/* goodG2B() - use goodsource and badsink */
private static void GoodG2B(HttpRequest req, HttpResponse resp)
{
string data;
using (SecureString securePwd = new SecureString())
{
using (SecureString secureUser = new SecureString())
{
for (int i = 0; i < "AP@ssw0rd".Length; i++)
{
/* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */
securePwd.AppendChar("AP@ssw0rd"[i]);
}
for (int i = 0; i < "user".Length; i++)
{
/* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */
securePwd.AppendChar("user"[i]);
}
/* FIX: Set data to a hash of credentials */
{
string salt = "ThisIsMySalt";
using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider())
{
string credentialsToHash = secureUser.ToString() + ":" + securePwd.ToString();
byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, credentialsToHash));
byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer);
data = IO.ToHex(hashedCredsAsBytes);
}
}
}
}
CWE315_Cleartext_Storage_in_Cookie__Web_71b.GoodG2BSink((Object)data, req, resp);
}
/* goodB2G() - use badsource and goodsink */
private static void GoodB2G(HttpRequest req, HttpResponse resp)
{
string data;
using (SecureString securePwd = new SecureString())
{
using (SecureString secureUser = new SecureString())
{
for (int i = 0; i < "AP@ssw0rd".Length; i++)
{
/* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */
securePwd.AppendChar("AP@ssw0rd"[i]);
}
for (int i = 0; i < "user".Length; i++)
{
/* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */
securePwd.AppendChar("user"[i]);
}
/* POTENTIAL FLAW: Set data to credentials (without hashing or encryption) */
data = secureUser.ToString() + ":" + securePwd.ToString();
}
}
CWE315_Cleartext_Storage_in_Cookie__Web_71b.GoodB2GSink((Object)data, req, resp);
}
