...
Non Compliant code example:
| Code Block | ||
|---|---|---|
| ||
class BankOperation{
//the account balance has already been retrieved from the database and stored in the foll variable
Integer balance = 5000;
public BankOperation() {
//invoke java.lang.Object.getClass to get class instance
Class clazz = getClass();
//shows the class of the instantiated object
System.out.println(clazz);
Method m;
try {
m = clazz.getMethod(balance.toString(), (Class[])null);
m.invoke(this, (Object[])null) ;
} catch (Exception e) {
//e.printStackTrace();
}
}
public void getBalance() {
System.out.println("The current balance is: $" + balance);
}
}
//this class has been written by the attacker
public class SubClass extends BankOperation {
public void getBalance() {
//The attacker can change his account balance to any value he wants.
InputStreamReader input = new InputStreamReader(System.in);
BufferedReader reader = new BufferedReader(input);
System.out.print(" Enter balance: ");
try {
balance = Integer.parseInt(reader.readLine());
} catch (IOException e) {
//e.printStackTrace();
}
System.out.println("The balance is: "+balance);
}
public static void main(String[] args) {
SubClass subclass = new SubClass();
subclass.getBalance();
}
}
|
...
This compliant solution can be achieved by using the keyword final, thus ensuring that the sensitive class cannot be extended.
| Code Block | ||
|---|---|---|
| ||
final class BankOperation{
//normal coding...
}
|
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
OBJ33-J | high | probable | high | P3 P6 | L3 L2 |
Automated Detection
TODO
Related Vulnerabilities
...