I want to fix an authorization bypass vulnerability in ASP.NET

Below are the steps done:
The Security Team changed the URL to one accessible to the Admin role after logging in as the Maker role.
After that they changed the HTTP response status code from 302 to 200 OK.
While doing so the application logged out, but the user data is still there, and hence the hacker can access the user details even after logging out.

What I have tried:

I have already set up session checking, and it works if the Admin URL is requested after logging in as Maker. But if the URL is changed to a non-privileged role's page after logging in, and the HTTP response status code is then changed from 302 to 200 OK, the application logs out but the details remain there.
The session is cleared during the log-out button click as below, but the data is still accessible after navigating to the log-out page when the HTTP response code is changed from 302 to 200 OK:
string ReturnPage = "Login.aspx";
string PostBackUrl = FTS_Common.GetMessage("CONSOLE_PAYMENTHUBURL"); // base URL from configuration
PostBackUrl = PostBackUrl + ReturnPage;                              // full login page URL
Session.Abandon();                                                   // end the server-side session
Response.Redirect(PostBackUrl);                                      // send the browser to the login page
Posted
Updated 25-Jul-22 19:08pm

1 solution

You fix the vulnerability by fixing the vulnerable code.

Unfortunately, since you haven't provided any details of your code, nor a clear description of the vulnerability, we can't help you to do that. All we can do is point you to the generic advice on the topic:

A01 Broken Access Control - OWASP Top 10:2021
Comments
Member 7513082 25-Jul-22 23:17pm
I need to prevent the data access that happens after navigating to the log-out page by changing the HTTP response status code from 302 to 200 OK.
In the log-out button click I am doing as below; the session is cleared before redirecting, but the data is still accessed:
string ReturnPage = "Login.aspx";
string PostBackUrl = FTS_Common.GetMessage("CONSOLE_PAYMENTHUBURL");
PostBackUrl = PostBackUrl + ReturnPage;
Session.Abandon();
Response.Redirect(PostBackUrl);
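The following is an added example, not the poster's code or the project's own, written to illustrate the two server-side controls that the question and the comment above both touch on: a logout handler that invalidates the forms-authentication ticket as well as the session (Session.Abandon() on its own leaves the authentication cookie valid), and an authorization check that runs before any protected content is written into the response, so that changing a 302 to a 200 in a proxy reveals nothing the server never sent. FTS_Common.GetMessage and the "CONSOLE_PAYMENTHUBURL" key are taken from the question; the page class, the handler names and the role names "Admin" and "Maker" are assumptions, and the code assumes ASP.NET WebForms with forms authentication.

```csharp
// Added example (not the original poster's code). Assumes ASP.NET WebForms
// with forms authentication. FTS_Common.GetMessage and the
// "CONSOLE_PAYMENTHUBURL" key come from the question; AdminPage, the
// handler names and the role name "Admin" are assumptions.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class AdminPage : Page
{
    // Runs before any control is rendered, so a non-Admin user who requests
    // this URL never gets protected data written into the response body.
    protected void Page_Init(object sender, EventArgs e)
    {
        // Forbid browser and intermediate caching of the protected page, so the
        // back button after logout does not replay a stored copy.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        if (!User.Identity.IsAuthenticated)
        {
            // endResponse = true terminates the response here; nothing further
            // is rendered, so the 302 carries no page content.
            Response.Redirect(FormsAuthentication.LoginUrl, true);
            return;
        }

        if (!User.IsInRole("Admin"))
        {
            // Authenticated but wrong role: refuse with an empty 403 instead of
            // building the page and redirecting afterwards.
            Response.Clear();
            Response.StatusCode = 403;
            Response.End();
        }
    }

    // Logout handler: clear the authentication ticket, the session state and
    // the session cookie, then redirect with an empty, non-cacheable response.
    protected void btnLogout_Click(object sender, EventArgs e)
    {
        string returnPage = "Login.aspx";
        string postBackUrl = FTS_Common.GetMessage("CONSOLE_PAYMENTHUBURL") + returnPage;

        // 1. Invalidate the forms-authentication cookie on the client.
        FormsAuthentication.SignOut();

        // 2. Drop server-side session data and mark the session abandoned.
        Session.Clear();
        Session.Abandon();

        // 3. Expire the session cookie so the same session ID is not reused.
        var sessionCookie = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        };
        Response.Cookies.Add(sessionCookie);

        // 4. Send an empty, non-cacheable redirect and end the response.
        Response.Clear();
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Redirect(postBackUrl, true);
    }
}
```

The same role restriction should also be declared in web.config (an authorization element under a location element for the Admin pages, allowing the Admin role and denying all other users), so that the check is enforced by the framework even for a page whose code-behind forgets it. The point to verify after deploying is that a request to an Admin URL with a Maker session returns a response whose body contains no user data, regardless of what status code an intercepting proxy later rewrites it to.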

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)