[WD] - Penetration Test Windev Application

Posted by pao 
pao
[WD] - Penetration Test Windev Application
March 19, 2021 12:31PM
We ran a penetration test on a WinDev application and found the database connection details (user, password, server, etc.) in plain text in memory.

We need to keep the connection open to work with the app, as you can imagine. Does anyone have tips, tricks or other info regarding this issue?

Regards

Paulo Oliveira
Argus
Re: [WD] - Penetration Test Windev Application
March 19, 2021 01:34PM
2 things:

1- on Fabrice's advice, I have been using this windev component to protect software that needs it: [www.softprotect.fr]
It's an anti-debug system that is quite efficient. There is a test version before you buy.

2- If you want to specifically protect your connection strings and other passwords, you need to keep them CODED in your project source and decode them with a function when you use them. A simple utility on the side to code them and you are good to go.
Now, without the anti-debug system, it remains possible to see them decoded during the execution process, so it's not an either/or proposition, if you are serious about security.
pao
Re: [WD] - Penetration Test Windev Application
March 19, 2021 02:46PM
Hi Argus, Thanks for your answer.
My main problem is with the connection information in memory after decoding.
I keep all this information encoded, but I need to decode it to connect to the database, and I didn't find any method to destroy that info in memory after I connect to the DB.
You can see in the attached image a lot of info from the memory dump when my app is running.

Regards

Paulo Oliveira
Attachments:
open | download - memory.jpg (73.9 KB)
Re: [WD] - Penetration Test Windev Application
March 20, 2021 02:17AM
Hi Paolo,

this is very interesting. I do not have a solution, but I am very interested in IT security.

I read an article about password managers a few days ago. They have the same issue: they store the passwords well encrypted in their database, but the master password for their database is available in memory, so that an attacker would be able to open the database and extract all the passwords. In this article they came to the conclusion that this is due to the fact that in 4GL/5GL languages the developer does not care about garbage collection, but an automatic garbage collector does the job.
In this article they examined the code of such a password manager developed in C#.
Even if the developer deleted the variable containing the password, the password was available in memory for 10 minutes and more. If I understood correctly, this is due to the fact that deleting the variable does not delete the value from memory; it only tells the operating system that this specific memory address is available now, and it is a question of time when the operating system uses this specific address for new values (this article was complex, so I am not sure whether I explained it 100% correctly).
In this article they described a scenario where malware can do a memory dump of a certain process on a regular basis and send it to a command and control server. So it is only a question of time when the bad guys receive passwords.

There is also a very interesting video doing the same with a web application:

[www.youtube.com]

Which tool did you use to analyze the dump?


Regards

Stefan.
Argus
Re: [WD] - Penetration Test Windev Application
March 20, 2021 07:45PM
As it looks like you decoded your stuff into variables, the easiest thing to do is to put ANOTHER value in those variables JUST AFTER connecting.

Alternatively, you can also NOT use variables, but instead just decode on the fly, inside the connection instruction... And after the connection, do a few code/decode operations so that the temporary variables are reused.

A third option is to NOT USE variable names that are clearly labelled (password, user_id), but v1, v2, v3, AND NOT use easily recognizable strings as password or user ID (for example, use a hash in hexadecimal); this way, neither the variable name nor the variable content is recognizable as of value.
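
Added example, not part of the thread and written in C rather than WLanguage: the "overwrite the value right after connecting" idea from the posts above, done on a buffer the program owns so the overwrite hits the same bytes that held the decoded secret. The XOR encoding, `with_decoded_secret`, `fake_connect` and the sample bytes are hypothetical and constructed for illustration; whether WinDev strings can be overwritten in place this way is not established on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Store through a volatile pointer so the compiler cannot drop the
   writes as "dead" because the buffer is never read again. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Hypothetical callback standing in for "open the DB connection". */
typedef int (*use_secret_fn)(const char *secret, const void *ctx);

/* Decode enc (toy XOR encoding) into the caller's scratch buffer, hand
   it to use(), then wipe the whole buffer before returning.
   Returns -1, writing nothing, if the buffer is too small. */
int with_decoded_secret(const uint8_t *enc, size_t n, uint8_t key,
                        char *scratch, size_t cap,
                        use_secret_fn use, const void *ctx) {
    if (n + 1 > cap) return -1;
    for (size_t i = 0; i < n; i++) scratch[i] = (char)(enc[i] ^ key);
    scratch[n] = '\0';
    int rc = use(scratch, ctx);
    wipe(scratch, cap);
    return rc;
}

int is_all_zero(const char *p, size_t n) {
    for (size_t i = 0; i < n; i++) if (p[i] != 0) return 0;
    return 1;
}

/* Constructed sample: "s3cr3t" XORed with 0x5A. */
static const uint8_t SAMPLE_ENC[] = {0x29, 0x69, 0x39, 0x28, 0x69, 0x2E};

/* Constructed stand-in for a driver call: succeeds on the expected value. */
static int fake_connect(const char *secret, const void *ctx) {
    return strcmp(secret, (const char *)ctx) == 0;
}

int main(void) {
    char scratch[32];
    int ok = with_decoded_secret(SAMPLE_ENC, sizeof SAMPLE_ENC, 0x5A,
                                 scratch, sizeof scratch, fake_connect, "s3cr3t");
    printf("connected=%d wiped=%d\n", ok, is_all_zero(scratch, sizeof scratch));
    return !(ok == 1 && is_all_zero(scratch, sizeof scratch));
}
```

The wipe only covers the buffer the program owns; any copy the database driver or the language runtime makes of the secret is outside its reach.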
pao
Re: [WD] - Penetration Test Windev Application
March 23, 2021 03:00PM
Hi, I received one answer from PCSOFT and it's something like this:
Unfortunately, there is no automatic encryption of passwords in memory. I advise you not to store the entire password. Use variables containing possibly encrypted pieces of password and redial the password only when in use.

Regards

Paulo Oliveira
pao
Re: [WD] - Penetration Test Windev Application
March 23, 2021 03:03PM
Hi Stefan,
The test was done using several tools like:
Echo Mirage
ProcessMonitor
ApiMonitor
Ghidra
PESecurity
WinSpy++

Regards

Paulo Oliveira



Edited 1 time(s). Last edit at 03/23/2021 03:04PM by pao.