Page security

Discussion in 'ASP .Net Security' started by Jon, Feb 8, 2006.

  1. Jon

    Jon Guest

    Hello all.

    Just after some help with handling page security.

    I'm writing an app that has a number of companies. Each company has a number
    of employees, standard stuff.

    If I have a user who is a member of one company, they can request to see all
    of that company's employees; however, if they hack the query string so that
    the company ID is now not the company ID they belong to, they can see all the
    employees for another company, bad!

    How can this be stopped so that a ' Not enough Permissions' style error
    occurs?

    I'm using forms authentication and have set up the SiteIdentity and
    SitePrincipal objects.

    I'm also interested in any kind of address encryption or masking.

    Thanks all,

    JY
     
    Jon, Feb 8, 2006
    #1
  2. Hi,

    assign roles to your users like "CompanyA"

    do a role check before they access the customer data.

    Set up the roles in AuthenticateRequest - and use Page.User.IsInRole later.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Feb 8, 2006
    #2
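
    An added example of the approach in this reply, not code from the thread or from Dominick: the company the user belongs to is looked up server-side in Application_AuthenticateRequest and attached to the principal as a role named "Company<id>", and the page then refuses to load anything unless the companyId in the query string matches one of the caller's roles. The Users table, its CompanyID column, the "App" connection string name and the "Company<id>" role naming are assumptions.

```csharp
// Added example (not from the thread). Global.asax.cs plus a page for an ASP.NET 2.0
// forms-authentication site. Table/column names, the "App" connection string and the
// "Company<id>" role naming are assumptions.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // FormsAuthenticationModule has already validated the ticket and set
        // Context.User to a GenericPrincipal with a FormsIdentity and no roles.
        if (Context.User == null || !Context.User.Identity.IsAuthenticated) return;
        FormsIdentity identity = Context.User.Identity as FormsIdentity;
        if (identity == null) return;

        // The company comes from the server-side user record, never from the request.
        int companyId = LookupCompanyId(identity.Name);
        string[] roles = new string[] { "Company" + companyId };
        Context.User = new GenericPrincipal(identity, roles);
    }

    private static int LookupCompanyId(string userName)
    {
        string cs = ConfigurationManager.ConnectionStrings["App"].ConnectionString; // assumed name
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT CompanyID FROM Users WHERE UserName = @u", conn)) // assumed schema
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            object result = cmd.ExecuteScalar();
            if (result == null || result == DBNull.Value)
                throw new HttpException(403, "User is not assigned to a company.");
            return (int)result;
        }
    }
}

public class EmployeesPage : System.Web.UI.Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        int companyId;
        // Reject a missing or non-numeric ID before it reaches any data access.
        if (!int.TryParse(Request.QueryString["companyId"], out companyId))
            throw new HttpException(400, "Bad request.");

        // The role check is the authorization decision; the query string is only input.
        if (!User.IsInRole("Company" + companyId))
            throw new HttpException(403, "Not enough permissions.");

        // Only now is it safe to load the employee list for companyId.
    }
}
```

    The check has to run on every page and handler that takes a company ID, before any query is issued; a single forgotten page is enough to reopen the hole. Encrypting or masking the ID in the URL (the other thing asked about in the original post) only hides the number; it does not replace this check, because the server still has to decide whether the decoded ID belongs to the caller.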
  3. Jon

    Jon Guest

    Hi Dominick,

    Thanks for that.

    What about a situation where the user may be looking at data that is related
    to companyA, such as tasks, where the Company information is not supplied?

    Thanks,

    Jon

     
    Jon, Feb 9, 2006
    #3
  4. Hi,

    can you elaborate?

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Feb 9, 2006
    #4
  5. Jon

    Jon Guest

    Hi Dominick,

    Yeah sure.

    This is my database: Company -< Projects -< Tasks (-< = one - many)

    If a user from CompanyB tries to view CompanyA projects, I can catch that
    in the Page.User.IsInRole("CompanyA") method, as you explained in your
    previous post.

    However, if the user from CompanyB tries to view a Task from CompanyA (by
    hacking the query string), it will appear. Now although the Task is linked to
    a Company, via Projects, at the point the user views a SINGLE Task, the
    Company to which it is linked is not available, so the
    Page.User.IsInRole() method wouldn't satisfy.

    My basic problem is not allowing a user to see information that belongs to a
    Company, but is associated to it via a link table etc.

    Does that help?

    Thanks.

    Jon

     
    Jon, Feb 9, 2006
    #5
  6. Hi,

    well I guess you have to somehow do an access check in your application -
    simply changing the query string is lame of course :))

    Change the architecture somehow that you will be able to link the task to
    a company and check that before retrieving the record...

    Sorry, can't give you better advice without looking at the db/code myself...

    HTH

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Feb 9, 2006
    #6
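
    An added example of the check this reply recommends, applied to the Company -< Projects -< Tasks schema from post #5; it is not code from the thread. The ownership test is folded into the query itself: a task row is only returned (or deleted) if the join from Tasks through Projects reaches the caller's company, so a forged taskId produces "no row" instead of another company's data, and the page never has to know the company ID up front. Table and column names, the "App" connection string, and a SitePrincipal exposing a CompanyId property (standing in for the SitePrincipal mentioned in the original post) are assumptions.

```csharp
// Added example (not from the thread). Table/column names, the "App" connection
// string and SitePrincipal.CompanyId are assumptions; the schema on the page is only
// Company -< Projects -< Tasks.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

// Stand-in for the thread's own SitePrincipal: a principal that knows its company.
public class SitePrincipal : GenericPrincipal
{
    public readonly int CompanyId;
    public SitePrincipal(IIdentity identity, string[] roles, int companyId)
        : base(identity, roles) { CompanyId = companyId; }
}

public class TaskRecord
{
    public int TaskId; public int ProjectId; public string Title;
}

public class TaskRepository
{
    private readonly string connectionString;
    public TaskRepository(string connectionString) { this.connectionString = connectionString; }

    // Returns null both when the task does not exist and when it belongs to another
    // company, so a caller probing IDs cannot tell the two cases apart.
    public TaskRecord GetTask(int taskId, int callerCompanyId)
    {
        const string sql =
            "SELECT t.TaskID, t.ProjectID, t.Title " +
            "FROM Tasks t INNER JOIN Projects p ON p.ProjectID = t.ProjectID " +
            "WHERE t.TaskID = @taskId AND p.CompanyID = @companyId";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@taskId", SqlDbType.Int).Value = taskId;
            cmd.Parameters.Add("@companyId", SqlDbType.Int).Value = callerCompanyId;
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!r.Read()) return null;
                TaskRecord t = new TaskRecord();
                t.TaskId = r.GetInt32(0); t.ProjectId = r.GetInt32(1); t.Title = r.GetString(2);
                return t;
            }
        }
    }

    // Same pattern for writes: the join sits in the WHERE clause, so the statement
    // touches zero rows unless the task is reachable from the caller's company.
    public bool DeleteTask(int taskId, int callerCompanyId)
    {
        const string sql =
            "DELETE t FROM Tasks t INNER JOIN Projects p ON p.ProjectID = t.ProjectID " +
            "WHERE t.TaskID = @taskId AND p.CompanyID = @companyId";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@taskId", SqlDbType.Int).Value = taskId;
            cmd.Parameters.Add("@companyId", SqlDbType.Int).Value = callerCompanyId;
            conn.Open();
            return cmd.ExecuteNonQuery() == 1;
        }
    }
}

public class TaskPage : System.Web.UI.Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        int taskId;
        if (!int.TryParse(Request.QueryString["taskId"], out taskId))
            throw new HttpException(400, "Bad request.");

        SitePrincipal caller = User as SitePrincipal;
        if (caller == null) throw new HttpException(401, "Not authenticated.");

        string cs = ConfigurationManager.ConnectionStrings["App"].ConnectionString; // assumed name
        TaskRecord task = new TaskRepository(cs).GetTask(taskId, caller.CompanyId);
        if (task == null)
            throw new HttpException(404, "Not found."); // use 403 only if revealing that the task exists is acceptable

        // Render the task here; it is guaranteed to belong to the caller's company.
    }
}
```

    The same join-in-the-WHERE-clause shape works for any record reachable from a company through one or more link tables; the caller's company ID always comes from the principal, never from the request. Where several pages need it, putting the test in the data-access layer, as above, means no page can fetch a task without it.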