Posts Tagged ‘Aspnet Core’

Security tips: Record level authorization in your .NET application

Record level authorization verifies that users are permitted to access the records they want to view, update or delete. I should say that not all applications I worked on or reviewed had that requirement. Some of the applications I had worked with required role based authorization, where users with certain roles can access certain areas of the application, while other applications I had worked on required record level authorization.

An example of record level authorization is a bank account: only the account holders should be able to access and manage the account. Another example is an insurance system, where the policy holder should be the only one who can submit a claim and accept a settlement.

How to test if the application is vulnerable?

If you are a tester doing white box testing, there isn’t a recipe that tells you the application is 100% coded correctly. Here is a simple example using ASP.NET MVC that shows how you can test your application. Say we have a URL such as http://hostname/users/Details/1. Given that the default route is {controller}/{action}/{id}, we can tell that the controller is UsersController, the action method is Details and the record Id is 1.

If the application is supposed to implement record level authorization, it shouldn’t let you access record id 100 when you don’t have access to it. This is easily tested by replacing 1 with 100 in the URL (e.g. http://hostname/users/Details/100).

How about POST requests? You can test POST requests using the Edit action method (i.e. http://hostname/users/Edit/1). The record id is usually passed in the payload. You can use the F12 developer tools to see the parameters passed to the server.

You can modify the id in the DOM if you don’t want to use other tools, but it is easier to use a tool like Burp or Fiddler to intercept the request and modify the parameters.

If you were able to modify a record that your user shouldn’t have access to, the application fails the test case.
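To show what the test above is probing for on the server side, here is an added example (not code from the original post) of an ASP.NET Core MVC controller for the bank account scenario: an action that trusts the route id beside one that enforces record level authorization on both GET and POST. The IAccountRepository, AccountRecord and OwnerUserId names are assumptions for the example.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical record and repository used by the example.
public class AccountRecord
{
    public int Id { get; set; }
    public string OwnerUserId { get; set; } = "";   // user who owns the record
    public decimal Balance { get; set; }
}

public interface IAccountRepository
{
    AccountRecord? Find(int id);          // returns any record by id, no ownership filter
    void Save(AccountRecord record);
}

[Authorize]   // role/login check only; it says nothing about which record you may see
public class AccountsController : Controller
{
    private readonly IAccountRepository _repo;
    public AccountsController(IAccountRepository repo) => _repo = repo;

    // VULNERABLE: /accounts/DetailsInsecure/100 returns record 100 to any logged-in
    // user, which is exactly what changing 1 to 100 in the URL detects.
    public IActionResult DetailsInsecure(int id)
    {
        var record = _repo.Find(id);
        return record is null ? NotFound() : View("Details", record);
    }

    // FIXED: the record must belong to the authenticated user. Returning 404 for
    // both "missing" and "not yours" avoids confirming that other ids exist.
    public IActionResult Details(int id)
    {
        var record = _repo.Find(id);
        if (record is null || !IsOwner(record)) return NotFound();
        return View(record);
    }

    // POST: the id in the form body is client-controlled, so the same check applies.
    [HttpPost, ValidateAntiForgeryToken]
    public IActionResult Edit(int id, decimal balance)
    {
        var record = _repo.Find(id);
        if (record is null || !IsOwner(record)) return NotFound();
        record.Balance = balance;
        _repo.Save(record);
        return RedirectToAction(nameof(Details), new { id });
    }

    private bool IsOwner(AccountRecord record) =>
        record.OwnerUserId == User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
}
```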


Record level authorization is a must for some systems but not necessarily a requirement for others. Clarify the requirement with the client so that your test cases are based on the requirements. The vulnerability is catastrophic for high profile applications if an attacker can exploit it. As a tester, your test cases should cover the record level authorization requirements.


Debug Aspnet Core HTTP Error 502.5 – Process Failure

Today, after upgrading ASP.NET Core 1.0 to 1.1, I was getting HTTP Error 502.5 – Process Failure.

In your project web.config:

  • Enable stdoutLogEnabled (set it to true)
  • Set full path for stdoutLogFile and make sure that the “logs” folder already exists
  • Then hit F5


In my stdout file I got the following error:

The specified framework ‘Microsoft.NETCore.App’, version ‘1.1.0’ was not found.

– Check application dependencies and target a framework version installed at:

C:\Program Files\dotnet\shared\Microsoft.NETCore.App

– The following versions are installed:




– Alternatively, install the framework version ‘1.1.0’.

I was under the impression that I had already installed version 1.1.0, but it seems that I installed 1.0.3 instead :) It was 1:00 AM LOL

Here is the tricky part: when you go to download .NET Core, the default selected tab is LTS instead of Current.

Select Current and download the latest version of the .NET Core SDK.
