Secure Code Warrior OWASP Web Top 10 2021 A1-A2 1: Broken Access Control and 2: Cryptographic Failures

Published: 2023-10-16 18:05:21  Author: ChuckLu

Let's start with the most critical application weaknesses. These challenges give you the foundations of 1: Broken Access Control and 2: Cryptographic Failures.

Broken Access Control 

Access Control - Missing Function Level Access Control

CRUD operations on user accounts should be available only to the limited circle of people responsible for system maintenance. For this, role-based authorization has been applied with the [Authorize(Roles = "Admin")] attribute. Users without the "Admin" role cannot reach the admin features, because the authorization middleware rejects their requests before the action body ever runs; the check is enforced server-side on every request, not by hiding links in the UI.
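The following is an added example, not code from the Secure Code Warrior challenge or from the original post. It shows an ASP.NET Core MVC controller for user-account CRUD first without and then with function-level access control, together with the pipeline registration the attribute depends on. UsersController, VulnerableUsersController, IUserRepository and InMemoryUserRepository are assumed names used for illustration only.

```csharp
// Added example (not from the challenge or the original post). Names such as
// UsersController, IUserRepository and InMemoryUserRepository are assumed.
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Program.cs (minimal hosting). [Authorize] is only enforced when the
// authorization middleware sits in the pipeline after routing and after
// authentication. If UseAuthorization() is left out, ASP.NET Core throws an
// InvalidOperationException at request time for any endpoint carrying
// authorization metadata, so the mistake fails closed instead of opening the
// endpoints silently.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
builder.Services.AddSingleton<IUserRepository, InMemoryUserRepository>();
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie();
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseRouting();
app.UseAuthentication();   // populates HttpContext.User from the auth cookie
app.UseAuthorization();    // evaluates [Authorize] metadata on the matched endpoint
app.MapDefaultControllerRoute();
app.Run();

public interface IUserRepository
{
    IEnumerable<string> List();
    void Delete(int id);
}

// Constructed in-memory stand-in for a real user store.
public class InMemoryUserRepository : IUserRepository
{
    private readonly Dictionary<int, string> _users = new() { [1] = "alice", [2] = "bob" };
    public IEnumerable<string> List() => _users.Values.ToList();
    public void Delete(int id) => _users.Remove(id);
}

// BEFORE: missing function-level access control. Any caller that can reach
// /VulnerableUsers/Delete (any signed-in user, or anyone at all) can delete an
// account; "the link is not shown in the menu" is not a control.
public class VulnerableUsersController : Controller
{
    private readonly IUserRepository _users;
    public VulnerableUsersController(IUserRepository users) => _users = users;

    [HttpGet]
    public IActionResult Index() => View(_users.List());

    [HttpPost]
    public IActionResult Delete(int id)
    {
        _users.Delete(id);
        return RedirectToAction(nameof(Index));
    }
}

// AFTER: role-based authorization enforced by the framework. Placing the
// attribute on the controller covers every action, present and future, so a
// newly added action cannot be forgotten. Requests from users lacking the
// "Admin" role are rejected by the middleware before the action body executes.
[Authorize(Roles = "Admin")]
public class UsersController : Controller
{
    private readonly IUserRepository _users;
    public UsersController(IUserRepository users) => _users = users;

    [HttpGet]
    public IActionResult Index() => View(_users.List());

    [HttpPost]
    public IActionResult Delete(int id)
    {
        _users.Delete(id);
        return RedirectToAction(nameof(Index));
    }

    // Caveat: [AllowAnonymous] on an action overrides [Authorize] on the
    // controller. Never add it inside an admin-only controller unless that
    // action is genuinely meant to be public.
}
```

The role name in the attribute must match the role claim issued at sign-in exactly; a typo in either place produces a 403 for everyone rather than an open endpoint, which is the safer failure mode, but it is still worth an integration test that asserts a non-admin user is rejected from each admin action.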


Cross-site Request Forgery - Cross-site Request Forgery

The POST method is not protected against Cross-Site Request Forgery. The application cannot tell a request the user submitted intentionally from one that a third-party site caused the user's browser to send, because the browser attaches the victim's session cookie either way. An attacker can therefore perform actions on behalf of other users. State-changing requests in particular, such as a password change or a purchase, are interesting to attackers.

The ValidateAntiForgeryToken attribute has been added to the POST action, so the application is properly protected against CSRF attacks, and state-changing requests are covered. The application generates a unique, random token per user, embeds it in the form and ties it to an anti-forgery cookie; the attribute verifies that the two match before the action runs. A page on another origin can neither read the token nor set the cookie, so a forged request is rejected.
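The following is an added example, not code from the Secure Code Warrior challenge or from the original post. It shows a password-change action in ASP.NET Core MVC first without and then with anti-forgery validation, plus the view markup that emits the token. AccountController, VulnerableAccountController and IPasswordService are assumed names; the attacker page in the comment is constructed for illustration.

```csharp
// Added example (not from the challenge or the original post). AccountController,
// VulnerableAccountController and IPasswordService are assumed names.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public interface IPasswordService
{
    void Change(string userName, string newPassword);
}

// BEFORE: a state-changing POST with no anti-forgery check. A page on a site the
// attacker controls can auto-submit this constructed form while the victim is
// logged in:
//
//   <form action="https://victim.example/VulnerableAccount/ChangePassword" method="post">
//     <input type="hidden" name="newPassword" value="attacker-chosen" />
//   </form>
//   <script>document.forms[0].submit()</script>
//
// The browser attaches the victim's session cookie, [Authorize] is satisfied,
// and the password changes without the victim's intent.
[Authorize]
public class VulnerableAccountController : Controller
{
    private readonly IPasswordService _passwords;
    public VulnerableAccountController(IPasswordService passwords) => _passwords = passwords;

    [HttpPost]
    public IActionResult ChangePassword(string newPassword)
    {
        _passwords.Change(User.Identity!.Name!, newPassword);
        return RedirectToAction("Index", "Home");
    }
}

// AFTER: the GET renders a form carrying the anti-forgery token, and the POST
// rejects any request whose token is missing or does not match the cookie half
// (the framework answers 400 Bad Request). A cross-origin page can neither read
// the token nor forge the cookie, so the forged POST above fails.
[Authorize]
public class AccountController : Controller
{
    private readonly IPasswordService _passwords;
    public AccountController(IPasswordService passwords) => _passwords = passwords;

    [HttpGet]
    public IActionResult ChangePassword() => View();

    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult ChangePassword(string newPassword)
    {
        _passwords.Change(User.Identity!.Name!, newPassword);
        return RedirectToAction("Index", "Home");
    }
}

/* Views/Account/ChangePassword.cshtml. The <form> tag helper emits the hidden
   __RequestVerificationToken field and sets the matching cookie automatically;
   in classic ASP.NET MVC the equivalent is @Html.AntiForgeryToken() inside the form.

   <form asp-action="ChangePassword" method="post">
       <input type="password" name="newPassword" />
       <button type="submit">Change password</button>
   </form>
*/
```

Annotating actions one by one leaves room to forget the next one; registering AutoValidateAntiforgeryTokenAttribute as a global MVC filter makes every unsafe method (POST, PUT, PATCH, DELETE) validate by default, and JavaScript clients can then send the token in a header configured through AddAntiforgery(options => options.HeaderName = ...). The token check is a complement to, not a replacement for, marking the session cookie SameSite.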