Classic Security Mistake

Jeff mentions that MSN fell victim to a classic security mistake: a user's authentication credentials are checked on one page, and the user is then redirected to a second page that doesn't check credentials (it assumes the user must have arrived from the page that did), which lets a sly user do all sorts of nasty things. This is a huge mistake that tons of applications make, and the funny part is that the mistake is not rooted in the authentication checking done by the ASPX pages at all, as you might assume. The problem is that the application's business logic layer let the request through even though it was clearly invalid. If the people who coded this part of the MSN APIs had taken the time to write a proper business logic layer, it would have said something like this:

void UpdateAccount(string accountID, DataSet newInfo)
{
    // Authorize at the business layer: the caller may only touch its own
    // account unless it is an administrator, regardless of which page called us.
    if (IdentityContext.User.AccountID == accountID || IdentityContext.User.IsAdmin)
    {
        accountDB.UpdateAccount(accountID, newInfo);
    }
    else
    {
        throw new AccessDeniedException();
    }
}

Two extra lines of code and a few curly braces later, you have prevented this mistake from ever happening again. Now, if some lazy UI coder forgets to add his authentication checks, the request throws an exception instead of letting the sly users do as they may, and all is well. If you have exception management code in place, this exception will get passed along to someone, who can go remind that lazy UI guy that he needs to do some basic security checks in his code (or in web.config), and you don't have to worry about waking up to any PR nightmares because of the lazy UI guys.
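As an added example (not code from the original post), here is that check wrapped in a small self-contained C# program: IdentityContext, AccountService and the in-memory list standing in for accountDB are constructed stand-ins, and a page handler that skipped its own authentication check still gets denied when it forwards someone else's account ID, while the admin path goes through.

```csharp
using System;
using System.Collections.Generic;

// Stand-ins for the post's IdentityContext, accountDB and exception type (constructed for this example).
public class AccessDeniedException : Exception { public AccessDeniedException(string m) : base(m) { } }
public class Identity { public string AccountID; public bool IsAdmin; }
// In a real ASP.NET app User would be derived from the authenticated request; here callers set it.
public static class IdentityContext { public static Identity User; }

public class AccountService
{
    public List<string> AppliedUpdates { get; } = new List<string>(); // fake accountDB

    // The business-layer check from the post, plus a guard for unauthenticated callers.
    public void UpdateAccount(string accountID, string newInfo)
    {
        Identity user = IdentityContext.User;
        if (user == null)
            throw new AccessDeniedException("no authenticated user");
        if (user.AccountID == accountID || user.IsAdmin)
            AppliedUpdates.Add(accountID + ":" + newInfo);
        else
            throw new AccessDeniedException(user.AccountID + " may not update " + accountID);
    }
}

public static class Program
{
    public static void Main()
    {
        var service = new AccountService();
        // A page that forgot its own check: it forwards whatever account ID the request carried.
        Action<string, string> forgetfulPage = (id, info) => service.UpdateAccount(id, info);

        IdentityContext.User = new Identity { AccountID = "alice", IsAdmin = false };
        forgetfulPage("alice", "email=alice@example.com");                 // own account: applied
        try { forgetfulPage("bob", "email=someone-else@example.com"); }    // another account: rejected
        catch (AccessDeniedException e) { Console.WriteLine("Denied: " + e.Message); }

        IdentityContext.User = new Identity { AccountID = "ops", IsAdmin = true };
        forgetfulPage("bob", "email=bob@example.com");                     // admin: applied
        Console.WriteLine(string.Join(", ", service.AppliedUpdates));
    }
}
```

Only the two authorized updates end up in the fake accountDB; the cross-account attempt surfaces as an AccessDeniedException that your exception management can route to whoever owns the forgetful page.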
