Impersonating user credentials could allow an attacker to gain unauthorized access to protected resources.
Microsoft ASP.NET applications can impersonate the security context of the current user or the process that invoked them in order to execute privileged operations. Although impersonation contexts serve a variety of useful purposes, such as reducing the overall number of authentication attempts that must be made, a program that retains elevated privileges unnecessarily poses a risk to the overall security of the system. If an attacker exploits another vulnerability in the program while it is running in another security context, any unauthorized operations the attacker performs will be executed with the corresponding privileges.
Example 1: The following code example represents a typical use pattern for impersonating credentials using the WindowsIdentity.Impersonate() method.
using System.Security.Principal;
using System.Web;
...
//Get the identity of the current user
IIdentity contextId = HttpContext.Current.User.Identity;
WindowsIdentity userId = (WindowsIdentity)contextId;
//Temporarily impersonate
WindowsImpersonationContext imp = userId.Impersonate();
//Perform tasks using the caller's security context
DoSecuritySensitiveTasks();
//Clean up and restore our old security context
//(never reached if DoSecuritySensitiveTasks() throws)
imp.Undo();
After calling DoSecuritySensitiveTasks(), the code attempts to restore the original security context, but if DoSecuritySensitiveTasks() throws an exception, the Undo() method will never be called and the program will continue to use the impersonated security context.
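The following is an added example, not code from the original page or from Microsoft, showing how to guarantee that Undo() runs even when the sensitive operation throws. It assumes a classic ASP.NET request context (HttpContext.Current) and a caller-supplied delegate named sensitiveWork standing in for DoSecuritySensitiveTasks(); WindowsImpersonationContext implements IDisposable and its Dispose() reverts the impersonation, so a using block is equivalent to the explicit try/finally. The helper also returns whether the thread's identity is the same before and after, which is the check a reviewer would want when auditing impersonation code.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example: impersonation that always restores the original context.
public static class SafeImpersonation
{
    // Runs sensitiveWork under the caller's Windows identity and restores the
    // process identity on both normal return and exception. Returns true when
    // the thread identity after the call matches the identity before it.
    public static bool RunAsCaller(Action sensitiveWork)
    {
        string before = WindowsIdentity.GetCurrent().Name;

        // Hypothetical: in a real app the identity comes from the request;
        // a non-Windows identity would make this cast fail, so guard it.
        WindowsIdentity userId = HttpContext.Current.User.Identity as WindowsIdentity;
        if (userId == null)
            throw new InvalidOperationException("Caller is not a WindowsIdentity");

        WindowsImpersonationContext imp = null;
        try
        {
            imp = userId.Impersonate();
            sensitiveWork();
        }
        finally
        {
            // Runs whether sensitiveWork returned or threw.
            if (imp != null)
            {
                imp.Undo();
                imp.Dispose();
            }
        }

        string after = WindowsIdentity.GetCurrent().Name;
        return string.Equals(before, after, StringComparison.OrdinalIgnoreCase);
    }

    // Same guarantee with less code: Dispose() on the impersonation context
    // reverts to the original identity when the using block exits.
    public static void RunAsCallerUsing(WindowsIdentity userId, Action sensitiveWork)
    {
        using (WindowsImpersonationContext imp = userId.Impersonate())
        {
            sensitiveWork();
        }
    }
}
```

Because the exception from sensitiveWork still propagates out of the finally block, callers see the failure, but the thread is already back in the process's own security context by the time any catch handler runs; code in that handler therefore cannot accidentally continue with the caller's privileges.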
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A2 Broken Access Control
[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A6 Security Misconfiguration
[3] Standards Mapping - FIPS200 - (FISMA) AC
[4] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 520
[5] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authorization
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.3
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.7
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8
[9] Security Practices: ASP.NET 2.0 Security Practices at a Glance, Microsoft Corporation