- In the console application, locate the App.config file. This is the file that contains the sensitive data.
- If you open the App.config file, you will see that, within the appSettings tag, there is a key added called Secret. This information should probably not be in the App.config to start off with. The problem here is that it might be checked into your source control. Imagine that on GitHub?
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,
Version=v4.6.1"/>
</startup>
<appSettings>
<add key="name" value="Dirk"/>
<add key="lastname" value="Strauss"/>
<add key="Secret" value="letMeIn"/>
</appSettings>
</configuration>
- To overcome this vulnerability, we need to move the sensitive data out of the App.config file into another file. To do this, we specify a path to a file that will contain the sensitive data we want to remove from the App.config file.
<appSettings file="C: empsecretsecret.config">:
You might be wondering why not simply just encrypt the information. Well, that is a given really. The reason this value is in plain text is just to demonstrate a concept here. You would probably encrypt this value anyway in a real-world situation. You would not, however, want this sensitive information sitting on a server in a code repository somewhere, even if it is encrypted. Be safe, move it out of your solution.
- When you have added the path to the secure file, remove the key containing the sensitive information:
- Navigate to the path you specified in the App.config file property. Create yoursecret.config file and open it up for editing:
- Inside this file, repeat the appSettings section and add the Secret key to it. What happens now is that, when your console application runs, it reads the appSettings section in your solution and finds the reference to the secret file. It then looks for the secret file and merges it with the App.config in your solution:
- To see that this merge works, add a reference to your console application.
- Search for and add System.Configuration to your references:
- When you have added the reference, your solution references will list System.Configuration.
- To the top of your Program.cs file, add the following using statement:
using System.Configuration;
- Add the following code to read the Secret key setting from your App.config file. Only this time, it will read the merged file, which is made up of your App.config and your secret.config file:
string sSecret = ConfigurationManager.AppSettings["Secret"];
Console.WriteLine(sSecret);
Console.ReadLine();
- Run your console application, and you will see that the sensitive data has been read from the secret.config file, which was merged with the App.config file at runtime:
