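/* Bad() - build credentials and hand them to the cookie sink in cleartext (CWE-315 test case). */
public override void Bad(HttpRequest req, HttpResponse resp)
{
    string data;
    using (SecureString securePwd = new SecureString())
    using (SecureString secureUser = new SecureString())
    {
        /* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */
        foreach (char c in "AP@ssw0rd")
        {
            securePwd.AppendChar(c);
        }
        /* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */
        /* The user name belongs in secureUser; the original loop appended it to securePwd,
           which left secureUser empty and corrupted the password value. */
        foreach (char c in "user")
        {
            secureUser.AppendChar(c);
        }
        /* POTENTIAL FLAW: Set data to credentials (without hashing or encryption) */
        /* NOTE(review): SecureString does not override ToString(), so these calls yield the
           type name rather than the stored characters; the test case does not marshal the
           contents out, so the flawed value here is the concatenation itself, not the secret. */
        data = secureUser.ToString() + ":" + securePwd.ToString();
    }
    Hashtable dataHashtable = new Hashtable(5);
    dataHashtable.Add(0, data);
    dataHashtable.Add(1, data);
    dataHashtable.Add(2, data);
    CWE315_Cleartext_Storage_in_Cookie__Web_72b.BadSink(dataHashtable, req, resp);
}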
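/* goodG2B() - use GoodSource and BadSink */
private static void GoodG2B(HttpRequest req, HttpResponse resp)
{
    string data;
    using (SecureString securePwd = new SecureString())
    using (SecureString secureUser = new SecureString())
    {
        /* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */
        foreach (char c in "AP@ssw0rd")
        {
            securePwd.AppendChar(c);
        }
        /* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */
        /* The user name belongs in secureUser; the original loop appended it to securePwd,
           which left secureUser empty and corrupted the password value. */
        foreach (char c in "user")
        {
            secureUser.AppendChar(c);
        }
        /* FIX: Set data to a hash of credentials */
        /* NOTE(review): SecureString does not override ToString(), so the concatenation below
           hashes the type names rather than the stored characters. */
        /* NOTE(review): the salt is a fixed literal and the digest is a single SHA-512 pass.
           That keeps the raw credential string out of the cookie, which is what this test case
           checks, but it is not a password-storage scheme (no per-user salt, no work factor). */
        string salt = "ThisIsMySalt";
        using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider())
        {
            string credentialsToHash = secureUser.ToString() + ":" + securePwd.ToString();
            byte[] buffer = Encoding.UTF8.GetBytes(salt + credentialsToHash);
            byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer);
            data = IO.ToHex(hashedCredsAsBytes);
        }
    }
    Hashtable dataHashtable = new Hashtable(5);
    dataHashtable.Add(0, data);
    dataHashtable.Add(1, data);
    dataHashtable.Add(2, data);
    CWE315_Cleartext_Storage_in_Cookie__Web_72b.GoodG2BSink(dataHashtable, req, resp);
}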