URL Tampering - Prevent unauthorized page.

  • Question

  • User-1024101449 posted

    Hi,

    How to prevent the user from changing the file name in the URL?

    For example,

    A user shall access only http://10.120.10.67/Login.aspx (by default).

    But he should not access other pages which are not authorized pages.

    How to restrict this in an aspx page?

    Wednesday, June 29, 2016 5:23 AM

Answers

  • User-1024101449 posted

    Finally I found the solution. The code is below.

    ' Roles of the logged-in user, stored in Session at login.
    ' Accesstype is the session key (constant) used by the poster.
    Dim roles As String() = Session(Accesstype)
    ' Attach those roles to the principal of the current request.
    HttpContext.Current.User = New GenericPrincipal(HttpContext.Current.User.Identity, roles)
    ' Only ADM may stay on this page; everyone else is sent to the unauthorized page.
    If Not (Me.Page.User.IsInRole("ADM")) Then
        Response.Redirect("UnAuthorizedAccess.aspx")
    End If

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, July 1, 2016 12:02 PM
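    The accepted answer builds the principal inside the page and hard-codes a role check per page. An added example (not code from this thread) showing the other route the thread mentions, where no per-page code is needed: roles are placed in the forms-authentication ticket at login, and Global.asax turns the ticket into a principal on every request, before UrlAuthorizationModule evaluates the web.config <location> rules. Assumptions: forms authentication is enabled in web.config; ValidateUser and GetRolesForUser are the application's own database lookups (hypothetical names, not part of ASP.NET); UserName, Password and FailureText are controls on Login.aspx.

```vbnet
' Added example, not code from this thread. Two files are shown: the login
' page that issues the forms-authentication ticket, and Global.asax, which
' turns that ticket into a principal with roles on every request.
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' ---- Login.aspx.vb ----
Partial Class LoginPage
    Inherits System.Web.UI.Page

    Protected Sub LoginButton_Click(sender As Object, e As EventArgs)
        ' ValidateUser / GetRolesForUser: the application's own database
        ' lookups (hypothetical names).
        If Not ValidateUser(UserName.Text, Password.Text) Then
            FailureText.Text = "Invalid user name or password."
            Return
        End If

        ' Roles from the database (e.g. "ADM", "USER1", "USER2") go into the
        ' ticket's UserData. The ticket is encrypted and signed as a whole, so
        ' a user cannot edit the role list in the cookie.
        Dim rolesFromDb As String = String.Join(",", GetRolesForUser(UserName.Text))
        Dim ticket As New FormsAuthenticationTicket(1, UserName.Text, DateTime.Now,
            DateTime.Now.AddMinutes(30), False, rolesFromDb)
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket))
        cookie.HttpOnly = True
        cookie.Secure = FormsAuthentication.RequireSSL
        Response.Cookies.Add(cookie)
        Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, False), False)
    End Sub
End Class

' ---- Global.asax.vb ----
Public Class [Global]
    Inherits HttpApplication

    ' AuthenticateRequest fires before UrlAuthorizationModule (AuthorizeRequest),
    ' so the roles attached here are what <allow roles="..."/> is matched
    ' against. Session does not exist yet at this stage, which is why the roles
    ' travel in the ticket rather than in Session.
    Sub Application_AuthenticateRequest(sender As Object, e As EventArgs)
        Dim authCookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)
        If authCookie Is Nothing OrElse String.IsNullOrEmpty(authCookie.Value) Then Return

        Dim ticket As FormsAuthenticationTicket = Nothing
        Try
            ticket = FormsAuthentication.Decrypt(authCookie.Value)
        Catch ex As Exception
            ' Undecryptable or tampered cookie: leave the request anonymous.
            Return
        End Try
        If ticket Is Nothing OrElse ticket.Expired Then Return

        Dim roles As String() = ticket.UserData.Split(New Char() {","c}, StringSplitOptions.RemoveEmptyEntries)
        Context.User = New GenericPrincipal(New FormsIdentity(ticket), roles)
    End Sub
End Class
```

    With this in place the <location path="..."> entries posted later in the thread work unchanged: a USER1 account typing Searchpage.aspx into the address bar is refused by UrlAuthorizationModule before the page runs, and no IsInRole check is needed in the page or master page. Keep a <deny users="?"/> under the root <authorization> as well so that unauthenticated requests are sent to the login page.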

All replies

  • User753101303 posted

    Hi,

    You are rolling your own authentication system? If using out of the box features you define authorizations as shown here: https://msdn.microsoft.com/en-us/library/wce3kxhd.aspx

    Wednesday, June 29, 2016 6:21 AM
  • User-1024101449 posted

    Thanks for your reply.

    I am using a sitemap path menu and this will be enabled based on the roles.

    I have mentioned my roles, which are defined in web.config, below.

    <location path="AdminMenu">
        <system.web>
            <authorization>
                <allow roles="ADM"/>
                <deny users="*"/>
            </authorization>
        </system.web>
    </location>
    <location path="USER1MENU">
        <system.web>
            <authorization>
                <allow roles="ADM,USER1"/>
                <deny users="*"/>
            </authorization>
        </system.web>
    </location>
    <location path="HomeMenu">
        <system.web>
            <authorization>
                <allow roles="ADM,USER1,USER2"/>
                <deny users="*"/>
            </authorization>
        </system.web>
    </location>

    If USER1 and USER2 try to access the admin menu, then it should not allow them to enter the page (if they try to tamper with the URL).

    How to restrict this in the code?

    Wednesday, June 29, 2016 9:49 AM
  • User753101303 posted

    To me you really shouldn't need any additional code for doing this. Is AdminMenu a folder? If not, what if using AdminMenu.aspx instead?

    Wednesday, June 29, 2016 11:36 AM
  • User-1024101449 posted

    Sorry.

    AdminMenu is not a folder. It is a page, like below.

    I have changed to SearchPage instead of AdminMenu...

    <location path="Searchpage.aspx">
        <system.web>
            <authorization>
                <allow roles="ADM"/>
                <deny users="*"/>
            </authorization>
        </system.web>
    </location>
    <location path="user1.aspx">
        <system.web>
            <authorization>
                <allow roles="ADM,USER1"/>
                <deny users="*"/>
            </authorization>
        </system.web>
    </location>
    <location path="Home.aspx">
        <system.web>
            <authorization>
                <allow roles="ADM,USER1,USER2"/>
                <deny users="*"/>
            </authorization>
        </system.web>
    </location>

    Role "ADM" is able to access all the pages.

    Role "User1" is able to access only "user1.aspx" and "Home.aspx".

    Role "User2" is able to access only "Home.aspx".

    Like the above, I want to allow/deny pages based on the roles.

    Wednesday, June 29, 2016 11:42 AM
  • User753101303 posted

    And what happens if you add <clear/> first inside your <authorization> section, to make sure the issue is that you inherit from other rules?

    Else I'll give this a try, but to me it should just work fine without any additional code, and this is the last difference I can see with what I'm usually doing. Show perhaps all roles for the user on the protected page. You are 100% sure the account you are using is not part of the ADM role?

    Wednesday, June 29, 2016 3:49 PM
  • User-1024101449 posted

    Thanks for your reply.

    The ADM, USER1 and USER2 roles will be coming from the database.

    This will be declared in the master page. See my code for how I am fetching the role.

    ' The single role name stored in Session at login, wrapped in a one-element array.
    Dim arr As String() = {Session("RoleType")}
    ' Attach it to the principal of the current request.
    HttpContext.Current.User = New GenericPrincipal(HttpContext.Current.User.Identity, arr)

    Then this will be linked with the sitemap path. That's all.

    In that case, what do I have to do?

    Thursday, June 30, 2016 4:18 AM
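    Why the web.config rules did not fire for the poster: the roles are attached to the principal in the master page, which runs after UrlAuthorizationModule has already evaluated the request, and Session (where the roles live) is not even available at that earlier stage. An added example (not code from this thread) of a master page that keeps the roles in Session("RoleType") as the poster does, and then re-evaluates the same web.config <location> rules for the requested page with UrlAuthorizationModule.CheckUrlAccessForPrincipal, so one check covers every page instead of a hard-coded IsInRole per page. Assumptions: the master page class is named SiteMaster, and UnAuthorizedAccess.aspx exists and is not itself denied in web.config.

```vbnet
' Added example, not code from this thread. Site.master.vb for the case where
' the roles stay in Session("RoleType"). Session is populated after
' UrlAuthorizationModule has already run, so the web.config <location>
' rules are evaluated again here, now with the roles attached.
Imports System
Imports System.Security.Principal
Imports System.Web.Security

Partial Class SiteMaster
    Inherits System.Web.UI.MasterPage

    Protected Sub Page_Init(sender As Object, e As EventArgs) Handles Me.Init
        ' Accept either a single role name or an array, as both appear in the thread.
        Dim roles As String() = TryCast(Session("RoleType"), String())
        If roles Is Nothing Then
            Dim roleName As String = TryCast(Session("RoleType"), String)
            roles = If(String.IsNullOrEmpty(roleName), New String() {}, New String() {roleName})
        End If
        Context.User = New GenericPrincipal(Context.User.Identity, roles)

        ' Same decision UrlAuthorizationModule makes from <allow>/<deny> in
        ' web.config, for the page actually requested ("~/Searchpage.aspx" etc.),
        ' so a tampered URL is refused by the configured rules, not by a per-page
        ' role name in code.
        Dim requested As String = Request.AppRelativeCurrentExecutionFilePath
        If Not UrlAuthorizationModule.CheckUrlAccessForPrincipal(requested, Context.User, Request.HttpMethod) Then
            Response.Redirect("~/UnAuthorizedAccess.aspx", True)
        End If
    End Sub
End Class
```

    Two caveats for this approach: a page that does not use this master page is not covered at all (a shared base Page class is the safer place for the check), and the roles are only as trustworthy as whatever put them in Session at login, since nothing in the pipeline re-derives them per request.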