/* goodG2B() - use goodsource and badsink */ private static void GoodG2B(HttpRequest req, HttpResponse resp) { string data = CWE315_Cleartext_Storage_in_Cookie__Web_61b.GoodG2BSource(req, resp); /* NOTE: potential incidental issues with not setting secure or HttpOnly flag */ /* POTENTIAL FLAW: Store data directly in cookie */ resp.AppendCookie(new HttpCookie("auth", data)); }
/* goodB2G() - use badsource and goodsink */ private static void GoodB2G(HttpRequest req, HttpResponse resp) { string data = CWE315_Cleartext_Storage_in_Cookie__Web_61b.GoodB2GSource(req, resp); /* FIX: Hash data before storing in cookie */ { string salt = "ThisIsMySalt"; using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider()) { byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, data)); byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer); data = IO.ToHex(hashedCredsAsBytes); } } resp.AppendCookie(new HttpCookie("auth", data)); }