You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 70 Next »

Hard coding sensitive information, such as passwords, server IP addresses, and encryption keys can expose the information to attackers. Anyone who has access to the class files can decompile them and discover the sensitive information. Consequently, programs must not hard code sensitive information.

Hard coding sensitive information also increases the need to manage and accommodate changes to the code. For example, changing a hard-coded password in a deployed program may require distribution of a patch [[Chess 2007]].

Noncompliant Code Example

This noncompliant code example includes a hard-coded server IP address in a constant String.

class IPaddress {
  String ipAddress = new String("172.16.254.1");
  public static void main(String[] args) {
    //..
  }
}

A malicious user can use the javap -c IPaddress command to disassemble the class and discover the hard-coded server IP address. The output of the disassembler reveals the server IP address 172.16.254.1 in clear text:

Compiled from "IPaddress.java"
class IPaddress extends java.lang.Object{
java.lang.String ipAddress;

IPaddress();
  Code:
   0:     aload_0
   1:     invokespecial     #1; //Method java/lang/Object."<init>":()V
   4:     aload_0
   5:     new   #2; //class java/lang/String
   8:     dup
   9:     ldc   #3; //String 172.16.254.1
   11:    invokespecial     #4; //Method java/lang/String."<init>":(Ljava/lang/String;)V
   14:    putfield    #5; //Field ipAddress:Ljava/lang/String;
   17:    return

public static void main(java.lang.String[]);
  Code:
   0:     return

}

Compliant Solution

This compliant solution retrieves the server IP address from an external file located in a secure directory. Exposure is further limited by clearing the server IP address from memory immediately after use.

class IPaddress {
  public static void main(String[] args) throws IOException {
    char[] ipAddress = new char[100];
    BufferedReader br = new BufferedReader(new InputStreamReader(
        new FileInputStream("serveripaddress.txt")));

    // Reads the server IP address into the char array,
    // returns the number of bytes read 
    int n = br.read(ipAddress);  
    // Validate server IP address
    // Manually clear out the server IP address
    // immediately after use 
    for (int i = n - 1; i >= 0; i--) {  
      ipAddress[i] = 0;
    }
    br.close();
  }
}

To further limit the exposure time of the sensitive server IP address, replace BufferedReader with a direct native input/output (NIO) buffer, which can be cleared immediately after use.

Noncompliant Code Example (Hard-Coded Database Password)

The user name and password fields in the SQL connection request are hard coded in this noncompliant code example.

public final Connection getConnection() throws SQLException {
  return DriverManager.getConnection(
      "jdbc:mysql://localhost/dbName", 
      "username", "password");
}

Note that the one-and-two argument java.sql.DriverManager.getConnection() methods can also be used incorrectly.

Compliant Solution

This compliant solution reads the user name and password from a configuration file located in a secure directory.

public final Connection getConnection() throws SQLException {
  char[] username = new char[16];
  char[] password = new char[16];
  // Username and password are read at runtime from a secure config file
  return DriverManager.getConnection(
      "jdbc:mysql://localhost/dbName",
      username, password);
  for (int i = username.length - 1; i >= 0; i--) {  
    username[i] = 0;
  }
  for (int i = password.length - 1; i >= 0; i--) {  
    password[i] = 0;
  }

}

It is also permissible to prompt the user for the user name and password at runtime.

Risk Assessment

Hard coding sensitive information exposes that information to attackers.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC03-J

high

probable

medium

P12

L1

Related Vulnerabilities

GERONIMO-2925, GERONIMO-1135 describes a vulnerability in the WAS CE tool, which is based on Apache Geronimo. It uses the Advanced Encryption Standard (AES) to encrypt passwords but uses a hard-coded key that is identical for all the WAS CE server instances. Consequently, anyone who can download the software is provided with the key to every instance of the tool. This vulnerability was resolved by having each new installation of the tool generate its own unique key and use it from that time on.

Related Guidelines

CERT C Secure Coding Standard

MSC18-C. Be careful while handling sensitive data, such as passwords, in program code

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f409e85a-c2db-4f7b-9a91-94bf1fe39aea"><ac:plain-text-body><![CDATA[

[ISO/IEC TR 24772:2010

http://www.aitcnet.org/isai/]

Hard-coded Password [XYP]

]]></ac:plain-text-body></ac:structured-macro>

MITRE CWE

CWE-259. Use of hard-coded password

 

CWE-798. Use of hard-coded credentials

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="fa69649f-6490-46ad-a80b-07ead4914d65"><ac:plain-text-body><![CDATA[

[[Chess 2007

AA. Bibliography#Chess 07]]

11.2, Outbound Passwords: Keep Passwords out of Source Code

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cc039759-fcbc-4484-919b-ea07731244e9"><ac:plain-text-body><![CDATA[

[[Fortify 2008

AA. Bibliography#Fortify 08]]

Unsafe Mobile Code: Database Access

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="dcec4f78-6428-49bd-9fb1-5764613881de"><ac:plain-text-body><![CDATA[

[[Gong 2003

AA. Bibliography#Gong 03]]

9.4, Private Object State and Object Immutability

]]></ac:plain-text-body></ac:structured-macro>


      49. Miscellaneous (MSC)      

  • No labels