.NET Misconfiguration: Use of Impersonation
This vulnerability occurs when a .NET application is configured to run with impersonation, potentially granting it excessive system-level permissions that attackers could exploit.
In .NET applications, impersonation allows the server-side code to execute using the identity of the client user who made the request. Instead of handling authentication within the application code, it relies on credentials passed from the web server (like IIS). This means the application operates with the same file system and resource permissions as that specific user, shifting access control responsibility entirely to the underlying NTFS settings. While this can simplify code by outsourcing authorization checks, it creates significant risk. If an attacker compromises a user account or finds a way to escalate privileges, the application will act on those elevated permissions. This configuration essentially bypasses the application's own security layers, making it dependent on correct filesystem permissions and opening paths to unauthorized data access or system manipulation.
Impact: Gain Privileges or Assume Identity