Security Code Inspection - First Look For What To Look For - Alik Levin

Alik Levin

The world of a Microsoft consultant

Security Code Inspection - First Look For What To Look For

I have found it extremely productive to start by looking for strings in the code. But which strings should you look for? And how do you look for them? By reading through the source files?

My good friend FindStr is of great help here:

So first let's find what to look for inside the compiled assemblies:

Ildasm.exe secureapp.dll /text | findstr ldstr

This should produce all the strings found in the assembly (ldstr is the IL instruction that loads a string literal).

This is what I've got using it:

Wouldn't it trigger you to think of authorization data doing a round trip, and thus vulnerable to tampering and elevation of privileges?

Wouldn't it trigger you to think there is some custom authentication mechanism that could potentially be vulnerable, thus enabling identity spoofing?

Wouldn't it trigger you to think...

So once you have these strings, use the same FindStr to find the actual source files to inspect:

findstr /S /M /I /d:c:\projects\yourweb "StringOfInterestGoesHere" *.cs
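
The two steps above combined into one script, as an added example that is not from the original post: it pulls the ldstr literals out of saved `ildasm /text` output, groups them by the review question they raise, and lists the source files that contain them. The keyword buckets, function names and sample data are assumptions constructed for illustration.

```python
import re

# Quoted operand of ldstr in `ildasm /text` output; escaped quotes stay inside.
LDSTR = re.compile(r'\bldstr\s+"((?:[^"\\]|\\.)*)"')

# Assumed keyword buckets (not from the original post); tune per application.
BUCKETS = {
    "authorization": ("role", "admin", "permission", "privilege"),
    "authentication": ("password", "login", "token", "credential"),
}

def extract_strings(il_text):
    """Distinct non-empty ldstr literals, in first-seen order."""
    found = (m.group(1) for m in LDSTR.finditer(il_text))
    return list(dict.fromkeys(s for s in found if s))

def triage(strings):
    """Group literals by the review question they should raise."""
    hits = {}
    for s in strings:
        for bucket, words in BUCKETS.items():
            if any(w in s.lower() for w in words):
                hits.setdefault(bucket, []).append(s)
    return hits

def files_containing(literal, sources):
    """Like `findstr /M /I` over a {path: text} mapping."""
    needle = literal.lower()
    return sorted(p for p, text in sources.items() if needle in text.lower())

# Constructed sample input, shaped like ildasm /text output.
SAMPLE_IL = r'''
  IL_0001:  ldstr      "UserRole"
  IL_0006:  call       string [mscorlib]System.String::Concat(string, string)
  IL_0010:  ldstr      "IsAdmin"
  IL_0015:  ldstr      "SELECT pwd FROM users WHERE login = \""
  IL_001a:  ldstr      "UserRole"
  IL_0020:  ldstr      "Welcome back"
'''
# Constructed stand-in for the *.cs tree.
SAMPLE_SOURCES = {
    "Default.aspx.cs": 'ViewState["UserRole"] = role;',
    "Login.aspx.cs": 'if (Request.Cookies["isadmin"] != null) { }',
}

if __name__ == "__main__":
    for bucket, found in triage(extract_strings(SAMPLE_IL)).items():
        for s in found:
            print(bucket, repr(s), files_containing(s, SAMPLE_SOURCES))
```
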

Cheers

Comments

alik levin's wrote:

It's Between Your Ears Why? Because "Security is man-vs-man and humans are intelligent." - more about

# February 14, 2007 7:11 AM

alik levin's wrote:

Reposted from Security Code Inspection - First Look For What To Look For for further reuse on this blog.

# March 20, 2007 11:15 PM