Performance Gain - Security Risk

Reposted from Performance Gain - Security Risk

Good intention for better performance may lead to flawed design and bring in more security risks.

Consider the following ASPX page:

Here is why it cannot be accessed:

When trying to navigate there you get:

Great, love URL authorization!!

Now let's examine another ASPX page:

When navigating to this page you surprisingly get this:

The reason for that is when using Server.Transfer the request to the second page does not go through the whole ASP.NET pipeline which includes URL Authorization module

Security part is here https://msdn2.microsoft.com/en-us/library/ms998375.aspx

Performance part is here https://msdn2.microsoft.com/en-us/library/ms998549.aspx 

Performance and Security has never been good friends - fortunately we have J.D. who is bridging the two letting us enjoy both.

Enjoy

Comments

• Anonymous
  April 09, 2007
  Server.Transfer raises ThreadAbortException,so it may be faster, but not scalable.There are also other disadvantages like you mentioned.

• Anonymous
  April 09, 2007
  Anatoly, thanks for comment! In my post i did not try to show Server.Transfer as disadvatageous one - not at all. I tried to make one aware what Server.Trasnfer may cause as a result of flawed design. BTW,  - you have very nice blog

• Anonymous
  January 21, 2008
  Care about performance? Do you write your code with performance in mind? Want little help to spot performance

• Anonymous
  July 24, 2008
  These are the questions and the search criteria I use to identify authorization vulnerabilities in the