The access control of an application must be implemented correctly so that access to resources is restricted to authorized entities; otherwise it can lead to vulnerabilities.
Granting the correct permissions to users, applications, groups or roles, and defining the permissions required to access a resource, are
sensitive operations and must therefore be done with care. For instance, only users with the administrator privilege should be authorized to
add or remove the administrator permission of another user.
Ask Yourself Whether
- Permissions granted to an entity (user, application) allow access to information or functionality that this entity does not need.
- Privileges are easily acquired (eg: based on the location of the user or the type of device used, defined by third parties, or granted without requiring approval).
- Inherited permissions, default permissions, or no privileges at all (eg: an anonymous user) are enough to access a protected resource.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
At minimum, an access control system should:
- Use a well-defined access control model like RBAC or ACL.
- Review entities' permissions regularly to remove permissions that are no longer needed.
- Respect the principle of least privilege ("an entity has access only to the information and resources that are necessary for its legitimate purpose").
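The following is an added example (not part of the rule or of SonarSource's own code) showing what the practices above look like in VB.NET using the standard GenericIdentity/GenericPrincipal types: an in-memory role store, deny-by-default for unknown callers, and the sensitive operation from the introduction (changing another user's administrator role) guarded by an explicit role check. The user names, role names, the in-memory store and the module layout are all constructed assumptions for this example.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Linq
Imports System.Security.Principal
Imports System.Threading

' Added example, not the rule's own code: a minimal role-based access check.
' The role store and user names below are constructed sample data.
Module RoleBasedAccessExample

    ' Role required to grant or revoke the administrator role.
    ' Assumption: the application defines exactly one such role.
    Private Const AdminRole As String = "Administrators"

    ' Constructed in-memory role store keyed by user name.
    Private ReadOnly RoleStore As New Dictionary(Of String, HashSet(Of String))(StringComparer.OrdinalIgnoreCase) From {
        {"alice", New HashSet(Of String)({"Administrators", "Users"})},
        {"bob", New HashSet(Of String)({"Users"})}
    }

    ' Builds a principal from the role store. Unknown users get no roles,
    ' so every IsInRole check fails for them (deny by default).
    Public Function BuildPrincipal(userName As String) As IPrincipal
        Dim roles As HashSet(Of String) = Nothing
        If Not RoleStore.TryGetValue(userName, roles) Then
            roles = New HashSet(Of String)()
        End If
        Return New GenericPrincipal(New GenericIdentity(userName), roles.ToArray())
    End Function

    ' The sensitive operation: only a caller in the Administrators role may
    ' change another user's membership in that role. Returns True on success.
    Public Function SetAdministrator(caller As IPrincipal, targetUser As String, grant As Boolean) As Boolean
        ' Explicit checks: the caller must be authenticated and in the required role.
        If caller Is Nothing OrElse caller.Identity Is Nothing OrElse Not caller.Identity.IsAuthenticated Then
            Return False
        End If
        If Not caller.IsInRole(AdminRole) Then
            Return False
        End If
        ' An administrator must not be able to strip their own role by accident.
        If String.Equals(caller.Identity.Name, targetUser, StringComparison.OrdinalIgnoreCase) AndAlso Not grant Then
            Return False
        End If

        Dim roles As HashSet(Of String) = Nothing
        If Not RoleStore.TryGetValue(targetUser, roles) Then
            Return False ' unknown target user: nothing to change
        End If
        If grant Then
            roles.Add(AdminRole)
        Else
            roles.Remove(AdminRole)
        End If
        Return True
    End Function

    Sub Main()
        ' bob lacks the Administrators role, so his request is refused.
        Thread.CurrentPrincipal = BuildPrincipal("bob")
        Console.WriteLine(SetAdministrator(Thread.CurrentPrincipal, "alice", False))

        ' alice holds the Administrators role, so she may promote bob.
        Thread.CurrentPrincipal = BuildPrincipal("alice")
        Console.WriteLine(SetAdministrator(Thread.CurrentPrincipal, "bob", True))
        Console.WriteLine(BuildPrincipal("bob").IsInRole(AdminRole))

        ' mallory is not in the store at all, so she has no roles and is refused.
        Console.WriteLine(SetAdministrator(BuildPrincipal("mallory"), "bob", True))
    End Sub

End Module
```

The check is deliberately written as "refuse unless every condition holds" rather than "allow unless a condition fails": an unknown caller, an unauthenticated identity, a missing role and a self-demotion each fall through to `Return False`, which is the least-privilege default the practices above ask for. Every entry in `RoleStore` is the kind of granted permission that should be reviewed periodically.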
Sensitive Code Example
```vbnet
Imports System.Collections.ObjectModel
Imports System.IdentityModel.Tokens
Imports System.Security.Claims
Imports System.Security.Permissions
Imports System.Security.Principal
Imports System.Threading
Imports System.Web

Implements IIdentity ' Sensitive, custom IIdentity implementations should be reviewed
Implements IPrincipal ' Sensitive, custom IPrincipal implementations should be reviewed

<System.Security.Permissions.PrincipalPermission(SecurityAction.Demand, Role:="Administrators")> ' Sensitive. The access restrictions enforced by this attribute should be reviewed.
Private Shared Sub CheckAdministrator()

Dim MyIdentity As WindowsIdentity = WindowsIdentity.GetCurrent() ' Sensitive

HttpContext.User = ... ' Sensitive: review all references (set and get) to System.Web HttpContext.User

Dim domain As AppDomain = AppDomain.CurrentDomain
domain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal) ' Sensitive

Dim identity As MyIdentity = New MyIdentity() ' Sensitive
Dim MyPrincipal As MyPrincipal = New MyPrincipal(MyIdentity) ' Sensitive
Thread.CurrentPrincipal = MyPrincipal ' Sensitive
domain.SetThreadPrincipal(MyPrincipal) ' Sensitive

Dim principalPerm As PrincipalPermission = New PrincipalPermission(Nothing, "Administrators") ' Sensitive

Dim handler As SecurityTokenHandler = ...
Dim identities As ReadOnlyCollection(Of ClaimsIdentity) = handler.ValidateToken() ' Sensitive, this creates identities

' Sensitive: review how this function uses the identity and principal.
Private Sub modifyPrincipal(ByVal identity As MyIdentity, ByVal principal As MyPrincipal)
```
This rule is deprecated, and will eventually be removed.