Performing Text Searches


To assist the review process, check that you are familiar with a text search tool that you can use to locate strings in files. This type of tool allows you to quickly locate vulnerable code. Many of the review questions presented later in the chapter indicate the best strings to search for when looking for specific vulnerabilities.

You may already have a favorite search tool. If not, you can use the Find in Files facility in Visual Studio .NET or the Findstr command line tool, which is included with the Microsoft Windows operating system.

Note  

If you use the Windows XP Search tool from Windows Explorer, and use the A word or phrase in the file option, check that you have the latest Windows XP service pack, or the search may fail. For more information, see Microsoft Knowledge Base article 309173, "Using the 'A Word or Phrase in the File' Search Criterion May Not Work."

Search for Hard-Coded Strings

Before you perform a detailed line-by-line analysis of your source code, start with a quick search through your entire code base to identify hard-coded passwords, account names, and database connection strings. Scan through your code and search for common string patterns such as the following: "key," "secret," "password," "pwd," and "connectionstring." Expect false positives; for example, "key" also matches the key attribute of appSettings entries in Web.config, so review each hit in context rather than treating the match list as a list of findings.

For example, to search for the string "password" in the Web directory of your application, use the Findstr tool from a command prompt as follows:

 findstr /S /M /I /d:c:\projects\yourweb "password" *.* 

Findstr uses the following command-line parameters:

  • /S - include subdirectories.

  • /M - list only the file names.

  • /I - use a case-insensitive search.

  • /D:dir - search a semicolon-delimited list of directories. If the file path you want to search includes spaces, surround the path in double quotes.

Automating Findstr

You can create a text file with common search strings. Findstr can then read the search strings from the text file, as shown below. Run the following command from a directory that contains .aspx files.

 findstr /N /G:SearchStrings.txt *.aspx 

/N prints the corresponding line number when a match is found. /G indicates the file that contains the search strings. In this example, all ASP.NET pages (*.aspx) are searched for strings contained within SearchStrings.txt.
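The same review pass, scripted so it can run on any machine and be kept with the project. This is an added example and not code from the original chapter: it reproduces the /S, /I, /N, /M and /G behaviour of the Findstr commands above, then scans a constructed sample web directory that contains one real leak (a connection string for the sa account) and one false positive (the key attribute of an appSettings entry). The search-string file, file names and file contents are all constructed for the demonstration.

```python
"""Scripted search for hard-coded secrets in a source tree.

Added example, not code from the original chapter: a cross-platform
equivalent of `findstr /S /N /I /G:SearchStrings.txt *.aspx`.  The search
strings, file names and file contents below are constructed for the
demonstration.
"""
import os
import re
import tempfile

# Search strings suggested in the chapter, one per line as in SearchStrings.txt.
SEARCH_STRINGS_TXT = """# constructed SearchStrings.txt: one search string per line
key
secret
password
pwd

connectionstring
"""


def load_patterns(path):
    """Read search strings from a file (findstr /G), skipping blanks and # comments."""
    with open(path, encoding="utf-8") as fh:
        return [ln.strip() for ln in fh
                if ln.strip() and not ln.lstrip().startswith("#")]


def scan_for_secrets(root, patterns, extensions=(".aspx", ".cs", ".config"),
                     files_only=False):
    """Walk `root` recursively (/S) and match each line case-insensitively (/I).

    Returns sorted (relative_path, line_number, matched_pattern, line) tuples
    (the line number is what /N prints), or, with files_only=True (/M), just
    the sorted relative paths of files that contain at least one match.
    """
    regex = re.compile("|".join(re.escape(p) for p in patterns), re.IGNORECASE)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(tuple(extensions)):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, start=1):
                    match = regex.search(line)
                    if match:
                        hits.append((rel, lineno, match.group(0).lower(),
                                     line.rstrip("\n")))
    if files_only:
        return sorted({rel for rel, _, _, _ in hits})
    return sorted(hits)


def build_demo_tree(root):
    """Write a small constructed web directory: one real leak, one false positive."""
    os.makedirs(os.path.join(root, "admin"))
    samples = {
        "SearchStrings.txt": SEARCH_STRINGS_TXT,
        "Default.aspx": '<%@ Page Language="C#" %>\n<html><body>Welcome</body></html>\n',
        # Real finding: credentials for the sa account embedded in code.
        "admin/Logon.aspx.cs": (
            "using System.Data.SqlClient;\n"
            "// BAD: credentials embedded in source\n"
            'string connectionString = "Server=AppServer;database=users;uid=sa;pwd=password";\n'
        ),
        # False positive: "key" here is only the appSettings attribute name.
        "Web.config": (
            "<configuration>\n  <appSettings>\n"
            '    <add key="SmtpServer" value="mail" />\n'
            "  </appSettings>\n</configuration>\n"
        ),
    }
    for rel, text in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)


def demo(files_only=False):
    """Build the constructed tree in a temp dir, scan it and return the results."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        patterns = load_patterns(os.path.join(root, "SearchStrings.txt"))
        return scan_for_secrets(root, patterns, files_only=files_only)


if __name__ == "__main__":
    for rel, lineno, pattern, line in demo():
        print(f"{rel}:{lineno}: [{pattern}] {line.strip()}")
```

Running the script reports two hits: the connection string in admin/Logon.aspx.cs (line 3) and the appSettings key attribute in Web.config (line 3). The second is exactly the kind of noise the search produces, which is why the match list is the starting point for the review, not its result.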

ILDASM

You can also use the Findstr command in conjunction with the ildasm.exe utility to search binary assemblies for hard-coded strings. The following command uses ildasm.exe to disassemble the assembly to text and pipes the output through Findstr to locate the ldstr intermediate language instruction, which loads a string constant. Notice how the output shown below reveals a hard-coded database connection string and the password of the well-known sa account. This pass finds only literals compiled into the assembly; a string that is concatenated at run time, read from a resource, or decoded from an encoded form does not appear as a single ldstr, so a clean result is not proof that no credentials are embedded.

 Ildasm.exe secureapp.dll /text | findstr ldstr

       IL_000c:  ldstr      "RegisterUser"
       IL_0027:  ldstr      "@userName"
       IL_0046:  ldstr      "@passwordHash"
       IL_0065:  ldstr      "@salt"
       IL_008b:  ldstr      "Exception adding account. "
       IL_000e:  ldstr      "LookupUser"
       IL_0027:  ldstr      "@userName"
       IL_007d:  ldstr      "SHA1"
       IL_0097:  ldstr      "Exeception verifying password. "
       IL_0009:  ldstr      "SHA1"
       IL_003e:  ldstr      "Logon successful: User is authenticated"
       IL_0050:  ldstr      "Invalid username or password"
       IL_0001:  ldstr      "Server=AppServer;database=users; username='sa'
                             password=password"

Note  

Ildasm.exe is located in the \Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\bin folder. For more information about the supported command-line arguments, run ildasm.exe /? .
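A scripted version of the ildasm pass, as an added example that is not code from the original chapter. It extracts every ldstr literal from ildasm /text output (joining literals that ildasm wraps onto a following line beginning with +), then parses each one so that a connection string carrying a password key or the sa account is reported as a finding instead of being left for the reviewer to spot among parameter names and log messages. ILDASM_SAMPLE is constructed to resemble ildasm output and is not the disassembly of any real assembly; the connection-string keywords it recognises (uid, user id, username, password, pwd) are the common SQL Server ones and can be extended.

```python
"""Find hard-coded credentials in ildasm /text output.

Added example, not code from the original chapter.  ILDASM_SAMPLE below is
constructed for the demonstration; it is not real disassembly.
"""
import re

# A ldstr line as ildasm prints it: IL offset, the ldstr opcode, a quoted literal.
LDSTR_RE = re.compile(r'^\s*(IL_[0-9A-Fa-f]+):\s+ldstr\s+"(.*)"\s*$')
# Continuation of a long literal that ildasm wrapped onto the next line.
CONT_RE = re.compile(r'^\s*\+\s*"(.*)"\s*$')

# The chapter's search strings, applied to every string constant.
SECRET_WORD_RE = re.compile(r"key|secret|password|pwd|connectionstring", re.IGNORECASE)
PASSWORD_KEYS = {"password", "pwd"}
USER_KEYS = {"uid", "user id", "user", "username"}

ILDASM_SAMPLE = """
.method private hidebysig instance bool LookupUser(string userName) cil managed
{
  IL_0000:  ldarg.0
  IL_000e:  ldstr      "LookupUser"
  IL_0027:  ldstr      "@userName"
  IL_007d:  ldstr      "SHA1"
  IL_0097:  ldstr      "Exception verifying password. "
  IL_00a0:  ret
}
.method private hidebysig static string get_ConnectionString() cil managed
{
  IL_0000:  nop
  IL_0001:  ldstr      "Server=AppServer;database=users;user id=sa;"
  + "password=password"
  IL_0006:  ret
}
"""


def extract_ldstr(ildasm_text):
    """Return [(il_offset, string)] for every ldstr, joining wrapped literals."""
    found = []
    for line in ildasm_text.splitlines():
        m = LDSTR_RE.match(line)
        if m:
            found.append([m.group(1), m.group(2)])
            continue
        c = CONT_RE.match(line)
        if c and found:
            found[-1][1] += c.group(1)
    return [tuple(f) for f in found]


def parse_connection_string(value):
    """Split 'key=value;key=value' into a dict with lowercased keys, else None."""
    pairs = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            return None
        key, val = part.split("=", 1)
        pairs[key.strip().lower()] = val.strip().strip("'\"")
    return pairs or None


def classify(value):
    """Describe why a string constant deserves attention, or return None."""
    conn = parse_connection_string(value)
    if conn:
        notes = []
        if PASSWORD_KEYS & conn.keys():
            notes.append("connection string with embedded password")
        if any(conn.get(k, "").lower() == "sa" for k in USER_KEYS):
            notes.append("uses the sa account")
        if notes:
            return "; ".join(notes)
        # A connection string without a password (e.g. integrated security)
        # is not a finding on its own; fall through to the keyword check.
    if SECRET_WORD_RE.search(value):
        return "secret-related keyword (review in context)"
    return None


def audit(ildasm_text):
    """Run the ldstr pass and return [(il_offset, string, finding)] for flagged strings."""
    results = []
    for offset, value in extract_ldstr(ildasm_text):
        finding = classify(value)
        if finding:
            results.append((offset, value, finding))
    return results


if __name__ == "__main__":
    for offset, value, finding in audit(ILDASM_SAMPLE):
        print(f"{offset}: {finding}: {value!r}")
```

On the sample the script flags two strings: the log message containing "password" is reported only for review, while the reconstructed connection string is reported as an embedded password that also uses the sa account. The distinction matters in practice, because a parameter name such as @passwordHash matches the keyword search without being a secret.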




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613
