CRV2 AuthorizationWeaknesses

From OWASP
Revision as of 05:54, 1 August 2013 by EoinKeary (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Authorisation in .NET MVC 4

The usage of filters is recommended when authorisation is being implemented in MVC 4 .NET MVC 3 introduced a method in global.asax called RegisterGlobalFilters.The can be used to DEFAULT DENY access to URL's in the application.


   public static void RegisterGlobalFilters(GlobalFilterCollection filters)
   {
       filters.Add(new HandleErrorAttribute());
       filters.Add(new System.Web.Mvc.AuthorizeAttribute());
   }

Is is recommended when reviewing MVC3/4 .NET to take a look at how authorisation is being implemented. The line above, filters.Add(new System.Web.Mvc.AuthorizeAttribute()); pretty much default denies access to any request without a valid session. If this is implemented we may need to provide unauthorised access to certain pages such as a registration page, public welcome page or a login page. How do we do this?

AllowAnonymous is used to provide access to public pages with no valid session required. The code may look like this:

   [AllowAnonymous]
   public ActionResult LogMeIn(string returnUrl)

One must be careful that the pages which have AllowAnonymous enabled are actually designed for public consumption.