Ebay - Advertisement

Tuesday, July 27, 2010

AES 256 Encryption & Decryption using C# - The short way

More organizations today understand that sensitive information should be stored encrypted in their repositories (Examples: user passwords, credit cards, SSN etc). Also there are regulations and security standards such as the PCI:DSS which requires the encryption of credit card numbers.
Thus, developers in such organizations encounter the issues of encryption frequently and are required to find appropriate solutions. There are a lot of ways to encrypt/decrypt information by using buld-in .NET libraries for encryption.
I decided to present you here the shortest way that i found for doing that.

The following code is an example of the short way to encrypt/decrypt data using AES algorithm.
Please notice that in this example i stored the encryption key in the code, but of course in the real life the key should be stored in a secure repository with appropriate ACL privileges.

using System;
using System.Collections.Generic;
using System.Text;
using System.IO;
using System.Security.Cryptography;

namespace aes3
    class aes3
        static void Main(string[] args)

           RijndaelManaged  AesEncryption = new RijndaelManaged();
           string plainStr = "AES me"; // The text that would be encrypted
           AesEncryption.KeySize = 256; // 192, 256
           AesEncryption.BlockSize = 128;
           AesEncryption.Mode = CipherMode.CBC;
           AesEncryption.Padding = PaddingMode.PKCS7;

           // The key should be generated prior and also should be stored in secure repository
            // with appropriate ACL priviledges.
           string keyStr = "cGFzc3dvcmQAAAAAAAAAAA==";
           string ivStr = "cGFzc3dvcmQAAAAAAAAAAA==";
           byte[] ivArr = Convert.FromBase64String(keyStr);
           byte[] keyArr = Convert.FromBase64String(ivStr);
           AesEncryption.IV = ivArr;  
           AesEncryption.Key = keyArr;
           // This array will contain the plain text in bytes
           byte[] plainText = ASCIIEncoding.UTF8.GetBytes(plainStr);

           // Creates Symmetric encryption and decryption objects   
           ICryptoTransform crypto = AesEncryption.CreateEncryptor();
           ICryptoTransform decrypto = AesEncryption.CreateDecryptor();
           // The result of the encrypion and decryption
           byte[] cipherText = crypto.TransformFinalBlock(plainText, 0, plainText.Length);
           byte[] decryptedText =  decrypto.TransformFinalBlock(cipherText,0,cipherText.Length);

            Console.Write("The plain text\"{0}\" in the encrypted format is:{1} \n",plainStr,Convert.ToBase64String(cipherText));
            Console.Write("The encrypted text \"{0}\" is decrypted to: {1}",Convert.ToBase64String(cipherText), ASCIIEncoding.UTF8.GetString(decryptedText));

Wednesday, June 9, 2010

Avoiding SQL Injection attacks in stored procedures that must be dynamic

No doubt that stored procedures which use dynamic construction of queries by string concatenation technique are vulnerable to SQL injection attacks. In order to prevent the attack, stored procedures should not use such technique and the sql statements should be written as a part of the T-SQL syntax with sql parameters.

However, under certain circumstances the use of dynamic construction is not avoidable.For example in Microsoft SQL Server you cannot write a T-SQL stored procedure which contains parameters such as table or a column name. In this case you must interpolate it into the SQL string using the string concatenation technique.

So what is the solution for this issue?

Very simple, actually there are two ways to do it as follows:
1. Using the quotename() function which was added in sql 7. The function takes two parameters: the first is a string, and the second is a pair of delimiters to wrap the string in. The default for the second parameter is []. Thus, quotename('table_name') returns [table_name]. quotename() takes care of nested delimiters, so if table name like table]_name, quotename() will return [table]]_name]
The following example demonstrates how treat the table_name in order to avoid the SQL Injection attack:

@table_name NVARCHAR(30)
IF CHARINDEX (']',@table_name,1 ) > 0
                                SET @error1='Error'
                                RAISERROR( @error1 ,11,1 );       
                SET @sql='TRUNCATE TABLE ' + quotename(@table_name)
                EXEC sp_executesql @sql

2. Using the [] characters in order to indicate that the table or the column name is an object. In such case if the attacker injects the following query in the table_name paramater as follows: sometable';drop table users --, the database will raise the following error :Cannot find the object "';drop table users --'" because it does not exist or you do not have permissions.
The following example demonstrates how treat the table_name in order to avoid the SQL Injection attack:
@table_name NVARCHAR(30)
IF CHARINDEX (']',@table_name,1 ) > 0
                                SET @error1='Error'
                                RAISERROR( @error1 ,11,1 );       
                SET @sql='TRUNCATE TABLE [' + @table_name + ']'
                EXEC sp_executesql @sql

Monday, May 31, 2010

Tabnabbing - an example

The example:

Saturday, May 29, 2010

Improper Authentication Mechanism in 3Com Wireless8760 Dual Radio 11a/b/g Poe Access Point

Recently i found the following vulnerability in the 3Com Wireless8760 web administration interface: If one user is authenticated to the web interface, other users can access to internal pages without further authentication. That means that one opened session is enough between the user and web administration , and other users can also access to the web administration interface.

Malicious user can wait until ones logins to the interface and then he can access and administer 3Com Wireless8760 Access Point without further authentication. Among different operations the malicious user can cause to Denial of Service (Dos) attack to the entire network by changing the configuration such as IP addresses.

Wednesday, May 26, 2010

Man infects himself with computer virus

University of Reading researcher Mark Gasson has become the first human known to be infected by a computer virus. The virus, infecting a chip implanted in Gasson's hand, passed into a laboratory computer. From there, the infection could have spread into other computer chips found in building access cards. Read More...

Monday, May 24, 2010

Fiddler GZIP Issue

Recenly, I found that the GZIP zip/unzip feature in fiddler does not work properly. There are applications which are based on HTTP protocol and also zip HTTP Requests and Responses with GZIP format. So I decided to write some script using Fiddler Script Editor for converting and extracting Requests that are in GZIP format. Here is the code, copy this to the CustomRules.js file (Rules---->Customize Rules)
public static ContextAction("GZIP Request")
       function GZIPRequest(oSessions:Session[]){
       public static ContextAction("UNGZIP Request")
       function UNGZIPRequest(oSessions:Session[]){
              var oBody = System.Text.Encoding.UTF8.GetString(Utilities.GzipExpand(oSessions[oSessions.Length-1].requestBodyBytes));
public static ContextAction("GZIP Response")
       function GZIPResponse(oSessions:Session[]){
public static ContextAction("UNGZIP Response")
       function UNGZIPResponse(oSessions:Session[]){  
              var oBody = System.Text.Encoding.UTF8.GetString(Utilities.GzipExpand(oSessions[oSessions.Length-1].responseBodyBytes));
After copying this code, and saving it in the CustomRules.js files, select one of the HTTP Requests which are in GZIP format, right click and... here it is...you will have 4 options: GZIP Request, GZIP Response, UNGZIP Response, UNGZIP Request Have fun ;-)

Saturday, May 22, 2010

ATM Clickjacking

Fraudsters can install another keypad by covering the original existing ATM keypad. The 'new' keypad contains a memory block which can store PAN (credit card number) and PIN code while the customer tries to get money out of the ATM.

In such way, fraudsters can obtain credit card numbers and PIN codes and succeed in their frauds.

Why i called that as ATM clickjacking? Because it is very similar to webpage clickjacking definition. The user thinks that he clicks on legitimate link or button while actually he clicks on hidden functionality which performs unintended malicious operations.

Tuesday, May 18, 2010

OWASP TOP 10 - 2010 Released

The primary aim of the OWASP Top 10 is to educate developers, designers, architects, and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities – a great start to your secure coding security program.

Ten most popular application security flaws