...
This noncompliant code example includes a hard-coded server IP address in a constant String.
| Code Block | ||
|---|---|---|
| ||
class IPaddress {
String ipAddress = new String("172.16.254.1");
public static void main(String[] args) {
//..
}
}
|
A malicious user can use the javap -c IPaddress command to disassemble the class and discover the hard-coded server IP address. The output of the disassembler reveals the server IP address 172.16.254.1 in clear text:
| Code Block |
|---|
Compiled from "IPaddress.java"
class IPaddress extends java.lang.Object{
java.lang.String ipAddress;
IPaddress();
Code:
0: aload_0
1: invokespecial #1; //Method java/lang/Object."<init>":()V
4: aload_0
5: new #2; //class java/lang/String
8: dup
9: ldc #3; //String 172.16.254.1
11: invokespecial #4; //Method java/lang/String."<init>":(Ljava/lang/String;)V
14: putfield #5; //Field ipAddress:Ljava/lang/String;
17: return
public static void main(java.lang.String[]);
Code:
0: return
}
|
...
This compliant solution retrieves the server IP address from an external file located in a secure directory. Exposure is further limited by clearing the server IP address from memory immediately after use.
| Code Block | ||
|---|---|---|
| ||
class IPaddress {
public static void main(String[] args) throws IOException {
char[] ipAddress = new char[100];
BufferedReader br = new BufferedReader(new InputStreamReader(
new FileInputStream("serveripaddress.txt")));
// Reads the server IP address into the char array,
// returns the number of bytes read
int n = br.read(ipAddress);
// Validate server IP address
// Manually clear out the server IP address
// immediately after use
for (int i = n - 1; i >= 0; i--) {
ipAddress[i] = 0;
}
br.close();
}
}
|
...
The user name and password fields in the SQL connection request are hard coded in this noncompliant code example.
| Code Block | ||
|---|---|---|
| ||
public final Connection getConnection() throws SQLException {
return DriverManager.getConnection(
"jdbc:mysql://localhost/dbName",
"username", "password");
}
|
...
This compliant solution reads the user name and password from a configuration file located in a secure directory.
| Code Block | ||
|---|---|---|
| ||
public final Connection getConnection() throws SQLException {
String username;
String password;
// Username and password are read at runtime from a secure config file
return DriverManager.getConnection(
"jdbc:mysql://localhost/dbName", username, password);
}
|
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MSC03-J | high | probable | medium | P12 | L1 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| Fortify | 1.0 | Password_Management Password_Management__Hardcoded_Password | Partially Implemented |
| Coverity | 1.0 | FB.DMI_CONSTANT_DB_ PASSWORD | Partially Implemented |
| PMD | 1.0 | AvoidUsingHardCodedIP | Partially Implemented |
Related Vulnerabilities
GERONIMO-2925, GERONIMO-1135 describes a vulnerability in the WAS CE tool, which is based on Apache Geronimo. It uses the Advanced Encryption Standard (AES) to encrypt passwords but uses a hard-coded key that is identical for all the WAS CE server instances. Consequently, anyone who can download the software is provided with the key to every instance of the tool. This vulnerability was resolved by having each new installation of the tool generate its own unique key and use it from that time on.
...
11.2, Outbound Passwords: Keep Passwords out of Source Code | |
Unsafe Mobile Code: Database Access | |
9.4, Private Object State and Object Immutability |