AcmeFoo / AcmeWebSite

New website

CONTRAST: Authorization Rules Missing Deny Rule under location CustomerLogin.aspx in \web.config #82

Open zencid42 opened 4 years ago

zencid42 commented 4 years ago

Vulnerability ID: XIOB-U3PF-OONX-FPX6

Application Name: test

Vulnerability Link: https://apptwo.contrastsecurity.com/Contrast/static/ng/index.html#/6119fcd6-5a74-48e8-aff8-092520138ef3/applications/5352360a-ecd4-4b7b-b40d-2e8af08acbea/vulns/XIOB-U3PF-OONX-FPX6

What Happened?

The configuration under location CustomerLogin.aspx in \web.config is missing a deny rule in the following section:

    <system.web>
        <allow users="*"/>
    </system.web>

What's the risk?

The web.config file includes an authorization section whose rules contain neither a rule denying access to all users nor a rule denying access to anonymous users. ASP.NET evaluates authorization rules top-down until one is satisfied, and a default allow-all rule is appended and evaluated last. Without an explicit deny rule, an attacker could potentially gain access to protected resources.

Recommendation

Resolve this issue by adding a deny rule for anonymous users or for all users, as in the example below. This configuration grants access to users in the admin role and denies access to everyone else:

    <authorization>
        <allow roles="admin"/>
        <deny users="*"/>
    </authorization>
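As an added example (not Contrast's code or this repository's), the following Python checks a web.config for authorization sections that lack a deny rule and simulates ASP.NET's top-down rule evaluation, including the implicit trailing allow-all rule that the report describes. The web.config, and the Reports and Admin locations in it, are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.config (not from the repository). CustomerLogin.aspx mirrors
# the finding above; Reports has an allow rule but no deny; Admin has the fix.
SAMPLE_WEB_CONFIG = """<configuration>
  <location path="CustomerLogin.aspx"><system.web><authorization>
    <allow users="*"/>
  </authorization></system.web></location>
  <location path="Reports"><system.web><authorization>
    <allow roles="admin"/>
  </authorization></system.web></location>
  <location path="Admin"><system.web><authorization>
    <allow roles="admin"/>
    <deny users="*"/>
  </authorization></system.web></location>
</configuration>"""

def _split(value):
    """Turn a comma-separated attribute such as users="alice, ?" into a set."""
    return {v.strip() for v in value.split(",") if v.strip()}

def authorization_rules(xml_text):
    """Map each <location path> (and "/" for the root) to its rule elements."""
    root = ET.fromstring(xml_text)
    sections = {loc.get("path", ""): loc.find("system.web/authorization")
                for loc in root.findall("location")}
    sections["/"] = root.find("system.web/authorization")
    return {path: list(auth) for path, auth in sections.items() if auth is not None}

def missing_deny(xml_text):
    """Paths whose rules never deny all users ('*') or anonymous users ('?')."""
    return [path for path, rules in authorization_rules(xml_text).items()
            if not any(r.tag == "deny" and _split(r.get("users", "")) & {"*", "?"}
                       for r in rules)]

def is_allowed(rules, user=None, roles=()):
    """Simulate ASP.NET URL authorization: rules are checked top-down, the first
    match wins, and an unmatched request hits the implicit trailing allow-all."""
    for rule in rules:  # user=None models an anonymous request
        users = _split(rule.get("users", ""))
        matched = ("*" in users or ("?" in users and user is None) or user in users
                   or bool(_split(rule.get("roles", "")) & set(roles)))
        if matched:
            return rule.tag == "allow"
    return True  # default <allow users="*"/> that ASP.NET evaluates last

if __name__ == "__main__":
    rules = authorization_rules(SAMPLE_WEB_CONFIG)
    print("missing deny:", missing_deny(SAMPLE_WEB_CONFIG))
    print("Reports, non-admin user:", is_allowed(rules["Reports"], "bob", ["user"]))
    print("Admin, non-admin user:", is_allowed(rules["Admin"], "bob", ["user"]))
```

Running it flags CustomerLogin.aspx and Reports, and shows that a non-admin user reaches Reports through the implicit allow-all while the Admin section, with its deny rule, rejects the same user.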

First Event

(no event)

Last Event

(no event)

HTTP Request

(No HTTP Request)

References

http://msdn.microsoft.com/en-us/library/system.web.configuration.authorizationsection.aspx