Direct Object Reference – URL tampering: Code Review

Before worrying about direct object reference issues, first check that your controllers and actions are secured at all.

Does every controller have [Authorize(XXX)] applied to it? If not, understand why.

Then, for those controllers missing [Authorize(XXX)], check that each action has [Authorize(XXX)] applied to it. Again, if it is missing, ask why. Does it make sense for that action to support anonymous access?

Also search for [AllowAnonymous] in your *.cs files – again, is it reasonable where it has been applied? Remember that [AllowAnonymous] on an action overrides an [Authorize] on the controller.

At this point you can at least be confident that everything that requires authorisation has it applied. Bear in mind that a bare [Authorize] only proves the caller is logged in; it says nothing about which records that caller may touch, which is what the rest of this post is about.
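The three checks above are easy to do once with a text search and easy to lose as the code base grows. One way to keep them enforced is a reflection test over the web assembly. The following is an added example, not code from the original post: it assumes ASP.NET MVC 5 (System.Web.Mvc), xUnit as the test framework, and a HomeController type living in the assembly under review; all three are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;
using Xunit;   // assumption: xUnit is the project's test framework

// Walks every concrete controller in the web assembly and reports actions that
// are reachable with no [Authorize] on the class or on the method, unless they
// are explicitly [AllowAnonymous]. The [AllowAnonymous] endpoints are listed
// separately so a reviewer can confirm each one really is meant to be public.
public static class AuthorizationCoverage
{
    public sealed class Report
    {
        public List<string> Unprotected { get; } = new List<string>();
        public List<string> Anonymous { get; } = new List<string>();
    }

    public static Report Audit(Assembly webAssembly)
    {
        var report = new Report();

        var controllers = webAssembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract);

        foreach (var controller in controllers)
        {
            // inherit: true so an [Authorize] on a shared base controller counts.
            bool classAuthorized = controller.IsDefined(typeof(AuthorizeAttribute), inherit: true);
            bool classAnonymous  = controller.IsDefined(typeof(AllowAnonymousAttribute), inherit: true);

            foreach (var action in ActionMethods(controller))
            {
                string name = controller.Name + "." + action.Name;
                bool actionAuthorized = action.IsDefined(typeof(AuthorizeAttribute), inherit: true);
                bool anonymous = classAnonymous
                              || action.IsDefined(typeof(AllowAnonymousAttribute), inherit: true);

                if (anonymous)
                    report.Anonymous.Add(name);      // review item: should this be public?
                else if (!classAuthorized && !actionAuthorized)
                    report.Unprotected.Add(name);    // finding: no [Authorize] anywhere on the path
            }
        }
        return report;
    }

    // Approximates MVC's own action discovery: public instance methods declared on
    // a Controller subclass, excluding property accessors and [NonAction] methods.
    private static IEnumerable<MethodInfo> ActionMethods(Type controller)
    {
        return controller.GetMethods(BindingFlags.Public | BindingFlags.Instance)
            .Where(m => m.DeclaringType.IsSubclassOf(typeof(Controller))
                     && !m.IsSpecialName
                     && !m.IsDefined(typeof(NonActionAttribute), inherit: true));
    }
}

public class AuthorizationCoverageTests
{
    [Fact]
    public void EveryActionIsAuthorizedOrExplicitlyAnonymous()
    {
        // Assumption: HomeController is a controller in the web assembly under review.
        var report = AuthorizationCoverage.Audit(typeof(HomeController).Assembly);

        Assert.True(report.Unprotected.Count == 0,
            "Actions with no [Authorize]: " + string.Join(", ", report.Unprotected));
    }
}
```

Two caveats. If the application registers a global filter (filters.Add(new AuthorizeAttribute()) in FilterConfig), every action is already authorised by default and the only list worth reading is Anonymous. And a passing test still only proves authentication coverage: an [Authorize] with no roles admits any logged-in user, so the per-record checks below are still required.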

Next, think about what data is segregated and how it is segregated.

  • Do you have user profiles? Presumably a user should not be able to view or edit someone else's profile.
  • Do you have the concept of an organisation? Presumably a user in one organisation should not be able to see data belonging to another organisation.
  • Is it a multi-tenant system? Then every tenant's data must be isolated from every other tenant's.
  • And so on.

Once this exercise is complete, look for the code that checks access rights at each of those boundaries. Also note that certain operations may only be available depending on a record's state. The code in your action should look something like the following.

    public ActionResult CompanyOrder(int id)
    {
        // First check the user is allowed to see the record. Check against the
        // database that the user has access; if not, throw an exception or
        // return HttpNotFound() or similar.
        CheckUserCanAccessOrder(User.Identity.Name, id);

        // Second check the order is in the correct status for the action. Perhaps
        // only orders that are "Open" can be accessed via CompanyOrder; if not,
        // throw an exception or return HttpNotFound() or similar.
        CheckOrderOpen(id);

        // Now get the order and return the correct view.
        var order = GetOrder(id);
        return View(order);
    }

The POST logic is much the same, except that you will also want to check that the model is valid. Repeat the access and state checks on the POST too: the id posted back in the form is just as easy to tamper with as the one in the URL.

At least now, if someone tampers with an id in a URL they get an error page rather than someone else's data.
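Putting the GET and POST halves together, here is one way the CompanyOrder action can look with the ownership check, the state check and model validation in place. This is an added example rather than the post's own code; the Order, IOrderRepository and OrderEditModel types are hypothetical, and it assumes ASP.NET MVC 5 with a dependency resolver registered so the controller can take its repository in the constructor.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Hypothetical domain types; the post does not define any of these.
public class Order
{
    public int Id { get; set; }
    public int CompanyId { get; set; }
    public string Status { get; set; }   // "Open", "Closed", ...
    public string Notes { get; set; }
}

public interface IOrderRepository
{
    // Returns the order only if it belongs to a company the user is a member of,
    // otherwise null. Ownership is part of the query, not a separate lookup.
    Order FindForUser(int orderId, string userName);
    void Save(Order order);
}

// The edit model exposes only the fields a user may change. Status and CompanyId
// are deliberately absent so they cannot be over-posted.
public class OrderEditModel
{
    public int Id { get; set; }
    [Required, StringLength(500)]
    public string Notes { get; set; }
}

[Authorize]
public class OrdersController : Controller
{
    private readonly IOrderRepository _orders;

    // Assumption: a dependency resolver supplies IOrderRepository.
    public OrdersController(IOrderRepository orders) { _orders = orders; }

    // Ownership check first, then state check. Both failures map to the same
    // null result so a tampered id learns nothing about orders the caller
    // cannot see, not even whether they exist.
    private Order LoadOpenOrderForCaller(int id)
    {
        var order = _orders.FindForUser(id, User.Identity.Name);
        if (order == null) return null;                 // not the caller's order, or no such order
        return order.Status == "Open" ? order : null;   // right owner, wrong state for this action
    }

    [HttpGet]
    public ActionResult CompanyOrder(int id)
    {
        var order = LoadOpenOrderForCaller(id);
        if (order == null) return HttpNotFound();
        return View(new OrderEditModel { Id = order.Id, Notes = order.Notes });
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult CompanyOrder(OrderEditModel model)
    {
        if (!ModelState.IsValid) return View(model);

        // Repeat the checks on POST: the id in the form is as untrusted as the one in the URL.
        var order = LoadOpenOrderForCaller(model.Id);
        if (order == null) return HttpNotFound();

        order.Notes = model.Notes;   // copy only the fields the caller is allowed to change
        _orders.Save(order);
        return RedirectToAction("CompanyOrder", new { id = order.Id });
    }
}
```

The important design choice is that FindForUser takes the user as a parameter, so the ownership condition lives in the query rather than in a check that a later developer can forget. With Entity Framework that implementation is a single expression along the lines of `db.Orders.FirstOrDefault(o => o.Id == orderId && o.Company.Members.Any(m => m.UserName == userName))`; a repository with a plain `Find(int id)` method is the thing to flag in review, because every caller then has to remember to do the check itself.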
