Alik Levin's

Clarity, Technology, and Solving Problems | PracticeThis.com 

March, 2007

  • Alik Levin's

    Security Code Inspection - Eternal Search For SQL Injection

    • 6 Comments

    Here are couple of techniques I used for searching hints of SQL Injections in .Net apps.

    The basic approach is described here http://msdn2.microsoft.com/en-us/library/ms998399.aspx. It is basically split into two major parts - preliminary scan and the detailed scan. The keyword is hotspot - find hotspot and  investigate it accordingly. Hotspot can be something around SQL injection or XSS. I personally like calling it hints rather hotspot.

    Here are some techniques I used during preliminary scan to find hints for SQL Injection:

     

    This technique allows to dump all the strings from compiled assemblies. It is very useful when looking for sensitive data in it but along the way one can recognize funny things:

    that can provide some hints for further investigation.

    ILDASM and FindStr are our friends with this technique. Resulting dump can be investigated using ... Outlook 2007 - Security .Net Code Inspection Using Outlook 2007:

     

    • Look inside source code

    This techniques assumes you one knows what to look for - it can be hints gathered from previous step or just finding all instances of OdbcCommand, OleDbCommand, OracleCommand, SqlCommand, SqlCeCommand usage.

    FindStr is of great help here and the syntax would look like : FindStr /S /M /I /d:c:\projects\yourweb "SqlCommand" *.cs

    from http://msdn2.microsoft.com/en-us/library/aa302437.aspx

    FindStr uses the following command-line parameters:

    • /S — include subdirectories.
    • /M — list only the file names. No actual matches displayed.
    • /I — use a case insensitive search.
    • /D:dir — search a semicolon-delimited list of directories. If the file path you want to search includes spaces, surround the path in double quotes.

    Incase where Visual Studio is at hand same result (I presume FindStr is used under the cover) can be achieved by pressing ctrl+shift+f. This command brings up "Find In Files" dialog box:

    and the result is:

    (file and the string match == FindStr /S /I /d:c:\projects\yourweb "SqlCommand" *.*)

    Looking at the match one can decide to look further into it or not.

     

    Run FxCop with ReviewSqlQueriesForSecurityVulnerabilities rule checked:

    Do not include any other checks - FxCop consumes tones of memory, and it may be a problem with large projects that include many DLL's.

    Seems like FxCop approach is most efficient since it knows how to get hold on those hints where XXXComand object is used and CommandText property includes string that was built dynamically.

     

    Do not fall in trap of false positives and false negatives - tools are great but the best tool is between your ears

    False positives  - it is situation when the tool finds the issue but from detailed inspection it is not. For example, FxCop spots the code like this:

    string sql = "SELECT NAME, DESCN FROM PRODUCT WHERE NAME ='" + searchCriteria + "'"

    SqlCommand cmd = new SqlCommand(sql, con);

    Is it a problem? Depends where searchCriteria value comes from - if it is user controlled then YES, otherwise not [sure].

    False negatives  - it is situation where the tool does not find anything but the problem actually exists and only manual detailed scan can reveal it.

    While false positives just consume more energy while manually inspecting the findings, false negatives leave bad stuff undiscovered, which is I think worse.

    Conclusion

    While tools are vital and usually boost the productivity when inspecting the code for security vulnerabilities, it is important to have right set of expectations from those tools - what it can and what it cannot do. Remember the best tool is between your ears (original version by JD

    :)

    Enjoy

  • Alik Levin's

    Different Ways To Get Hold On Certificates - Net FX 1.1, 2.0

    • 1 Comments

    Net FX 1.1:

    First, one need to export certificate to file (no private keys exported), from

    http://msdn2.microsoft.com/en-us/library/aa302408.aspx

    // TODO: Replace with a valid path to your certificate
    string certPath = @"C:\WSClientCert.cer"

    // create an X509Certificate object from the information
    // in the certificate export file and add it to the


    X509Certificate.CreateFromCertFile(certPath));

    Net FX 2.0:

    2.0 has new classes to get hold on cert directly from cert store, from http://msdn.microsoft.com/msdnmag/issues/07/03/netsecurity/default.aspx 

     

    static X509Certificate2 FindCertificate(
    StoreLocation location, StoreName name,
    X509FindType findType, string findValue)
    {
         X509Store store = new X509Store(name, location);
         try
         {
              // create and open store for read-only access
              store.Open(OpenFlags.ReadOnly);
              // search store
              X509Certificate2Collection col = store.Certificates.Find(findType, findValue,true);


              // return first certificate found
              return col[0];
         }
         // always close the store
         finally { store.Close(); }
    }

    Enjoy

  • Alik Levin's

    Lifetime Decision is Tomorrow

    • 0 Comments

    I am trying hard to post purely technical articles to my blog but today I am overwhelmed with strong personal feeling I want to share with the world - tomorrow I am going to negotiate the prices and conditions for the house of my dreams.

    I know it may taint my blog but I am taking this chance anyway - I guess next time such post I'll post next time I buy another house which will happen not very soon :).

    If you guys have some practical advice for me - shoot.

     

    Thanks and wish me luck

Page 1 of 9 (25 items) 12345»