidated on the server after logout. Developers and QA staff should include functional access control unit and integration tests.
References:  https://owasp.org/www-project-top- ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control  https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Che at_Sheet.html  https://docs.microsoft.com/en- us/aspnet/core/security/authorization/introduction?view=aspnetcore- 3.1  https://cheatsheetseries.owasp.org/cheatsheets/Transaction_Authoriz ation_Cheat_Sheet.html
Thank You!!!

More Related Content

PPTX
Tasklet vs work queues (Deferrable functions in linux)
RajKumar Rampelli
 
PPTX
Secerna repa 2007 power point
Cranki
 
PDF
SpecterOps Webinar Week - Kerberoasting Revisisted
Will Schroeder
 
PDF
Index tuning
Microsoft
 
PDF
Enabling Project Collaboration with Primavera P6
p6academy
 
DOCX
Oracle Database 19c (19.3) Installation on Windows (Step-by-Step)
Feras Ahmad
 
PDF
S5-Authorization
zakieh alizadeh
 
PPTX
information security(authentication application, Authentication and Access Co...
Zara Nawaz
 
Tasklet vs work queues (Deferrable functions in linux)
RajKumar Rampelli
 
Secerna repa 2007 power point
Cranki
 
SpecterOps Webinar Week - Kerberoasting Revisisted
Will Schroeder
 
Index tuning
Microsoft
 
Enabling Project Collaboration with Primavera P6
p6academy
 
Oracle Database 19c (19.3) Installation on Windows (Step-by-Step)
Feras Ahmad
 
S5-Authorization
zakieh alizadeh
 
information security(authentication application, Authentication and Access Co...
Zara Nawaz
 

Similar to Defending broken access control in .NET (20)

DOCX
Database Security Concepts | Introduction to Database Security
Raj vardhan
 
PDF
Dit yvol3iss33
Rick Lemieux
 
DOCX
Please describe the process of the Implementation of Role-based access.docx
ellenj4
 
PDF
Dit yvol5iss38
Rick Lemieux
 
PPTX
database Security for data security .pptx
KarimAhmed722436
 
PDF
Access ControlThe term Access Control really alludes to the contr.pdf
anandshingavi23
 
DOCX
Authorization in asp
OPENLANE
 
PDF
Data base Access Control a look at Fine grain Access method
International Journal of Engineering Inventions www.ijeijournal.com
 
PPTX
Cm3 secure code_training_1day_access_control
dcervigni
 
PPTX
Authorization Pattern.pptx power point s
Coderkids
 
PPTX
security and privacy in dbms and in sql database
gourav kottawar
 
PPTX
unit 5 in the database for master of Engineering
poonkodiraja2806
 
PDF
Skype free Download (Latest version 2025)
mohsinrazakpa69
 
PDF
3D Escape crack 2025 Free key Download
mohsinrazakpa86
 
PDF
Revo Uninstaller Pro Download (Latest 2025)
alihamzakpa085
 
PDF
Pazu Netflix Video Downloader Download
blouch53kp
 
PDF
Internet Download Manager (IDM) Free key
alihamzakpa039
 
PDF
Wondershare Recoverit 13.5.11.3 Free Download
alihamzakpa061
 
PDF
Apple Logic Pro X Crack for macOS 2025 Free Download
umnazadiwe
 
DOCX
M05-Protect Application or System software.docx
endeshman
 
Database Security Concepts | Introduction to Database Security
Raj vardhan
 
Dit yvol3iss33
Rick Lemieux
 
Please describe the process of the Implementation of Role-based access.docx
ellenj4
 
Dit yvol5iss38
Rick Lemieux
 
database Security for data security .pptx
KarimAhmed722436
 
Access ControlThe term Access Control really alludes to the contr.pdf
anandshingavi23
 
Authorization in asp
OPENLANE
 
Data base Access Control a look at Fine grain Access method
International Journal of Engineering Inventions www.ijeijournal.com
 
Cm3 secure code_training_1day_access_control
dcervigni
 
Authorization Pattern.pptx power point s
Coderkids
 
security and privacy in dbms and in sql database
gourav kottawar
 
unit 5 in the database for master of Engineering
poonkodiraja2806
 
Skype free Download (Latest version 2025)
mohsinrazakpa69
 
3D Escape crack 2025 Free key Download
mohsinrazakpa86
 
Revo Uninstaller Pro Download (Latest 2025)
alihamzakpa085
 
Pazu Netflix Video Downloader Download
blouch53kp
 
Internet Download Manager (IDM) Free key
alihamzakpa039
 
Wondershare Recoverit 13.5.11.3 Free Download
alihamzakpa061
 
Apple Logic Pro X Crack for macOS 2025 Free Download
umnazadiwe
 
M05-Protect Application or System software.docx
endeshman
 
Ad

Recently uploaded (20)

PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PPTX
Essential Infomation Tech presentation.pptx
pradeepjava2016
 
PDF
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
System and Network Administraation Chapter 3
jaramharo
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
Essential Infomation Tech presentation.pptx
pradeepjava2016
 
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
AI in Product Development-omnex systems
omnex systems
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Introduction to Artificial Intelligence
lohedi9363
 
Ad

Defending broken access control in .NET

  • 1. Defending Broken Access Control in .NET By Supriya Golla Senior Cyber Security Analyst
  • 2. What will be covered? Broken Access control Difference between Authentication and Authorization Example for Authentication and Authorization Improper Authorization Consequences Access control policy types Implementing policy in .NET Prevention of IDOR Remediation for Authorization References
  • 3. Broken Access Control Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others. Authorization is a process by which a server determines if the client has permission to use a resource or access a file. • These checks are performed after authentication and govern what ‘authorized’ users are allowed to do. • Access control sounds like a simple problem but is insidiously difficult to implement correctly. • A web application’s access control model is closely tied to the content and functions that the site provides. • Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.
  • 4. What is Authentication and Authorization:  What You Know  What You Have  What You ARE Authorization is the process to determine whether the authenticated user has access to the specific resources. Broken Access Control
  • 5. Broken Access Control Authentication and Authorization Difference Using Example: • Authentication should be used whenever you want to know exactly who is using or viewing your site. Web-login is University’s primary method of authentication. Students/Professor/Administrator need to authenticate to view the university information. • Authorization should be used whenever you want to control viewer access of certain pages. For example, University students are not authorized to view certain web pages dedicated to professors and administration. The authorization requirements for a site are typically defined in a website’s web.config file. Authorization verifies your rights to grant you access to resources such as information, databases, files, etc. Authorization usually comes after authentication which confirms your privileges to perform. In simple terms, it’s like giving someone official permission to do something or anything.
  • 6. Broken Access Control Improper Authorization Consequences: • Privilege Escalation • Path Traversal • Sensitive data exposure • Presence of Insecure Direct Object Reference (IDOR) vulnerabilities
  • 7. Broken Access Control Authorization is designed based on access control policy • Role Base Access Control (RBAC): In RBAC, access decisions are based on an individual's roles and responsibilities within the organization or user base. For instance, in a medical organization, the different roles of users may include those such as a doctor, nurse, attendant, patients, etc. Obviously, these members require different levels of access in order to perform their functions, but also the types of web transactions and their allowed context vary greatly depending on the security policy and any relevant regulations (HIPAA, Gramm-Leach-Bliley, etc.). • Discretionary Access Control (DAC): DAC is a means of restricting access to information based on the identity of users and/or membership in certain groups. Access decisions are typically based on the authorizations granted to a user based on the credentials he presented at the time of authentication (username, password, hardware/software token, etc.). • Mandatory Access Control (MAC): MAC ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. MAC secures information by assigning sensitivity labels on information and comparing this to the level of sensitivity a user is operating at. MAC is usually appropriate for extremely secure systems, including multilevel secure military applications or mission-critical data applications. • Permission Based Access Control: The key concept in Permission Based Access Control is the abstraction of application actions into a set of permissions. A permission may be represented simply as a string-based name, for example, "READ". Access decisions are made by checking if the current user has the permission associated with the requested application action.
  • 8. Broken Access Control Authorization implementation in ASP.Net: ASP.NET Core authorization provides the following different models: • Simple authorization • Role-based authorization • Policy-based authorization • Claims Based Authorization
  • 9. Broken Access Control Simple authorization: Authorization in MVC is controlled through the “AuthorizeAttribute” attribute and its various parameters. At its simplest, applying the “AuthorizeAttribute” attribute to a controller or action limits access to the controller or action to any authenticated user. • Authorization components, including the AuthorizeAttribute and AllowAnonymousAttribute attributes, are found in the Microsoft.AspNetCore.Authorization namespace. • This would allow only authenticated users to the AccountController, except for the Login action, which is accessible by everyone, regardless of their authenticated or unauthenticated / anonymous status.
  • 10. Broken Access Control Role-based authorization: Role-based authorization is a declarative way to restrict access to resources. You can specify the roles that the current user must be a member of to access a specified resource. The Authorize attribute enables you to restrict access to resources based on roles. It is a declarative attribute that can be applied to a controller or an action method. In the above code snippet members of the Administrator role or the PowerUser role can access the controller and the SetTime action
  • 11. Broken Access Control Policy-based authorization: A policy-based security model decouples authorization and application logic and provides a flexible, reusable and extensible security model in ASP.NET Core. The policy-based security model is centered on three main concepts. These include policies, requirements, and handlers. An authorization policy consists of one or more requirements. It's registered as part of the authorization service configuration, in the Startup.ConfigureServices method: In the above example, an "AtLeast21" policy is created. It has a single requirement—that of a minimum age, which is supplied as a parameter to the requirement. An authorization handler is responsible for the evaluation of a requirement's properties. The authorization handler evaluates the requirements against a provided AuthorizationHandlerContext to determine if access is allowed.
  • 12. Broken Access Control Applying the Policy: Once the policy has been registered, you can apply the policy in your controller or the controller’s action methods. If you were to apply the policy at the controller level, here’s how you would need to specify the policy. [Authorize(Policy = “AtLeast21”)] public class SecurityController: Controller { //Action methods } As you can see, instead of specifying roles in the [Authorize] attribute, you can specify the policy that you would like to apply. To apply a policy to an action method, you can take advantage of the Policy property of the Authorize attribute as shown in the code.
  • 13. Broken Access Control Claims Based Authorization: Claims based authorization, at its simplest, checks the value of a claim and allows access to a resource based upon that value. For example if you want access to a night club the authorization process might be: The door security officer would evaluate the value of your date of birth claim and whether they trust the issuer (the driving license authority) before granting you access. First you need to build and register the policy. This takes place as part of the Authorization service configuration, which normally takes part in ConfigureServices() in your Startup.cs file. In this case the EmployeeOnly policy checks for the presence of an EmployeeNumber claim on the current identity. You then apply the policy using the Policy property on the AuthorizeAttribute attribute to specify the policy name;
  • 14. Broken Access Control You can then apply this policy at the controller level on the AuthorizeAttribute attribute as shown below. [Authorize(Policy = "EmployeeOnly")] public IActionResult SomeMethod() { //Write your code here }
  • 15. Broken Access Control Prevention to IDOR: When you have a resource (object) which can be accessed by a reference (in the sample below this is the id) then you need to ensure that the user is intended to be there.
  • 16. Broken Access Control Remediation:  Invalidate tokens and cookies after logout.  Forced login/logout after a password change.  Server-side resource restriction e.g. directories.  Restrict access to all resources basis roles.  Model access controls should enforce record ownership, rather than accepting that the user can create, read, update, or delete any record.  Disable web server directory listing and ensure file metadata (e.g. .git) and backup files are not present within web roots.  Log access control failures, alert admins when appropriate (e.g. repeated failures).  Rate limit API and controller access to minimize the harm from automated attack tooling.  JWT tokens should be invalidated on the server after logout. Developers and QA staff should include functional access control unit and integration tests.
  • 17. References:  https://owasp.org/www-project-top- ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control  https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Che at_Sheet.html  https://docs.microsoft.com/en- us/aspnet/core/security/authorization/introduction?view=aspnetcore- 3.1  https://cheatsheetseries.owasp.org/cheatsheets/Transaction_Authoriz ation_Cheat_Sheet.html

Editor's Notes

  • #4: Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.