
I've built an ASP.NET Web API 2 application and one of my controllers has a method that allows users to log in, something like this:

using System;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using Swashbuckle.Swagger.Annotations;

[Route("login")]
[HttpPost]
[SwaggerOperation(Tags = new[] { "ACCOUNT" })]
[SwaggerResponse(HttpStatusCode.OK, Type = typeof(ReturnModel<AccountModel, HttpStatusCode>))]
public HttpResponseMessage Login([FromBody]LoginDto userData)
{
   ReturnModel<AccountModel, HttpStatusCode> returnObj = new ReturnModel<AccountModel, HttpStatusCode>();

   try
   {
      // userData.UserPassword is already an immutable string here: model binding created it
      returnObj = accountService.Login(userData.UserLogin, userData.UserPassword);

      if (returnObj.Success)
      {
         ...
      }
      else 
      {
         ...
      }

      return Request.CreateResponse(returnObj.StatusCode, returnObj);
   }
   catch (Exception ex)
   {
      LogUtil.Error(ex);
      return Request.CreateResponse(HttpStatusCode.InternalServerError, returnObj);
   }
}

LoginDto class:

using System.ComponentModel.DataAnnotations;

public class LoginDto
{
   [Required]
   public string UserLogin { get; set; }

   [Required]
   public string UserPassword { get; set; }
}

After a vulnerability check with the Checkmarx tool, I received a report that says:

Method Index at line 55 of //***/Controllers/AccountController.cs defines UserPassword, which is designated to contain user passwords. However, while plaintext passwords are later assigned to UserPassword, this variable is never cleared from memory.

I know that strings are immutable and stay in memory for an undetermined time.

The tool (Checkmarx) has a suggestion that says:

Specific Recommendations - .NET:

- Instead of storing passwords in immutable strings, prefer to use an encrypted memory object, such as SecureString or ProtectedData.

I found other suggestions that also tell me to use SecureString instead of string to manipulate/store user passwords, but I think that this only applies to MVC or WPF applications; I can't figure out how I can apply this in an ASP.NET Web API 2 context, where I have to expose a language-agnostic service.

Does anyone have any suggestion about how I can achieve this level of security (or even whether it's possible) on ASP.NET Web API 2?

securecodeninja
  • https://stackoverflow.com/questions/4463821/is-there-any-benefit-to-using-securestring-in-asp-net – Dave M Apr 24 '18 at 19:45
  • @DaveM, thank you for the link, but I think that this is not exactly the same scenario. In my case, I don't know who the API clients are (Angular, iOS, Android...). My main concern is, how can I do a SecureString implementation, or apply the same concept to UserPassword in a REST API that has to be language-agnostic (or whether it's possible)? – Paulo Douglas Apr 24 '18 at 20:01
  • The API client has no bearing on the issue; the request comes into your application as HTTP no matter what the client is. You are already language-agnostic no matter how your Web API is implemented. – Dave M Apr 24 '18 at 20:09
  • @DaveM, but to achieve this with SecureString, I have to pass the password from the client to the server without using a string (in WPF, for example, you have this type on the client). The SecureString implementation suggests that I have to post information from the client to the server for every typed character. If I use string in this process in any way (maybe sending one post per typed character), I'll have the password in a string in memory again, even if fragmented... – Paulo Douglas Apr 24 '18 at 20:17
  • IMHO, you cannot "solve" the issue, you can only minimize exposure. I have the same issue with "sending over/across the wire": the OAuth2 client_secret. For the HTTP request, it has to be a string. So the most I can do is keep this secret value (as a SecureString in .NET, as a char[] array in Java) as long as I can, then I convert to string, use the value (and then I destroy/overwrite the SecureString / char[] array), and I null out the string in my code, even though that does not do much (but it shows in code that I tried/cared). – granadaCoder Apr 20 '20 at 17:37

0 Answers
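As an added worked example (not code from the question, from Checkmarx, or from any answer on the page), here is one way to keep the password out of System.String on the server side of a Web API 2 endpoint. The client stays language-agnostic: it still posts the same JSON body; only how the server reads that body changes. The point SecureString is meant to make on the server is simply "hold the secret in a buffer you can overwrite", and a byte[] that is pinned, hashed immediately and then zeroed gives the same effect without needing SecureString at all. The example assumes the System.Text.Json 7.0+ NuGet package (for Utf8JsonReader.CopyString, which unescapes a JSON string straight into a caller-owned byte buffer) and a hypothetical IAccountService that returns the stored PBKDF2 salt, hash and iteration count; those names are not from the question.

```csharp
// Added example (not the question's code). Assumes the System.Text.Json 7.0+
// package for Utf8JsonReader.CopyString and a hypothetical IAccountService.
using System;
using System.Net;
using System.Net.Http;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text.Json;
using System.Threading.Tasks;
using System.Web.Http;

// Hypothetical credential store: returns the stored PBKDF2 parameters for a login.
public interface IAccountService
{
    bool TryGetCredential(string login, out byte[] salt, out byte[] hash, out int iterations);
}

public static class PasswordBody
{
    // Utf8JsonReader is a ref struct, so it cannot live inside an async method;
    // these helpers keep it out of the controller's async Login.
    private static bool SeekStringProperty(ref Utf8JsonReader reader, string name)
    {
        while (reader.Read())
        {
            if (reader.TokenType == JsonTokenType.PropertyName && reader.ValueTextEquals(name))
                return reader.Read() && reader.TokenType == JsonTokenType.String;
        }
        return false;
    }

    // Non-secret field: a normal string is fine.
    public static string ExtractString(byte[] body, string name)
    {
        var reader = new Utf8JsonReader(body);
        if (!SeekStringProperty(ref reader, name)) throw new ArgumentException("missing " + name);
        return reader.GetString();
    }

    // Secret field: unescape straight into a caller-owned byte[]; no System.String is created.
    public static byte[] ExtractUtf8(byte[] body, string name)
    {
        var reader = new Utf8JsonReader(body);
        if (!SeekStringProperty(ref reader, name)) throw new ArgumentException("missing " + name);
        var buffer = new byte[reader.ValueSpan.Length]; // unescaping never grows a value
        int written = reader.CopyString(buffer);
        if (written == buffer.Length) return buffer;
        var exact = new byte[written];
        Buffer.BlockCopy(buffer, 0, exact, 0, written);
        Array.Clear(buffer, 0, buffer.Length);          // do not leave the oversized copy behind
        return exact;
    }
}

public static class PasswordHasher
{
    // PBKDF2-SHA256 over the raw bytes, compared in fixed time. Dispose clears the
    // KDF's internal copies (which ones differ between .NET Framework and .NET Core).
    public static bool Verify(byte[] password, byte[] salt, byte[] expected, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            int diff = 0;
            for (int i = 0; i < expected.Length; i++) diff |= actual[i] ^ expected[i];
            Array.Clear(actual, 0, actual.Length);
            return diff == 0;
        }
    }
}

[RoutePrefix("api/account")]
public class AccountController : ApiController
{
    private readonly IAccountService accountService;
    public AccountController(IAccountService service) { accountService = service; }

    // No [FromBody] DTO: the JSON formatter would decode the whole body through a
    // StreamReader into immutable strings before this method ever ran.
    [Route("login")]
    [HttpPost]
    public async Task<HttpResponseMessage> Login()
    {
        byte[] body = await Request.Content.ReadAsByteArrayAsync();
        byte[] password = null;
        GCHandle pin = default(GCHandle);
        try
        {
            string login = PasswordBody.ExtractString(body, "UserLogin");
            password = PasswordBody.ExtractUtf8(body, "UserPassword");
            pin = GCHandle.Alloc(password, GCHandleType.Pinned);   // GC must not relocate (copy) it
            byte[] salt, hash; int iterations;
            bool ok = accountService.TryGetCredential(login, out salt, out hash, out iterations)
                      && PasswordHasher.Verify(password, salt, hash, iterations);
            // Same status for unknown login and wrong password: no account enumeration.
            return Request.CreateResponse(ok ? HttpStatusCode.OK : HttpStatusCode.Unauthorized);
        }
        catch (ArgumentException)
        {
            return Request.CreateResponse(HttpStatusCode.BadRequest);
        }
        finally
        {
            if (password != null) Array.Clear(password, 0, password.Length);
            if (pin.IsAllocated) pin.Free();
            Array.Clear(body, 0, body.Length);                     // raw request bytes hold it too
        }
    }
}
```

What this buys, and what it does not: the password never becomes a System.String in application code, the only application-owned copies are two byte arrays that are cleared in the finally block, and the hash comparison runs in fixed time. It does not remove copies the application never sees: HTTP.sys/IIS and the HttpContent buffer that ReadAsByteArrayAsync reads from keep their own, TLS record buffers held the bytes before that, and a byte[] is only protected from GC relocation from the moment it is pinned. Never put the password into the response model, into LogUtil, or into an exception message, because each of those is another long-lived string. This reduces the exposure window, which is the most a server can do with a credential that had to arrive as bytes on the wire; it does not make the Checkmarx class of finding disappear.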