.NET Application Code Review (C#)

R3zk0n · October 2, 2025

Contents

    Theory

    # Properties and Encapsulation
    Before we start to explain properties, you should have a basic understanding of "encapsulation".
    
    Encapsulation means keeping "sensitive" data hidden from callers, so that it can only be read or changed through code the class itself controls. To achieve this, you must:
      + declare fields/variables as private
      + provide public get and set accessors, through properties, to read and update the value of a private field
      
    The get accessor returns the value of the private field (here, name).
    The set accessor assigns a value to the name field. The value keyword represents the value being assigned to the property, so the setter is the one place where that value can be validated before it lands in the field.
    
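    A short worked example of the rules above, added here and not part of the original post (Account, Name, Balance and Deposit are names chosen for the example). It shows the private field behind a property, the value keyword in the setter, validation in the setter, and a private setter that stops callers from writing sensitive state directly; in a review, public fields and setters without validation are the things to flag.

```csharp
using System;

// Added example, not code from the original post. All names are assumptions.
public class Account
{
    // Private fields: only this class can touch them directly.
    private string name;
    private decimal balance;

    // Property wrapping 'name'. 'value' is the implicit parameter of the setter,
    // so this is where invalid input is rejected before it reaches the field.
    public string Name
    {
        get { return name; }
        set
        {
            if (string.IsNullOrWhiteSpace(value))
                throw new ArgumentException("Name must not be empty", nameof(value));
            name = value.Trim();
        }
    }

    // Readable from outside, writable only from inside the class: callers cannot
    // set a balance directly, they have to go through Deposit and its checks.
    public decimal Balance
    {
        get { return balance; }
        private set { balance = value; }
    }

    public void Deposit(decimal amount)
    {
        if (amount <= 0)
            throw new ArgumentOutOfRangeException(nameof(amount), "Deposit must be positive");
        Balance += amount;   // uses the private setter
    }

    public static void Main()
    {
        var account = new Account { Name = "  alice " };   // trimmed by the setter
        account.Deposit(10m);
        Console.WriteLine($"{account.Name}: {account.Balance}");

        try
        {
            account.Name = "";   // rejected by the setter
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
        // account.Balance = 1000000m;  // does not compile: the setter is private
    }
}
```

    Compare the class with one that exposes public fields: with public fields every caller can write any value, and there is no single place to put the check that a reviewer can audit.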

    Tools

    Use dnSpy (the maintained dnSpyEx fork) to decompile .NET assemblies back to C# and to debug them.

    • https://github.com/dnSpyEx/dnSpy

    To compile on Windows, use Visual Studio.

    • Compiling code –> Build –> Build Solution

    Check whether the target is x86 or x64 and use the matching dnSpy executable (dnSpy ships both) when attaching the debugger; a debugger of the wrong bitness cannot attach to the process.

    For C and C++ source (not C#): https://github.com/david-a-wheeler/flawfinder

    Assemblies

    What is an Assembly? https://www.c-sharpcorner.com/UploadFile/78607b/what-is-assembly/

    DotNetNuke

    Identifiers worth searching for when reviewing DotNetNuke:

    • httpcontext.Request.Cookies (source: attacker-controlled input)
    • DeserializeHashTableXml (sink: XML deserialization of that input)

    Allow Easier Debugging

    • A Release build is JIT-optimised: locals may be optimised away or show stale values, and breakpoints may not bind where you expect
    • https://github.com/dnSpy/dnSpy/wiki/Making-an-Image-Easier-to-Debug

    Reduce Optimisations at Runtime

    The JIT honours the assembly's [Debuggable] attribute. The "from" line below is what the C# compiler emits for a Release build; the "to" line is what a Debug build carries, and it tells the JIT to keep optimisations off and track locals. Edit the attribute in dnSpy, save the module, and make sure the patched file is the one the target actually loads.

    Change From:
    [assembly: Debuggable(DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints)]
    
    Change To:
    [assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default | DebuggableAttribute.DebuggingModes.DisableOptimizations | DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints | DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
    
    Caveats: saving the modified module invalidates any strong-name signature on it, and if the original assembly is installed in the GAC the runtime will load the GAC copy rather than your patched file.

    https://docs.microsoft.com/en-us/dotnet/api/system.diagnostics.debuggableattribute.debuggingmodes?redirectedfrom=MSDN&view=netframework-4.7.2

    https://docs.microsoft.com/en-gb/archive/blogs/rmbyers/debuggingmodes-ignoresymbolstoresequencepoints
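    A quick way to confirm what a given assembly will do before and after the edit, as an added example that is not code from the post or from dnSpy: load the file and read its [Debuggable] attribute. DebuggableCheck and the command-line handling are names chosen for this example.

```csharp
using System;
using System.Diagnostics;
using System.Reflection;

// Added example, not from the original post. Reports how an assembly's
// [Debuggable] attribute will affect JIT optimisation and local tracking.
public static class DebuggableCheck
{
    public static string Describe(string assemblyPath)
    {
        // LoadFrom runs no code from the target but does load it into this process;
        // it throws BadImageFormatException if the bitness does not match ours.
        Assembly asm = Assembly.LoadFrom(assemblyPath);
        return Describe(asm);
    }

    public static string Describe(Assembly asm)
    {
        var dbg = asm.GetCustomAttribute<DebuggableAttribute>();
        if (dbg == null)
            return "no [Debuggable] attribute: JIT will optimise (behaves like a Release build)";

        // IsJITOptimizerDisabled corresponds to DisableOptimizations,
        // IsJITTrackingEnabled corresponds to DebuggingModes.Default.
        bool optimised = !dbg.IsJITOptimizerDisabled;
        bool tracking = dbg.IsJITTrackingEnabled;
        bool ignoreSeqPoints = (dbg.DebuggingFlags
            & DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints) != 0;
        bool editAndContinue = (dbg.DebuggingFlags
            & DebuggableAttribute.DebuggingModes.EnableEditAndContinue) != 0;

        return $"flags={dbg.DebuggingFlags}; JIT optimised={optimised}; " +
               $"tracking locals={tracking}; ignoreSymbolStoreSequencePoints={ignoreSeqPoints}; " +
               $"editAndContinue={editAndContinue}";
    }

    public static void Main(string[] args)
    {
        if (args.Length == 0)
        {
            // No path given: report on this program's own assembly, which changes
            // between Debug and Release builds exactly like the lines quoted above.
            Console.WriteLine(Describe(typeof(DebuggableCheck).Assembly));
            return;
        }
        foreach (string path in args)
        {
            try
            {
                Console.WriteLine($"{path}: {Describe(path)}");
            }
            catch (BadImageFormatException)
            {
                Console.WriteLine($"{path}: bitness mismatch, run this checker as x86/x64 to match the target");
            }
        }
    }
}
```

    Run it against the original and the patched copy; "JIT optimised=True" on the patched file means the edit was not saved or a different copy is being loaded. If you would rather not load a possibly hostile assembly into your own process, the System.Reflection.MetadataLoadContext package exposes the same attribute data without executing or fully loading the file.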

    Navigating to the vulnerability

    • Set breakpoints in the potentially vulnerable function
    • Walk the call stack to see how that function is reached and to identify logic flaws in the surrounding implementation
    • Inspect local variables at each breakpoint to confirm which values are attacker-controlled
