
Problem

I am creating a set of automated tests that require a username and password to be given to log on to the application to be tested. I have a function LogOnToApplication(string username, string password) that takes the log on info as strings, and logs on to the application. Currently, I am defining two strings as such:

```csharp
string username = "username";
string password = "supersecretpassword";
```

And passing to my function with

```csharp
utilities.LogOnToApplication(username, password);
```

This works just fine for the purpose of my tests, but I know that doing this in this manner is risky and insecure. These tests are widely distributed, and setting my tests up this way could easily lead to a security breach.

Question

What is the best method to remove the username and password strings from my code? I have thought about creating a separate file to store this info in, and pulling from the file when the information is needed, but this really does not solve the problem, it just relocates the sensitive information.

Pseudo Sudo
  • Use some kind of encryption for your strings. That is the most simple and secure way. – lokusking Aug 09 '16 at 18:15
  • If you widely distribute the tests, everyone that wants to run them will need the username and password. Not necessarily in plain text, but the program will need them, and you can reverse engineer them out. – elyashiv Aug 09 '16 at 18:15
  • Turn your servers into docker images and start them up before you run your automated tests, and stop them when you're done. That way it really doesn't matter about passwords in the development environment... – Meirion Hughes Aug 09 '16 at 18:20
  • Not sure this is possible. Are you sure you need to widely distribute tests that connect with too much privileges to your server? – elyashiv Aug 09 '16 at 18:54
  • @lokusking how does one encrypt strings? – Pseudo Sudo Aug 09 '16 at 19:02
  • @nate have a look [here](http://stackoverflow.com/questions/38816004/simple-string-encryption-without-dependencies/38816208#38816208) – lokusking Aug 09 '16 at 19:28
  • @lokusking if I have to type the string there in order to run the `encrypt` method on it... how does this help solve the issue of having the password hard-coded? – Pseudo Sudo Aug 09 '16 at 19:30
  • Your password is not clear-text any longer. This improves security. You still have a hardcoded password, but it is wrong as long as it is encrypted. – lokusking Aug 09 '16 at 19:32
  • @lokusking I'm sorry, I must be misunderstanding something... in your linked example, you have this line: `var topSecret = "This is%&/(/ TopSecret 111!!";`... the password right there is clear text, right? How can I use this example to get the clear text password out of my code? That's my entire issue. – Pseudo Sudo Aug 09 '16 at 19:35
  • That's the way to do it. For sure don't use the clear-text password. Encrypt one first, then set it. From my example `4ZSA4aiA4amA4bOA4KCA4amA4bOA4KWA4KaA4K+A4KiA4K+A4KCA4ZSA4a+A4bCA4ZOA4aWA4aOA4bKA4aWA4bSA4KCA4LGA4LGA4LGA4KGA4KGA` would be your password. – lokusking Aug 09 '16 at 19:37
  • If you really want to encrypt, you can do it with an encryption algorithm - http://stackoverflow.com/questions/273452/using-aes-encryption-in-c-sharp for example. – elyashiv Aug 10 '16 at 05:40

2 Answers


You could put them in the App.Config file under AppSettings and get them with ConfigurationManager.

Settings code:

```xml
<appSettings>
  <add key="username" value="lol" />
  <add key="password" value="hunter2" />
</appSettings>
```

and to access them

```csharp
using System.Configuration; // requires a reference to System.Configuration.dll

// The property is AppSettings (plural); it returns a NameValueCollection
var username = ConfigurationManager.AppSettings["username"];
var password = ConfigurationManager.AppSettings["password"];
```
James Ralston
  • Well, it would be out of the application. The specifics of the test are not really given, but they could be made specific to the user running the test, or at the very least changeable. They need to come from somewhere. Credentials such as API tokens etc. should be put in the config. It's the same place a DB connection string is put, and I would deem that pretty sensitive. – James Ralston Aug 09 '16 at 18:38
  • Correct, and "pretty sensitive" doesn't guarantee security. – elyashiv Aug 09 '16 at 18:44
  • True, but in most cases having access to the config file would mean having access to the machine and admin rights (if file permissions are set that way). Ideally this would be paired with some host-specific credentials. – James Ralston Aug 09 '16 at 18:47
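As an added example (not the answerer's code), here is one way to apply this answer so that the checked-in App.config never has to contain a real value: the test resolves each credential from an environment variable first (set by the CI runner or the developer's shell, which is where the "host-specific credentials" from the comments can live), falls back to `<appSettings>` via `ConfigurationManager.AppSettings`, and refuses to run if neither is set. The variable names `TEST_APP_USERNAME` / `TEST_APP_PASSWORD` are assumptions; `utilities.LogOnToApplication` is the question's own helper.

```csharp
using System;
using System.Configuration; // reference System.Configuration.dll

// Added example: resolve test credentials at run time instead of hard-coding them.
// Environment variable names below are assumptions for this example.
public static class TestCredentials
{
    private const string UserEnv = "TEST_APP_USERNAME";
    private const string PassEnv = "TEST_APP_PASSWORD";

    public static (string Username, string Password) Load()
    {
        string username = Resolve(UserEnv, "username");
        string password = Resolve(PassEnv, "password");
        return (username, password);
    }

    private static string Resolve(string envName, string appSettingKey)
    {
        // Environment wins, so the App.config committed to source control
        // can leave the value empty and only a local/CI copy fills it in.
        string value = Environment.GetEnvironmentVariable(envName);
        if (string.IsNullOrEmpty(value))
        {
            // Note the plural: ConfigurationManager.AppSettings is a NameValueCollection.
            value = ConfigurationManager.AppSettings[appSettingKey];
        }
        if (string.IsNullOrEmpty(value))
        {
            // Fail loudly, naming the missing setting but never echoing a value.
            throw new InvalidOperationException(
                $"Test credential '{appSettingKey}' is not configured: " +
                $"set {envName} or appSettings/{appSettingKey}.");
        }
        return value;
    }
}

// Usage in a test, with the question's own helper:
//   var creds = TestCredentials.Load();
//   utilities.LogOnToApplication(creds.Username, creds.Password);
```

Whatever file ends up holding a real value (a local App.config or an environment file) should be excluded from source control and given restrictive file permissions, as the comment thread above suggests.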

As I wrote in the comments, I don't think the exact thing you want to do is possible. At some point your program will need to run the line `utilities.LogOnToApplication(username, password);` where username and password are plain strings. If the program is running on my computer, I can connect a debugger and get the data. There are ways to make it harder, but this battle is fought between hackers and games developers, and the loser is the side you are trying to join.

The safest thing will be to rethink the testing - do you really need them "widely distributed"? If not, don't.

There are some ways to make it harder to get the u/p; it all depends on how much effort you are willing to put into this.

elyashiv