Security Code Review – String Search Patterns For Authorization Vulnerabilities
These are the questions and search criteria I use to identify authorization vulnerabilities in the code itself, beyond what the web.config <authorization> node covers.
- How does the code protect access to page classes?
Attributes
Search for PrincipalPermission attributes. If there is no match, the code does not perform declarative (attribute-based) authorization checks.
findstr /S /I "PrincipalPermission" *.cs
Imperative checks
Search for imperative IsInRole calls (for example User.IsInRole). If there is no match, the code does not perform imperative role checks against the current principal.
findstr /S /I "IsInRole" *.cs
Role Manager
Search for IsUserInRole calls against the Role Manager API (Roles.IsUserInRole). If there is no match, the code does not perform Role Manager authorization checks.
findstr /S /I "IsUserInRole" *.cs
- Does the code use Server.Transfer?
When the code uses Server.Transfer it may improve performance, but it can also open an elevation-of-privilege path: Server.Transfer hands execution to the target page inside the current request, so the target is not re-evaluated against the URL authorization rules that a new request would trigger. More info is here: Performance Gain - Security Risk.
findstr /S /I "Transfer" *.cs
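As an added example that is not part of the original post, the Python script below applies the same three search criteria and the Server.Transfer search to a set of constructed C# code-behind samples, then flags any Server.Transfer target whose code-behind has none of the three checks (the file names, class names and code are constructed for the demonstration).

```python
import re

# Constructed sample C# code-behind files standing in for the *.cs files a review scans.
SAMPLES = {
    "Admin.aspx.cs": '''[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
public partial class Admin : System.Web.UI.Page { }''',
    "Report.aspx.cs": '''public partial class Report : System.Web.UI.Page {
    protected void Page_Load(object s, EventArgs e) {
        if (!User.IsInRole("Manager")) Response.Redirect("~/Denied.aspx"); } }''',
    "Billing.aspx.cs": '''public partial class Billing : System.Web.UI.Page {
    protected void Page_Load(object s, EventArgs e) {
        if (!Roles.IsUserInRole("Finance")) throw new SecurityException(); } }''',
    "Landing.aspx.cs": '''public partial class Landing : System.Web.UI.Page {
    protected void Go_Click(object s, EventArgs e) { Server.Transfer("~/Settings.aspx"); } }''',
    "Settings.aspx.cs": '''public partial class Settings : System.Web.UI.Page { }''',
}

# The three search criteria from the checklist, case-insensitive like findstr /I.
CHECKS = {
    "declarative": re.compile(r"PrincipalPermission", re.I),   # attribute-based
    "imperative": re.compile(r"\bIsInRole\s*\(", re.I),        # principal-based
    "role_manager": re.compile(r"\bIsUserInRole\s*\(", re.I),  # Role Manager API
}
# Server.Transfer with a literal target path; captures the path string.
TRANSFER = re.compile(r'Server\.Transfer\s*\(\s*"([^"]*)"', re.I)

def classify(sources):
    """Map each file name to the set of check kinds its code contains."""
    return {name: {kind for kind, rx in CHECKS.items() if rx.search(code)}
            for name, code in sources.items()}

def unchecked_transfer_targets(sources):
    """List (source file, target path, target code-behind) for Server.Transfer
    calls whose target code-behind has no in-code authorization check. Since the
    transfer stays inside the current request, URL authorization is not
    re-applied to the target, so these are the call sites to review by hand."""
    found = classify(sources)
    hits = []
    for name, code in sources.items():
        for target in TRANSFER.findall(code):
            code_behind = target.rsplit("/", 1)[-1] + ".cs"  # "~/X.aspx" -> "X.aspx.cs"
            if not found.get(code_behind):  # missing file or no check at all
                hits.append((name, target, code_behind))
    return hits

if __name__ == "__main__":
    for f, kinds in classify(SAMPLES).items():
        print(f"{f}: {sorted(kinds) or 'NO AUTHORIZATION CHECK'}")
    for src, target, cb in unchecked_transfer_targets(SAMPLES):
        print(f"{src}: Server.Transfer to {target}; {cb} has no in-code check")
```

Run against a real tree, replace SAMPLES with the contents of each *.cs file; a file reported with no check kinds corresponds to an empty findstr result for all three patterns.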