Config Files Wildcard Allow Users
Description
Detects overly permissive authorization settings in .NET configuration files where all users are allowed access using wildcard (*) configuration. This misconfiguration can expose protected resources to unauthorized users by bypassing access controls.
Detection Strategy
• Scan .NET configuration files for XML authorization elements
• Look for <authorization> sections that contain <add> elements
• Check if the <add> element has both accessType='Allow' and users='*' attributes
• Report a vulnerability if wildcard (*) user access is configured
Vulnerable code example
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<authorization>
<add accessType="Allow" users="*" /> <!-- VULNERABLE: Overly permissive rule allows all users, making subsequent deny rules ineffective -->
<add accessType="Deny" users="*" />
</authorization>...✅ Secure code example
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" /> <!-- Disable anonymous access for better security -->
<basicAuthentication enabled="true" />
</authentication>...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.