5

Checkmarx reported a Heap inspection vulnerability regarding having a string for a Password property. This property is part of a model, which gets bound when submitting a login form. Is there a way in ASP.NET MVC to use anything else other than regular string to bind password from the form?

So far I have tried changing the property type to char[] or SecureString, but in that case the form doesn't bind the data to it.

using System.ComponentModel.DataAnnotations;

// Login view model bound from the form post; the password arrives as a plain string
public class LoginModel
{
    [Required]
    [Display(Name = "User name")]
    public string UserName { get; set; }

    [Required]
    [DataType(DataType.Password)]
    [Display(Name = "Password")]
    public string Password { get; set; }

    [Display(Name = "Remember me?")]
    public bool RememberMe { get; set; }
}
Ryan Searle
Dasha Finch
  • If a hacker has access to your web server's memory, you have different problems already. – CodeCaster Nov 24 '16 at 15:02
  • SecureString is the best way to achieve it, but you will just waste your time... it's terrifically rare, almost impossible in healthy environments. – Pawel Maga Nov 24 '16 at 15:04
  • Related: [Is SecureString ever practical in a C# application?](http://stackoverflow.com/questions/26190938/is-securestring-ever-practical-in-a-c-sharp-application), [Heap Inspection Security Vulnerability](http://stackoverflow.com/questions/30341327/heap-inspection-security-vulnerability). – CodeCaster Nov 24 '16 at 15:04
  • @PawelMaga, how would I use SecureString in this context? I have tried simply changing the Password property type to SecureString, but then it stops binding and I get validation errors that it is not a valid value. – Dasha Finch Nov 24 '16 at 15:14
  • @DashaFinch create your custom model binder or use some backing fields. – Pawel Maga Nov 24 '16 at 15:22
  • Think of it this way. Do all the other APIs (such as password hashing) that need this value work with SecureString? Then by all means, go with SecureString and tick that box. If not, then you will still need to read that value into memory as either a string or a byte array and the value is still put on the heap, so a SecureString won't really help. – Karl-Johan Sjögren Jan 02 '21 at 08:33

2 Answers

5

Rename the password field to something else... like "alienSecurity", and that's it: Checkmarx will not be able to catch it :)

Petter Friberg
Rushikesh Joshi
1

Use SecureString instead of String.

A SecureString instance provides more data protection than a String. When creating a string from a character-at-a-time source, String creates multiple intermediate instances in memory, whereas SecureString creates just a single instance.

Garbage collection of String objects is non-deterministic. In addition, because its memory is not pinned, the garbage collector will make additional copies of String values when moving and compacting memory. In contrast, the memory allocated to a SecureString object is pinned, and that memory can be freed by calling the Dispose method.

https://msdn.microsoft.com/en-us/library/system.security.securestring(v=vs.110).aspx

Dhruv Singh
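Putting Pawel Maga's comment (write a custom model binder) together with the second answer's SecureString recommendation, here is an added example for ASP.NET MVC 5; it is not code from the question or from either answer. The class names SecureStringModelBinder and the trimmed LoginModel are assumptions; IModelBinder, ValueProviderResult and ModelBinders.Binders are the framework's own types.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Security;
using System.Web.Mvc;

// Copies the posted form value into a SecureString one character at a time and
// deliberately does not record the attempted value in ModelState (which would
// keep a second managed copy of the password alive for the view).
public class SecureStringModelBinder : IModelBinder
{
    public object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
    {
        ValueProviderResult value = bindingContext.ValueProvider.GetValue(bindingContext.ModelName);
        if (value == null || string.IsNullOrEmpty(value.AttemptedValue))
        {
            return null; // [Required] on the property reports the missing value
        }

        // Caveat: AttemptedValue is already a managed string on the heap, because
        // the request form was parsed as strings. This limits further copies only.
        var secure = new SecureString();
        foreach (char c in value.AttemptedValue)
        {
            secure.AppendChar(c);
        }
        secure.MakeReadOnly();
        return secure;
    }
}

// View model with the password held as a SecureString (assumed, trimmed to the
// relevant property). DefaultModelBinder looks up the binder registered below
// for this property type, so binding and [Required] validation both work.
public class LoginModel
{
    [Required, DataType(DataType.Password), Display(Name = "Password")]
    public SecureString Password { get; set; }
}

// Registration in Global.asax.cs so every SecureString property uses the binder.
public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        ModelBinders.Binders.Add(typeof(SecureString), new SecureStringModelBinder());
    }
}
```

Karl-Johan Sjögren's point still applies: the value reaches the binder as a managed string, and any hashing API that takes a string will materialise the password again, so the consumer should marshal the SecureString out only for the duration of the verification call and Dispose it afterwards.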