Alik Levin's

Clarity, Technology, and Solving Problems | PracticeThis.com 

December, 2007


    Avoid Manipulating Passwords In Memory - It Is Easy To Reveal


    Revealing clear text passwords in memory seems to be a trivial task. This post describes how to reveal clear text passwords and what countermeasures to apply.

    Summary of steps:

    • Install WinDbg
    • Attach to process or open dump file
    • Load SOS .Net extensions for WinDbg
    • Enumerate threads
    • Enumerate objects in thread
    • Dump object's values
    • Countermeasures and guidelines

    Install WinDbg

    Download and install WinDbg as described in How to install Windbg and get your first memory dump.

    Attach to process or open dump file

    WinDbg can analyze both running processes and memory dumps, which can conveniently be taken offsite for further investigation. I've created a simple console application that accepts a user name and password pair as its parameters and stores them in local variables in memory:

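    using System;

    class SecretsInMemory
    {
        static void Main(string[] args)
        {
            // Both values live on the managed heap as System.String objects
            string userName = Console.ReadLine();
            string password = Console.ReadLine();

            // Keep the process alive so a debugger can attach or a dump can be taken
            Console.ReadLine();
        }
    }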

    Compile and run the application. I called it SecretsInMemory.

    Attach WinDbg to the running application by opening File->Attach to a Process, then press OK.

    Alternatively, we can create a dump file. For a detailed how-to, refer to How to install Windbg and get your first memory dump.

    To investigate the resulting dump file in WinDbg, open File->Open Crash Dump.

    Load SOS .Net extensions for WinDbg

    To analyze .Net assemblies we need to load the .Net extensions by typing .load sos and hitting Enter.

    Enumerate threads

    Run the !threads command to list the available threads, and then choose a specific thread. Use the leftmost column for thread identification, as follows: ~[thread number goes here]s

    Enumerate objects in thread

    Use the !dso command to dump all objects in the thread.

    Dump object's values

    Use !do <object address> to dump a specific object's values. The object address is the second column in the list generated by the !dso command, the column named "Object". Just copy and paste it.

    The password is revealed either by attaching to the process or analyzing a crash file that was taken offsite.

    Countermeasures and guidelines

    As a rule of thumb, avoid custom-built identification and authentication mechanisms and leverage those that the infrastructure offers, preferably Windows Integrated authentication. Where all options are exhausted and there is no other way but to accept end user credentials, refer to the following article: Using Credential Management in Windows XP and Windows Server 2003. The techniques described in the article leverage the built-in mechanism for accepting credentials from the end user in a more secure manner. They also keep a common, familiar look and feel across the custom application and the built-in Windows mechanisms, leaving less room for end user confusion.
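    Where an application has no choice but to read a password itself, the exposure shown in the walkthrough can be narrowed by never placing the secret in a System.String and by overwriting the buffer after use. The following is an added example, not code from the original post; the class name and the 128-character limit are assumptions.

```csharp
using System;

class SecretsInMemoryHardened
{
    // Reads one line, unechoed, into a caller-owned buffer; no System.String is created.
    static int ReadSecret(char[] buffer)
    {
        int length = 0;
        while (true)
        {
            ConsoleKeyInfo key = Console.ReadKey(true); // true = do not echo the key
            if (key.Key == ConsoleKey.Enter)
                break;
            if (key.Key == ConsoleKey.Backspace)
            {
                if (length > 0)
                    buffer[--length] = '\0';
                continue;
            }
            if (key.KeyChar != '\0' && length < buffer.Length)
                buffer[length++] = key.KeyChar;
        }
        return length;
    }

    static void Main(string[] args)
    {
        string userName = Console.ReadLine();
        char[] password = new char[128]; // assumed maximum password length
        try
        {
            int length = ReadSecret(password);
            // A real application would hand the buffer to its credential check here.
            Console.WriteLine();
            Console.WriteLine("Read {0} characters for {1}", length, userName);
        }
        finally
        {
            // Overwrite the secret as soon as it is no longer needed.
            // The GC may have copied the array while compacting, so this
            // narrows the exposure window rather than removing it.
            Array.Clear(password, 0, password.Length);
        }

        // Same pause as the original sample: attach WinDbg here and
        // inspect the System.Char[] object to see what is left in it.
        Console.ReadLine();
    }
}
```

    Repeating the WinDbg steps at the final pause lists a System.String for the user name only; the password buffer is still on the heap but has been zeroed.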



    ASP.NET AJAX Control Toolkit - Basic Sample For DynamicPopulate Control


    How to dynamically populate the content of a control based on Web Service call triggered by another control? DynamicPopulate extender to the rescue:

    DynamicPopulate is a simple extender that replaces the contents of a control with the result of a web service or page method call. The method call returns a string of HTML that is inserted as the children of the target element.

    This post summarizes the basic steps of using the AJAX Control Toolkit's DynamicPopulate extender, plus a customer case study of how it was implemented with an ASP.NET Master Page for performance and UX improvement.

    Summary of steps

    • Step 1 - Create ASP.NET Web Application
    • Step 2 - Add server side code
    • Step 3 - Add DynamicPopulate extender
    • Step 4 - Add client side script to use the extender behavior
    • Step 5 - Add client side event to invoke the client script
    • Step 6 - Test the solution

    The following section describes each step in detail.

  • Step 1 - Create ASP.NET Web Application. Open Visual Studio 2008. Create a new "ASP.NET Web Application" project, found under the Web node in the "New Project" dialog. Name it DynamicPopulateSample. Add the site's Master Page by right-clicking the project in the project explorer window, then "Add" -> "New Item...", then choose the "Master Page" template from the "New Item" dialog. Leave its default name. Drag a Label control onto the Master page from the Tool Box. The Label will be dynamically updated. Add a new ASPX page by right-clicking the project in the project explorer window, then "Add" -> "New Item...", then choose "Web Content Form". Specify its Master Page by choosing Site1.Master. Name it default.aspx. Add two pure Html radio buttons to default.aspx. These will serve as a trigger to update the Label on the Master Page. Add AjaxControlToolkit.dll to the project's bin folder and add a reference to it.
  • Step 2 - Add server side code. Open default.aspx.cs code behind for default.aspx. Add the following function:
    [System.Web.Services.WebMethod]
    [System.Web.Script.Services.ScriptMethod]
    public static string GetHtml(string contextKey)
    {
        // A little pause to mimic a latent call
        // This is the place to perform server side
        // code like DB access
        System.Threading.Thread.Sleep(350);
    
        return String.Format("Persona: {0}", contextKey);
    }
  • Step 3 - Add DynamicPopulate extender. Register the AjaxControlToolkit assembly inside the page. Add the following declaration right after the <%@ Page ... %> directive:

    <%@ Register
        Assembly="AjaxControlToolkit"
        Namespace="AjaxControlToolkit"
        TagPrefix="ajaxToolkit" %>

    Add AJAX Script Manager to the page: 
    <asp:ScriptManager ID="ScriptManager1" runat="server" />

    Add DynamicPopulateExtender control to the page:

    <ajaxToolkit:DynamicPopulateExtender
        ID="dp" BehaviorID="dp1" runat="server"
        TargetControlID="form1$Label1"
        ClearContentsDuringUpdate="true"
        ServiceMethod="GetHtml" />

    Notice that TargetControlID is set to "form1$Label1". This is the Label control to be updated with the Html string returned by the server side code I described in Step 2. The $ notation means nesting: read it as "Label1 control inside form1 control". It can be any nesting depth. Save your work and then view it in the browser to make sure that no exceptions are generated.

  • Step 4 - Add client side script to use the extender behavior. So far, there is Label1 to be updated, and it is sitting in the Master page. There is the DynamicPopulateExtender that defines the behavior. There is server side code to handle the request. Now add the client script that makes the request to the server:

    <script type="text/javascript">
        function updateDateKey(value) {
            var behavior = $find('dp1');
            if (behavior) {
                behavior.populate(value);
            }
        }
        Sys.Application.add_load(function() { updateDateKey('Alik Levin'); });
    </script>

    Notice initialization function call - the last row. It invokes the client side function to call into server side for the first time when the page is rendered into the browser for the first time.

  • Step 5 - Add client side event to invoke the client script. The last part is adding the event that triggers the client side code to be invoked and thus making call to the server. Locate Html radio buttons that were created during Step 1, add onclick events to call the client side function:
    <input type="radio" 
           name="rbFormat" 
           id="r0" 
           value='alik'
           onclick="updateDateKey(this.value);" 
           checked="checked" />click to set 'alik'<br/>
    <input type="radio" 
           name="rbFormat" 
           id="Radio1" 
           onclick="updateDateKey(this.value);"
           value='levin' />click to set 'levin'
  • Step 6 - Test the solution. Save your work and view in browser. Click on the radio buttons and you should see how the Label in master page gets updated with respective values. It all happens with small delays simulated on the server by Sleep function. I think it is cool.
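    The string returned by GetHtml in Step 2 is inserted into the page as HTML, and contextKey arrives from the client, so it should be checked and encoded before it is returned. The following is an added example, not part of the original sample; the code-behind class name _Default and the list of accepted keys (the values sent in Steps 4 and 5) are assumptions.

```csharp
using System;
using System.Web;

public partial class _Default : System.Web.UI.Page
{
    // Assumption: the only valid keys are the ones the page itself sends
    // (the initial load in Step 4 and the two radio buttons in Step 5).
    private static readonly string[] AllowedKeys = { "Alik Levin", "alik", "levin" };

    [System.Web.Services.WebMethod]
    [System.Web.Script.Services.ScriptMethod]
    public static string GetHtml(string contextKey)
    {
        // Reject anything the page would never send on its own.
        if (contextKey == null || Array.IndexOf(AllowedKeys, contextKey) < 0)
        {
            return String.Empty;
        }

        // The extender inserts the return value as HTML, so encode the
        // client-supplied part even after the allowlist check. The same
        // applies to any database value formatted into the result.
        return String.Format("Persona: {0}", HttpUtility.HtmlEncode(contextKey));
    }
}
```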
    • Case Study

    I was asked by a customer to offer a solution for very responsive UX [User Experience] while avoiding annoying refresh of the web page. Natural answer was AJAX. The customer also asked to provide the solution for common look and feel. Master pages was my answer. Then another ask came through - content page must update the sidebar that is part of the Master page.... hmm A-ha! Use DynamicPopulateExtender.


    Sample VS2008 project that demonstrates DynamicPopulateExtender can be found on my SkyDrive:

     

    Watch UX [User Experience] in the video below:


    Video: DynamicPopulateExtender Demo

    Enjoy.


    Basic HttpModule Sample (Plus Bonus Case Study - How HttpModule Saved Mission Critical Project's Life)


    This post describes the basic steps to write an HttpModule and how it rescued a mission critical application from missing its deadline.

    HttpModule is the mechanism that facilitates implementing cross cutting logic for incoming ASP.NET requests. ASP.NET uses it extensively under the covers for its needs too - Session management, Authentication to mention a few. What I love most with HttpModules is that there is no need to alter the application itself - just implement IHttpModule interface and tweak web.config. That is all.

    Steps to build HttpModule

    • Step 1 Create Class Library
    • Step 2 Implement IHttpModule Interface
    • Step 3 Configure ASP.NET application to use HttpModule
    • Step 4 Test the application

    Next section describes each step in detail.

  • Step 1 Create Class Library. Fire up Visual Studio. Click "New Project" dialog, click "Visual Studio Solutions" choose "Blank Solution" and create empty solution. Name it HttpModuleSample. Right click on the solution in "Solution Explorer" and then click "Add", "New Project...". Choose "Class Library" template and name it MyHttpModuleLib. Delete default Class1.cs. Add reference to System.Web assembly.
  • Step 2 Implement IHttpModule Interface. Add a new class to the project and call it MyHttpModule. Add a using System.Web declaration. To implement the IHttpModule interface, just add : IHttpModule and let Visual Studio implement it explicitly. Register for any of the ASP.NET pipeline events, BeginRequest for example, in the Init(...) method. Set a break point in the event handler.

  • Step 3 Configure ASP.NET application to use HttpModule. Right-click the solution in Solution Explorer and add a new "ASP.NET Web Application", found under the Web node in the "Add New Project" dialog. Name it HttpModuleTestWeb. Open the application's Web.Config file and add the HttpModules node in case it is not already there. Configure the MyHttpModuleLib project output path to HttpModuleTestWeb's bin folder. To do so, right-click MyHttpModuleLib and choose Properties, go to the Build section and then to "Output path" in the output section. Build the solution with Ctrl+Shift+B.
  • Step 4 Test the application. Set HttpModuleTestWeb as the start up project and hit F5. You should hit the break point set inside the HttpModule even before the Web Application's page is accessed.

    Here I implement any logic I want to run before the page gets hit. The HttpModule serves as a filter or gatekeeper for incoming Http requests. The following case study explains how this approach saved a mission critical application.
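    A module of the kind built in Steps 1 to 4, used as a gatekeeper that checks a query string value before any page code runs. This is an added example, not the original project's code; the parameter name clientId and its allowed format are hypothetical, and the Web.config entry in the comment assumes the default namespace MyHttpModuleLib.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Web.config registration, inside <system.web>:
//   <httpModules>
//     <add name="MyHttpModule"
//          type="MyHttpModuleLib.MyHttpModule, MyHttpModuleLib" />
//   </httpModules>
namespace MyHttpModuleLib
{
    public class MyHttpModule : IHttpModule
    {
        // Hypothetical parameter name and format, chosen for illustration only.
        private const string ParamName = "clientId";
        private static readonly Regex Allowed =
            new Regex(@"^[A-Za-z0-9_-]{1,64}\z", RegexOptions.Compiled);

        public void Init(HttpApplication context)
        {
            // Runs for every request, before the page handler is selected.
            context.BeginRequest += new EventHandler(OnBeginRequest);
        }

        private void OnBeginRequest(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;
            string value = app.Request.QueryString[ParamName];

            // Requests without the parameter pass through untouched;
            // a malformed value is rejected before the application sees it.
            if (value != null && !Allowed.IsMatch(value))
            {
                app.Response.StatusCode = 400;
                app.CompleteRequest(); // skip the rest of the pipeline
            }
        }

        public void Dispose()
        {
            // Nothing to release.
        }
    }
}
```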

  • Case study

    A mission critical application was to go live in a few days. The schedule was tight. All functional and integration tests went well. The last ones were the load and stress tests. During the load test it turned out that one of the network components was crashing as a result of a memory leak. The component was sending Http Headers. We decided to configure the component to send the data in Query Strings instead of Http Headers [making the story short...]. We needed to find a way to teach the application to look for the data in Query Strings instead of Http Headers. HttpModule to the rescue!! We developed a simple HttpModule that was hijacking the request, scraping the Query String and setting the data inside the Http Headers, where the application was looking for it. Heaven. Worked like magic.

    Caveats

    Adding Http Headers in .Net is not straightforward since the collection is read only. Reflection to the rescue! The following code explains how to hack the Http Headers collection to make it writable - http://forums.asp.net/p/979853/1250479.aspx#1250479. Then we needed to drop the extra Query String before it got to the application. My search landed directly on ScottGu's RewriteUrl post - http://weblogs.asp.net/scottgu/archive/2007/02/26/tip-trick-url-rewriting-with-asp-net.aspx. What's left is to make reflection run faster by caching the type's constructor as described here - http://weblogs.asp.net/bradygaster/archive/2003/11/26/39952.aspx


    Sample VS2008 project can be found on my SkyDrive:
