Vignesh Krishnan
Securing Request Data in .NET Framework C# Application
I have created a .NET Forms application. I send a request to the web API using the HTTP client. The request data will be visible and can be altered when injecting into or hooking the application's process using the Echo Mirage tool. How can I prevent this issue in a .NET Framework application written in C#?
31 replies
Securing .NET Framework Applications Against SQL Injection: Unraveling Windows SSL Vulnerabilities
I have developed a .NET Framework 4.7.2 Windows application that utilizes a SQL Server database. In this application, I have employed the SQLClient package to establish connections to the database. The connection parameters include encryption, ensuring that queries in outbound traffic remain concealed from the Microsoft Network Monitor and Wireshark.
However, a vulnerability was discovered when employing the Echo Mirage tool, enabling SQL injection or hooking into the .NET app process on Windows. This allowed for the viewing and alteration of queries using the tool. Through my analysis of the SQL injection tool's traffic log, I identified three types of hooked modules: Windows Socket, OpenSSL, and Windows SSL.
When configuring Windows Sockets, I observed that the traffic protocol was TCP, and the queries were encrypted, providing a secure environment. However, configuring Windows SSL revealed a vulnerability. I could view and modify queries by injecting into the process in Windows, and the protocol was displayed as "???" with source and destination set as 0.0.0.0.
I lack sufficient knowledge about Windows SSL and seek guidance on preventing this vulnerability. Any ideas or suggestions would be greatly appreciated.
33 replies