ASP.NET Misconfiguration: Use of Identity Impersonation

ASP.NET's identity impersonation feature allows an application to execute code using the security permissions of the requesting user or a specific account defined in its configuration. While this can be useful for delegated access, it often results in the application running with far higher privileges than it needs to perform its core functions, violating the principle of least privilege. This creates a significant security risk because if the application is compromised, an attacker inherits these elevated privileges. This can lead to unauthorized access to files, databases, or other system resources that should be off-limits, dramatically increasing the potential impact of a breach.