Defending Broken Access Control in .NET
By Supriya Golla, Senior Cyber Security Analyst
What will be covered?
Broken Access control
Difference between Authentication and Authorization
Example for Authentication and Authorization
Improper Authorization Consequences
Access control policy types
Implementing policy in .NET
Prevention of IDOR
Remediation for Authorization
References
Broken Access Control
Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others. Authorization is the process by which a server determines whether the client has permission to use a resource or access a file.
• These checks are performed after authentication and govern what ‘authorized’ users are allowed to do.
• Access control sounds like a simple problem but is insidiously difficult to implement correctly.
• A web application’s access control model is closely tied to the content and functions that the site provides.
• Attackers can exploit these flaws to reach unauthorized functionality and/or data, such as accessing other users’ accounts, viewing sensitive files, modifying other users’ data, changing access rights, etc.
What are Authentication and Authorization?
Authentication verifies the identity of a user, based on one or more factors:
 What You Know
 What You Have
 What You Are
Authorization is the process of determining whether the authenticated user has access to the specific resources.
Authentication and Authorization Difference Using an Example:
• Authentication should be used whenever you want to know exactly who is using or viewing your site. Web login is the university’s primary method of authentication: students, professors and administrators need to authenticate to view university information.
• Authorization should be used whenever you want to control viewer access to certain pages. For example, university students are not authorized to view certain web pages dedicated to professors and administration. The authorization requirements for a site are typically defined in the website’s web.config file.
Authorization verifies your rights in order to grant you access to resources such as information, databases, files, etc. It usually comes after authentication: authentication confirms who you are, and authorization then confirms what you are permitted to do. In simple terms, it is like giving someone official permission to do something.
Improper Authorization Consequences:
• Privilege Escalation
• Path Traversal
• Sensitive data exposure
• Insecure Direct Object Reference (IDOR) vulnerabilities
Authorization is designed around an access control policy. The common policy types are:
• Role-Based Access Control (RBAC): In RBAC, access decisions are based on an individual's roles and responsibilities within the organization or user base. For instance, in a medical organization, the different roles of users may include doctor, nurse, attendant, patient, etc. Obviously, these members require different levels of access in order to perform their functions, but the types of web transactions and their allowed context also vary greatly depending on the security policy and any relevant regulations (HIPAA, Gramm-Leach-Bliley, etc.).
• Discretionary Access Control (DAC): DAC is a means of restricting access to information based on the identity of users and/or membership in certain groups. Access decisions are typically based on the authorizations granted to a user based on the credentials presented at the time of authentication (username, password, hardware/software token, etc.).
• Mandatory Access Control (MAC): MAC ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. MAC secures information by assigning sensitivity labels to information and comparing them to the level of sensitivity a user is operating at. MAC is usually appropriate for extremely secure systems, including multilevel secure military applications or mission-critical data applications.
• Permission-Based Access Control: The key concept in permission-based access control is the abstraction of application actions into a set of permissions. A permission may be represented simply as a string-based name, for example "READ". Access decisions are made by checking whether the current user has the permission associated with the requested application action.
Authorization implementation in ASP.NET:
ASP.NET Core authorization provides the following models:
• Simple authorization
• Role-based authorization
• Policy-based authorization
• Claims-based authorization
Simple authorization:
Authorization in MVC is controlled through the [Authorize] attribute (AuthorizeAttribute) and its various parameters. At its simplest, applying [Authorize] to a controller or action limits access to that controller or action to any authenticated user.
• Authorization components, including the AuthorizeAttribute and AllowAnonymousAttribute attributes, are found in the Microsoft.AspNetCore.Authorization namespace.
• Applying [Authorize] to the AccountController and [AllowAnonymous] to its Login action allows only authenticated users into the AccountController, except for the Login action, which is accessible by everyone regardless of their authenticated, unauthenticated or anonymous status.
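The controller described above, written out as an added example (it is not code from the deck), together with the middleware wiring that [Authorize] depends on. AccountController, the cookie scheme and the /Account/Login path are illustrative assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// [Authorize] with no parameters: every action requires an authenticated user.
// Anonymous callers are challenged (for cookie auth, redirected to the login page).
[Authorize]
public class AccountController : Controller
{
    // The login page must stay reachable without a session, so it opts out.
    // Pitfall: put [AllowAnonymous] on actions only. On the controller it would
    // switch off [Authorize] for every action, including Logout below.
    [AllowAnonymous]
    [HttpGet]
    public IActionResult Login() => View();

    // Covered by the controller-level [Authorize]; no annotation needed.
    // POST plus anti-forgery token, so a cross-site GET cannot log the user out.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return RedirectToAction(nameof(Login));
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                .AddCookie(options => options.LoginPath = "/Account/Login");
        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        // Order matters: authentication populates HttpContext.User, and authorization
        // then evaluates [Authorize] against it. Both sit between UseRouting and
        // UseEndpoints; without UseAuthorization there is no middleware to enforce
        // the attributes (ASP.NET Core 3.x reports this as an error at request time).
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

A quick check when reviewing a .NET project for this class of bug is to grep for [AllowAnonymous] on controller classes and to confirm that app.UseAuthorization() appears after app.UseAuthentication() in Startup.Configure.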
Role-based authorization:
Role-based authorization is a declarative way to restrict access to resources. You specify the roles that the current user must be a member of to access a given resource. The Authorize attribute, through its Roles property, restricts access to resources based on roles; it is a declarative attribute that can be applied to a controller or an action method.
When the Authorize attribute on a controller names the Administrator and PowerUser roles, members of either role can access the controller and its SetTime action.
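An added example (not the deck's own code) of the Administrator/PowerUser controller just described, showing how comma-separated roles, stacked attributes and an imperative User.IsInRole check combine. ControlPanelController and its action names are assumptions.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Comma-separated roles are OR'ed: a member of EITHER role can reach every action
// in this controller unless an action narrows the rule further.
[Authorize(Roles = "Administrator,PowerUser")]
public class ControlPanelController : Controller
{
    // Inherits the controller-level rule: Administrator or PowerUser.
    public IActionResult SetTime() => Content("clock updated");

    // A second [Authorize] on the action is AND'ed with the controller's attribute,
    // so ShutDown is reachable only by a caller who satisfies both, i.e. an Administrator.
    [Authorize(Roles = "Administrator")]
    public IActionResult ShutDown() => Content("shutting down");

    // Imperative check for decisions that cannot be expressed declaratively.
    // User.IsInRole reads the role claims (ClaimTypes.Role) of the signed-in principal.
    public IActionResult Report(bool includeSalaries)
    {
        if (includeSalaries && !User.IsInRole("Administrator"))
            return Forbid();   // 403 for an authenticated but unauthorized caller
        return Content(includeSalaries ? "full report" : "summary report");
    }
}
```

Role names in the attribute must match the role claim values issued at sign-in exactly; a mismatch does not fail loudly, it silently denies access, which is easy to miss in testing but safe by default.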
Policy-based authorization:
A policy-based security model decouples authorization from application logic and provides a flexible, reusable and extensible security model in ASP.NET Core. The model is centered on three main concepts: policies, requirements, and handlers.
An authorization policy consists of one or more requirements. It is registered as part of the authorization service configuration, in the Startup.ConfigureServices method.
In this example, an "AtLeast21" policy is created. It has a single requirement, that of a minimum age, which is supplied as a parameter to the requirement.
An authorization handler is responsible for evaluating a requirement's properties. The handler evaluates the requirements against a provided AuthorizationHandlerContext to determine whether access is allowed.
Applying the Policy:
Once the policy has been registered, you can apply it in your controller or in the controller’s action methods. If you apply the policy at the controller level, this is how you specify it:
[Authorize(Policy = "AtLeast21")]
public class SecurityController : Controller
{
    // Action methods
}
As you can see, instead of specifying roles in the [Authorize] attribute, you specify the policy that you would like to apply. To apply a policy to an action method, use the Policy property of the Authorize attribute in the same way.
Claims-Based Authorization:
Claims-based authorization, at its simplest, checks the value of a claim and allows access to a resource based on that value. For example, if you want access to a night club, the authorization process might be as follows: the door security officer evaluates the value of your date-of-birth claim and whether they trust its issuer (the driving licence authority) before granting you access.
First you need to build and register the policy. This takes place as part of the authorization service configuration, which normally happens in ConfigureServices() in your Startup.cs file.
In this case the EmployeeOnly policy checks for the presence of an EmployeeNumber claim on the current identity.
You then apply the policy using the Policy property on the AuthorizeAttribute attribute to specify the policy name.
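One added example (not code from the deck) serving both the policy-based section and the claims-based section above: the "AtLeast21" policy built from a custom MinimumAgeRequirement and handler, and the "EmployeeOnly" policy built from RequireClaim, both registered in Startup.ConfigureServices. The trusted issuer URL is a placeholder assumption; the handler checks it because, as the night-club analogy says, the value of a claim only matters if you trust who issued it.

```csharp
using System;
using System.Globalization;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Requirement: a plain data object describing what the policy demands.
public class MinimumAgeRequirement : IAuthorizationRequirement
{
    public int MinimumAge { get; }
    public MinimumAgeRequirement(int minimumAge) => MinimumAge = minimumAge;
}

// Handler: evaluates the requirement against the current principal.
public class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    // Placeholder for the identity provider whose claims this application trusts.
    private const string TrustedIssuer = "https://idp.example.invalid";

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MinimumAgeRequirement requirement)
    {
        // Only a date-of-birth claim from the trusted issuer counts; a self-asserted
        // or foreign-issued claim is ignored exactly as the door officer would ignore
        // a licence from an authority they do not recognise.
        var dobClaim = context.User.FindFirst(c =>
            c.Type == ClaimTypes.DateOfBirth && c.Issuer == TrustedIssuer);
        if (dobClaim == null)
            return Task.CompletedTask;   // no Succeed() call: the policy stays unmet

        if (!DateTime.TryParse(dobClaim.Value, CultureInfo.InvariantCulture,
                               DateTimeStyles.None, out var birthDate))
            return Task.CompletedTask;   // malformed claim value: deny, do not throw

        var today = DateTime.Today;
        int age = today.Year - birthDate.Year;
        if (birthDate.Date > today.AddYears(-age)) age--;   // birthday not yet reached

        if (age >= requirement.MinimumAge)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();
        services.AddAuthorization(options =>
        {
            // Policy-based: one requirement, evaluated by MinimumAgeHandler.
            options.AddPolicy("AtLeast21", policy =>
                policy.Requirements.Add(new MinimumAgeRequirement(21)));

            // Claims-based: built-in requirement that the claim merely be present.
            options.AddPolicy("EmployeeOnly", policy =>
                policy.RequireClaim("EmployeeNumber"));
        });

        // Handlers are resolved from DI; singleton is fine because this one holds no state.
        services.AddSingleton<IAuthorizationHandler, MinimumAgeHandler>();
    }
}
```

Note that the handler never calls context.Fail(): returning without Succeed() is enough for the policy to deny, and leaving Fail() out lets another registered handler for the same requirement grant access through a different route if the design calls for one.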
You can then apply this policy at the controller level on the AuthorizeAttribute attribute as shown
below.
[Authorize(Policy = "EmployeeOnly")]
public IActionResult SomeMethod()
{
//Write your code here
}
Prevention of IDOR:
When a resource (object) is reached through a client-supplied reference (typically an id in the URL or request body), you must verify on the server that the current user is actually allowed to access that particular object, not merely that they are authenticated.
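The "object reached by id" case from the paragraph above, as an added example that is not part of the deck: the same action written the insecure way and the hardened way. Invoice, IInvoiceRepository and the two sample rows are constructed for illustration; the hardened action also shows the "enforce record ownership" and "log access control failures" items from the remediation list.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

public class Invoice
{
    public int Id { get; set; }
    public string OwnerId { get; set; }   // subject (NameIdentifier claim) of the owner
    public string Body { get; set; }
}

public interface IInvoiceRepository
{
    Task<Invoice> FindAsync(int id);
}

// Constructed in-memory data: invoice 1 belongs to "alice", invoice 2 to "bob".
public class InMemoryInvoiceRepository : IInvoiceRepository
{
    private readonly Dictionary<int, Invoice> _rows = new Dictionary<int, Invoice>
    {
        [1] = new Invoice { Id = 1, OwnerId = "alice", Body = "Alice's invoice" },
        [2] = new Invoice { Id = 2, OwnerId = "bob",   Body = "Bob's invoice" },
    };

    public Task<Invoice> FindAsync(int id) =>
        Task.FromResult(_rows.TryGetValue(id, out var invoice) ? invoice : null);
}

[ApiController]
[Authorize]   // authentication says who the caller is, not which invoices they may read
public class InvoicesController : ControllerBase
{
    private readonly IInvoiceRepository _repo;
    private readonly ILogger<InvoicesController> _log;

    public InvoicesController(IInvoiceRepository repo, ILogger<InvoicesController> log)
    {
        _repo = repo;
        _log = log;
    }

    // VULNERABLE (IDOR): the id comes straight from the URL and is never tied to the
    // caller, so any signed-in user can read any invoice by changing the number.
    [HttpGet("invoices-unsafe/{id}")]
    public async Task<IActionResult> GetUnsafe(int id)
    {
        var invoice = await _repo.FindAsync(id);
        return invoice == null ? NotFound() : Ok(invoice);
    }

    // FIXED: load the object, then enforce record ownership against the server-side
    // identity (the NameIdentifier claim), never against anything the client sent.
    [HttpGet("invoices/{id}")]
    public async Task<IActionResult> Get(int id)
    {
        var invoice = await _repo.FindAsync(id);
        if (invoice == null)
            return NotFound();

        var callerId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (callerId == null || invoice.OwnerId != callerId)
        {
            // Log the failure so repeated probing of ids can be alerted on, and answer
            // 404 rather than 403 so the response does not confirm which ids exist.
            // Forbid() is an equally valid choice if the ids are not considered sensitive.
            _log.LogWarning("Access control failure: user {UserId} requested invoice {InvoiceId}",
                            callerId, id);
            return NotFound();
        }
        return Ok(invoice);
    }
}
```

An equivalent and often simpler design is to scope the query itself to the caller (for example a repository method that takes both the id and the owner id), so that a record belonging to someone else is never loaded at all; the explicit check above is shown because it makes the missing step in the vulnerable version visible.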
Remediation:
 Invalidate tokens and cookies after logout.
 Force login/logout after a password change.
 Restrict resources server-side, e.g. directories.
 Restrict access to all resources based on roles.
 Model access controls should enforce record ownership, rather than accepting that the user can create, read, update, or delete any record.
 Disable web server directory listing and ensure file metadata (e.g. .git) and backup files are not present within web roots.
 Log access control failures and alert admins when appropriate (e.g. repeated failures).
 Rate limit API and controller access to minimize the harm from automated attack tooling.
 JWT tokens should be invalidated on the server after logout.
 Developers and QA staff should include functional access control unit and integration tests.
References:
 https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control
 https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html
 https://docs.microsoft.com/en-us/aspnet/core/security/authorization/introduction?view=aspnetcore-3.1
 https://cheatsheetseries.owasp.org/cheatsheets/Transaction_Authorization_Cheat_Sheet.html
Thank You!!!

More Related Content

What's hot

Data Entitlement with WSO2 Enterprise Middleware Platform
Data Entitlement with WSO2 Enterprise Middleware PlatformData Entitlement with WSO2 Enterprise Middleware Platform
Data Entitlement with WSO2 Enterprise Middleware PlatformWSO2
 
Data base security
Data base securityData base security
Data base securitySara Nazir
 
2010 db security
2010 db security2010 db security
2010 db securityWayne Evans
 
security and privacy in dbms and in sql database
security and privacy in dbms and in sql databasesecurity and privacy in dbms and in sql database
security and privacy in dbms and in sql databasegourav kottawar
 
10 Steps to Better Windows Privileged Access Management
10 Steps to Better Windows Privileged Access Management10 Steps to Better Windows Privileged Access Management
10 Steps to Better Windows Privileged Access ManagementBeyondTrust
 
Profiles and permission sets in salesforce
Profiles and permission sets in salesforceProfiles and permission sets in salesforce
Profiles and permission sets in salesforceSunil kumar
 
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM csandit
 
Intro To Access Controls
Intro To Access ControlsIntro To Access Controls
Intro To Access ControlsHari Pudipeddi
 
01 database security ent-db
01  database security ent-db01  database security ent-db
01 database security ent-dbuncleRhyme
 
White Paper, The Basics Of Data Security
White Paper, The Basics Of Data SecurityWhite Paper, The Basics Of Data Security
White Paper, The Basics Of Data SecurityDan O'Dea
 
Security For Application Development
Security For Application DevelopmentSecurity For Application Development
Security For Application Development6502programmer
 
Database security copy
Database security   copyDatabase security   copy
Database security copyfika sweety
 
Dbms ii mca-ch12-security-2013
Dbms ii mca-ch12-security-2013Dbms ii mca-ch12-security-2013
Dbms ii mca-ch12-security-2013Prosanta Ghosh
 
Certification Authority Monitored Multilevel and Stateful Policy Based Author...
Certification Authority Monitored Multilevel and Stateful Policy Based Author...Certification Authority Monitored Multilevel and Stateful Policy Based Author...
Certification Authority Monitored Multilevel and Stateful Policy Based Author...CSCJournals
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
 Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1... Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...WebStackAcademy
 
Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...
Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...
Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...Aggregage
 
PROACTEYE IDENTITY MANAGEMENT
PROACTEYE IDENTITY MANAGEMENTPROACTEYE IDENTITY MANAGEMENT
PROACTEYE IDENTITY MANAGEMENThardik soni
 
Get Ahead of your Next Security Breach
Get Ahead of your Next Security BreachGet Ahead of your Next Security Breach
Get Ahead of your Next Security BreachAbhishek Sood
 

What's hot (20)

Data Entitlement with WSO2 Enterprise Middleware Platform
Data Entitlement with WSO2 Enterprise Middleware PlatformData Entitlement with WSO2 Enterprise Middleware Platform
Data Entitlement with WSO2 Enterprise Middleware Platform
 
Database modeling and security
Database modeling and securityDatabase modeling and security
Database modeling and security
 
Data base security
Data base securityData base security
Data base security
 
2010 db security
2010 db security2010 db security
2010 db security
 
security and privacy in dbms and in sql database
security and privacy in dbms and in sql databasesecurity and privacy in dbms and in sql database
security and privacy in dbms and in sql database
 
10 Steps to Better Windows Privileged Access Management
10 Steps to Better Windows Privileged Access Management10 Steps to Better Windows Privileged Access Management
10 Steps to Better Windows Privileged Access Management
 
Profiles and permission sets in salesforce
Profiles and permission sets in salesforceProfiles and permission sets in salesforce
Profiles and permission sets in salesforce
 
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
 
Intro To Access Controls
Intro To Access ControlsIntro To Access Controls
Intro To Access Controls
 
01 database security ent-db
01  database security ent-db01  database security ent-db
01 database security ent-db
 
White Paper, The Basics Of Data Security
White Paper, The Basics Of Data SecurityWhite Paper, The Basics Of Data Security
White Paper, The Basics Of Data Security
 
Security For Application Development
Security For Application DevelopmentSecurity For Application Development
Security For Application Development
 
Database security copy
Database security   copyDatabase security   copy
Database security copy
 
Dbms ii mca-ch12-security-2013
Dbms ii mca-ch12-security-2013Dbms ii mca-ch12-security-2013
Dbms ii mca-ch12-security-2013
 
Certification Authority Monitored Multilevel and Stateful Policy Based Author...
Certification Authority Monitored Multilevel and Stateful Policy Based Author...Certification Authority Monitored Multilevel and Stateful Policy Based Author...
Certification Authority Monitored Multilevel and Stateful Policy Based Author...
 
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
 Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1... Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 1...
 
Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...
Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...
Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...
 
Database Security - IK
Database Security - IKDatabase Security - IK
Database Security - IK
 
PROACTEYE IDENTITY MANAGEMENT
PROACTEYE IDENTITY MANAGEMENTPROACTEYE IDENTITY MANAGEMENT
PROACTEYE IDENTITY MANAGEMENT
 
Get Ahead of your Next Security Breach
Get Ahead of your Next Security BreachGet Ahead of your Next Security Breach
Get Ahead of your Next Security Breach
 

Similar to Defending Broken Access Control in .NET (39

information security(authentication application, Authentication and Access Co...
information security(authentication application, Authentication and Access Co...information security(authentication application, Authentication and Access Co...
information security(authentication application, Authentication and Access Co...Zara Nawaz
 
Database Security Concepts | Introduction to Database Security
Database Security Concepts | Introduction to Database SecurityDatabase Security Concepts | Introduction to Database Security
Database Security Concepts | Introduction to Database SecurityRaj vardhan
 
Please describe the process of the Implementation of Role-based access.docx
Please describe the process of the Implementation of Role-based access.docxPlease describe the process of the Implementation of Role-based access.docx
Please describe the process of the Implementation of Role-based access.docxellenj4
 
Access ControlThe term Access Control really alludes to the contr.pdf
Access ControlThe term Access Control really alludes to the contr.pdfAccess ControlThe term Access Control really alludes to the contr.pdf
Access ControlThe term Access Control really alludes to the contr.pdfanandshingavi23
 
Authorization in asp
Authorization in aspAuthorization in asp
Authorization in aspOPENLANE
 
Cm3 secure code_training_1day_access_control
Cm3 secure code_training_1day_access_controlCm3 secure code_training_1day_access_control
Cm3 secure code_training_1day_access_controldcervigni
 
CHAPTER 9 Design Considerations In this chapter you will
CHAPTER 9 Design Considerations In this chapter you willCHAPTER 9 Design Considerations In this chapter you will
CHAPTER 9 Design Considerations In this chapter you willJinElias52
 
Database Management System Security.pptx
Database Management System  Security.pptxDatabase Management System  Security.pptx
Database Management System Security.pptxRoshni814224
 
Enterprise Library 3.0 Policy Injection Applicatoin Block
Enterprise Library 3.0 Policy Injection Applicatoin BlockEnterprise Library 3.0 Policy Injection Applicatoin Block
Enterprise Library 3.0 Policy Injection Applicatoin Blockmcgurk
 
TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTuan Phan
 
Remote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal ThingRemote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal ThingKaren Oliver
 
Using Custom Permissions to Simplify Security
Using Custom Permissions to Simplify SecurityUsing Custom Permissions to Simplify Security
Using Custom Permissions to Simplify SecurityDaniel Peter
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2Jim Manico
 

Similar to Defending Broken Access Control in .NET (39 (20)

S5-Authorization
S5-AuthorizationS5-Authorization
S5-Authorization
 
information security(authentication application, Authentication and Access Co...
information security(authentication application, Authentication and Access Co...information security(authentication application, Authentication and Access Co...
information security(authentication application, Authentication and Access Co...
 
Database Security Concepts | Introduction to Database Security
Database Security Concepts | Introduction to Database SecurityDatabase Security Concepts | Introduction to Database Security
Database Security Concepts | Introduction to Database Security
 
Please describe the process of the Implementation of Role-based access.docx
Please describe the process of the Implementation of Role-based access.docxPlease describe the process of the Implementation of Role-based access.docx
Please describe the process of the Implementation of Role-based access.docx
 
Dit yvol5iss38
Dit yvol5iss38Dit yvol5iss38
Dit yvol5iss38
 
Access ControlThe term Access Control really alludes to the contr.pdf
Access ControlThe term Access Control really alludes to the contr.pdfAccess ControlThe term Access Control really alludes to the contr.pdf
Access ControlThe term Access Control really alludes to the contr.pdf
 
Authorization in asp
Authorization in aspAuthorization in asp
Authorization in asp
 
Cm3 secure code_training_1day_access_control
Cm3 secure code_training_1day_access_controlCm3 secure code_training_1day_access_control
Cm3 secure code_training_1day_access_control
 
CHAPTER 9 Design Considerations In this chapter you will
CHAPTER 9 Design Considerations In this chapter you willCHAPTER 9 Design Considerations In this chapter you will
CHAPTER 9 Design Considerations In this chapter you will
 
Database Management System Security.pptx
Database Management System  Security.pptxDatabase Management System  Security.pptx
Database Management System Security.pptx
 
SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure web
 
SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7
 
4_5949547032388570388.ppt
4_5949547032388570388.ppt4_5949547032388570388.ppt
4_5949547032388570388.ppt
 
Enterprise Library 3.0 Policy Injection Applicatoin Block
Enterprise Library 3.0 Policy Injection Applicatoin BlockEnterprise Library 3.0 Policy Injection Applicatoin Block
Enterprise Library 3.0 Policy Injection Applicatoin Block
 
TrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security AuthorizationTrustedAgent FedRAMP Security Authorization
TrustedAgent FedRAMP Security Authorization
 
Remote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal ThingRemote Access Policy Is A Normal Thing
Remote Access Policy Is A Normal Thing
 
SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security concepts
 
Using Custom Permissions to Simplify Security
Using Custom Permissions to Simplify SecurityUsing Custom Permissions to Simplify Security
Using Custom Permissions to Simplify Security
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
 
Iss lecture 6
Iss lecture 6Iss lecture 6
Iss lecture 6
 

Recently uploaded

Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsMehedi Hasan Shohan
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 

Recently uploaded (20)

Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
 
Salesforce Certified Field Service Consultant

Defending Broken Access Control in .NET

1. Defending Broken Access Control in .NET
By Supriya Golla, Senior Cyber Security Analyst
2. What will be covered?
• Broken Access Control
• Difference between Authentication and Authorization
• Example for Authentication and Authorization
• Improper Authorization Consequences
• Access control policy types
• Implementing policy in .NET
• Prevention of IDOR
• Remediation for Authorization
• References
3. Broken Access Control
Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others. Authorization is a process by which a server determines if the client has permission to use a resource or access a file.
• These checks are performed after authentication and govern what ‘authorized’ users are allowed to do.
• Access control sounds like a simple problem but is insidiously difficult to implement correctly.
• A web application’s access control model is closely tied to the content and functions that the site provides.
• Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users’ accounts, viewing sensitive files, modifying other users’ data, changing access rights, etc.
4. Broken Access Control
What is Authentication and Authorization:
Authentication establishes who the user is, based on one or more factors:
• What You Know
• What You Have
• What You Are
Authorization is the process to determine whether the authenticated user has access to the specific resources.
5. Broken Access Control
Authentication and Authorization Difference Using Example:
• Authentication should be used whenever you want to know exactly who is using or viewing your site. Web-login is the University’s primary method of authentication. Students, professors and administrators need to authenticate to view the university information.
• Authorization should be used whenever you want to control viewer access to certain pages. For example, University students are not authorized to view certain web pages dedicated to professors and administration. The authorization requirements for a site are typically defined in the website’s web.config file.
Authorization verifies your rights in order to grant you access to resources such as information, databases, files, etc. Authorization usually comes after authentication and confirms which actions you are privileged to perform. In simple terms, it’s like giving someone official permission to do something.
6. Broken Access Control
Improper Authorization Consequences:
• Privilege Escalation
• Path Traversal
• Sensitive data exposure
• Presence of Insecure Direct Object Reference (IDOR) vulnerabilities
7. Broken Access Control
Authorization is designed based on an access control policy:
• Role Based Access Control (RBAC): In RBAC, access decisions are based on an individual's roles and responsibilities within the organization or user base. For instance, in a medical organization, the different roles of users may include those such as a doctor, nurse, attendant, patients, etc. Obviously, these members require different levels of access in order to perform their functions, but also the types of web transactions and their allowed context vary greatly depending on the security policy and any relevant regulations (HIPAA, Gramm-Leach-Bliley, etc.).
• Discretionary Access Control (DAC): DAC is a means of restricting access to information based on the identity of users and/or membership in certain groups. Access decisions are typically based on the authorizations granted to a user based on the credentials they presented at the time of authentication (username, password, hardware/software token, etc.).
• Mandatory Access Control (MAC): MAC ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. MAC secures information by assigning sensitivity labels to information and comparing this to the level of sensitivity a user is operating at. MAC is usually appropriate for extremely secure systems, including multilevel secure military applications or mission-critical data applications.
• Permission Based Access Control: The key concept in Permission Based Access Control is the abstraction of application actions into a set of permissions. A permission may be represented simply as a string-based name, for example, "READ". Access decisions are made by checking if the current user has the permission associated with the requested application action.
8. Broken Access Control
Authorization implementation in ASP.NET: ASP.NET Core authorization provides the following models:
• Simple authorization
• Role-based authorization
• Policy-based authorization
• Claims-based authorization
9. Broken Access Control
Simple authorization: Authorization in MVC is controlled through the AuthorizeAttribute attribute and its various parameters. At its simplest, applying the AuthorizeAttribute attribute to a controller or action limits access to the controller or action to any authenticated user.
• Authorization components, including the AuthorizeAttribute and AllowAnonymousAttribute attributes, are found in the Microsoft.AspNetCore.Authorization namespace.
• This would allow only authenticated users into the AccountController, except for the Login action, which is accessible by everyone, regardless of their authenticated or unauthenticated / anonymous status.
10. Broken Access Control
Role-based authorization: Role-based authorization is a declarative way to restrict access to resources. You can specify the roles that the current user must be a member of to access a specified resource. The Authorize attribute enables you to restrict access to resources based on roles. It is a declarative attribute that can be applied to a controller or an action method.
In the above code snippet, members of the Administrator role or the PowerUser role can access the controller and the SetTime action.
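The AccountController/Login arrangement of slide 9 and the Administrator/PowerUser controller of slide 10, written out as an added example (not the deck's own snippet); the controller names and the ShutDown action are assumptions made for illustration:

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Simple authorization: [Authorize] on the controller means every action
// requires an authenticated user, whoever they are.
[Authorize]
public class AccountController : Controller
{
    // [AllowAnonymous] overrides the controller-level [Authorize] for this
    // one action, so unauthenticated users can still reach the login page.
    [AllowAnonymous]
    public IActionResult Login() => View();

    // Inherits the controller-level [Authorize]: authenticated users only.
    public IActionResult Profile() => View();
}

// Role-based authorization: a comma-separated Roles list is an OR, so members
// of Administrator OR PowerUser may reach this controller and SetTime.
[Authorize(Roles = "Administrator,PowerUser")]
public class ControlPanelController : Controller
{
    public IActionResult SetTime() => View();

    // A second [Authorize] on an action is ANDed with the controller's: the
    // caller must satisfy both, so only Administrators get here (hypothetical action).
    [Authorize(Roles = "Administrator")]
    public IActionResult ShutDown() => View();
}
```

Role and authentication checks here depend on the identity that UseAuthentication() populated; [AllowAnonymous] bypasses every [Authorize] on that action, so it should never be placed on an action that returns protected data.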
11. Broken Access Control
Policy-based authorization: A policy-based security model decouples authorization and application logic and provides a flexible, reusable and extensible security model in ASP.NET Core. The policy-based security model is centered on three main concepts: policies, requirements, and handlers.
An authorization policy consists of one or more requirements. It is registered as part of the authorization service configuration, in the Startup.ConfigureServices method.
In the above example, an "AtLeast21" policy is created. It has a single requirement, that of a minimum age, which is supplied as a parameter to the requirement. An authorization handler is responsible for the evaluation of a requirement's properties. The authorization handler evaluates the requirements against a provided AuthorizationHandlerContext to determine if access is allowed.
12. Broken Access Control
Applying the Policy: Once the policy has been registered, you can apply the policy in your controller or the controller’s action methods. If you were to apply the policy at the controller level, here’s how you would need to specify the policy:

    [Authorize(Policy = "AtLeast21")]
    public class SecurityController : Controller
    {
        // Action methods
    }

As you can see, instead of specifying roles in the [Authorize] attribute, you can specify the policy that you would like to apply. To apply a policy to an action method, you can take advantage of the Policy property of the Authorize attribute as shown in the code.
13. Broken Access Control
Claims Based Authorization: Claims-based authorization, at its simplest, checks the value of a claim and allows access to a resource based upon that value. For example, if you want access to a night club, the authorization process might be: the door security officer would evaluate the value of your date of birth claim and whether they trust the issuer (the driving license authority) before granting you access.
First you need to build and register the policy. This takes place as part of the Authorization service configuration, which normally happens in ConfigureServices() in your Startup.cs file. In this case the EmployeeOnly policy checks for the presence of an EmployeeNumber claim on the current identity. You then apply the policy using the Policy property on the AuthorizeAttribute attribute to specify the policy name.
14. Broken Access Control
You can then apply this policy at the controller level on the AuthorizeAttribute attribute as shown below.

    [Authorize(Policy = "EmployeeOnly")]
    public IActionResult SomeMethod()
    {
        // Write your code here
    }
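The registration that slides 11 and 13 refer to but the transcript does not show, as an added example rather than the deck's own code: the "AtLeast21" policy with its MinimumAgeRequirement and handler, and the claims-based "EmployeeOnly" policy, both registered in Startup.ConfigureServices. The requirement and handler class names are assumptions, and the date-of-birth claim is assumed to hold a parsable date.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Requirement: a plain data holder; the handler below does the evaluation.
public class MinimumAgeRequirement : IAuthorizationRequirement
{
    public int MinimumAge { get; }
    public MinimumAgeRequirement(int minimumAge) => MinimumAge = minimumAge;
}

public class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MinimumAgeRequirement requirement)
    {
        // Missing or unparsable date of birth: return without Succeed(). Not succeeding
        // denies access; Fail() is reserved for a hard veto of every other handler.
        var dob = context.User.FindFirst(c => c.Type == ClaimTypes.DateOfBirth);
        if (dob == null || !DateTime.TryParse(dob.Value, out var birthDate))
            return Task.CompletedTask;
        var age = DateTime.Today.Year - birthDate.Year;
        if (birthDate > DateTime.Today.AddYears(-age)) age--;   // birthday still ahead this year
        if (age >= requirement.MinimumAge) context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();
        services.AddAuthorization(options =>
        {
            // Policy-based (slide 11): "AtLeast21" carries one MinimumAgeRequirement.
            options.AddPolicy("AtLeast21",
                policy => policy.Requirements.Add(new MinimumAgeRequirement(21)));
            // Claims-based (slide 13): "EmployeeOnly" only needs an EmployeeNumber claim to exist.
            options.AddPolicy("EmployeeOnly", policy => policy.RequireClaim("EmployeeNumber"));
        });
        // Handlers come from DI; an unregistered handler means the policy can never succeed.
        services.AddSingleton<IAuthorizationHandler, MinimumAgeHandler>();
    }
}
```

In Startup.Configure the pipeline must call app.UseAuthentication() and then app.UseAuthorization() between app.UseRouting() and app.UseEndpoints(), otherwise the policies attached to [Authorize(Policy = ...)] are never evaluated for the matched endpoint.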
15. Broken Access Control
Prevention of IDOR: When you have a resource (object) which can be accessed by a reference (in the sample below this is the id), then you need to ensure that the requesting user is actually entitled to that particular object, not merely authenticated.
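An added example of the id-referenced resource described above (not the deck's own sample): the same lookup written first with the IDOR defect and then with record ownership enforced in the query, which is the "enforce record ownership" remediation from slide 16. The Invoice entity, AppDbContext and the EF Core setup are assumptions.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

public class Invoice                  // hypothetical entity
{
    public int Id { get; set; }
    public string OwnerId { get; set; }   // user the record belongs to
    public decimal Amount { get; set; }
}

public class AppDbContext : DbContext    // hypothetical EF Core context
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<Invoice> Invoices { get; set; }
}

[Authorize]
[Route("invoices")]
public class InvoicesController : Controller
{
    private readonly AppDbContext _db;
    public InvoicesController(AppDbContext db) => _db = db;

    // IDOR: the caller is authenticated, but the id is trusted as-is, so any
    // signed-in user can read any invoice by changing the number in the URL.
    [HttpGet("unsafe/{id}")]
    public async Task<IActionResult> GetUnsafe(int id)
    {
        var invoice = await _db.Invoices.FindAsync(id);
        return invoice == null ? NotFound() : Ok(invoice);
    }

    // Fixed: the query is scoped to the caller, so a record that exists but
    // belongs to someone else looks exactly like one that does not exist.
    [HttpGet("{id}")]
    public async Task<IActionResult> Get(int id)
    {
        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId == null) return Forbid();

        var invoice = await _db.Invoices
            .SingleOrDefaultAsync(i => i.Id == id && i.OwnerId == userId);
        return invoice == null ? NotFound() : Ok(invoice);
    }
}
```

Returning NotFound rather than Forbid for another user's record avoids confirming that the id exists; if you want the slide 16 "log access control failures" control as well, log the mismatch server-side before returning the same 404.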
16. Broken Access Control
Remediation:
• Invalidate tokens and cookies after logout.
• Force login/logout after a password change.
• Server-side resource restriction, e.g. directories.
• Restrict access to all resources based on roles.
• Model access controls should enforce record ownership, rather than accepting that the user can create, read, update, or delete any record.
• Disable web server directory listing and ensure file metadata (e.g. .git) and backup files are not present within web roots.
• Log access control failures, and alert admins when appropriate (e.g. repeated failures).
• Rate limit API and controller access to minimize the harm from automated attack tooling.
• JWT tokens should be invalidated on the server after logout.
• Developers and QA staff should include functional access control unit and integration tests.
17. References:
• https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control
• https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html
• https://docs.microsoft.com/en-us/aspnet/core/security/authorization/introduction?view=aspnetcore-3.1
• https://cheatsheetseries.owasp.org/cheatsheets/Transaction_Authorization_Cheat_Sheet.html

Editor's Notes

  1. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.