
Alik Levin

The world of a Microsoft consultant

This is How They Will Discover Secrets You Hide

If you publish your code on the internet, then first They will use Google Code Search. For example, try searching for "initial catalog":

http://www.google.com/codesearch?q=%22initial+catalog%22&hl=en

If They are lucky and have your binaries, then Reflector might help in looking for juicy hard-coded strings, but I believe They will choose to pull out all the strings with a simple tool that ships with Windows, FindStr, in conjunction with ILDASM, which ships with the .NET SDK or Visual Studio.

Like this:

    Ildasm.exe secureapp.dll /text | findstr ldstr

    IL_000c: ldstr "RegisterUser"
    IL_0027: ldstr "@userName"
    IL_0046: ldstr "@passwordHash"
    IL_003e: ldstr "Logon successful: User is authenticated"
    IL_0050: ldstr "Invalid username or password"
    IL_0001: ldstr "Server=AppServer;database=users; username='sa'; password=password"
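To turn the same ILDASM-plus-FindStr pass into a repeatable check on your own build output, here is an added example (not code from the post) that parses the ldstr lines and flags connection strings, separating those that embed a password from those that rely on Windows authentication. The ildasm lines below are constructed; the literals mirror the ones shown above.

```python
import re

# Constructed sample of `ildasm app.dll /text | findstr ldstr` output; the
# literals mirror the post, plus a Windows-auth string and an escaped quote.
SAMPLE_ILDASM = r'''
    IL_000c:  ldstr      "RegisterUser"
    IL_0027:  ldstr      "@userName"
    IL_0046:  ldstr      "@passwordHash"
    IL_003e:  ldstr      "Logon successful: User is authenticated"
    IL_0050:  ldstr      "Invalid username or password"
    IL_0001:  ldstr      "Server=AppServer;database=users; username='sa'; password=password"
    IL_0012:  ldstr      "Data Source=.;Initial Catalog=users;Integrated Security=SSPI"
    IL_0019:  ldstr      "say \"hi\""
'''

# The quoted operand of an ldstr line, allowing ildasm's backslash escapes.
LDSTR_RE = re.compile(r'ldstr\s+"((?:[^"\\]|\\.)*)"')
ESCAPES = {'"': '"', '\\': '\\', 'n': '\n', 't': '\t'}

# Connection-string keys that carry a secret (SqlClient accepts both spellings).
SECRET_KEYS = re.compile(r"\b(password|pwd)\s*=", re.IGNORECASE)
# Keys that mark the literal as a connection string at all.
CONN_KEYS = re.compile(r"\b(server|data source|initial catalog|database)\s*=", re.IGNORECASE)


def extract_ldstr(text):
    """Return every ldstr operand in the ildasm text, with escapes resolved."""
    unescape = lambda m: ESCAPES.get(m.group(1), m.group(1))
    return [re.sub(r'\\(.)', unescape, m.group(1)) for m in LDSTR_RE.finditer(text)]


def classify(literal):
    """'secret' if the literal embeds a password, 'connection' if it is a
    connection string without one (e.g. Windows authentication), else None."""
    if SECRET_KEYS.search(literal):
        return "secret"
    if CONN_KEYS.search(literal):
        return "connection"
    return None


def find_hardcoded(text):
    """Return (kind, literal) pairs an inspector should look at, in IL order."""
    tagged = [(classify(s), s) for s in extract_ldstr(text)]
    return [(kind, s) for kind, s in tagged if kind]


if __name__ == "__main__":
    for kind, literal in find_hardcoded(SAMPLE_ILDASM):
        print(f"{kind:<10} {literal}")
```

Pipe real `ildasm /text` output into `find_hardcoded` and fail the build on any "secret" finding; "connection" findings are worth a look but are what a Windows-authentication string legitimately looks like.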

How do you protect yourself?

  • Do not hard-code sensitive information.
  • Use Windows authentication whenever possible, thus avoiding managing credentials at all.
  • Use platform features to protect sensitive information that you must store.

Full how-to index here: http://msdn.microsoft.com/library/en-us/dnpag2/html/SecurityHowTosIndex.asp?frame=true

Cheers

Comments

alik levin's wrote:

I found it extremely productive to first look for strings in the code. But what strings to look for?

January 3, 2007 2:22 PM

alik levin's wrote:

Reposted from Security Code Inspection - First Look For What To Look For for further reuse on this blog.

March 20, 2007 11:15 PM