Tuesday, June 25, 2019

FxCop on the beat

This blog makes heavy use of these web pages.
https://docs.microsoft.com/en-us/visualstudio/code-quality/install-fxcop-analyzers?view=vs-2019
https://docs.microsoft.com/en-us/visualstudio/code-quality/use-roslyn-analyzers?view=vs-2019
https://docs.microsoft.com/en-us/visualstudio/code-quality/fxcop-rule-port-status?view=vs-2019

I was talking to our security guy yesterday and discussing development tools that can aid in making applications more secure. He was telling me about a $50,000 tool he wanted to buy (that's the educational discount) and I was telling him about FxCop which is free and integrates into Visual Studio. It's from Microsoft, who have extensive experience in writing insecure code.

Let's focus on SQL Injection, which is one of my pet peeves. Until recently, I had a colleague who, despite having a Master's degree, still didn't understand the dangers of SQL Injection. Maybe I should have explained it to him by logging onto his educational system and entering my name as "';DROP TABLE Students;". Let's create a project that uses FxCop and break a few rules.

Create a new C# Console project called FxCop. I'm using Visual Studio 2019 and targeting Framework 4.6.2.

Once we have the project, we need to add FxCop.

  • Navigate Tools -> NuGet Package Manager -> Package Manager Console
  • In the Package Manager Console execute "Install-Package Microsoft.CodeAnalysis.FxCopAnalyzers"

This installs a set of Roslyn analyzers, which you can see if you expand the project's Dependencies node.


Now let's go break some rules. I'm going to write a Main method that contains two SQL injection flaws: one where the concatenated string is passed to the SqlCommand constructor, and one where it is assigned to the CommandText property. This will generate two separate warnings.


using System.Data.SqlClient;

namespace FxCop
{
    class Program
    {
        static void Main(string[] args)
        {
            // Deliberately vulnerable: user input is concatenated straight into the SQL text.
            string SQL = "SELECT * FROM Person.person WHERE FirstName='" + args[0] + "'";
            using (SqlConnection oConn = new SqlConnection("SomeConnectionString"))
            {
                oConn.Open(); // ExecuteScalar requires an open connection

                // Warning 1 (CA2100): non-constant SQL passed to the SqlCommand constructor.
                using (SqlCommand oComm = new SqlCommand(SQL, oConn))
                {
                    oComm.ExecuteScalar();
                }

                // Warning 2 (CA2100): non-constant SQL assigned to CommandText.
                using (SqlCommand oComm = new SqlCommand())
                {
                    oComm.Connection = oConn;
                    oComm.CommandText = SQL;
                }
            }
        }
    }
}

In Visual Studio the underlined text looks more like this, but you get the idea.


The error list window shows the two warnings that FxCop has generated.


FxCop has detected that I'm about to assign a string of questionable provenance to the CommandText property of a SqlCommand. If someone chose to run this application with a parameter of ';DROP TABLE Person.person; I would have been hacked.
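To show what silences the warning, here is a parameterized rewrite of the same query. This is an added example, not code from the post: the table name and the "SomeConnectionString" placeholder are taken from the post, while the method name BuildCommand, the parameter name @FirstName and the column length of 50 are my own assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

namespace FxCop
{
    class SafeProgram
    {
        // Builds the query with a SqlParameter instead of string concatenation.
        // The SQL text is now a compile-time constant, so CA2100 has nothing to
        // flag, and the user's value is sent to SQL Server as data rather than
        // being parsed as part of the statement.
        public static SqlCommand BuildCommand(SqlConnection conn, string firstName)
        {
            const string sql =
                "SELECT COUNT(*) FROM Person.person WHERE FirstName = @FirstName";
            var cmd = new SqlCommand(sql, conn);
            // Explicit type and length (assumed 50 here) avoid implicit conversions
            // and keep the query plan cacheable across different input lengths.
            cmd.Parameters.Add("@FirstName", SqlDbType.NVarChar, 50).Value = firstName;
            return cmd;
        }

        static void Main(string[] args)
        {
            if (args.Length != 1)
            {
                Console.Error.WriteLine("usage: FxCop <first name>");
                return;
            }

            using (var conn = new SqlConnection("SomeConnectionString"))
            using (var cmd = BuildCommand(conn, args[0]))
            {
                conn.Open();
                // Run with the post's payload, ';DROP TABLE Person.person;, this
                // returns 0 rows matching that literal first name and drops nothing.
                int matches = (int)cmd.ExecuteScalar();
                Console.WriteLine($"{matches} person(s) named {args[0]}");
            }
        }
    }
}
```

The difference FxCop keys on is that the string handed to SqlCommand is a `const`; anything built at run time from non-constant parts trips the rule, even if you believe the parts are safe. Treating the warning as a build error (via the rule set or analyzer severity settings described in the linked docs) stops the concatenated form from ever reaching a build.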

Reading through the list of rules that FxCop checks for, you start to realize how many attack vectors there are even in a simple application. SQL, XML, XAML, deserializers, Process.Start, HTML, XSLT, and many other technologies we commonly use can all be exploited.
