BartWullems's blog is a platform for sharing insights and expertise in Microsoft technologies, software development best practices, and programming tutorials. Through articles, code samples, and technical discussions, BartWullems offers insights into building scalable, maintainable, and performant software applications using Microsoft technologies such as .NET, Azure, and Visual Studio. Readers can learn about design patterns, development techniques, and tooling recommendations to enhance their skills and productivity as Microsoft developers. Additionally, BartWullems provides updates on the latest developments in Microsoft ecosystem, community events, and industry trends to help developers stay informed and engaged in the Microsoft developer community.

The Art of Simplicity

A legacy ASP.NET MVC application had a silent security bug caused by the framework's filter deduplication behavior. When the same attribute type (with AllowMultiple = false) was registered both as a global filter and as a controller-level attribute, ASP.NET MVC silently discarded the global filter, keeping only the more-specific controller-level one. The intended layered authorization (global baseline + controller-specific permission check) collapsed into just the controller-level check, leaving the specific permission unvalidated — a Broken Access Control vulnerability (OWASP Top 10 #1). The fix involved setting AllowMultiple = true on the attribute, auditing all filter type collisions, and documenting the behavior in internal guidelines.

The silent filter: How an ASP.NET MVC quirk became a security leak