Click here to Skip to main content
15,901,373 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
I want to fix authorization bypass vulnerability in asp.net

Below are the steps done:
Security Team has changed the URL accessible to Admin Role after logging as Maker Role.
After that they changed the http response status code from 302 to 200 OK.
While doing so application logged out but the user data is still there and hence the hacker can access the user details present even after logging out.

What I have tried:

I have already set session checking and it works if the Admin URL is taken after logging as Maker. But if URL changed to a non privileged Role after logging in and then if the http response status code changed from 302 to 200 OK application logs out but the details remain there.
Session is cleared during the log out button click as below but still data accessed on navigating to log out page by changing the http response code from 302 to 200 OK
string ReturnPage = "Login.aspx";
       string PostBackUrl = FTS_Common.GetMessage("CONSOLE_PAYMENTHUBURL");
       PostBackUrl = PostBackUrl + ReturnPage;
       Session.Abandon();
       Response.Redirect(PostBackUrl);
Posted
Updated 25-Jul-22 19:08pm
v5

1 solution

You fix the vulnerability by fixing the vulnerable code.

Unfortunately, since you haven't provided any details of your code, nor a clear description of the vulnerability, we can't help you to do that. All we can do is point you to the generic advice on the topic:

A01 Broken Access Control - OWASP Top 10:2021[^]
 
Share this answer
 
Comments
Member 7513082 25-Jul-22 23:17pm    
I need to prevent the data access done after navigating to log out page by changing the http response status code from 302 to 200 OK
In the log out button click i am doing as below: session is cleared before redirecting: but still data accessed
string ReturnPage = "Login.aspx";
string PostBackUrl = FTS_Common.GetMessage("CONSOLE_PAYMENTHUBURL");
PostBackUrl = PostBackUrl + ReturnPage;
Session.Abandon();
Response.Redirect(PostBackUrl);

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900