csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*

Anonymous access shouldn't be allowed unless explicit by design. Access control checks are missing and potentially can be bypassed. This finding violates the principle of least privilege or deny by default, where access should only be permitted for a specific set of roles or conforms to a custom policy or users.

Run Locally

Run in CI

Defintion

rules:
  - id: missing-or-broken-authorization
    message: Anonymous access shouldn't be allowed unless explicit by design. Access
      control checks are missing and potentially can be bypassed. This finding
      violates the principle of least privilege or deny by default, where access
      should only be permitted for a specific set of roles or conforms to a
      custom policy or users.
    severity: INFO
    metadata:
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe:
        - "CWE-862: Missing Authorization"
      cwe2021-top25: true
      cwe2022-top25: true
      owasp:
        - A01:2021 - Broken Access Control
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
        - https://cwe.mitre.org/data/definitions/862.html
        - https://docs.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0
      subcategory:
        - vuln
      technology:
        - .net
        - mvc
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - csharp
    patterns:
      - pattern: |
          [AllowAnonymous]
          public class $CLASS : Controller {
            ...
          }
      - pattern-inside: |
          using Microsoft.AspNetCore.Mvc;
          ...
      - pattern-not: |
          [Authorize]
          public class $CLASS : Controller {
            ...
          }
      - pattern-not: |
          [Authorize(Roles = ...)]
          public class $CLASS : Controller {
            ...
          }
      - pattern-not: |
          [Authorize(Policy = ...)]
          public class $CLASS : Controller {
            ...
          }

Examples

missing-or-broken-authorization.cs

using Microsoft.AspNetCore.Mvc;

// ruleid: missing-or-broken-authorization
[AllowAnonymous]
public class AtLeast21Controller : Controller
{
    public IActionResult Index() => View();
}

// ok: missing-or-broken-authorization
[Authorize(Roles = "LegalAdultGroup")]
public class AtLeast21Controller : Controller
{
    public IActionResult Index() => View();
}

// ok: missing-or-broken-authorization
[Authorize(Policy = "AtLeast21")]
public class AtLeast21Controller : Controller
{
    public IActionResult Index() => View();
}