Hello there,

I have built a website and I have found a serious security breach, could you please help me out?

After a successful login, the user clicks on a button on the home page which shows him the list of all the questions he has asked the experts. Now he clicks on any one of the questions, and that question Id is passed as a query string and opens the details of that question on another page. Now the user logs out of the website.

Another user logs into the website successfully. Now he copies the link (which has the question id as a query string) from the browser history and pastes it into a tab, and then he can successfully see the details of that question. The breach here is that the second user can see the details of the question asked by the first user, which must not be allowed. I cannot pass the username & password every time for any request to the database. How do I fix this security breach?

Thanks,
Sumit
Comments
jgakenhe 11-Jun-15 23:22pm    
You probably need to save the username or userID to a Session cookie or other container to manage the state between pages. Then you'll need to display the results of each page by that username or userID, not by the questionID.

Here is a Code Project article that explains State Management in ASP.Net.
Sergey Alexandrovich Kryukov 11-Jun-15 23:51pm    
It does not seem to make any sense. To start with, you need to describe in detail the expected behavior, what a user is supposed to access and what not.
—SA
Sumit Bhargav 12-Jun-15 0:54am    
Hi, thanks for the response.

Suppose after a login I access the following url:

localhost:4870/user.aspx?questionid=123

You can see that the user can access the details of this question id 123.

If I now log in with a different user, and then copy this url from the history, paste it into a tab and press enter, it will still get me the details. But the new user must not be able to see the details because the question was asked by the first user.

The most basic of all security principles is that you authorise that the logged-in user can access any resource they have requested. In your user.aspx page you need to ensure the logged-in user has access to the question referenced in the id. As you are using incremental IDs any user can just try them all randomly, so an extra bit of security would be to use GUIDs rather than ints, but as long as you verify the user has rights to access that question, using ints shouldn't be a problem.
Comments
Sumit Bhargav 12-Jun-15 4:38am    
How do I provide access to the user for every question?
I cannot pass the username and password for every database request.
Thanks
F-ES Sitecore 12-Jun-15 4:55am    
You obviously know which user asked the question as you list the questions asked by the logged-in user, so when you retrieve a question to show, check the person who created the question is the same person as the one logged in, and if not show some kind of "access denied" message.
Hi Sumit,

I think you can have this fixed at the Data Access layer. As you have mentioned, you get the list of questions when the user logs in, so I think you have some relation defined in the user-questions table.

So simply, while getting the question details, just add one more check of whether the provided question id really belongs to the logged-in user or not.

Hope this gives you a heads up.

Regards,
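The check both answers describe (authorising the logged-in user in user.aspx, and making ownership a condition of the data-access query) written out as an added C# example for an ASP.NET Web Forms code-behind; this is not code from the original post. The `Questions` table and its columns, the `Session["UserId"]` convention, the `Db` connection string name and the `TitleLabel`/`BodyLabel` controls are assumptions.

```csharp
// user.aspx.cs (code-behind), ASP.NET Web Forms. Assumed schema: Questions(QuestionId int,
// UserId int, Title, Body) with UserId = the asker; login stores the user's id in Session["UserId"].
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class UserPage : Page
{
    // The original lookup was effectively "WHERE QuestionId = @QuestionId", so anyone who knew
    // or guessed an id got the row. Making ownership part of the query means a row only comes
    // back when the question belongs to the user who is logged in right now.
    public static DataRow LoadQuestionForOwner(SqlConnection conn, int questionId, int ownerUserId)
    {
        const string sql = "SELECT QuestionId, Title, Body FROM Questions " +
                           "WHERE QuestionId = @QuestionId AND UserId = @UserId";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@QuestionId", SqlDbType.Int).Value = questionId;
            cmd.Parameters.Add("@UserId", SqlDbType.Int).Value = ownerUserId;
            var table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table);
            return table.Rows.Count == 1 ? table.Rows[0] : null;
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Identity comes from the server-side session, never from anything in the request.
        if (Session["UserId"] == null) { Response.Redirect("~/login.aspx"); return; }
        int currentUserId = (int)Session["UserId"];
        int questionId; // reject a malformed id before touching the database
        if (!int.TryParse(Request.QueryString["questionid"], out questionId)) { Response.StatusCode = 400; Response.End(); return; }

        string cs = ConfigurationManager.ConnectionStrings["Db"].ConnectionString; // assumed name
        using (var conn = new SqlConnection(cs))
        {
            conn.Open();
            DataRow question = LoadQuestionForOwner(conn, questionId, currentUserId);
            if (question == null)
            {
                // Same reply for "no such question" and "not yours", so ids cannot be probed.
                Response.StatusCode = 404; Response.End(); return;
            }
            TitleLabel.Text = Server.HtmlEncode((string)question["Title"]); // assumed Label controls
            BodyLabel.Text = Server.HtmlEncode((string)question["Body"]);
        }
    }
}
```

The same `AND UserId = @UserId` condition belongs on every query that is reached with an id from the URL (edit, delete, attachments), not only on this page.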

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)