...
This compliant solution retrieves the server IP address from an external file located in a secure directory. Exposure , as recommended by FIO00-J. Do not operate on files in shared directories. It reads the file in compliance with FIO10-J. Ensure the array is filled when using read() to fill an array. Exposure of the IP address is further limited by clearing storing it in a char array rather than a java.lang.String
, and by clearing the server IP address from memory immediately after use.
Code Block | ||
---|---|---|
| ||
class IPaddress { public static void main(String[] args) throws IOException { char[] ipAddress = new char[100]; int offset = 0; int charsRead = 0; BufferedReader br = null; try { br = new BufferedReader(new InputStreamReader( new FileInputStream("serveripaddress.txt"))); // Reads thewhile server((charsRead IP address into the char array, = br.read(ipAddress, offset, ipAddress.length - offset)) // returns the number of bytes read != -1) { int noffset += br.read(ipAddress); charsRead; if (offset >= ipAddress.length) { // Validate server IP addressbreak; // Manually clear} the server IP address } // immediately after use for (int i = n - 1; i >= 0; i--) { // ... Work with IP address } finally { ipAddress[i] =Arrays.fill(ipAddress, (byte) 0); } br.close(); } } } |
To further limit the exposure time of the sensitive server IP address, replace BufferedReader
with a direct native input/output (NIO) buffer, which can be cleared immediately after use.
...
Hard coding sensitive information exposes that information to attackers. The severity of this rule can vary depending on the kind of information that is disclosed. Frequently, the information disclosed is password or key information, which can lead to remote exploitation. Consequently, a high severity rating is given but may be adjusted downwards according to the nature of the sensitive data.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC03-J | High | Probable | Medium | P12 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
CodeSonar |
| JAVA.HARDCODED.PASSWD | Hardcoded Password (Java) | ||||||
Coverity | 7.5 | HARDCODED_CREDENTIALS | Implemented | ||||||
Fortify | 1.0 | Password_Management | Partially implemented | ||||||
Parasoft Jtest |
| CERT.MSC03.HCCS CERT.MSC03.HCCK CERT.MSC03.AHCA | Avoid passing hardcoded usernames/passwords/URLs to database connection methods Avoid using hard-coded cryptographic keys Avoid hard-coding the arguments to certain methods |
PMD | 1.0 | AvoidUsingHardCodedIP | Partially implemented |
SonarQube |
|
|
| S1313 |
S2068 | Partially implemented |
Related Vulnerabilities
GERONIMO-2925 describes a vulnerability in the WAS CE tool, which is based on Apache Geronimo. It uses the Advanced Encryption Standard (AES) to encrypt passwords but uses a hard-coded key that is identical for all the WAS CE server instances. Consequently, anyone who can download the software is provided with the key to every instance of the tool. This vulnerability was resolved by having each new installation of the tool generate its own unique key and use it from that time on.
Related Guidelines
MSC18-C. Be careful while handling sensitive data, such as passwords, in program code | |
Hard-coded Password [XYP] | |
CWE-259, Use of Hard-Coded Password |
Android Implementation Details
Hard-coded information can be easily obtained on Android by using the apktool
to decompile an application or by using dex2jar
to convert a dex file to a jar file.
Bibliography
Section 11.2, "Outbound Passwords: Keep Passwords out of Source Code" | |
"Unsafe Mobile Code: Database Access" | |
Section 9.4, "Private Object State and Object Immutability" |
...
...