Code Inspection - First Look For What To Look For

Reposted from Security Code Inspection - First Look For What To Look For for further reuse on this blog.

I have found it extremely productive to first look for string literals in the code. But which strings to look for? And how to look for them: by reading through the source files?

My good friend FindStr is of great help here:

So first let's find what to look for:

Ildasm.exe secureapp.dll /text | findstr ldstr

This is what I've got using it:

Wouldn't it make you think of authorization data making a round trip, and therefore being vulnerable to tampering and elevation of privilege?

Wouldn't it make you think there is some custom authentication mechanism that could potentially be vulnerable, thus enabling identity spoofing?

Wouldn't it make you think...

So once you have these strings, use the same FindStr to find the actual files to inspect:

findstr /S /M /I /d:c:\projects\yourweb "StringOfInterestGoesHere" *.cs
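As an added example (not code from the original post), here is a small Python script that does the triage of the piped `ldstr` output for you: it decodes the literals ildasm prints (both the quoted form and the `bytearray` form), groups them by the kind of hint the post asks about, and builds the follow-up findstr command for each one. The IL lines, the theme keyword lists and the `c:\projects\yourweb` root are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of what "ildasm.exe app.dll /text | findstr ldstr" prints
# for a hypothetical assembly (not output from the post).
SAMPLE_IL = """\
  IL_0001:  ldstr      "IsAdmin"
  IL_0010:  ldstr      "SELECT * FROM Users WHERE Name = '"
  IL_0020:  ldstr      "Data Source=db1;User Id=sa;Password=s3cret"
  IL_0030:  ldstr      "Welcome, "
  IL_0040:  ldstr      "X-Auth-Token"
  IL_0050:  ldstr      bytearray (52 00 6F 00 6C 00 65 00 )
  IL_0060:  ldstr      "Say \\"hi\\""
"""
# ildasm prints a literal as a \-escaped quoted string or, for non-printable
# content, as a UTF-16LE "bytearray (..)"; both forms are handled below.
LDSTR_QUOTED = re.compile(r'ldstr\s+"((?:[^"\\]|\\.)*)"')
LDSTR_BYTES = re.compile(r"ldstr\s+bytearray\s*\(([0-9A-Fa-f\s]+)\)")
ESCAPES = {"n": "\n", "t": "\t", "r": "\r"}
# Hints worth chasing into the source, in the spirit of the post's questions.
THEMES = {
    "authorization": r"admin|role|permission|allow|deny|privilege",
    "authentication": r"auth|token|login|password|pwd|credential",
    "sql": r"\b(select|insert|update|delete|from|where)\b",
    "connection": r"data source|server=|initial catalog|user id=",
}

def extract_ldstr(il_text):
    """Return every ldstr literal in order, escapes and bytearrays decoded."""
    out = []
    for line in il_text.splitlines():
        if m := LDSTR_QUOTED.search(line):
            out.append(re.sub(r"\\(.)", lambda e: ESCAPES.get(e[1], e[1]), m[1]))
        elif m := LDSTR_BYTES.search(line):
            out.append(bytes.fromhex("".join(m[1].split())).decode("utf-16-le"))
    return out

def classify(literals):
    """Group literals by the theme they hint at; one literal may hit several."""
    hits = defaultdict(list)
    for lit in literals:
        for theme, pattern in THEMES.items():
            if re.search(pattern, lit, re.IGNORECASE):
                hits[theme].append(lit)
    return dict(hits)

def findstr_command(literal, root=r"c:\projects\yourweb"):
    """Second step of the post; /C: keeps a literal containing spaces as one search string."""
    return f'findstr /S /M /I /C:"{literal}" /d:{root} *.cs'
```

Without `/C:`, findstr treats each space-separated word in the quoted string as a separate search term, so a literal such as the SQL fragment above would match far more files than intended.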

Cheers

Comments

# alik levin's said on March 26, 2007 10:04 AM:

In my previous post, Code Inspection - First Look For What To Look For , I've described how to look for

# alik levin's said on March 31, 2007 4:04 PM:

Here are couple of techniques I used for searching hints of SQL Injections in .Net apps. The basic approach

# alik levin's said on April 18, 2007 1:47 PM:

Imagine if security was cool like Silverlight .... But security is not that cool, so the biggest challenge

# alik levin's said on July 6, 2007 4:49 PM:

Are you using Typed DataSet as DTO (data transfer object) ? Are you building distributed systems where

# alik levin's said on December 1, 2007 9:16 AM:

DIR /S /B /A:-D I use simple DIR command to generate file lists. It serves me in many scenarios. For

# alik levin's said on January 24, 2008 8:38 AM:

How to streamline the process of capturing security flaws during security code review? How to save time

# alik levin's said on March 17, 2008 10:56 AM:

Want to quickly check your ASP.NET Web application for Cross Site Scripting (XSS) vulnerability ? It

# ACE Team - Security, Performance & Privacy said on July 24, 2008 4:17 PM:

"The hardest thing of all is to find a black cat in a dark room, especially if there is no cat."
