
I'd like to ask for some advice on the app security when it comes to getting the password from the user and storing it.

I'm developing a tool using .NET Core (console project) and Selenium WebDriver to automate a process on a website, which requires authentication, and my concerns are following:

1. Getting the password from the user (using console) and securely handle it

2. Storing the password in a secure manner

Regarding the first point:

  • I've found an answer on SO pointing out that using SecureString doesn't fully prevent sensitive data from being read, as at some point it has to be converted to/from a normal string. I have come across the solution for getting user input from the console using SecureStrings, but according to what's written here SecureStringToBSTR has to be used to handle the sensitive data in a secure way. However, SecureStringToBSTR is not included in .NET Core, because it's available only for Windows, so I'm stuck.

As for the second point:

  • I cannot hash the password as it has to be restored. At first I wanted to use platform-specific solutions and check the current platform in the app, but after some research I found out that there's an API only for DPAPI on Windows, there's no API for Keychain on macOS (there's some workaround) and Linux doesn't have a unified way of storing sensitive data at all. The only solution I can think of is to force the user to generate public/private keys (using for example RSA, which is available on all platforms), encrypt the password using the public key and require the private key to retrieve the password. Then I would store the encrypted password either in appsettings.json or as an environment variable as described here. Unfortunately Azure Key Vault is not free.

I am aware that there are many questions similar to this, but:

  • I couldn't find any regarding storing passwords; most sources focus on hashing them, which doesn't apply to the described use case
  • Virtually all are focused on ASP.NET Core MVC

Thanks in advance for the hints.

Camilo Terevinto
Łukasz Sypniewski
  • Are you certain that the service you are interacting with on behalf of your users does not provide some sort of OAuth interface? – Luke Joshua Park Oct 18 '18 at 22:26
  • @LukeJoshuaPark Unfortunately no, there's no OAuth, no API. I've just checked just to be 100% sure. I need to use a browser to automate the process. – Łukasz Sypniewski Oct 18 '18 at 22:32
  • Uhhhh. Are you sure? Why do you need to use a browser vs just make the requests the browser makes yourself? – Luke Joshua Park Oct 18 '18 at 22:35
  • @LukeJoshuaPark Maybe I'm missing something, but I know two ways of filling the userName and password fields on that website: detect the proper textfields, simulate user input and perform click action on a relevant button. The second one (which I've just found) is that the fields can be filled in by calling appropriate JS function in a browser console. After seeing your question I assume it might be possible to perform the logging in manually and check what requests the browser has fired, am I right? – Łukasz Sypniewski Oct 18 '18 at 22:51
  • I might be misunderstanding, but it seems like you want to log one of your users into their account with a 3rd party provider, correct? If this is the case, I don't understand at all why you want to involve the browser? Simply make the same HTTP request from your own code? Does that make sense or have I misunderstood? – Luke Joshua Park Oct 19 '18 at 01:03
  • @LukeJoshuaPark No, there's no third party provider. After checking out the requests made by a browser it turns out that some random data is added to a header, even for the same combination of username and password the generated data is always different, so I guess I have to use the primitive method of authentication using a browser. – Łukasz Sypniewski Oct 19 '18 at 07:29
  • That really isn't the way to solve the problem. – Luke Joshua Park Oct 19 '18 at 07:35

0 Answers
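As an added example (not code from the asker or from any answer on this page), the following C# sketch shows the two pieces the question asks about in a cross-platform way: reading the password from the console into a SecureString without echoing it, and encrypting it under an RSA public key (OAEP with SHA-256) so the ciphertext can be kept in appsettings.json or an environment variable. It copies the password out of the SecureString with Marshal.SecureStringToGlobalAllocUnicode rather than SecureStringToBSTR, and clears every byte[] / char[] copy it makes, so no managed System.String of the password is created until the caller hands it to the browser. The class name PasswordVault and the Main usage are hypothetical; it assumes .NET Core 2.0 or later.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper, added as an illustration; not the asker's code.
static class PasswordVault
{
    // Read a password from the console without echoing it, appending each
    // character straight into a SecureString (no intermediate string).
    public static SecureString ReadPassword(string prompt)
    {
        Console.Write(prompt);
        var secret = new SecureString();
        while (true)
        {
            ConsoleKeyInfo key = Console.ReadKey(intercept: true);
            if (key.Key == ConsoleKey.Enter) break;
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secret.Length > 0) secret.RemoveAt(secret.Length - 1);
                continue;
            }
            if (!char.IsControl(key.KeyChar)) secret.AppendChar(key.KeyChar);
        }
        Console.WriteLine();
        secret.MakeReadOnly();
        return secret;
    }

    // Encrypt the SecureString contents with an RSA public key using OAEP/SHA-256.
    // The UTF-16 bytes are copied from unmanaged memory into a byte[] that is
    // zeroed in the finally block, so the plaintext never becomes a managed string.
    // With a 2048-bit key, OAEP/SHA-256 allows at most 190 bytes = 95 UTF-16 chars.
    public static byte[] Encrypt(SecureString secret, RSA publicKey)
    {
        IntPtr unmanaged = IntPtr.Zero;
        byte[] plaintext = new byte[secret.Length * 2]; // two bytes per UTF-16 code unit
        try
        {
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(unmanaged, plaintext, 0, plaintext.Length);
            return publicKey.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA256);
        }
        finally
        {
            if (unmanaged != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
            Array.Clear(plaintext, 0, plaintext.Length);
        }
    }

    // Decrypt with the private key. Returns a char[] so the caller can clear it
    // (Array.Clear) as soon as the value has been handed to the web driver.
    public static char[] Decrypt(byte[] ciphertext, RSA privateKey)
    {
        byte[] plaintext = privateKey.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA256);
        try { return Encoding.Unicode.GetChars(plaintext); }
        finally { Array.Clear(plaintext, 0, plaintext.Length); }
    }
}

class Program
{
    static void Main()
    {
        // RSA.Create() picks the platform implementation (CNG on Windows,
        // OpenSSL on Linux/macOS). In a real tool the private key would be
        // generated once and kept outside the repository and config file.
        using (RSA rsa = RSA.Create())
        {
            rsa.KeySize = 2048;

            using (SecureString secret = PasswordVault.ReadPassword("Password: "))
            {
                byte[] ciphertext = PasswordVault.Encrypt(secret, rsa);
                // This Base64 string is what would be written to appsettings.json
                // or exported as an environment variable.
                string stored = Convert.ToBase64String(ciphertext);
                Console.WriteLine("Encrypted (store this): " + stored);

                // Later, at login time: restore the password only for as long as needed.
                char[] recovered = PasswordVault.Decrypt(Convert.FromBase64String(stored), rsa);
                Console.WriteLine("Recovered length: " + recovered.Length);
                Array.Clear(recovered, 0, recovered.Length);
            }
        }
    }
}
```

Two caveats belong with this design. First, it only moves the secret: whoever can read the private key can recover the password, so the private key needs the same protection the password needed (a file permission of 0600 on Linux/macOS, DPAPI or a passphrase on Windows, or a prompt for it at startup). Second, Selenium's SendKeys takes a System.String, so a managed copy of the password is unavoidable at the moment it is typed into the page; the goal of the SecureString and char[] handling above is to keep that window as short as possible, not to eliminate it.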