...
| Wiki Markup |
|---|
Hard coding sensitive information also increases the need to manage and accommodate changes to the code. For example, changing a hard -coded password in a fieldeddeployed program may require distribution of a patch \[[Chess 2007|AA. Bibliography#Chess 07]\]. |
...
This noncompliant code example uses includes a password field hard-coded server IP address in a constant String.
| Code Block | ||
|---|---|---|
| ||
class PasswordIPaddress { String passwordipAddress = new String("guest172.16.254.1"); public static void main(String[] args) { //.. } } |
A malicious user can use the javap -c PasswordIPaddress command to disassemble the class and discover the hard-coded passwordserver IP address. The output of the disassembler , as shown below, reveals the password guest reveals the server IP address 172.16.254.1 in clear text.:
| Code Block |
|---|
Compiled from "PasswordIPaddress.java" class PasswordIPaddress extends java.lang.Object{ java.lang.String passwordipAddress; PasswordIPaddress(); Code: 0: aload_0 1: invokespecial invokespecial #1; //Method java/lang/Object."<init>":()V 4: aload_0 5: new new #2; //class java/lang/String 8: dup 9: ldc ldc #3; //String guest172.16.254.1 11: invokespecial invokespecial #4; //Method java/lang/String."<init>":(Ljava/lang/String;)V 14: putfield putfield #5; //Field passwordipAddress:Ljava/lang/String; 17: return public static void main(java.lang.String[]); Code: 0: return } |
Compliant Solution
This compliant solution retrieves the password server IP address from an external file located in a secure directory. Exposure is further limited by clearing the password in server IP address from memory immediately after use.
| Code Block | ||
|---|---|---|
| ||
class PasswordIPaddress { public static void main(String[] args) throws IOException { char[] passwordipAddress = new char[100]; BufferedReader br = new BufferedReader(new InputStreamReader( new FileInputStream("credentialsserveripaddress.txt"))); // Reads the server passwordIP address into the char array, // returns the number of bytes read int n = br.read(passwordipAddress); // Validate server IP address // Decrypt password and validate Manually clear out the server IP address // immediately after use for (int i = n - 1; i >= 0; i--) { // Manually clear out the password immediately after use passwordipAddress[i] = 0; } br.close(); } } |
To further limit the exposure time of the sensitive passwordserver IP address, replace BufferedReader with a direct native input/output (NIO) buffer, which can be cleared immediately after use.
Noncompliant Code Example (Hard-Coded Database Password)
This noncompliant code example hard codes the The user name and password fields in the SQL connection request are hard coded in this noncompliant code example.
| Code Block | ||
|---|---|---|
| ||
public final Connection getConnection() throws SQLException {
return DriverManager.getConnection(
"jdbc:mysql://localhost/dbName",
"username", "password");
}
|
Note that the one-and-two argument java.sql.DriverManager.getConnection() methods can also be used incorrectly. Applets that contain similar code are also unacceptable because they may be executed in untrusted environments.
Compliant Solution
This compliant solution reads the user name and password from a configuration file located in a secure directory.
| Code Block | ||
|---|---|---|
| ||
public final Connection getConnection() throws SQLException {
char[] username = new char[16];
char[] password = new char[16];
// Username and password are read at runtime from a secure config file
return DriverManager.getConnection(
"jdbc:mysql://localhost/dbName",
username, password);
for (int i = username.length - 1; i >= 0; i--) {
username[i] = 0;
}
for (int i = password.length - 1; i >= 0; i--) {
password[i] = 0;
}
}
|
It is also permissible to prompt the user for the user name and password at runtime.
...
GERONIMO-2925, GERONIMO-1135 describes a vulnerability in the WAS CE tool, which is based on Apache Geronimo. It uses Advanced Encryption Standard (AES) to encrypt passwords but uses a hard-coded key that is identical for all the WAS CE server instances. Consequently, anyone who can download the software is provided with the key to every instance of the tool. This vulnerability was resolved by having each new installation of the tool generate its own unique key and use it henceforth.
Related Guidelines
MSC18-C. Be careful while handling sensitive data, such as passwords, in program code | ||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0b02ed60a91c38b4-0de30386-42bf4b02-be00a812-3b79d11ea18daaa21fc982e8"><ac:plain-text-body><![CDATA[ | [ISO/IEC TR 24772:2010 | http://www.aitcnet.org/isai/] | " Hard-coded Password [XYP] " | ]]></ac:plain-text-body></ac:structured-macro> |
CWE-259, ". Use of Hardhard-coded Password" password | ||||
| CWE-798, ". Use of Hardhard-coded Credentials" credentials |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7b8e9b81f96541dc-49157a0f-473243a1-aeff91a1-bf4bfa5f2cb687d0b9b85e5e"><ac:plain-text-body><![CDATA[ | [[Chess 2007 | AA. Bibliography#Chess 07]] | 11.2, Outbound Passwords: Keep Passwords out of Source Code | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5b2645ebb95b83b9-65a4bdb8-42844a3d-bc23a75f-fc6e6b6bc436132897dbfbf5"><ac:plain-text-body><![CDATA[ | [[Fortify 2008 | AA. Bibliography#Fortify 08]] | " Unsafe Mobile Code: Database Access " | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ae5c4a36ae755c33-42ed2522-4d9840b5-90eea26a-b6d48a375f61bb1a9144d6e2"><ac:plain-text-body><![CDATA[ | [[Gong 2003 | AA. Bibliography#Gong 03]] | 9.4, Private Object State and Object Immutability | ]]></ac:plain-text-body></ac:structured-macro> |
...