diff --git a/csharp/ql/src/Security Features/CWE-285/MVC.cs b/csharp/ql/src/Security Features/CWE-285/MVC.cs index 58575993482..291c4544456 100644 --- a/csharp/ql/src/Security Features/CWE-285/MVC.cs +++ b/csharp/ql/src/Security Features/CWE-285/MVC.cs @@ -5,7 +5,7 @@ public class ProfileController : Controller { ... } - // GOOD: The `Authorize` tag is used. + // GOOD: The `Authorize` attribute is used. [Authorize] public ActionResult Delete(int id) { ... diff --git a/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.qhelp b/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.qhelp index a81e71a8da9..d65d6010a2f 100644 --- a/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.qhelp +++ b/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.qhelp @@ -5,8 +5,8 @@

-Sensitive actions, such as editing or deleting content, or accessing admin pages, should have authentication checks -to ensure that they cannot be used by arbitrary users. +Sensitive actions, such as editing or deleting content, or accessing admin pages, should have authorization checks +to ensure that they cannot be used by malicious actors.

@@ -14,9 +14,9 @@ to ensure that they cannot be used by arbitrary users.

Ensure that proper authorization checks are made for sensitive actions. -For WebForms applications, the authorazation tag in Web.config XML files +For WebForms applications, the authorization tag in Web.config XML files can be used to implement access control. The System.Web.UI.Page.User property can also be -used to verify a user's roles. +used to verify a user's role. For MVC applications, the Authorize attribute can be used to require authorization on specific action methods.

@@ -25,7 +25,7 @@ action methods.

-In the following WebForms example, the case marked BAD has no authorization checks; whereas the +In the following WebForms example, the case marked BAD has no authorization checks whereas the case marked GOOD uses User.IsInRole to check for the user's role.

@@ -33,22 +33,22 @@ case marked GOOD uses User.IsInRole to check for the user's role.

The following Web.config file uses the authorization tag to deny access to anonymous users, -in a location> tag to have it apply to a specific path. +in a location tag to have that configuration apply to a specific path.

In the following MVC example, the case marked BAD has no authorization -checks; whereas the case marked GOOD uses the Authorize attribute. +checks whereas the case marked GOOD uses the Authorize attribute.

-
  • Page.User Property - Microsoft Learn
  • -
  • Control authorization permissions in an ASP.NET application - Microsoft Learn
  • -
  • Simple authorization in ASP.NET Core - Microsoft Learn
  • +
  • Page.User Property - Microsoft Learn.
  • +
  • Control authorization permissions in an ASP.NET application - Microsoft Learn.
  • +
  • Simple authorization in ASP.NET Core - Microsoft Learn.
  • diff --git a/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.ql b/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.ql index dccb72e01ce..52c02c05445 100644 --- a/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.ql +++ b/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.ql @@ -1,6 +1,6 @@ /** * @name Missing function level access control - * @description Sensitive actions should have authorization checks to prevent them from being used by arbitrary users. + * @description Sensitive actions should have authorization checks to prevent them from being used by malicious actors. * @kind problem * @problem.severity warning * @security-severity 7.5
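Review bot: In the MVC.cs hunk, the GOOD case shows a bare `[Authorize]` on `Delete(int id)`, which only requires an authenticated user and does not check a role, so the comment "The `Authorize` attribute is used" is accurate but the example is weaker than the WebForms counterpart that calls `User.IsInRole`. Consider `[Authorize(Roles = "Admin")]` (or a policy) on the Delete action so the good example demonstrates authorization rather than just authentication, matching the "authorization checks" wording the qhelp now uses.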
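Review bot: In the first MissingAccessControl.qhelp hunk (@@ -5,8 +5,8 @@), replacing "arbitrary users" with "malicious actors" narrows the risk statement too much: a missing authorization check also lets ordinary authenticated but unprivileged users perform the action, which is the core of CWE-285. "unauthorized users" would be more precise; the switch from "authentication checks" to "authorization checks" in the same hunk is correct and should stay.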
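Review bot: In the @@ -14,9 +14,9 @@ hunk, "the authorization tag in Web.config XML files" would read more clearly as the `<authorization>` element, and since the later section describes nesting it inside a `<location>` element, it is worth saying here that on its own it applies to the whole application. Changing "roles" to "role" is fine given that `IsInRole` tests one role per call.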
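Review bot: The MissingAccessControl.ql hunk changes the `@description` to the same "malicious actors" phrasing as the qhelp; whatever wording is settled on for the qhelp should be applied to the `@description` in the same change so the query metadata and help text stay in sync.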