CS.AUTH.NOATTR
Possible missing authorization check
The CS.AUTH.NOATTR checker flags ASP.NET Controllers and Razor PageModels that carry neither an [Authorize] attribute nor an explicit [AllowAnonymous] attribute, that is, types whose access-control intent is not declared at all.
Vulnerability and risk
When a controller or page applies no access-control check, any request, authenticated or not, can read the data it returns or trigger the actions it performs. Depending on what the endpoint does, this can lead to information exposure, privilege escalation, denial of service, or, if the endpoint drives deployment or execution logic, arbitrary code execution.
Vulnerable code example
using System;
using System.Web;
using System.Web.Mvc;

// No [Authorize] attribute on the controller or its action: the framework
// runs the action for every request, including anonymous ones.
public class AdministrationController : Controller
{
    public ActionResult ViewSensitiveInformation()
    {
        return View();
    }
}
In this example, AdministrationController has no [Authorize] attribute, so any request, whether or not the caller is authenticated, can invoke its action ViewSensitiveInformation.
Fixed code example 1
using System;
using System.Web;
using System.Web.Mvc;

// Class-level [Authorize]: applies to every action on the controller,
// including any action added later.
[Authorize(Roles = "Administrator")]
public class AdministrationController : Controller
{
    public ActionResult ViewSensitiveInformation()
    {
        return View();
    }
}
By adding [Authorize(Roles = "Administrator")] at class level, only authenticated users in the Administrator role can reach ViewSensitiveInformation, and the same check covers every other action on the controller. Note that a bare [Authorize] with no Roles or Users argument only requires that the caller be authenticated; it silences the checker but does not by itself restrict access to administrators.
Fixed code example 2
using System;
using System.Web;
using System.Web.Mvc;

public class AdministrationController : Controller
{
    // Action-level [Authorize]: protects this action only.
    [Authorize(Roles = "Administrator")]
    public ActionResult ViewSensitiveInformation()
    {
        return View();
    }
}
By adding [Authorize(Roles = "Administrator")] to the action, only authenticated users in the Administrator role can access the information returned by ViewSensitiveInformation. The attribute covers this one action only: any other action on the controller, including one added later, remains open unless it is annotated too, so the class-level form in example 1 is the safer default.
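The two fixes above show the attribute on a classic ASP.NET MVC controller. The following is an added example, not taken from the checker documentation, that shows the same pattern on ASP.NET Core, which is where the Razor PageModels the checker also covers live. It combines a class-level [Authorize] with an explicit [AllowAnonymous] on one action (so the intent is declared, which is what CS.AUTH.NOATTR looks for), applies the attribute to a PageModel, and registers a global FallbackPolicy so that an endpoint with no attribute at all fails closed. The controller, page, and route names, and the use of cookie authentication, are assumptions for illustration.

```csharp
// Added example for ASP.NET Core (not code from the checker page).
// Assumes the Microsoft.NET.Sdk.Web SDK; the namespaces below are explicit
// so the file compiles without implicit usings.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;

// Class-level [Authorize]: every action requires an authenticated caller
// in the Administrator role unless an action opts out explicitly.
[Authorize(Roles = "Administrator")]
public class AdministrationController : Controller
{
    public IActionResult ViewSensitiveInformation()
    {
        return View();
    }

    // Explicit opt-out. [AllowAnonymous] overrides [Authorize] on the
    // class and also bypasses the FallbackPolicy below, so use it only
    // for endpoints that genuinely need no authentication.
    [AllowAnonymous]
    public IActionResult Status()
    {
        return Content("ok");
    }
}

// Razor PageModel (hypothetical page): the same attribute works at class
// level, which is the case the checker reports for PageModels.
[Authorize(Roles = "Administrator")]
public class ReportsModel : PageModel
{
    public void OnGet()
    {
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);

        // Cookie authentication is assumed here; any scheme works.
        builder.Services
            .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie();

        // Defence in depth: any endpoint with no [Authorize] and no
        // [AllowAnonymous] requires an authenticated user, so a forgotten
        // attribute denies by default instead of exposing the endpoint.
        builder.Services.AddAuthorization(options =>
        {
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
        });

        builder.Services.AddControllersWithViews();
        builder.Services.AddRazorPages();

        var app = builder.Build();

        // Order matters: authentication must run before authorization.
        app.UseAuthentication();
        app.UseAuthorization();

        app.MapControllerRoute(
            name: "default",
            pattern: "{controller=Home}/{action=Index}/{id?}");
        app.MapRazorPages();

        app.Run();
    }
}
```

The FallbackPolicy does not replace the attributes: it only requires authentication, not the Administrator role, so role restrictions still have to be declared on each controller or page. It does, however, turn the class of bug this checker reports from an exposure into a 401.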