I wonder if the authorization rules I’ve applied to a directory of a website could be bypassed? I mean, someone could (by using any trick or hack) just get access to the resources without having privileges?
If it were possible, we (the ASP.NET team) would be forced to patch it. We advertise that developers can use URL-based authorization to secure WebForms pages reliably.
You must not use URL-based authorization to secure MVC actions or other things that go through the Routing pipeline. This is because it is very easy to get into a situation where a particular MVC controller or action can be accessed via multiple URLs, and it’s often too difficult to figure out every single permutation and shut it down via config. See the link Eric posted for more info.
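The point in the answer above, sketched as an added example (not part of the original answer and not ASP.NET team code): a `<location>` rule in web.config matches a URL path, while routing can map more than one URL shape to the same controller, so the check belongs on the controller itself. The controller name, the role name, and the `dashboard` route are hypothetical.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// web.config rule that is keyed to the literal URL prefix "Admin" only
// (shown here as a comment for comparison):
//
//   <location path="Admin">
//     <system.web>
//       <authorization>
//         <allow roles="Admin" />
//         <deny users="*" />
//       </authorization>
//     </system.web>
//   </location>

public static class RouteConfig
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        // Hypothetical custom route: a second URL shape that selects the same
        // controller under a prefix the <location path="Admin"> rule never sees.
        routes.MapRoute(
            name: "Dashboard",
            url: "dashboard/{action}",
            defaults: new { controller = "Admin", action = "Index" });

        // Default route: /Admin/Index also maps to AdminController.Index.
        routes.MapRoute(
            name: "Default",
            url: "{controller}/{action}/{id}",
            defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional });
    }
}

// Authorization attached to the controller runs whichever route selected it,
// so there is no list of URL permutations to keep in sync with config.
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```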