Security Code Review – String Search Patterns For Authorization Vulnerabilities

These are the questions and the search criteria I use to identify authorization vulnerabilities in the code beyond web.config <authorization> node.

  • How does the code protect access to page classes?

Attributes

Search for PrincipalPermission attributes. If there is no match, the code does not perform standard authorization checks.

findstr /S /I "PrincipalPermission" *.cs

Empirical checks

Search for empirical IsInRole calls. If there is no match, the code does not perform standard authorization checks.

findstr /S /I "IsInRole" *.cs

Rolemanager

Search for empirical IsUserInRole calls for Rolemanager API. If there is no match, the code does not perform standard authorization checks.

findstr /S /I "IsUserInRole" *.cs

  • Does the code use Server.Transfer?

When the code uses Server.Transfer it may improve performance but potentially it may pose a threat of elevation of privileges, more info is here Performance Gain - Security Risk

findstr /S /I "Transfer" *.cs