Is it possible to secure strings in C# to prevent... I call it "String Attacks"?

Here is a sample:

// Needs: using System; using System.IO; using System.Net; using System.Text;
...
// Both credentials are compile-time constants, so they are stored verbatim in the
// assembly's metadata and show up in any strings dump or decompiler.
const String username = "friend";
const String password = "letmein";
// HTTP Basic credential: base64("user:password"), bytes taken as ISO-8859-1
String encoded = Convert.ToBase64String(Encoding.GetEncoding("ISO-8859-1").GetBytes(username + ":" + password));

WebRequest request = WebRequest.Create("http://xxx.xxx.xxx.xxx/");
// The snippet computed 'encoded' but never sent it; attach it as the Authorization header.
request.Headers["Authorization"] = "Basic " + encoded;

// Dispose the response, stream and reader even if ReadToEnd throws.
using (WebResponse response = request.GetResponse())
using (Stream dataStream = response.GetResponseStream())
using (StreamReader reader = new StreamReader(dataStream))
{
    string responseFromServer = reader.ReadToEnd();
    lbl_status.Text = responseFromServer;   // lbl_status: a Label on the form
}
...

If I compile and run it, I can read the stored strings with Sysinternals Process Explorer.

[Sysinternals Process Explorer screenshot]

Is there a way to encrypt the strings?

Greetings mok

mok liee

  • @AlexRiabov And how do you think HTTPS is going to prevent Process Explorer from seeing the strings? – mason Jul 10 '18 at 13:57
  • Protect when? At runtime? In the source code? – Camilo Terevinto Jul 10 '18 at 13:57
  • Check https://stackoverflow.com/questions/1570422/convert-string-to-securestring for further securing. – Afonso Jul 10 '18 at 13:58
  • That's why you should never hardcode passwords in source code. Use a configuration file instead and encrypt that, asking the user for the password for decryption. Even better, just ask the user for the HTTP password directly and don't even save it. – Alejandro Jul 10 '18 at 13:59
  • Start by building a threat model. **Who is the attacker and who is being attacked?** If your "attacker" is the owner of the computer -- they are not an attacker of their own computer. They own the machine and every bit on it is theirs to see. If they are an attacker of *someone else's resource* then yes you have a problem. But *build a proper threat model* so that you know what the attack is, and so on. – Eric Lippert Jul 10 '18 at 14:00
  • Irrespective of how you obfuscate that string in your binary, you're calling an HTTP URL, so Fiddler et al. will tell me exactly what's sent to the endpoint. It will do the same for HTTPS if I configure it to. – Alex K. Jul 10 '18 at 14:01
  • @mason, you're right, I was confused by WebRequest, which seems to be absolutely unrelated to the question – Alex Riabov Jul 10 '18 at 14:01
  • That said, I'm pretty sure you did zero research on this question, because you have not mentioned the aptly named **SecureString** class. **Please do some amount of research before you ask here**. Like typing the nouns in your question into a search engine. – Eric Lippert Jul 10 '18 at 14:02
  • @EricLippert `SecureString` is not going to help here, as it only protects secrets in memory, but not when the password is hardcoded. Process Explorer can still see the plain text like before, or if it's obfuscated in some way, a decompiler can do the rest. – Alejandro Jul 10 '18 at 14:07
  • @EricLippert Sorry my friend, I definitely did research! You can see every plaintext in this Strings tab of Process Explorer. – mok liee Jul 10 '18 at 14:11

1 Answer

Thanks @Alejandro!

The answer to my question is "no".

That's why you should never hardcode passwords in source code.
