Working as a security consultant on many time-bound projects, I found that the most reliable way to achieve a higher rate of successfully identified vulnerabilities is to review the source code. Source code review is a far more effective way than black-box testing if you know the tactics and methods. In addition, mapping each case you find and preparing a black-box method solution to identify vulnerabilities can help you create your own methodology to search for the issues.
This time I will explain how to look for broken access controls and Insecure Direct Object References (IDORs) in .NET applications by walking through the source code.
This blog post is based on the research made by Yurii Sanin
Most of .NET applications have the Model-View-Controller (MVC) architecture design. MVC is a design pattern used to decouple user-interface (view), data (model), and application logic (controller). As a user of the web application you directly communicate with the controllers by executing GET, POST, PUT... HTTP request:
POST /Account/UpdateInfo HTTP/1.1
Host: domain.com
Content-Type: application/x-www-form-urlencoded
Cookie: __RequestVerificationToken=Value1; ASP.NET_SessionId=Value2; .ASPXAUTH=Value3
Content-Length: 647
firstName=Pavel&secondName=Shabarkin
Where the /Account is the name of the controller and /UpdateInfo is the public action of the controller (class). All public functions within the controller are accessible for an authenticated user from the web application (except naming with prefixed underscore such as: _updateInfo).
Here is a pseudocode to demonstrate how the information from the HTTP request (relates to the code in the application) correlates with the code in the application:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
namespace ApplicationMvc.Controllers {
[Authorize]
public class AccountController : Controller {
[HttpPost]
public ActionResult UpdateInfo(FormCollection collection){
}
}
}
For more details, you can check the official .NET documentation:
The authorization model in the .NET framework is quite a big topic to cover in one article. The .NET framework develops several different ways to implement the authorization (today we focus on the simple authorization model):