Failure to protect stored data from modification

From OWASP


This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.



Last revision (mm/dd/yy): 11/2/2008

Description

Data should be protected from direct modification.

Consequences

  • Integrity: The object could be tampered with.

Exposure period

  • Design through Implementation: At design time it is important to reduce the total amount of accessible data.
  • Implementation: Most implementation level issues come from a lack of understanding of the language modifiers.

Platform

  • Languages: Java, C++
  • Operating platforms: Any

Required resources

Any

Severity

Medium

Likelihood of exploit

Medium

One of the main advantages of object-oriented code is the ability to limit access to fields and other resources by way of accessor functions. Utilize accessor functions to make sure your objects are well-formed.

The final modifier provides protection by preventing a field from being reassigned after it has been set (a final reference to a mutable object does not, however, make that object's contents immutable). Only classes which are not extended can be made final.


Risk Factors

TBD

Examples

In C++:

class Config {  // enclosing class added so the fragment compiles; the defect is the public data member
public:
  int someNumberPeopleShouldntMessWith;  // any code holding a Config can overwrite this directly
};

In Java:

class parserProg {  // a top-level class cannot be declared private; the defect is the public field
    public String stringField;  // any caller can overwrite this directly, bypassing the class
}

Another set of Examples are:

In C/C++:

class Counter {  // enclosing class added so the fragment compiles
private:
  int someNumber;  // stored data is private; only the class itself can touch it

public:
  void writeNum(int newNum) {  // the accessor is the single write path, so input validation belongs here
    someNumber = newNum;
  }
};

In Java:

public class eggCorns {
   private String acorns;  // private field: not reachable from outside the class
   public void misHear(String name) {  // accessor is the single write path; validate name here
      acorns = name;
   }
}


Related Attacks


Related Vulnerabilities

Related Controls

  • Design through Implementation: Use private members, and class accessor methods to their full benefit. This is the recommended mitigation. Make all public members private, and - if external access is necessary - use accessor functions to do input validation on all values.
  • Implementation: Data should be private, static, and final whenever possible. This will assure that your code is protected by instantiating early, preventing access and preventing tampering.
  • Implementation: Use sealed classes. Using sealed classes protects object-oriented encapsulation paradigms and therefore protects code from being extended in unforeseen ways.
  • Implementation: Use class accessor methods to their full benefit. Use the accessor functions to do input validation on all values intended for private values.
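The controls above combined in one C++ class, as an added example that is not part of the OWASP page: the stored value is private, the class is marked final so it cannot be extended, the bound is fixed after construction, and the only write path validates its input. The class name BoundedCounter and its range check are assumptions made for the illustration.

```cpp
#include <stdexcept>

// Hardened form of the pattern: private data, no subclassing, single validating setter.
// Example code added for illustration (not from the OWASP page).
class BoundedCounter final {
public:
    explicit BoundedCounter(int initial, int maxValue)
        : maxValue_(maxValue), value_(0) {
        if (maxValue < 0) throw std::invalid_argument("maxValue must be >= 0");
        // Reuse the validating setter so the constructor cannot create an invalid object.
        if (!set(initial)) throw std::invalid_argument("initial value out of range");
    }

    // Sole write path: rejects anything outside [0, maxValue_] and leaves state unchanged.
    bool set(int newValue) {
        if (newValue < 0 || newValue > maxValue_) return false;
        value_ = newValue;
        return true;
    }

    int get() const { return value_; }
    int maxValue() const { return maxValue_; }

private:
    const int maxValue_;  // cannot be reassigned after construction
    int value_;           // reachable only through set()/get()
};
```

A public data member, by contrast, lets any holder of the object write an out-of-range value with no check at all.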

Related Technical Impacts


References

TBD
