Description
Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.
The use of impersonated credentials allows an ASP.NET application to run with either the privileges of the client on whose behalf it is executing or arbitrary privileges granted to a fixed account named in its configuration.
Potential Impact
Access Control
Gain Privileges or Assume Identity
Mitigations & Prevention
Use the least privilege principle.
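As an added example (not part of the CWE entry), the following web.config fragment shows the weak setting that introduces CWE-556 next to the hardened setting; the account name and the `...` password value are hypothetical placeholders:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: ASP.NET web.config (system.web section) for CWE-556 -->
<configuration>
  <system.web>
    <authentication mode="Windows" />

    <!-- WEAK (CWE-556): impersonation enabled. Each request runs either as the
         authenticated client, or, when userName/password are set, as the fixed
         account below. Both forms grant the application privileges it does not
         need, and the fixed form also stores a credential in plain text.
         Kept commented out here for comparison; hypothetical account name. -->
    <!--
    <identity impersonate="true" userName="CORP\svc-webapp" password="..." />
    -->

    <!-- HARDENED (least privilege): impersonation disabled. The application
         runs under the worker process (application pool) identity, which is
         then granted only the file, database and network rights it requires. -->
    <identity impersonate="false" />
  </system.web>
</configuration>
```

A quick audit is to search every deployed web.config for `impersonate="true"`; any match that also carries `userName` and `password` attributes stores a credential in plain text in the configuration file.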
Related Weaknesses
Frequently Asked Questions
What is CWE-556?
CWE-556 (ASP.NET Misconfiguration: Use of Identity Impersonation) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.
How can CWE-556 be exploited?
Attackers can exploit CWE-556 (ASP.NET Misconfiguration: Use of Identity Impersonation) to gain privileges or assume an identity. This weakness is typically introduced during the Implementation and Operation phases of software development.
How do I prevent CWE-556?
Key mitigations include: Use the least privilege principle.
What is the severity of CWE-556?
CWE-556 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.