
I have an MVC model where I declare a property Password with the DataType annotation set to DataType.Password.

Veracode scan points out the line with that property declaration.

That property is getting its value assigned from a login page.

I saw examples of using SecureString. But how can I change the declaration of my property in the model and map it to the login page?

This is the property declaration:

```csharp
[DataType(DataType.Password)]
public string Password { get; set; }
```

Then in the code, I use that property to log in to the application.

How can I change the declaration so that I fix the Veracode error?

gene
  • *"I saw examples of using `SecureString`."* - Hold your horses and think for a bit. Does the "password" input field in the HTML provide any kind of built-in security which mitigates CWE-316? On C# .NET for desktop (WPF), you have [`PasswordBox`](https://learn.microsoft.com/en-us/dotnet/api/system.windows.controls.passwordbox?view=windowsdesktop-6.0) which automagically provides you with `SecureString` to work with. Additionally, can you feed `SecureString` into the database for storage without having a plain text somewhere? – Bagus Tesa Jun 26 '22 at 05:42
  • You should take a look at the Q&A titled [Safe use of SecureString for login form](https://stackoverflow.com/q/14449579/4648586). Most code analyzers will freak out whenever you have the keyword "password" in your code - including but not limited to Micro Focus' [tag:fortify]. – Bagus Tesa Jun 26 '22 at 05:44
  • I'm using MVC and Veracode points to the line where I'm declaring the Password property. I read the suggested articles, but that didn't give me a solution on how to handle the issue – gene Jun 26 '22 at 15:26

0 Answers