For a non-final class, if a constructor throws an exception before fully initializing the object, it becomes possible to maliciously obtain a reference to the partially initialized instance. For example, an attack that uses the finalizer construct allows an attacker to invoke arbitrary methods within the class in spite of all authorization measures.

Noncompliant Code Example

The constructor of the BankOperations class performs the SSN validation using performSSNVerification(). Assume that an attacker does not know the correct SSN. As a result, this method trivially returns false in this example, and a SecurityException is thrown. The UserApp class appropriately catches this exception and an access-denied message is displayed. However, it is still possible for a malicious program to invoke methods of the partially initialized class BankOperations. This is illustrated in the code that follows this example.

...

To exploit this code, an attacker extends the BankOperations class and overrides the finalize() method. The gist of the attack is the capture of a reference to the partially initialized object. When the constructor throws an exception, the partially constructed object becomes garbage, and the garbage collector eventually invokes its finalizer before reclaiming it. By overriding the finalizer, a reference to the object is obtained using the this keyword. Consequently, any method on the base class can be invoked maliciously. Note that even a security manager check can be bypassed this way.
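The following is an added example, not the page's own code and not the original BankOperations/UserApp listing: it places the vulnerable constructor-check shape described above beside two hardened forms that close the finalizer window. The class names SafeBankOperations and GuardedBankOperations, the factory method open(), the initialized flag, and the greet() method are assumptions for illustration; performSSNVerification() is stubbed to return false so that the access-denied path is the one exercised.

```java
// Added example (not the page's code). Illustrates the vulnerable pattern
// and two defensive rewrites; helper names are assumptions.

// VULNERABLE SHAPE: a non-final class whose constructor throws only after
// Object() has completed. The half-built object is finalizable, so a subclass
// that overrides finalize() can still obtain it via "this" and call greet().
class BankOperations {
    public BankOperations() {
        if (!performSSNVerification()) {
            throw new SecurityException("Access Denied!");
        }
    }

    // Stub standing in for a real check that the caller fails.
    private boolean performSSNVerification() {
        return false;
    }

    public void greet() {
        System.out.println("Welcome user! You may now use all the features.");
    }
}

// HARDENED FORM 1: final class + private constructor + static factory.
// No subclass can exist, so finalize() cannot be overridden, and the
// authorization check runs before any instance is ever constructed, so a
// failed check leaves no object behind for a finalizer to see.
final class SafeBankOperations {
    private SafeBankOperations() { }

    public static SafeBankOperations open() {
        if (!performSSNVerification()) {
            throw new SecurityException("Access Denied!");
        }
        return new SafeBankOperations();
    }

    private static boolean performSSNVerification() {
        return false;
    }

    public void greet() {
        System.out.println("Welcome user! You may now use all the features.");
    }
}

// HARDENED FORM 2 (for a class that must stay subclassable): an initialized
// flag that is set only at the very end of a successful constructor and is
// checked by every sensitive method. A reference captured from a finalizer
// still exists, but every method refuses to work on the half-built object.
class GuardedBankOperations {
    private volatile boolean initialized = false;

    public GuardedBankOperations() {
        if (!performSSNVerification()) {
            throw new SecurityException("Access Denied!");
        }
        initialized = true; // last statement, after all checks passed
    }

    private boolean performSSNVerification() {
        return false;
    }

    public void greet() {
        if (!initialized) {
            throw new SecurityException("Object not fully initialized");
        }
        System.out.println("Welcome user! You may now use all the features.");
    }
}

// Normal (non-malicious) caller: the denied path behaves the same for all
// three classes; only the attack surface left behind on failure differs.
public class UserApp {
    public static void main(String[] args) {
        try {
            SafeBankOperations ops = SafeBankOperations.open();
            ops.greet();
        } catch (SecurityException e) {
            System.out.println("Access denied: " + e.getMessage());
        }
        try {
            new GuardedBankOperations().greet();
        } catch (SecurityException e) {
            System.out.println("Access denied: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac UserApp.java && java UserApp`; both attempts print the access-denied line. Of the two hardened forms, the final class with a static factory is preferable because it removes the subclassing path entirely; the initialized-flag form is the fallback when the class must remain extensible, and it only works if every method that exposes sensitive behaviour performs the check. Note also that finalize() has been deprecated since Java 9 (and marked for removal since Java 18), so new code should not rely on finalizers at all, which also makes this attack vector disappear on runtimes where finalization is disabled.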

...