dll中的安全漏洞(或者我错了吗?) [英] Security Flaw in dll (or am I wrong?)
问题描述
HI NG
ASP.NET项目构建了一个非常讨厌的dll文件。
在我的一些代码隐藏文件中,我有一个私有字符串,这是我的SQL
服务器连接字符串,例如:
public class myClass
{
private string sqlSvrConStr =" Data Source = blablabla";
public myClass()
{
}
}
当我编译项目并在记事本中打开dll我能够
读取sqlSvrConStr - 它不漂亮,可能需要一段时间才能找到b $ b $但是它确实存在!!!
>
我也能找到一些我的SQL命令字符串和其他对象
我在代码中使用 - 这是你的一个dll的正常行为
实际上可以在文本中看到代码???
男人我变得紧张了!!
-Kevin
这是设计的。你需要使用一个加密字符串文字的混淆器。
Google for.NET obfuscator,其中大多数都不是免费的。
-Oleg 。
" Kevin Steffer [MCP]" < KS ****** @ gmail.com>在消息中写道
news:11 ********************** @ o13g2000cwo.googlegr oups.com ...HI NG
我在我的VS.NET 2003中的ASP.NET项目构建的dll文件上做了一个非常讨厌的发现。
在我的一些代码隐藏文件中,我有一个私有字符串,这是我的SQL
服务器连接字符串,例如:
公共类myClass
{
私有字符串sqlSvrConStr =" ;数据源= blablabla" ;;
公共myClass()
{
}
当我编译项目并在记事本中打开dll时我能够读取sqlSvrConStr - 它不漂亮,它可能需要一段时间才能找到它但是它还有.......
我也能够找到我的一些SQL命令字符串和其他对象
我在代码中使用 - 这是一个dll的正常行为,你实际上可以看到文本中的代码???
<男人,我变得紧张了!
-Kevin
嗯,你也可以在C ++代码中对硬编码字符串进行反向工程。
除了.NET程序集之外,它们更容易阅读,有什么区别?
BTW,为了让你更加紧张,你应该看看Reflector:
http://www.aisto.com/roeder/dotnet/
为了安全起见,您应该使用DPAPI将连接字符串存储在配置文件中加密
。 Dominick有一些工具:
http://www.leastprivilege.com/PermaL...8-6ff79a60e43f
-Brock
DevelopMentor
http://staff.develop.com/ballen
HI NG
我在我的VS.NET 2003中的ASP.NET项目构建的dll文件上做了一个非常讨厌的发现。在我的一些代码隐藏文件中,我有一个私有字符串,这是我的SQL
服务器连接字符串,例如:
公共类myClass
{
private string sqlSvrConStr =" Data Source = blablabla";
public myClass()
{
}
}当我编译项目并打开dll时记事本我能够读取sqlSvrConStr - 它不漂亮,可能需要一段时间才能找到但它在那里!!!
我也能找到我在代码中使用的一些SQL命令字符串和其他
对象 - 这是正常的一个dll的行为,你实际上可以看到文本中的代码???
男人我变得紧张了!!
-Kevin
我也会感到紧张,如果互联网上的某个人能够抓住我的
DLL。现在这将是一个安全问题!
-
HTH,
Kevin Spencer
Microsoft MVP
..Net开发人员
歧义具有一定的品质。
" Kevin Steffer [MCP] QUOT; < KS ****** @ gmail.com>在消息中写道
news:11 ********************** @ o13g2000cwo.googlegr oups.com ...HI NG
我在我的VS.NET 2003中的ASP.NET项目构建的dll文件上做了一个非常讨厌的发现。
在我的一些代码隐藏文件中,我有一个私有字符串,这是我的SQL
服务器连接字符串,例如:
公共类myClass
{
私有字符串sqlSvrConStr =" ;数据源= blablabla" ;;
公共myClass()
{
}
当我编译项目并在记事本中打开dll时我能够读取sqlSvrConStr - 它不漂亮,它可能需要一段时间才能找到它但是它还有.......
我也能够找到我的一些SQL命令字符串和其他对象
我在代码中使用 - 这是一个dll的正常行为,你实际上可以看到文本中的代码???
<男人,我变得紧张了!
-Kevin
HI NG
I have made a very nasty discovery on my dll files build from my
ASP.NET projects in VS.NET 2003.
In some of my codebehind files i have a private string that is my SQL
Server connection string for example:
public class myClass
{
private string sqlSvrConStr = "Data Source=blablabla";
public myClass()
{
}
}
When I compile the project and opens the dll in notepad I am able to
read the sqlSvrConStr - it''s not pretty and it might take a while to
find BUT IT''S THERE!!!
I am also able to find some of my SQL Command strings and other objects
I use in the code - is this of normal behavior of a dll that you
actually can see the code in text???
Man I''m getting nervous!!
-Kevin
解决方案
It''s by design. You need to use an obfuscator that encrypts string literals.
Google for ".NET obfuscator", most of them are not free though.
-Oleg.
"Kevin Steffer [MCP]" <ks******@gmail.com> wrote in message
news:11**********************@o13g2000cwo.googlegr oups.com...HI NG
I have made a very nasty discovery on my dll files build from my
ASP.NET projects in VS.NET 2003.
In some of my codebehind files i have a private string that is my SQL
Server connection string for example:
public class myClass
{
private string sqlSvrConStr = "Data Source=blablabla";
public myClass()
{
}
}
When I compile the project and opens the dll in notepad I am able to
read the sqlSvrConStr - it''s not pretty and it might take a while to
find BUT IT''S THERE!!!
I am also able to find some of my SQL Command strings and other objects
I use in the code - is this of normal behavior of a dll that you
actually can see the code in text???
Man I''m getting nervous!!
-Kevin
Well, you could also reverse engineer hard coded string in C++ code too.
Other than .NET assemblies being slightly easier to read, what''s the difference?
BTW, to make you even more nervous, you should check out Reflector:
http://www.aisto.com/roeder/dotnet/
To be secure you should store the connection string in your config file encrypted
with DPAPI. Dominick has some tools for this:
http://www.leastprivilege.com/PermaL...8-6ff79a60e43f
-Brock
DevelopMentor
http://staff.develop.com/ballen
HI NG
I have made a very nasty discovery on my dll files build from my
ASP.NET projects in VS.NET 2003.
In some of my codebehind files i have a private string that is my SQL
Server connection string for example:
public class myClass
{
private string sqlSvrConStr = "Data Source=blablabla";
public myClass()
{
}
}
When I compile the project and opens the dll in notepad I am able to
read the sqlSvrConStr - it''s not pretty and it might take a while to
find BUT IT''S THERE!!!
I am also able to find some of my SQL Command strings and other
objects I use in the code - is this of normal behavior of a dll that
you actually can see the code in text???
Man I''m getting nervous!!
-Kevin
I''d be nervous too, if somehow someone on the Internet could get hold of my
DLLs. Now THAT would be a security issue!
--
HTH,
Kevin Spencer
Microsoft MVP
..Net Developer
Ambiguity has a certain quality to it.
"Kevin Steffer [MCP]" <ks******@gmail.com> wrote in message
news:11**********************@o13g2000cwo.googlegr oups.com...HI NG
I have made a very nasty discovery on my dll files build from my
ASP.NET projects in VS.NET 2003.
In some of my codebehind files i have a private string that is my SQL
Server connection string for example:
public class myClass
{
private string sqlSvrConStr = "Data Source=blablabla";
public myClass()
{
}
}
When I compile the project and opens the dll in notepad I am able to
read the sqlSvrConStr - it''s not pretty and it might take a while to
find BUT IT''S THERE!!!
I am also able to find some of my SQL Command strings and other objects
I use in the code - is this of normal behavior of a dll that you
actually can see the code in text???
Man I''m getting nervous!!
-Kevin
这篇关于dll中的安全漏洞(或者我错了吗?)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!