
Secure Code Review in .NET

Firstly, one needs to be familiar with the tools that can be used to perform text searching; secondly, one needs to know what to look for.

One could scan through the code looking for common patterns or keywords such as "User", "Password", "Pswd", "Key", "Http", etc. This can be performed using the "Find in Files" tool in Visual Studio, or with findstr from the command line as follows: findstr /s /m /i /d:c:\projects\codebase\sec "http" *.*
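The same sweep done as a small script rather than one findstr call at a time, as an added example that is not part of the original page: each category below takes a subset of the page's "STRING TO SEARCH" lists, the walk is recursive and case-insensitive like findstr /s /i, and the hits come back grouped by review area so the reviewer can work through one area at a time. The sample source files are constructed for the demo and are not code from any real project.

```python
"""Keyword sweep over a .NET code tree, the findstr /s /i step done in Python.

Added example, not part of the original page. The category word lists are a
subset of the page's "STRING TO SEARCH" tables; the sample source files are
constructed for the demo and are not from any real project.
"""
import os
import re
import tempfile
from collections import defaultdict

# Subset of the page's search strings, grouped by review area (lower case;
# matching is case-insensitive, like findstr /i).
CATEGORIES = {
    "http-request": ["request.querystring", "request.form", "request.cookies",
                     "request.headers", "request.rawurl"],
    "html-output": ["response.write", "innerhtml", "<%="],
    "sql": ["sqlcommand", "executereader", "exec sp_", "exec xp_"],
    "logging": ["log4net", "console.writeline", "system.diagnostics.trace"],
    "crypto": ["md5", "descryptoserviceprovider", "tripledes", "system.random"],
}


def compile_patterns(categories=CATEGORIES):
    """One case-insensitive alternation per category."""
    return {name: re.compile("|".join(re.escape(w) for w in words), re.IGNORECASE)
            for name, words in categories.items()}


def sweep(root, patterns, extensions=(".cs", ".aspx", ".ascx", ".config")):
    """Walk `root` recursively and return {category: [(relpath, lineno, line)]}.

    Only files with the given extensions are read, so docs and binaries are
    skipped; one hit is recorded per category per line.
    """
    hits = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if not fname.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for cat, rx in patterns.items():
                        if rx.search(line):
                            hits[cat].append((os.path.relpath(path, root), lineno, line.rstrip()))
    return dict(hits)


# Constructed sample files (not real project code). README.md is there to show
# that non-source files are ignored by the extension filter.
SAMPLE_FILES = {
    "Login.aspx.cs": (
        'string user = Request.QueryString["user"];\n'
        'Response.Write("Welcome " + user);\n'
        'log4net.ILog log = LogManager.GetLogger(typeof(Login));\n'
        'log.Info("login " + user + " pw=" + Request.Form["password"]);\n'
    ),
    "Data/Repo.cs": (
        'var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = \'" + name + "\'", conn);\n'
        'var rdr = cmd.ExecuteReader();\n'
    ),
    "Util/Hash.cs": (
        'using var md5 = MD5.Create();\n'
        'var rnd = new System.Random();\n'
    ),
    "README.md": "sqlcommand is mentioned in the docs but this file is not scanned\n",
}


def write_samples(root, files=SAMPLE_FILES):
    """Materialise the constructed sample tree under `root`."""
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def run_demo():
    """Create the sample tree in a temp dir, sweep it and return the hit map."""
    with tempfile.TemporaryDirectory() as root:
        write_samples(root)
        return sweep(root, compile_patterns())


if __name__ == "__main__":
    for cat, rows in sorted(run_demo().items()):
        print(f"[{cat}]")
        for rel, lineno, text in rows:
            print(f"  {rel}:{lineno}: {text}")
```

Point `sweep()` at a real checkout instead of the temp tree to use it; the output is only a list of places to read, exactly like the findstr output, and every hit still needs a human to look at the surrounding code.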

HTTP Request Strings

Requests from external sources are obviously a key area of a security code review. We need to ensure that all HTTP requests received are validated for composition, maximum and minimum length, and whether the data falls within the parameter whitelist. The bottom line is that this is a key area to examine, and to confirm that validation is actually in place.

STRING TO SEARCH
request.accesstypes request.httpmethod request.cookies request.url
request.browser request.querystring request.certificate request.urlreferrer
request.files request.item request.rawurl request.useragent
request.headers request.form request.servervariables request.userlanguages
request.TotalBytes request.BinaryRead

HTML Output

Here we are looking for responses to the client. Responses which go unvalidated or which echo external input without data validation are key areas to examine. Many client side attacks result from poor response validation.

STRING TO SEARCH
response.write HttpUtility HtmlEncode UrlEncode
innerText innerHTML <%=

SQL & Database

Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine if the application is vulnerable to SQL injection. One aspect of this is to verify that the code uses SqlParameter (System.Data.SqlClient), OleDbParameter (System.Data.OleDb), or OdbcParameter (System.Data.Odbc). These are typed and treat parameters as literal values and not as executable code in the database.

STRING TO SEARCH
exec sp_ select from insert update
delete from where delete execute sp_ exec xp_
exec @ execute @ executestatement executeSQL
setfilter executeQuery GetQueryResultInXML adodb
sqloledb sql server driver Server.CreateObject
.Provider System.Data.sql ADODB.recordset New OleDbConnection
ExecuteReader DataSource SqlCommand Microsoft.Jet
SqlDataReader ExecuteReader SqlDataAdapter StoredProcedure
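A triage step for the hits from the HTTP Request, HTML Output and SQL tables above, as an added example that is not part of the original page: a method body that contains a request source and a sink (Response.Write, innerHTML, SqlCommand, ExecuteReader and so on) but none of the defences the page names (HtmlEncode/UrlEncode, SqlParameter and friends) is the one to open first. The source, sink and defence names are taken from the page's tables; the C# method bodies are constructed samples, not code from any real project, and the heuristic is deliberately coarse.

```python
"""Triage keyword hits: does external input reach a sink without a defence?

Added example, not part of the original page. Source, sink and defence names
come from the page's HTTP Request, HTML Output and SQL tables; the C# method
bodies below are constructed samples, not code from any real project.
"""
import re

# Where external input enters (page's "HTTP Request Strings" table).
SOURCES = re.compile(
    r"request\.(querystring|form|cookies|headers|rawurl|url|item|useragent|"
    r"urlreferrer|servervariables|files)", re.I)

# Sinks, each with the defence a reviewer expects to see in the same method body.
RULES = {
    "xss": {
        "sink": re.compile(r"response\.write|innerhtml|<%=", re.I),
        "defence": re.compile(r"htmlencode|urlencode", re.I),
    },
    "sqli": {
        "sink": re.compile(
            r"sqlcommand|executereader|executenonquery|executescalar|exec sp_", re.I),
        "defence": re.compile(
            r"sqlparameter|oledbparameter|odbcparameter|parameters\.add", re.I),
    },
}


def classify(body):
    """Return {label: severity} for one method body.

    'high'   : a request source and a sink are both present, no defence seen
    'review' : a sink with no request source in this body (the input may
               still arrive through a method parameter)
    An empty dict means the defence appears somewhere in the body. That only
    shows the encoder/parameter is used, not that every value goes through
    it, so the reviewer still confirms that by hand.
    """
    findings = {}
    has_source = bool(SOURCES.search(body))
    for label, rule in RULES.items():
        if rule["sink"].search(body) and not rule["defence"].search(body):
            findings[label] = "high" if has_source else "review"
    return findings


# Constructed C# method bodies (not from any real project).
SAMPLES = {
    "echo_unencoded": '''
        string user = Request.QueryString["user"];
        Response.Write("Welcome " + user);
    ''',
    "echo_encoded": '''
        string user = Request.QueryString["user"];
        Response.Write("Welcome " + HttpUtility.HtmlEncode(user));
    ''',
    "sql_concat": '''
        string name = Request.Form["name"];
        var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = '" + name + "'", conn);
        var rdr = cmd.ExecuteReader();
    ''',
    "sql_parameterised": '''
        string name = Request.Form["name"];
        var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = @name", conn);
        cmd.Parameters.Add(new SqlParameter("@name", name));
        var rdr = cmd.ExecuteReader();
    ''',
    "sql_internal_only": '''
        var cmd = new SqlCommand("SELECT COUNT(*) FROM Users", conn);
        var n = cmd.ExecuteScalar();
    ''',
}


def triage(samples=SAMPLES):
    """Classify every sample body and return {name: {label: severity}}."""
    return {name: classify(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, result in triage().items():
        print(f"{name:20s} {result or 'no finding'}")
```

The unit of analysis is a whole method body rather than a single line, because in .NET the parameter is usually added on the statement after the SqlCommand is built; a per-line check would flag every parameterised query as a finding.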

Cookies

Cookie manipulation can be key to various application security exploits, such as session hijacking/fixation and parameter manipulation. One should examine any code relating to cookie functionality, as this would have a bearing on session security.

STRING TO SEARCH
System.Net.Cookie HTTPOnly document.cookie

machine.config

It is important to note that many settings in machine.config can be overridden in the web.config file of a particular application, so the effective value must be checked at the application level.

STRING TO SEARCH
validateRequest enableViewState enableViewStateMac

HTML Tags

Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display and use of such tags within a web application.

STRING TO SEARCH
HtmlEncode URLEncode <frame security <iframe security

Input Controls

The input controls below are server classes used to produce and display web application form fields. Looking for such references helps locate entry points into the application.

STRING TO SEARCH
htmlcontrols.htmlinputhidden webcontrols.hiddenfield webcontrols.hyperlink webcontrols.textbox
webcontrols.label webcontrols.linkbutton webcontrols.listbox webcontrols.checkboxlist
webcontrols.dropdownlist

Logging

Logging can be a source of information leakage. It is important to examine all calls to the logging subsystem and to determine if any sensitive information is being logged. Common mistakes are logging the user ID together with the password within the authentication functionality, or logging database requests which may contain sensitive data.

STRING TO SEARCH
log4net Console.WriteLine System.Diagnostics.Debug System.Diagnostics.Trace

WEB.config

The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application’s root directory. For ASP.NET applications, web.config contains information about most aspects of the application’s operation.

STRING TO SEARCH
requestEncoding responseEncoding Trace authorization
compilation webcontrols.linkbutton webcontrols.listbox webcontrols.checkboxlist
webcontrols.dropdownlist CustomErrors httpCookies httpHandlers
httpRuntime sessionState maxRequestLength Debug
forms protection appSettings ConfigurationSettings appSettings
connectionStrings authentication mode Allow Deny
Credentials identity impersonate timeout remote
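A check over the web.config settings listed in this table and in the machine.config, Cookies and Exceptions & Errors sections, as an added example that is not part of the original page. The element and attribute names are the standard ASP.NET system.web configuration settings; the "weak" and "hardened" documents are constructed samples, and which values count as a finding is my choice for the demo, not a rule from the page.

```python
"""Audit an ASP.NET web.config for the risky settings a code reviewer looks for.

Added example, not part of the original page. Element and attribute names are
standard ASP.NET system.web configuration; the two documents below are
constructed samples, and the flagged values are chosen for the demo.
"""
import xml.etree.ElementTree as ET

# (path under <configuration>, attribute, values that are a finding, message)
CHECKS = [
    ("system.web/compilation", "debug", {"true"},
     'debug build emits detailed error pages; set debug="false" for production'),
    ("system.web/customErrors", "mode", {"off"},
     'customErrors mode="Off" shows stack traces and source lines to clients'),
    ("system.web/trace", "enabled", {"true"},
     "trace enabled: trace.axd exposes request, session and server variables"),
    ("system.web/pages", "validateRequest", {"false"},
     "built-in request validation disabled"),
    ("system.web/pages", "enableViewStateMac", {"false"},
     "ViewState integrity check disabled, ViewState can be tampered with"),
    ("system.web/sessionState", "cookieless", {"true", "useuri"},
     "session id carried in the URL (leaks via Referer, logs and bookmarks)"),
    ("system.web/authentication/forms", "protection", {"none"},
     "forms authentication ticket neither encrypted nor validated"),
    ("system.web/authentication/forms", "requireSSL", {"false"},
     "forms authentication cookie allowed over plain HTTP"),
]


def audit(config_xml):
    """Return a list of finding strings for one web.config document."""
    root = ET.fromstring(config_xml)
    findings = []
    for path, attr, bad_values, msg in CHECKS:
        el = root.find(path)
        if el is None:
            continue  # element absent: the machine.config default applies
        val = el.get(attr)
        if val is not None and val.lower() in bad_values:
            findings.append(f"{path}@{attr}={val}: {msg}")
    # httpOnlyCookies defaults to false when not set, so absence is a finding too.
    cookies = root.find("system.web/httpCookies")
    if cookies is None or cookies.get("httpOnlyCookies", "false").lower() != "true":
        findings.append("system.web/httpCookies@httpOnlyCookies not true: "
                        "cookies readable from document.cookie")
    return findings


# Constructed weak configuration (sample, not from any real application).
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
    <pages validateRequest="false" enableViewStateMac="false" />
    <sessionState cookieless="UseUri" />
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="None" requireSSL="false" />
    </authentication>
  </system.web>
</configuration>
"""

# The same application with each setting corrected.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.8" />
    <customErrors mode="RemoteOnly" defaultRedirect="Error.aspx" />
    <trace enabled="false" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <pages validateRequest="true" enableViewStateMac="true" />
    <sessionState cookieless="UseCookies" />
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
"""


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(doc))} finding(s)")
        for f in audit(doc):
            print("  -", f)
```

Run `audit()` on the deployed web.config rather than the one in source control where they differ, since transforms and deployment tooling can change exactly these attributes.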

global.asax

Each application has its own global.asax file if one is required. Global.asax sets the event code and values for an application using scripts. One must ensure that application variables do not contain sensitive information, as they are accessible to the whole application and to all users within it.

STRING TO SEARCH
Application_OnAuthenticateRequest Application_OnAuthorizeRequest Session_OnStart Session_OnEnd

Class Design

Public and Sealed relate to design at the class level. Classes that are not intended to be derived from should be sealed. Make sure every class field that is Public is Public for a reason; do not expose anything that is not necessary.

STRING TO SEARCH
Public Sealed

Threads and Concurrency

Locate code that contains multithreaded functions, as concurrency issues can result in race conditions, which may in turn result in security vulnerabilities. The Thread keyword is where new thread objects are created. Code that uses static global variables to hold sensitive security information may cause session issues. Code that uses static constructors may also cause issues between threads. Not synchronizing the Dispose method may cause problems if a number of threads call Dispose at the same time, leading to resource release issues.

STRING TO SEARCH
Thread Dispose

Reflection and Serialization

Code may be generated dynamically at runtime. Code that is generated dynamically as a function of external input may give rise to issues. If code contains sensitive data, does it need to be serialized?

STRING TO SEARCH
Serializable AllowPartiallyTrustedCallersAttribute GetObjectData System.Reflection
StrongNameIdentity StrongNameIdentityPermission

Storage

If storing sensitive data in memory, it is recommended to use the following.

STRING TO SEARCH
SecureString ProtectedMemory

Exceptions & Errors

Ensure that catch blocks do not leak information to the user in the case of an exception. Ensure that the finally block is used when dealing with resources. Having trace enabled is not great from an information leakage perspective. Ensure that customized errors are properly implemented.

STRING TO SEARCH
catch finally trace enabled customErrors mode

Cryptography

If cryptography is used, is a strong enough cipher used, e.g. AES or 3DES? What size key is used? The larger the better. Where is hashing performed? Are passwords that are being persisted hashed? They should be. How are random numbers generated? Is the PRNG "random enough"?

STRING TO SEARCH
RNGCryptoServiceProvider SHA MD5 base64
DES RC2 System.Random Random
xor System.Security.Cryptography

Authorization, Assert & Revert

Bypassing .NET code access security permissions? Not a good idea. Below is a list of potentially dangerous permissions, such as calling unmanaged code outside the CLR.

STRING TO SEARCH
RequestMinimum RequestOptional Assert Debug.Assert
CodeAccessPermission MemberAccess ControlAppDomain UnmanagedCode
SkipVerification ControlEvidence SerializationFormatter ControlPrincipal
ControlDomainPolicy ControlPolicy

Legacy Methods

Some standard functions that should be checked in any context include the following.

STRING TO SEARCH
printf strcpy