Searching Memory for Secrets with WinHex

By Paladion

July 19, 2005

In November 2003, Abhishek wrote how we were seeing a lot of plain text passwords lying around in the memory of critical applications. A year later, Sangita explained how this issue affects web applications in the pages of Palisade.

Today, it is still one of the most common vulnerabilities we discover in our application security tests.

How do we discover this vulnerability? It's quite simple, really.

We use WinHex , though any memory viewing tool with search features should do. WinHex lets you view the memory of any process and search through it.


After we log out of the application session, we fire up WinHex and ask it to open the browser's memory. We zoom into the data space used by that session by searching for keywords specific to the session. Our favorite is to search for the password itself. Once WinHex focuses the sights on the right space, we skim through it to see what's still lying around. Honestly, in 90% of the cases, the password is still there!

The risk of passwords lying in memory is that anyone who has access to the computer when the browser window is still open can grab the password, even if SSL is used.

The solution is to reset the password variable after it is posted to the server, or better still to reset it after posting its salted hash to the server. Here's what the Appsec FAQ has to say about salted hashes:

How does the salted MD5 technique work?

Here is how the salted MD5 technique works: the database stores a MD5 hash of the password. (MD5 hash is a cryptographic technique in which the actual value can never be recovered.) When a client requests for the login page, the server generates a random number, the salt, and sends it to the client along with the page. A JavaScript code on the client computes the MD5 hash of the password entered by the user. It then concatenates the salt to the hash and re-computes the MD5 hash. This result is then sent to the server. The server picks the hash of the password from its database, concatenates the salt and computes the MD5 hash. If the user entered the correct password these two hashes should match. The server compares the two and if they match, the user is authenticated.

Tags: Uncategorized