How to lock down paths in ASP.NET MVC?

by

Take a look at Securing your ASP.NET MVC 4 App and the new AllowAnonymous Attribute.

You cannot use routing or web.config files to secure your MVC application (Any Version). The only supported way to secure your MVC application is to apply the Authorize attribute…

Quote

MVC uses routes and does not map URLs to physical file locations like WebForms, PHP and traditional web servers. Therefore using web.config will definitely open a security hole in your site.

The product team will have a communication if this changes in the future, but for now it is without exception the rule.

Examples:

Start with the default ASP.Net MVC project (internet/intranet).

Edit the web.config adding:

<location path="Home">
  <system.web>
    <authorization>
      <deny users="*">
    </authorization>
  </system.web>
</location>

Run the project, by default you will use the Default route /Home/Index and you see content, simply bypassing the web.config with no changes to the default template. Why? Because the ASP.Net pipeline is comparing the URL requested to the location specified in the web.config. However, after the Authorization Event has been executed in the pipeline the routing taking place (Default routing or custom routing) and allows access to the supposedly restricted area.

Additionally, any MVC Redirect() will also by-pass the same security measures as again the routing takes place after the Authorization Pipeline Event.

I don’t think anyone should accept sorta working security. Do it correctly the first time, don’t be lazy and use something that wasn’t designed to be used with a specific technology.

More Related Contents:

  1. ASP.NET MVC 4 Web API Authentication with Membership Provider
  2. ASP.NET MVC Forms Authentication + Authorize Attribute + Simple Roles
  3. ASP.NET MVC – Authenticate users against Active Directory, but require username and password to be inputted
  4. What does the Web.Config file do in the views folder of a MVC project
  5. upgrading from MVC4 to MVC5
  6. Prevent IIS from serving static files through ASP.NET pipeline
  7. deploying AntiforgeryToken Error
  8. MVC Forms LoginUrl is incorrect
  9. Using Ajax.BeginForm with ASP.NET MVC 3 Razor
  10. ASP.NET MVC Html.DropDownList SelectedValue
  11. Should services always return DTOs, or can they also return domain models?
  12. How to validate uploaded file in ASP.NET MVC?
  13. ASP.NET MVC custom routing for search
  14. Crystal Reports in ASP.NET MVC
  15. ASP.NET MVC 4 intercept all incoming requests
  16. How to change type of id in Microsoft.AspNet.Identity.EntityFramework.IdentityUser
  17. ASP.NET MVC – TempData – Good or bad practice
  18. Why do we use ViewModels?
  19. DateTime (date and hour) validation with Data Annotation
  20. MVC Datatype Currency trigger numeric keypad
  21. Web Config Transform not working
  22. OwinStartup not firing
  23. Does Razor syntax provide a compelling advantage in UI markup?
  24. How to get current controller and action from inside Child action?
  25. Where are @Json.Encode or @Json.Decode methods in MVC 6?
  26. Routing in Asp.net Mvc 4 and Web Api
  27. MVC 2 AreaRegistration Routes Order
  28. How do I populate a dropdownlist with enum values?
  29. Visual Studio 2013 – No Visual Basic/Visual C# Web Templates Installed
  30. How can I create a route constraint of type System.Guid?

Leave a Comment