We are developing a big MVC application, and the number of published end-points (Controller Actions) to audit for properly assigned authorization attributes is getting out of hand.
In WinForms, each aspx file is the end-point, so I can easily audit files and folders. Things in MVC are different. I am looking for a tool based on reflection that searches the actions in all controllers available in the solution and gives me a list with the assigned [Authorize] attribute. Is such a tool or technique available?
If such a tool is not available, how can I audit the security attack surface of an MVC application? A new developer can easily add an action to a controller class (we have many controllers and can't inspect them manually), and the action becomes available to the public.
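One way to do the reflection audit asked about above, as an added example that is not part of the original post: it lists every public action and whether `[Authorize]` or `[AllowAnonymous]` applies at action or controller level. The stand-in `Controller` and attribute classes, the sample controllers, `ActionAudit` and the status labels are constructed for illustration; attributes are matched by type name, so the same check applies to the real `System.Web.Mvc` types when a compiled web assembly is passed in.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Constructed stand-ins and sample controllers so the audit runs without System.Web.Mvc.
public class Controller { }
public class AuthorizeAttribute : Attribute { public string Roles { get; set; } }
public class AllowAnonymousAttribute : Attribute { }
public class NonActionAttribute : Attribute { }
[Authorize] public class AccountController : Controller {
    public object Index() => null;                        // covered by the class-level attribute
    [AllowAnonymous] public object Login() => null;       // deliberately public
}
public class ReportController : Controller {
    [Authorize(Roles = "Admin")] public object Export() => null;
    public object Preview() => null;                      // no attribute anywhere
    [NonAction] public object Helper() => null;           // not routable, skipped
}

public static class ActionAudit {
    // True if the member carries the named attribute or a subclass of it.
    static bool Has(MemberInfo m, string attr) {
        foreach (var a in m.GetCustomAttributes(true))
            for (var t = a.GetType(); t != null; t = t.BaseType)
                if (t.Name == attr) return true;
        return false;
    }
    // True if some ancestor of t is named "Controller" (excludes the base class itself).
    static bool IsController(Type t) {
        for (var b = t.BaseType; b != null; b = b.BaseType)
            if (b.Name == "Controller") return true;
        return false;
    }
    // Filters registered globally at startup are not visible to reflection.
    public static IEnumerable<string> Audit(Assembly asm) {
        foreach (var t in asm.GetTypes().Where(x => x.IsPublic && !x.IsAbstract && IsController(x)))
            foreach (var m in t.GetMethods(BindingFlags.Public | BindingFlags.Instance)) {
                // Skip property accessors, inherited framework methods and [NonAction] helpers.
                if (m.IsSpecialName || !IsController(m.DeclaringType) || Has(m, "NonActionAttribute")) continue;
                string status =
                    Has(m, "AllowAnonymousAttribute") || Has(t, "AllowAnonymousAttribute") ? "ANONYMOUS (explicit)"
                    : Has(m, "AuthorizeAttribute") || Has(t, "AuthorizeAttribute") ? "authorized"
                    : "UNPROTECTED (no attribute)";
                yield return $"{t.Name}.{m.Name}: {status}";
            }
    }
    public static void Main() {
        foreach (var line in Audit(Assembly.GetExecutingAssembly())) Console.WriteLine(line);
    }
}
```

Run as a unit test or build step, the same loop can fail the build whenever an action comes back unprotected, which catches a newly added action before it ships.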