Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
[Authorize]
attribute with the use of an [AllowAnonymous]
attribute at the class or method level.[Authorize]
attribute to a class or a method. Additionally, the specified authorization requirement of an application class or method can be bypassed by adding the [AllowAnonymous]
attribute. When both are specified, the [AllowAnonymous]
attribute takes precedence and bypasses the [Authorize]
attribute. This can result in the arbitrary and anonymous access of sensitive data and actions by an attacker.[AllowAnonymous]
attribute at the class level overriding an [Authorize]
attribute set on the method. The secretAction()
method does not require authorization despite having the [Authorize]
attribute.Example 2: The following example shows the
...
[AllowAnonymous]
public class Authorization_Test
{
[Authorize]
public IActionResult secretAction()
{
}
}
...
[AllowAnonymous]
attribute at the class level of a superclass overriding an [Authorize]
attribute set on the method of a subclass. Due to the inherited class Inherit_AA
having the [AllowAnonymous]
attribute, the secretAction()
method does not require authorization despite specifying the [Authorize]
attribute.Example 3: The following shows the
...
[AllowAnonymous]
public abstract class Inherit_AA
{
}
public class Authorization_Test:Inherit_AA
{
[Authorize]
public IActionResult secretAction()
{
}
}
...
[AllowAnonymous]
attribute overriding an [Authorize]
attribute at the method level with inheritance. Due to the inherited method secretAction()
having the [AllowAnonymous]
attribute, the secretAction()
method does not require authorization despite specifying the [Authorize]
attribute on the overriding method.
...
public abstract class Inherit_AA
{
[AllowAnonymous]
public abstract IActionResult secretAction()
{
}
}
public class Authorization_Test:Inherit_AA
{
[Authorize]
public override IActionResult secretAction()
{
}
}
...
<apex:page controller="accessControl">
<apex:pageBlock >
<apex:pageBlockSection >
<apex:outputText value="Survey Name: "/>
<apex:inputText value="{!surveyName}"/>
</apex:pageBlockSection>
<apex:pageBlockSection >
<apex:outputText value="New Name: "/>
<apex:inputText value="{!newSurveyName}"/>
</apex:pageBlockSection>
<apex:pageBlockSection >
<apex:commandButton value="Update" action="{!updateName}"/>
</apex:pageBlockSection>
</apex:pageBlock>
</apex:page>
public String surveyName { get; set; }
public String newSurveyName { get; set; }
public PageReference updateName() {
Survey__c s = [SELECT Name FROM Survey__c WHERE Name=:surveyName];
s.Name = newSurveyName;
update s;
PageReference page = ApexPages.currentPage();
page.setRedirect(true);
return page;
}
String canned_acl = request.getParameter("acl");
CreateBucketRequest createBucketRequest = CreateBucketRequest.builder()
.bucket("foo")
.acl(canned_acl)
.createBucketConfiguration(CreateBucketConfiguration.builder().locationConstraint(region.id()).build())
.build();
acl
parameter to be selected from a limited set, an attacker can set it to public-read-write
and grant full anonymous access to the bucket.
...
String selectedInvoice = request.getParameter("invoiceDate");
...
AmazonSimpleDBClient sdbc = new AmazonSimpleDBClient(appAWSCredentials);
GetAttributesResult sdbResult = sdbc.getAttributes(new GetAttributesRequest("invoices", selectedInvoice));
...
Example 1
generates a list of invoices that belong to the current user, an attacker might bypass this behavior to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
...
id = this.getIntent().getExtras().getInt("id");
cursor = db.query(Uri.parse(invoices), columns, "id = ? ", {id}, null, null, null);
...
id
. Although the query generates a list of invoice identifiers that belong to the current user, an attacker might bypass this behavior to request any desired invoice. Because the code in this example does not ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.DirectoryEntry de
using an anonymous bind.
...
de = new DirectoryEntry("LDAP://ad.example.com:389/ou=People,dc=example,dc=com");
...
de
will be performed without authentication and access control. An attacker may be able to manipulate one of these queries in an unexpected way to gain access to records that would otherwise be protected by the directory's access control mechanism.ldap_simple_bind_s()
to bind anonymously to an LDAP directory.
...
rc = ldap_simple_bind_s( ld, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
...
}
...
ld
will be performed without authentication and access control. An attacker may be able to manipulate one of these queries in an unexpected way to gain access to records that would otherwise be protected by the directory's access control mechanism.DirContext ctx
using an anonymous bind.
...
env.put(Context.SECURITY_AUTHENTICATION, "none");
DirContext ctx = new InitialDirContext(env);
...
ctx
will be performed without authentication and access control. An attacker may be able to manipulate one of these queries in an unexpected way to gain access to records that would otherwise be protected by the directory's access control mechanism.
...
$ldapbind = ldap_bind ($ldap, $dn, $password = "" );
...