CS.AUTH.NOATTR

Possible missing authorization check

The CS.AUTH.NOATTR checker flags ASP.NET Controllers and PageModels that carry neither an [Authorize] nor an [AllowAnonymous] attribute, that is, classes that make no explicit authorization decision at all.

Vulnerability and risk

When code doesn't apply access control checks, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.

Vulnerable code example

using System;
using System.Web;
using System.Web.Mvc;

// No [Authorize] on the class and none on the action: any caller can reach it.
public class AdministrationController : Controller
{
    public ActionResult ViewSensitiveInformation()
    {
        return View();
    }
}

In this example, neither the AdministrationController nor its action carries an [Authorize] attribute, so any user, authenticated or not, can call ViewSensitiveInformation.

Fixed code example 1

using System;
using System.Web;
using System.Web.Mvc;

// Class-level [Authorize] applies to every action in the controller.
[Authorize(Roles = "Administrator")]
public class AdministrationController : Controller
{
    public ActionResult ViewSensitiveInformation()
    {
        return View();
    }
}

By adding the [Authorize] attribute at the class level, only users in the Administrator role can access ViewSensitiveInformation, and any action added to this controller later is protected by the same check.

Fixed code example 2

using System;
using System.Web;
using System.Web.Mvc;

public class AdministrationController : Controller
{
    // Method-level [Authorize] protects this action only.
    [Authorize(Roles = "Administrator")]
    public ActionResult ViewSensitiveInformation()
    {
        return View();
    }
}

By adding the [Authorize] attribute at the method level, only users in the Administrator role can access ViewSensitiveInformation. Note that this protects the attributed action alone; other actions in the controller need their own attribute, or the class-level form from example 1.
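The examples above use classic ASP.NET MVC. The checker's rule also covers Razor Pages PageModels, and the same rule is easy to apply yourself as a build-time or test-time check. The following is an added example, not code from the Klocwork documentation: it shows an ASP.NET Core controller protected at the class level with one explicitly anonymous action, a PageModel protected with [Authorize], and a small reflection-based scanner that reports any Controller or PageModel carrying neither attribute on the type or on one of its public actions. It assumes an ASP.NET Core project (the Microsoft.AspNetCore.Authorization, Microsoft.AspNetCore.Mvc and Microsoft.AspNetCore.Mvc.RazorPages namespaces); the class names and the scanner are illustrative and not part of any product.

```csharp
// Added example (not from the CS.AUTH.NOATTR page): explicit authorization
// attributes on an ASP.NET Core controller and a Razor PageModel, plus a
// reflection scanner applying the same rule the checker does.
using System;
using System.Linq;
using System.Reflection;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

// Class-level [Authorize] covers every action; one action is opened up explicitly.
[Authorize(Roles = "Administrator")]
public class AdministrationController : Controller
{
    public IActionResult ViewSensitiveInformation() => View();

    // Explicit opt-out: records that anonymous access here is intentional,
    // which is what distinguishes a reviewed endpoint from a forgotten one.
    [AllowAnonymous]
    public IActionResult Status() => Ok("up");
}

// Razor Pages: the checker inspects PageModels too, so the attribute goes on the model.
[Authorize]
public class ReportsModel : PageModel
{
    public void OnGet() { }
}

// Hypothetical class with no attribute on the type or on its action; the scanner reports it.
public class LegacyController : Controller
{
    public IActionResult Export() => Ok();
}

public static class AuthorizationAttributeScanner
{
    // True when the type or method carries [Authorize] or [AllowAnonymous].
    static bool HasAuthAttribute(ICustomAttributeProvider member) =>
        member.IsDefined(typeof(AuthorizeAttribute), true) ||
        member.IsDefined(typeof(AllowAnonymousAttribute), true);

    // Returns the names of controllers and page models that have no authorization
    // attribute at the type level and at least one public action without one.
    public static string[] FindUnprotected(Assembly assembly)
    {
        return assembly.GetTypes()
            .Where(t => !t.IsAbstract &&
                        (typeof(ControllerBase).IsAssignableFrom(t) ||
                         typeof(PageModel).IsAssignableFrom(t)))
            .Where(t => !HasAuthAttribute(t))
            .Where(t => t.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                         .Any(m => !m.IsSpecialName && !HasAuthAttribute(m)))
            .Select(t => t.FullName ?? t.Name)
            .OrderBy(n => n)
            .ToArray();
    }
}

public static class Program
{
    public static void Main()
    {
        // Scan the current assembly; in a real project, point this at the web assembly
        // from a unit test so the build fails when an unattributed controller appears.
        foreach (var name in AuthorizationAttributeScanner.FindUnprotected(typeof(Program).Assembly))
            Console.WriteLine($"Missing authorization attribute: {name}");
    }
}
```

Running FindUnprotected from a unit test against the web assembly turns the checker's rule into a regression guard: a controller or PageModel committed without either attribute fails the test rather than shipping with an implicit access decision. Note that ASP.NET Core can also enforce authentication globally through a fallback authorization policy, but because CS.AUTH.NOATTR reasons about attributes, keeping the explicit attribute on each class satisfies both the checker and a reviewer reading the class in isolation.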