Razor Pages Navigation
-
Is it possible to navigate a Razor web site without displaying the details in the URL?
https://localhost:44351/UserDetails?**id=1**
The id=1 seems to be a security risk, as changing the id will show another user's details. Or is this caught by using API security (currently not implemented)?
Never underestimate the power of human stupidity - RAH I'm old. I know stuff - JSOP
-
Is it possible to navigate a Razor web site without displaying the details in the URL?
https://localhost:44351/UserDetails?**id=1**
The id=1 seems to be a security risk, as changing the id will show another user's details. Or is this caught by using API security (currently not implemented)?
Never underestimate the power of human stupidity - RAH I'm old. I know stuff - JSOP
Make sure the currently logged-in user has access to the data they request. Things you shouldn't spend time doing | The ASP.NET Forums
-
Is it possible to navigate a Razor web site without displaying the details in the URL?
https://localhost:44351/UserDetails?**id=1**
The id=1 seems to be a security risk, as changing the id will show another user's details. Or is this caught by using API security (currently not implemented)?
Never underestimate the power of human stupidity - RAH I'm old. I know stuff - JSOP
Insecure Direct Object Reference Prevention · OWASP Cheat Sheet Series:
To be exploited, an IDOR issue must be combined with an Access Control issue because it's the Access Control issue that "allow" the attacker to access to the object for which he have guessed the identifier through is enumeration attack.
So long as you have proper access controls in place, and return the same error for accounts that the current user doesn't have permission to access as for accounts which don't exist, there shouldn't be any problems. Depending on what you're doing, you might be able to drop the querystring and deduce the record to display based on the currently logged-in user. Or you could replace the IDs with a Guid, which would be much harder to enumerate.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
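An added example, not code from the thread or from any poster, showing the two page handlers side by side in a Razor Pages PageModel: the first trusts whatever `id` the query string carries (the IDOR the question describes), the second applies the ownership check and returns the same NotFound whether the record is missing or belongs to someone else. `AppDbContext`, `UserDetail` and its `OwnerId` column are assumed names.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.EntityFrameworkCore;

// Assumed entity: each record stores the id of the user who owns it.
public class UserDetail
{
    public int Id { get; set; }
    public string OwnerId { get; set; } = "";
}

// Assumed EF Core context exposing the table.
public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<UserDetail> UserDetails => Set<UserDetail>();
}

// Vulnerable variant: any id from the query string is looked up and shown (IDOR).
public class UserDetailsInsecureModel : PageModel
{
    private readonly AppDbContext _db;
    public UserDetailsInsecureModel(AppDbContext db) => _db = db;
    public UserDetail? Detail { get; private set; }
    public async Task<IActionResult> OnGetAsync(int id)
    {
        Detail = await _db.UserDetails.FindAsync(id);
        return Detail is null ? NotFound() : Page();
    }
}

// Hardened variant: the signed-in user's id is part of the lookup, so a record that
// exists but is owned by someone else is indistinguishable from one that does not exist.
[Authorize]
public class UserDetailsModel : PageModel
{
    private readonly AppDbContext _db;
    public UserDetailsModel(AppDbContext db) => _db = db;
    public UserDetail? Detail { get; private set; }
    public async Task<IActionResult> OnGetAsync(int id)
    {
        var currentUserId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        Detail = await _db.UserDetails
            .FirstOrDefaultAsync(d => d.Id == id && d.OwnerId == currentUserId);
        return Detail is null ? NotFound() : Page(); // same response for both cases
    }
}
```

Dropping the query string entirely, as the reply suggests, is the same query with only the `OwnerId` condition and no `id` parameter on the handler.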
-
Make sure the currently logged-in user has access to the data they request. Things you shouldn't spend time doing | The ASP.NET Forums
Thanks for the link - makes a lot of sense.
Never underestimate the power of human stupidity - RAH I'm old. I know stuff - JSOP
-
Insecure Direct Object Reference Prevention · OWASP Cheat Sheet Series:
To be exploited, an IDOR issue must be combined with an Access Control issue because it's the Access Control issue that "allow" the attacker to access to the object for which he have guessed the identifier through is enumeration attack.
So long as you have proper access controls in place, and return the same error for accounts that the current user doesn't have permission to access as for accounts which don't exist, there shouldn't be any problems. Depending on what you're doing, you might be able to drop the querystring and deduce the record to display based on the currently logged-in user. Or you could replace the IDs with a Guid, which would be much harder to enumerate.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
Access control is something I have not implemented yet, still working on the nuts and bolts.
Never underestimate the power of human stupidity - RAH I'm old. I know stuff - JSOP