A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.
Modes of Introduction:
– Implementation
Integrity, Other: Unexpected State, Varies by Context
Phase: Implementation
Description:
Make the cloneable() method final.
Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.
Inner classes quietly introduce several security concerns because of the way they are translated into Java bytecode. In Java source code, it appears that an inner class can be declared to be accessible only by the enclosing class, but Java bytecode has no concept of an inner class, so the compiler must transform an inner class declaration into a peer class with package level access to the original outer class. More insidiously, since an inner class can access private fields in its enclosing class, once an inner class becomes a peer class in bytecode, the compiler converts private fields accessed by the inner class into protected fields.
Modes of Introduction:
– Implementation
Likelihood of Exploit: Medium
Confidentiality: Read Application Data
“Inner Classes” data confidentiality aspects can often be overcome.
Phase: Implementation
Description:
Using sealed classes protects object-oriented encapsulation paradigms and therefore protects code from being extended in unforeseen ways.
Phase: Implementation
Description:
Inner Classes do not provide security. Warning: Never reduce the security of the object from an outer class, going to an inner class. If an outer class is final or private, ensure that its inner class is private as well.
The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.
If a field is non-final and public, it can be changed once the value is set by any function that has access to the class which contains the field. This could lead to a vulnerability if other parts of the program make assumptions about the contents of that field.
Mobile code, such as a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects’ state and behavior by adversaries who have access to the same virtual machine where your program is running.
Final provides security by only allowing non-mutable objects to be changed after being set. However, only objects which are not extended can be made final.
Modes of Introduction:
– Implementation
Likelihood of Exploit: High
Integrity: Modify Application Data
The object could potentially be tampered with.
Confidentiality: Read Application Data
The object could potentially allow the object to be read.
Phase: Implementation
Description:
Declare all public fields as final when possible, especially if it is used to maintain internal state of an Applet or of classes used by an Applet. If a field must be public, then perform all appropriate sanity checks before accessing the field from your code.
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.
Modes of Introduction:
– Architecture and Design
Likelihood of Exploit: Medium
CWE-345
CWE-669
CWE-669
CWE-79
Integrity, Availability, Confidentiality, Other: Execute Unauthorized Code or Commands, Alter Execution Logic, Other
Executing untrusted code could compromise the control flow of the program. The untrusted code could execute attacker-controlled commands, read or modify sensitive resources, or prevent the software from functioning correctly for legitimate users.
Phase: Implementation
Description:
Perform proper forward and reverse DNS lookups to detect DNS spoofing.
This is only a partial solution since it will not prevent your code from being modified on the hosting site or in transit.
Phase: Architecture and Design, Operation
Description:
Phase: Architecture and Design
Description:
Phase: Architecture and Design, Operation
Description:
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Phase: Architecture and Design, Operation
Effectiveness: Limited
Description:
The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.
The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.
Modes of Introduction:
– Implementation
Integrity: Modify Application Data
The contents of the data structure can be modified from outside the intended scope.
Phase: Implementation
Description:
Declare the method private.
Phase: Implementation
Description:
Clone the member data and keep an unmodified version of the data private to the object.
Phase: Implementation
Description:
Use public setter methods that govern how a private member can be modified.
Assigning public data to a private array is equivalent to giving public access to the array.
Modes of Introduction:
– Implementation
Integrity: Modify Application Data
The contents of the array can be modified from outside the intended scope.
Phase: Implementation
Description:
Do not allow objects to modify private members of a class.
The application does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the application does.
Modes of Introduction:
– Implementation
Confidentiality: Read Application Data
Phase: Architecture and Design, Implementation
Description:
Production applications should never use methods that generate internal details such as stack traces and error messages unless that information is directly committed to a log that is not viewable by the end user. All error message text should be HTML entity encoded before being written to the log file to protect against potential cross-site scripting attacks against the viewer of the logs
The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.
Cloneable classes are effectively open classes, since data cannot be hidden in them. Classes that do not explicitly deny cloning can be cloned by any other class without running the constructor.
Modes of Introduction:
– Implementation
Likelihood of Exploit: Medium
Access Control: Bypass Protection Mechanism
A class that can be cloned can be produced without executing the constructor. This is dangerous since the constructor may perform security-related checks. By allowing the object to be cloned, those checks may be bypassed.
Phase: Implementation
Description:
If you do make your classes clonable, ensure that your clone method is final and throw super.clone().
The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class.
Serializable classes are effectively open classes since data cannot be hidden in them. Classes that do not explicitly deny serialization can be serialized by any other class, which can then in turn use the data stored inside it.
Modes of Introduction:
– Implementation
Likelihood of Exploit: High
Confidentiality: Read Application Data
an attacker can write out the class to a byte stream, then extract the important data from it.
Phase: Implementation
Description:
In Java, explicitly define final writeObject() to prevent serialization. This is the recommended solution. Define the writeObject() function to throw an exception explicitly denying serialization.
Phase: Implementation
Description:
Make sure to prevent serialization of your objects.
Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
Modes of Introduction:
– Implementation
Confidentiality: Read Application Data
Integrity: Modify Application Data
Phase: System Configuration
Description:
The application configuration should ensure that SSL or an encryption mechanism of equivalent strength and vetted reputation is used for all access-controlled pages.