I got a Heap Inspection vulnerability issue in a security report when converting a SecureString password to a string and then validating it with the MembershipProvider function. I know that I should use char[] to handle the password instead of string. But how can I pass a char[] into the built-in function to avoid the issue?
```csharp
public static string SecureStringToString(SecureString ss)
{
    IntPtr p = Marshal.SecureStringToGlobalAllocUnicode(ss);
    try { return Marshal.PtrToStringUni(p); } //<---Heap Inspection issue: the managed string cannot be wiped
    finally { Marshal.ZeroFreeGlobalAllocUnicode(p); } // zero and free the unmanaged copy (leaked in the original)
}
...
Membership.ValidateUser(UserName, SecureStringToString(pwd));
```
But how can I pass [a SecureString] into the buil[t]-in function to avoid the issue?
You can't. Membership.ValidateUser does not have an overload accepting a SecureString. Why? We don't know. Maybe the ASP.NET Membership framework was not designed for high-security systems where hardening code against heap inspection is a business requirement.
Thus, you only have two options:
Use a different (custom-built) user validation method or
accept the fact that the password will linger around on the heap for some time.
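As an added example of the first option (this is not from the original answer or from the ASP.NET Membership framework): a password check that hashes the SecureString contents without ever materializing a System.String. It assumes your own user store supplies the per-user salt, PBKDF2 iteration count and stored hash, and targets .NET Framework 4.7.2+ or .NET Core 2.0+, where Rfc2898DeriveBytes accepts a HashAlgorithmName.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;

public static class SecureStringVerifier
{
    // Hypothetical stand-in for Membership.ValidateUser. The caller has already
    // looked up salt, iterations and storedHash for the user in its own store.
    public static bool VerifyPassword(SecureString password, byte[] salt, int iterations, byte[] storedHash)
    {
        IntPtr unmanaged = IntPtr.Zero;
        byte[] utf16 = null;
        byte[] computed = null;
        try
        {
            // Decrypt into unmanaged memory, then copy into a byte[] we control.
            // Unlike a System.String, a byte[] is mutable and can be wiped afterwards.
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(password);
            utf16 = new byte[password.Length * 2]; // UTF-16: two bytes per char
            Marshal.Copy(unmanaged, utf16, 0, utf16.Length);

            using (var kdf = new Rfc2898DeriveBytes(utf16, salt, iterations, HashAlgorithmName.SHA256))
            {
                computed = kdf.GetBytes(storedHash.Length);
            }
            return FixedTimeEquals(computed, storedHash);
        }
        finally
        {
            // Wipe every copy we made; the only surviving copy is inside the SecureString.
            if (computed != null) Array.Clear(computed, 0, computed.Length);
            if (utf16 != null) Array.Clear(utf16, 0, utf16.Length);
            if (unmanaged != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
        }
    }

    // Constant-time comparison so a wrong guess does not leak where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The plaintext still touches the managed heap briefly (the byte[] and the KDF's internal copy), and a garbage-collector compaction can leave a stale copy behind before it is cleared, which is the residual exposure the second option accepts; the difference from the string version is that every buffer you own can be zeroed as soon as the check completes.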