/* Good1() change the switch to switch(8) */
private void Good1()
{
switch (8)
{
case 7:
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
IO.WriteLine("Benign, fixed string");
break;
default:
using (HashAlgorithm sha512 = new SHA512CryptoServiceProvider())
{
/* FIX: Secure cryptographic hashing algorithm (SHA-512) */
byte[] textWithUTF8 = Encoding.UTF8.GetBytes("Test Input"); /* INCIDENTAL FLAW: Hard-coded input to hash algorithm */
byte[] textWithReversibleHash = sha512.ComputeHash(textWithUTF8);
IO.WriteLine(IO.ToHex(textWithReversibleHash));
}
break;
}
}
/* goodB2G() - use badsource and goodsink*/
private void GoodB2G(HttpRequest req, HttpResponse resp)
{
string data;
data = ""; /* initialize data in case there are no cookies */
/* Read data from cookies */
{
HttpCookieCollection cookieSources = req.Cookies;
if (cookieSources != null)
{
/* POTENTIAL FLAW: Read data from the first cookie value */
data = cookieSources[0].Value;
}
}
for (int k = 0; k < 1; k++)
{
/* FIX: Hash data before storing in registry */
{
string salt = "ThisIsMySalt";
using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider())
{
byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, data));
byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer);
data = IO.ToHex(hashedCredsAsBytes);
}
}
using (SecureString secureData = new SecureString())
{
for (int i = 0; i < data.Length; i++)
{
secureData.AppendChar(data[i]);
}
RegistryKey key = Registry.CurrentUser.OpenSubKey("Software", true);
key.CreateSubKey("CWEparent");
key = key.OpenSubKey("CWEparent", true);
key.CreateSubKey("TestingCWE");
key = key.OpenSubKey("TestingCWE", true);
key.SetValue("CWE", secureData);
}
}
}
/* goodB2G() - use badsource and goodsink */
private void GoodB2G()
{
string data;
data = ""; /* Initialize data */
{
/* read user input from console with ReadLine */
try
{
/* POTENTIAL FLAW: Read data from the console using ReadLine */
data = Console.ReadLine();
}
catch (IOException exceptIO)
{
IO.Logger.Log(NLog.LogLevel.Warn, exceptIO, "Error with stream reading");
}
}
/* FIX: Hash data before storing in registry */
{
string salt = "ThisIsMySalt";
using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider())
{
byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, data));
byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer);
data = IO.ToHex(hashedCredsAsBytes);
}
}
using (SecureString secureData = new SecureString())
{
for (int i = 0; i < data.Length; i++)
{
secureData.AppendChar(data[i]);
}
RegistryKey key = Registry.CurrentUser.OpenSubKey("Software", true);
key.CreateSubKey("CWEparent");
key = key.OpenSubKey("CWEparent", true);
key.CreateSubKey("TestingCWE");
key = key.OpenSubKey("TestingCWE", true);
key.SetValue("CWE", secureData);
}
}
/* goodB2G() - use BadSource and GoodSink */
public static void GoodB2GSink(byte[] dataSerialized)
{
try
{
string data;
var binForm = new BinaryFormatter();
using (var memStream = new MemoryStream())
{
memStream.Write(dataSerialized, 0, dataSerialized.Length);
memStream.Seek(0, SeekOrigin.Begin);
data = (string)binForm.Deserialize(memStream);
}
/* FIX: Hash data before storing in registry */
{
string salt = "ThisIsMySalt";
using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider())
{
byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, data));
byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer);
data = IO.ToHex(hashedCredsAsBytes);
}
}
using (SecureString secureData = new SecureString())
{
for (int i = 0; i < data.Length; i++)
{
secureData.AppendChar(data[i]);
}
RegistryKey key = Registry.CurrentUser.OpenSubKey("Software", true);
key.CreateSubKey("CWEparent");
key = key.OpenSubKey("CWEparent", true);
key.CreateSubKey("TestingCWE");
key = key.OpenSubKey("TestingCWE", true);
key.SetValue("CWE", secureData);
}
}
catch (SerializationException exceptSerialize)
{
IO.Logger.Log(NLog.LogLevel.Warn, "SerializationException in deserialization", exceptSerialize);
}
}
/// <summary>
/// Encrypts the specified text.
/// </summary>
/// <param name="text">The text.</param>
/// <param name="key">The key.</param>
/// <returns>String.</returns>
/// <exception cref="ArgumentException">Thrown when text was null, empty, or white space.</exception>
/// <exception cref="ArgumentException">Thrown when key was null, empty, or white space.</exception>
/// <exception cref="ArgumentException">Thrown when unable to create AES crypto object.</exception>
public String Encrypt(String text, String key)
{
if (String.IsNullOrEmpty(text))
{
throw new ArgumentException(Strings.TheTextMustHaveAValue, nameof(text));
}
if (String.IsNullOrEmpty(key))
{
throw new ArgumentException(Strings.KeyMustHaveAValue, nameof(key));
}
var buffer = Encoding.UTF8.GetBytes(text);
using (var hash = new SHA512CryptoServiceProvider()) {
var aesKey = new Byte[24];
Buffer.BlockCopy(hash.ComputeHash(Encoding.UTF8.GetBytes(key)), 0, aesKey, 0, 24);
using (var aes = Aes.Create()) {
if (aes == null)
{
throw new NullReferenceException(Strings.UnableToCreateAESCryptoObject);
}
aes.Key = aesKey;
using (var encryptor = aes.CreateEncryptor(aes.Key, aes.IV))
using (var resultStream = new MemoryStream()) {
using (var aesStream = new CryptoStream(resultStream, encryptor, CryptoStreamMode.Write))
using (var plainStream = new MemoryStream(buffer)) {
plainStream.CopyTo(aesStream);
}
var result = resultStream.ToArray();
var combined = new Byte[aes.IV.Length + result.Length];
Array.ConstrainedCopy(aes.IV, 0, combined, 0, aes.IV.Length);
Array.ConstrainedCopy(result, 0, combined, aes.IV.Length, result.Length);
return(Convert.ToBase64String(combined));
}
}
}
}
public string Decrypt(string value, string key)
{
value.ThrowIfNullOrEmpty(nameof(value));
var combined = Convert.FromBase64String(value);
var buffer = new byte[combined.Length];
var hash = new SHA512CryptoServiceProvider();
var aesKey = new byte[24];
Buffer.BlockCopy(hash.ComputeHash(Encoding.UTF8.GetBytes(key)), 0, aesKey, 0, 24);
using (var aes = Aes.Create())
{
if (aes == null)
{
throw new ArgumentException("Parameter must not be null.", nameof(aes));
}
aes.Key = aesKey;
var iv = new byte[aes.IV.Length];
var ciphertext = new byte[buffer.Length - iv.Length];
Array.ConstrainedCopy(combined, 0, iv, 0, iv.Length);
Array.ConstrainedCopy(combined, iv.Length, ciphertext, 0, ciphertext.Length);
aes.IV = iv;
using (var decryptor = aes.CreateDecryptor(aes.Key, aes.IV))
using (var resultStream = new MemoryStream())
{
using (var aesStream = new CryptoStream(resultStream, decryptor, CryptoStreamMode.Write))
using (var plainStream = new MemoryStream(ciphertext))
{
plainStream.CopyTo(aesStream);
}
return(Encoding.UTF8.GetString(resultStream.ToArray()));
}
}
}
/* goodB2G() - use badsource and goodsink */
private void GoodB2G(HttpRequest req, HttpResponse resp)
{
string data;
while (true)
{
data = ""; /* initialize data in case there are no cookies */
/* Read data from cookies */
{
HttpCookieCollection cookieSources = req.Cookies;
if (cookieSources != null)
{
/* POTENTIAL FLAW: Read data from the first cookie value */
data = cookieSources[0].Value;
}
}
break;
}
while (true)
{
/* FIX: Hash data before storing in a file */
{
string salt = "ThisIsMySalt";
using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider())
{
byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, data));
byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer);
data = IO.ToHex(hashedCredsAsBytes);
}
}
using (SecureString secureData = new SecureString())
{
for (int i = 0; i < data.Length; i++)
{
secureData.AppendChar(data[i]);
}
File.WriteAllText(@"C:\Users\Public\WriteText.txt", secureData.ToString());
}
break;
}
}
public static string Encrypt(this string text, string key)
{
if (string.IsNullOrEmpty(key))
{
throw new ArgumentException("Key must have valid value.", nameof(key));
}
if (string.IsNullOrEmpty(text))
{
throw new ArgumentException("The text must have valid value.", nameof(text));
}
var buffer = Encoding.UTF8.GetBytes(text);
var hash = new SHA512CryptoServiceProvider();
var aesKey = new byte[24];
Buffer.BlockCopy(hash.ComputeHash(Encoding.UTF8.GetBytes(key)), 0, aesKey, 0, 24);
using (var aes = Aes.Create()) {
if (aes == null)
{
throw new ArgumentException("Parameter must not be null.", nameof(aes));
}
aes.Key = aesKey;
using (var encryptor = aes.CreateEncryptor(aes.Key, aes.IV))
using (var resultStream = new MemoryStream()) {
using (var aesStream = new CryptoStream(resultStream, encryptor, CryptoStreamMode.Write))
using (var plainStream = new MemoryStream(buffer)) {
plainStream.CopyTo(aesStream);
}
var result = resultStream.ToArray();
var combined = new byte[aes.IV.Length + result.Length];
Array.ConstrainedCopy(aes.IV, 0, combined, 0, aes.IV.Length);
Array.ConstrainedCopy(result, 0, combined, aes.IV.Length, result.Length);
return(Convert.ToBase64String(combined));
}
}
}
/* goodG2B() - use goodsource and badsink */
private void GoodG2B(HttpRequest req, HttpResponse resp)
{
string dataCopy;
{
string data;
using (SecureString securePwd = new SecureString())
{
using (SecureString secureUser = new SecureString())
{
for (int i = 0; i < "AP@ssw0rd".Length; i++)
{
/* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */
securePwd.AppendChar("AP@ssw0rd"[i]);
}
for (int i = 0; i < "user".Length; i++)
{
/* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */
securePwd.AppendChar("user"[i]);
}
/* FIX: Set data to a hash of credentials */
{
string salt = "ThisIsMySalt";
using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider())
{
string credentialsToHash = secureUser.ToString() + ":" + securePwd.ToString();
byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, credentialsToHash));
byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer);
data = IO.ToHex(hashedCredsAsBytes);
}
}
}
}
dataCopy = data;
}
{
string data = dataCopy;
/* NOTE: potential incidental issues with not setting secure or HttpOnly flag */
/* POTENTIAL FLAW: Store data directly in cookie */
resp.AppendCookie(new HttpCookie("auth", data));
}
}
public Upload Create(string fname, byte[] file, int owner)
{
Random rnd = new Random();
Upload upload = new Upload()
{
Name = fname,
Date = DateTime.Now.AddDays(rnd.Next(-100, 100)),
Owner = owner,
Sha256 = _csp.ComputeHash(file)
};
if (!_context.Uploads.Any(x =>
x.Sha256.SequenceEqual(upload.Sha256)))
{
upload.Blob = file;
}
_context.Uploads.Add(upload);
_context.SaveChanges();
return(upload);
}
private byte[] computeHashKey(string keyData)
{
byte[] keyBytes = Encoding.ASCII.GetBytes(textBoxEncryptionKey.Text);
HashAlgorithm hashAlgorithm;
if (comboBoxHashAlgorithm.Text == "SHA-256")
{
hashAlgorithm = new SHA256CryptoServiceProvider();
return(hashAlgorithm.ComputeHash(keyBytes));
}
else if (comboBoxHashAlgorithm.Text == "SHA-512")
{
hashAlgorithm = new SHA512CryptoServiceProvider();
return(hashAlgorithm.ComputeHash(keyBytes));
}
else
{
hashAlgorithm = new MD5CryptoServiceProvider();
return(hashAlgorithm.ComputeHash(keyBytes));
}
}
public override void Bad()
{
switch (7)
{
case 7:
using (HashAlgorithm sha = new SHA512CryptoServiceProvider())
{
/* FLAW: SHA512 with no salt */
byte[] textWithoutSaltBytes = Encoding.UTF8.GetBytes("hash me");
byte[] hashedBytes = sha.ComputeHash(textWithoutSaltBytes);
sha.Clear();
IO.WriteLine(IO.ToHex(hashedBytes));
}
break;
default:
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
IO.WriteLine("Benign, fixed string");
break;
}
}
// --------------------------------------------------------------------------------------
//170830 para hashear novamente o identifierID (que vem como hash5 mas foi facilmente decriptado)
// em: https://stackoverflow.com/questions/43042428/sha256-is-returning-invalid-characters-in-the-hash
//
static string GetHash(string input)
{ //SHA512 sha512Hash = SHA512.Create(); NullReferenceException: Object reference not set to an instance of an object
//Em https://stackoverflow.com/questions/30055358/md5-gethash-work-only-in-unity-editor :
//MD5.Create() doesn't return an object on Unity Android when the Stripping Level is set to Micro mscorlib, but 'new MD5CryptoServiceProvider()' does.
var sha512Hash = new SHA512CryptoServiceProvider();
// Convert the input string to a byte array and compute the hash.//
byte[] data = sha512Hash.ComputeHash(Encoding.UTF8.GetBytes(input));
// Create a new Stringbuilder to collect the bytes and create a string.
StringBuilder sBuilder = new StringBuilder();
// Loop through each byte of the hashed data and format each one as a hexadecimal string.
for (int i = 0; i < data.Length; i++)
{
sBuilder.Append(data[i].ToString("x2"));
}
// Return the hexadecimal string.
return(sBuilder.ToString());
}
/*Hash a string using SAH512.*/
public static string HashString(string toHash)
{
using (SHA512CryptoServiceProvider sha = new SHA512CryptoServiceProvider())
{
byte[] dataToHash = Encoding.UTF8.GetBytes(toHash);
byte[] hashed = sha.ComputeHash(dataToHash);
// Create a new Stringbuilder to collect the bytes
// and create a string.
StringBuilder sBuilder = new StringBuilder();
// Loop through each byte of the hashed data
// and format each one as a hexadecimal string.
for (int i = 0; i < hashed.Length; i++)
{
sBuilder.Append(hashed[i].ToString("x2"));
}
return(sBuilder.ToString());
}
}
/// <summary>
///
/// </summary>
/// <param name="Path"></param>
/// <param name="Uppercase"></param>
/// <param name="Error"></param>
/// <returns></returns>
public static string FILEtoSHA512(string Path, bool Uppercase = false, string Error = Constants.ErrorMessage)
{
try
{
if (File.Exists(Path))
{
using SHA512 SHA512 = new SHA512CryptoServiceProvider();
using FileStream Stream = File.OpenRead(Path);
byte[] Hash = SHA512.ComputeHash(Stream);
return(Uppercase == false?BitConverter.ToString(Hash).Replace("-", "").ToLowerInvariant() : BitConverter.ToString(Hash).Replace("-", "").ToUpperInvariant());
}
else
{
return(Error);
}
}
catch
{
return(Error + Constants.ErrorTitle + "HH-FTS4!)");
}
}
private static byte[] CalculateHash(string password, ref byte[] salt)
{
if (!salt.Any(v => v != 0))
{
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
rng.GetBytes(salt);
}
byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
byte[] hashPlaintext = new byte[salt.Length + passwordBytes.Length];
passwordBytes.CopyTo(hashPlaintext, 0);
salt.CopyTo(hashPlaintext, passwordBytes.Length);
SHA512CryptoServiceProvider sha = new SHA512CryptoServiceProvider();
byte[] hash = sha.ComputeHash(hashPlaintext);
return(hash);
}
/* goodB2G() - use badsource and goodsink */
public static void GoodB2GSink(string data)
{
/* FIX: Hash data before storing in a file */
{
string salt = "ThisIsMySalt";
using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider())
{
byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, data));
byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer);
data = IO.ToHex(hashedCredsAsBytes);
}
}
using (SecureString secureData = new SecureString())
{
for (int i = 0; i < data.Length; i++)
{
secureData.AppendChar(data[i]);
}
File.WriteAllText(@"C:\Users\Public\WriteText.txt", secureData.ToString());
}
}
/// <summary>
/// 计算SHA-512码
/// </summary>
/// <param name="word">字符串</param>
/// <param name="toUpper">返回哈希值格式 true:英文大写,false:英文小写</param>
/// <returns></returns>
public static string Hash_SHA_512(string word, bool toUpper = true)
{
try
{
SHA512CryptoServiceProvider SHA512CSP = new SHA512CryptoServiceProvider();
byte[] bytValue = Encoding.UTF8.GetBytes(word);
byte[] bytHash = SHA512CSP.ComputeHash(bytValue);
SHA512CSP.Clear();
//根据计算得到的Hash码翻译为SHA-1码
string sHash = "", sTemp = "";
for (int counter = 0; counter < bytHash.Length; counter++)
{
long i = bytHash[counter] / 16;
if (i > 9)
{
sTemp = ((char)(i - 10 + 0x41)).ToString();
}
else
{
sTemp = ((char)(i + 0x30)).ToString();
}
i = bytHash[counter] % 16;
if (i > 9)
{
sTemp += ((char)(i - 10 + 0x41)).ToString();
}
else
{
sTemp += ((char)(i + 0x30)).ToString();
}
sHash += sTemp;
}
//根据大小写规则决定返回的字符串
return(toUpper ? sHash : sHash.ToLower());
}
catch (Exception ex)
{
throw new Exception(ex.Message);
}
}
private static byte[] Encrypt(byte[] data, out byte[] key)
{
key = Hash(data);
if (key is null)
{
throw new ArgumentException("Key must have valid value.", nameof(key));
}
if (data is null)
{
throw new ArgumentException("The text must have valid value.", nameof(data));
}
byte[] buffer = data;
SHA512CryptoServiceProvider hash = new SHA512CryptoServiceProvider();
byte[] aesKey = new byte[24];
Buffer.BlockCopy(hash.ComputeHash(key), 0, aesKey, 0, 24);
using Aes aes = Aes.Create();
if (aes == null)
{
throw new ArgumentException("Parameter must not be null.", nameof(aes));
}
aes.Key = aesKey;
using ICryptoTransform encryptor = aes.CreateEncryptor(aes.Key, aes.IV);
using MemoryStream resultStream = new MemoryStream();
using (CryptoStream aesStream = new CryptoStream(resultStream, encryptor, CryptoStreamMode.Write))
{
using MemoryStream plainStream = new MemoryStream(buffer);
plainStream.CopyTo(aesStream);
}
byte[] result = resultStream.ToArray();
byte[] combined = new byte[aes.IV.Length + result.Length];
Array.ConstrainedCopy(aes.IV, 0, combined, 0, aes.IV.Length);
Array.ConstrainedCopy(result, 0, combined, aes.IV.Length, result.Length);
return(combined);
}
public static string Hash(string text, HashingMode mode)
{
var textBytes = Encoding.UTF8.GetBytes(text);
byte[] hashBytes;
switch (mode)
{
case HashingMode.SHA_1:
var SHA1 = new SHA1CryptoServiceProvider();
hashBytes = SHA1.ComputeHash(textBytes);
break;
case HashingMode.SHA_2_256:
var SHA2_256 = new SHA256CryptoServiceProvider();
hashBytes = SHA2_256.ComputeHash(textBytes);
break;
case HashingMode.SHA_2_512:
var SHA2_512 = new SHA512CryptoServiceProvider();
hashBytes = SHA2_512.ComputeHash(textBytes);
break;
//case HashingMode.SHA_3_256:
// var SHA3_256 = new Sha3Digest(256);
// SHA3_256.Update(Convert.ToByte(textBytes));
// SHA3_256.DoFinal(hashBytes);
// break;
//case HashingMode.SHA_3_256:
// var SHA3_512 = new Sha3Digest(512);
// break;
default:
var SHA_default = new SHA1CryptoServiceProvider();
hashBytes = SHA_default.ComputeHash(textBytes);
break;
}
var hash = HelperFunctions.FromByteToHex(hashBytes);
return(hash);
}
/* goodB2G() - use badsource and goodsink */
private void GoodB2G(HttpRequest req, HttpResponse resp)
{
string dataCopy;
{
string data;
using (SecureString securePwd = new SecureString())
{
using (SecureString secureUser = new SecureString())
{
for (int i = 0; i < "AP@ssw0rd".Length; i++)
{
/* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */
securePwd.AppendChar("AP@ssw0rd"[i]);
}
for (int i = 0; i < "user".Length; i++)
{
/* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */
securePwd.AppendChar("user"[i]);
}
/* POTENTIAL FLAW: Set data to credentials (without hashing or encryption) */
data = secureUser.ToString() + ":" + securePwd.ToString();
}
}
dataCopy = data;
}
{
string data = dataCopy;
/* FIX: Hash data before storing in cookie */
{
string salt = "ThisIsMySalt";
using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider())
{
byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, data));
byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer);
data = IO.ToHex(hashedCredsAsBytes);
}
}
resp.AppendCookie(new HttpCookie("auth", data));
}
}
protected override void Seed(DatabaseContext context)
{
var sha512CryptoProvider = new SHA512CryptoServiceProvider();
var user = new UserEntity
{
Username = "******",
PasswordHash = sha512CryptoProvider.ComputeHash(Encoding.ASCII.GetBytes("Password123")),
IsActive = true,
//Role = "Admin",
CreateDate = DateTime.Now,
LastUpdateDate = DateTime.Now,
Profile = new UserProfileEntity
{
FirstName = "John",
LastName = "Doe",
EmailAddress = "*****@*****.**",
CreateDate = DateTime.Now,
LastUpdateDate = DateTime.Now
},
CreatedBy = new List <IssueEntity>
{
new IssueEntity
{
Type = "Bug",
Status = "InProgress",
Priority = "High",
Title = "Test Issue Title",
Description = "Test Issue Description",
CreateDate = DateTime.Now,
LastUpdateDate = DateTime.Now
}
}
};
context.Users.Add(user);
base.Seed(context);
}
} //compute hash from arguments and return hash value as string
private static string GetSHA512Hash(string text)
{
//create variables for computing hash and making it a string
UnicodeEncoding UniCode = new UnicodeEncoding();
byte[] HashResult;
byte[] msg = UniCode.GetBytes(text);
SHA512 hashString = new SHA512CryptoServiceProvider();
string Str = "";
//compute hash with SHA512 module and format output as string
//convert bytes in HashResult to string values
HashResult = hashString.ComputeHash(msg);
foreach (byte x in HashResult)
{
Str += String.Format("{0:x2}", x);
}
//clear excess resource usage
hashString.Clear();
return(Str);
} //compute hash from arguments and return hash value as string
public static string Encrypt(this string text, string key)
{
var buffer = Encoding.UTF8.GetBytes(text);
var hash = new SHA512CryptoServiceProvider();
var aesKey = new byte[24];
Buffer.BlockCopy(hash.ComputeHash(Encoding.UTF8.GetBytes(key)), 0, aesKey, 0, 24);
using (var aes = Aes.Create())
{
aes.Key = aesKey;
using (var encryptor = aes.CreateEncryptor(aes.Key, aes.IV))
using (var resultStream = new MemoryStream())
{
using (var aesStream = new CryptoStream(resultStream, encryptor, CryptoStreamMode.Write))
using (var plainStream = new MemoryStream(buffer))
{
plainStream.CopyTo(aesStream);
}
var result = resultStream.ToArray();
var combined = new byte[aes.IV.Length + result.Length];
Array.ConstrainedCopy(aes.IV, 0, combined, 0, aes.IV.Length);
Array.ConstrainedCopy(result, 0, combined, aes.IV.Length, result.Length);
var resultado = Convert.ToBase64String(combined);
return(resultado);
}
}
}
private void GoodB2G1Sink(string data, HttpRequest req, HttpResponse resp)
{
if (goodB2G1Private)
{
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
IO.WriteLine("Benign, fixed string");
}
else
{
/* FIX: Hash data before storing in cookie */
{
string salt = "ThisIsMySalt";
using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider())
{
byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, data));
byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer);
data = IO.ToHex(hashedCredsAsBytes);
}
}
resp.AppendCookie(new HttpCookie("auth", data));
}
}
protected override PasswdBase Secret()
{
if (this.date.VersionHash == "")
{
throw new Exception("the VERSION is not set");
}
using (HMACSHA512 hash512 = new HMACSHA512()) {
using (RNGCryptoServiceProvider rnd = new RNGCryptoServiceProvider()) {
Random cntRnd = new Random();
CryExtInfo extra = new CryExtInfo();
extra.Count = cntRnd.Next(this.MinCount, this.MaxCount);
extra.Salt = new byte[64];
//fill the Randomize salt ,the Salt's length is
//512bit
rnd.GetNonZeroBytes(extra.Salt);
using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider()) {
byte[] KeyBuffer = new byte[64];
rnd.GetNonZeroBytes(KeyBuffer);
KeyBuffer = sha512.ComputeHash(KeyBuffer);
extra.Key = KeyBuffer;
hash512.Key = KeyBuffer;
this.date.ExtraInfo = extra;
byte[] pwdBuffer;
byte[] pwdDate = Encoding.UTF8.GetBytes(this.Password);
//now we add the salt to the string
byte[] pwdWithSalt = new byte[pwdDate.Length + extra.Salt.Length];
Array.Copy(pwdDate, pwdWithSalt, pwdDate.Length);
Array.Copy(extra.Salt, 0, pwdWithSalt, pwdDate.Length, extra.Salt.Length);
pwdBuffer = hash512.ComputeHash(pwdWithSalt);
for (int i = 0; i <= extra.Count; i++)
{
pwdBuffer = hash512.ComputeHash(pwdBuffer);
}
this.date.Password = pwdBuffer;
}
}
}
return(this.date);
}
/* goodB2G() - use badsource and goodsink */
private void GoodB2G(HttpRequest req, HttpResponse resp)
{
string data;
while (true)
{
data = ""; /* initialize data in case id is not in query string */
/* POTENTIAL FLAW: Parse id param out of the URL querystring (without using getParameter()) */
{
if (req.QueryString["id"] != null)
{
data = req.QueryString["id"];
}
}
break;
}
while (true)
{
/* FIX: Hash data before storing in a file */
{
string salt = "ThisIsMySalt";
using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider())
{
byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, data));
byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer);
data = IO.ToHex(hashedCredsAsBytes);
}
}
using (SecureString secureData = new SecureString())
{
for (int i = 0; i < data.Length; i++)
{
secureData.AppendChar(data[i]);
}
File.WriteAllText(@"C:\Users\Public\WriteText.txt", secureData.ToString());
}
break;
}
}
/* goodB2G() - use badsource and goodsink */
private void GoodB2G()
{
string data;
while (true)
{
/* get environment variable ADD */
/* POTENTIAL FLAW: Read data from an environment variable */
data = Environment.GetEnvironmentVariable("ADD");
break;
}
while (true)
{
/* FIX: Hash data before storing in registry */
{
string salt = "ThisIsMySalt";
using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider())
{
byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, data));
byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer);
data = IO.ToHex(hashedCredsAsBytes);
}
}
using (SecureString secureData = new SecureString())
{
for (int i = 0; i < data.Length; i++)
{
secureData.AppendChar(data[i]);
}
RegistryKey key = Registry.CurrentUser.OpenSubKey("Software", true);
key.CreateSubKey("CWEparent");
key = key.OpenSubKey("CWEparent", true);
key.CreateSubKey("TestingCWE");
key = key.OpenSubKey("TestingCWE", true);
key.SetValue("CWE", secureData);
}
break;
}
}
/* goodB2G() - use badsource and goodsink*/
private void GoodB2G()
{
string data;
data = ""; /* Initialize data */
{
/* read user input from console with ReadLine */
try
{
/* POTENTIAL FLAW: Read data from the console using ReadLine */
data = Console.ReadLine();
}
catch (IOException exceptIO)
{
IO.Logger.Log(NLog.LogLevel.Warn, exceptIO, "Error with stream reading");
}
}
for (int k = 0; k < 1; k++)
{
/* FIX: Hash data before storing in a file */
{
string salt = "ThisIsMySalt";
using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider())
{
byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, data));
byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer);
data = IO.ToHex(hashedCredsAsBytes);
}
}
using (SecureString secureData = new SecureString())
{
for (int i = 0; i < data.Length; i++)
{
secureData.AppendChar(data[i]);
}
File.WriteAllText(@"C:\Users\Public\WriteText.txt", secureData.ToString());
}
}
}
/* goodB2G() - use badsource and goodsink*/
private void GoodB2G(HttpRequest req, HttpResponse resp)
{
string data;
data = ""; /* initialize data in case id is not in query string */
/* POTENTIAL FLAW: Parse id param out of the URL querystring (without using getParameter()) */
{
if (req.QueryString["id"] != null)
{
data = req.QueryString["id"];
}
}
for (int k = 0; k < 1; k++)
{
/* FIX: Hash data before storing in registry */
{
string salt = "ThisIsMySalt";
using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider())
{
byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, data));
byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer);
data = IO.ToHex(hashedCredsAsBytes);
}
}
using (SecureString secureData = new SecureString())
{
for (int i = 0; i < data.Length; i++)
{
secureData.AppendChar(data[i]);
}
RegistryKey key = Registry.CurrentUser.OpenSubKey("Software", true);
key.CreateSubKey("CWEparent");
key = key.OpenSubKey("CWEparent", true);
key.CreateSubKey("TestingCWE");
key = key.OpenSubKey("TestingCWE", true);
key.SetValue("CWE", secureData);
}
}
}
