Kingdom: Security Features
Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Permission Manipulation
Abstract
Allowing user input to directly alter permissions may enable an attacker to access otherwise protected system resources.
Explanation
Permission manipulation errors occur when an attacker is able to modify a value used in determining permissions within an application.
Example 1: The following code uses input from a file to determine the
In this scenario, if the user is able to control the XML file used to retrieve the data, they control what permissions may be demanded by the system.
Example 1: The following code uses input from a file to determine the
FileIOPermissions required in the application.
...
String permissionsXml = GetPermissionsFromXmlFile();
FileIOPermission perm = new FileIOPermission(PermissionState.None);
perm.FromXml(permissionsXml);
perm.Demand();
...
In this scenario, if the user is able to control the XML file used to retrieve the data, they control what permissions may be demanded by the system.
desc.dataflow.dotnet.permission_manipulation