ASP.NET Misconfiguration: Use of Identity Impersonation

Status: Incomplete
Abstraction: Variant
Structure: Simple
Description

Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.

Extended Description

The use of impersonated credentials allows an ASP.NET application to run either with the privileges of the client on whose behalf it is executing or with arbitrary privileges granted in its configuration.
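
The two cases above can be checked for in a deployed `web.config`. The following is an added example, not part of the original entry: it assumes impersonation is set through the `<identity>` element under `<system.web>`, and the function name `find_impersonation` and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; the account name and password are placeholders.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <identity impersonate="true" />
  </system.web>
  <location path="admin">
    <system.web>
      <identity impersonate="true" userName="placeholder-account" password="placeholder" />
    </system.web>
  </location>
  <location path="public">
    <system.web>
      <identity impersonate="false" />
    </system.web>
  </location>
</configuration>
"""

def find_impersonation(config_xml):
    """Return one finding per <identity> element that enables impersonation."""
    root = ET.fromstring(config_xml)
    # The top-level <system.web> applies to the whole application;
    # each <location> block can override it for one path.
    scopes = [("(application)", root)]
    scopes += [(loc.get("path", "(all)"), loc) for loc in root.findall("location")]
    findings = []
    for scope, node in scopes:
        for web in (child for child in node if child.tag == "system.web"):
            for identity in web.findall("identity"):
                if identity.get("impersonate", "false").strip().lower() != "true":
                    continue
                # userName present: runs as a fixed account named in the config.
                # userName absent: runs as the identity of the requesting client.
                fixed = identity.get("userName") is not None
                findings.append({
                    "scope": scope,
                    "mode": "fixed-account" if fixed else "client-identity",
                    "password_in_config": identity.get("password") is not None,
                })
    return findings

if __name__ == "__main__":
    for finding in find_impersonation(SAMPLE_WEB_CONFIG):
        print(finding)
```

Each finding is a prompt to confirm that the impersonated identity holds only the privileges the application needs.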

Common Consequences
Scope: Access Control

Impact: Gain Privileges or Assume Identity

Potential Mitigations
Phase: Architecture and Design
Use the least privilege principle.

Modes of Introduction
Phase: Implementation
Phase: Operation
Related Weaknesses