Hiding sensitive information in Episerver, inspired by the Junior Woodchucks' Guidebook

April fools! This blog post were published for April fools day (April 1st) 2021. Even if the programmeing language Whitespace is real, and the addon stores property values as Whitespace code in the database, I would not recommend this as a security measure.

Most people who know the Donald Duck universe, may at one time or another wanted a copy of the Junior Woodchucks' Guidebook owned by Huey, Dewey, and Louie. This guidebook, which was reportedly rescued from the ruins when the library in Alexandria burned down, appears to contain information and advice on every possible subject. I'm confident it contains a description of how sensitive information can be hidden by writing it in invisible ink!

In today's digital world, it may seem unlikely to pick up security measures from a book originating from before the Library of Alexandria burned down in the year 47 BC, but we can!

Whitespace

Exactly 18 years ago, the programming language Whitespace was introduced by Edwin Brady and Chris Morris. This is a programming language that only uses whitespace as syntax. More specific, only the characters space, tab and linefeeds are used. These three characters have in common that they are completely invisible - just like invisible ink!

An interesting detail about Whitespace is that all characters other than the three mentioned above should be ignored by the compiler. This means that Whitespace code can be mixed with other programming languages, or plain text - and can still be a valid Whitespace program! Because of this, it is a great choice if you want to create a polyglot. Sorry, polyglot was a digression. Back to the invisible ink!

To mark the 18th anniversary of the language Whitespace, I have created a new property type, SuperSecretString, for Episerver that stores texts as Whitespace code. The editors write plain text, as usual - but in the database the text is stored as Whitespace code. When Episerver retrieves the text to display it on a page, or in edit mode, the Whitespace code is compiled to return the original result.

So, what's the point, if no one notices any difference? Well, in the database the values are written as with invisible ink! If someone gains access to the database, no sensitive information will get lost. If someone prints your secrets on paper, no one will be able to see them!

Installation

So how does this work? Simply install the NuGet package from the official nuget.org feed, and for the selected properties that contain particularly sensitive information, add the attribute:
[BackingType (typeof (PropertySuperSecretString))], as follows:

[Display(Name = "Super secret string property")]
[BackingType(typeof(PropertySuperSecretString))]
public virtual string Secret { get; set; }

That's it! In Episerver edit mode, the property looks like any other text property.

Screenshot that shows a property of the type SuperSecretString in Episerver edit mode.

Inspect the database

To see what the values look like in the database, or rather to see that you cannot see them, run the following SQL query. The query will list all SuperSecretString properties, along with page id, page name, language code, property name, and the secret value.

SELECT 
    c.pkID, 
    cl.Name, 
    lb.LanguageID, 
    pd.Name, 
    cp.LongString 
FROM
    tblContent c, 
    tblContentLanguage cl, 
    tblLanguageBranch lb, 
    tblcontentProperty cp, 
    tblPropertyDefinition pd
WHERE 
    c.pkID = cp.fkContentID AND 
    c.pkID = cl.fkContentID AND 
    cl.fkLanguageBranchID = lb.pkID AND
    cp.fkPropertyDefinitionID = pd.pkID AND 
    pd.fkPropertyDefinitionTypeID IN
    (
        SELECT pkID
        FROM tblPropertyDefinitionType
        WHERE Name = 'Super Secret String'
    )
    AND cp.LongString IS NOT NULL

In SQL Management Studio, the property looks completely empty! Invisible!

Screenshot of SQL Management Studio showing a property apparently without any value

So. how can you retrieve the Whitespace code from the database? You will have to check the following setting that preserves line feeds, then restart SQL Management Studio.

Screenshot of settings in SQL Management Studio for presering linedfeeds when values are copied.

Now you can copy the value without SQL Management Studio removing the crucial line feeds. Regardless of your settings, this will of course work smoothly in Episerver CMS.

Screenshot showing how to copy a value from SQL Management Studio

Test with an interpreter

If you want to check how the invisible value is structured, you can use a Whitespace interpreter. There are several out there, but this is one of the better ones.

Screenshot of a Whitespace interpreter showing Whitespace code with syntax highlighting.

At the top left you see the Whitespace code itself, with syntax hightlighting. Space is marked pink, tab is purple, and line feeds are line feeds. To the right you see debug information, and the commands that the Whitespace code corresponds to. If you click «Run», you will see the output from the program at the bottom left. It will show the same as in Episerver edit mode.

Sample code

Feel free to test by copying the following code into the interpreter. Select all the contents of the box below, make sure you include ALL the lines (including the first space, and the last line feed), copy, paste into the interpreter and click «Run».

Did you paste the code into the interpreter and click "Run"? Was it fun?

Keep your secrets secret, install the module, and write your secrets with invisible ink!

For those interested, the source code is also available.

Found this post helpful? Help keep this blog ad-free by buying me a coffee! ☕