C
C#ā€¢14mo ago
McBacon

āœ… Securily transporting password in .NET Framework 4.6.1

Hi. I've faced a checkmarx issue complaining that I did not erase a string containing password from the memory. The C# code fragment looks like this: ... string password = GenerateTemporaryPassword(); string token = await UserManager.GeneratePasswordResetToken(user.Id); await UserManager.ResetPasswordAsync(user.Id, token, temporaryPassword); ... GenerateTemporaryPassword() is a method returning generated string based on GUID and special signs. So the checkmarx complains when invoking the above method and assigning the result to simple string variable. My questions are: 1. Does it make sense to convert it to SecurePassoword (I know it should't be use in .NET Core and it's not the best, but I am asking anyway to be sure) considering the fact I must pass a string to ResetPasswordAsync method? Is the ResetPasswordAsync handling the plain string security well? 2. Are there any other ideas or soulutions you would recommend fot the above issue? Is there any fully secure way to handle this? Maybe accessing the assembler level?
8 Replies
Unknown User
Unknown Userā€¢14mo ago
Message Not Public
Sign In & Join Server To View
McBacon
McBaconOPā€¢14mo ago
@TeBeClone By my computer's memory dump you mean memory dump on the server where the application is deployed? That's most probably hard to get, but right if someone's get it it's done. I don't understand that statement wdym? Is it a joke I don't get xD? I haven't even found anything on how to clear a string from memory. It always says that it should be left to GC
Unknown User
Unknown Userā€¢14mo ago
Message Not Public
Sign In & Join Server To View
McBacon
McBaconOPā€¢14mo ago
I've contacted my mamager about it - found that there was already similar problem marked "not exploitable" Thanks for your input Btw borderline sarcasm? Never heard of it
Unknown User
Unknown Userā€¢14mo ago
Message Not Public
Sign In & Join Server To View
McBacon
McBaconOPā€¢14mo ago
Yeah, sarcasm I am of course aware of, but borderline no thx for explaining Have a good day bro šŸ™‚ And Thanks again
Bailey
Baileyā€¢14mo ago
Hi, I know its a bit late (seeing it's already solved). maybe you can use this info. strings clearing and changing leaves the data in memory until it is really cleaned. So in theory an attacker can install a program which scans the memory. MS has a sollution but I really do not know how good it is namely: SecureString
Unknown User
Unknown Userā€¢14mo ago
Message Not Public
Sign In & Join Server To View
Want results from more Discord servers?
Add your server