Difference between revisions of "Failure to protect stored data from modification"

From OWASP
Revision as of 21:21, 17 February 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.



ASDR Table of Contents

Last revision (mm/dd/yy): 02/17/2009

Description

Data should be protected from direct modification.

Consequences

  • Integrity: The object could be tampered with.

Exposure period

  • Design through Implementation: At design time it is important to reduce the total amount of accessible data.
  • Implementation: Most implementation-level issues come from a lack of understanding of the language's access modifiers.

Platform

  • Languages: Java, C++
  • Operating platforms: Any

Required resources

Any

Severity

Medium

Likelihood of exploit

Medium

One of the main advantages of object-oriented code is the ability to limit access to fields and other resources by way of accessor functions. Use accessor functions to make sure your objects stay well-formed.

The final modifier provides protection by preventing a field from being reassigned after it has been set; note that it does not make the object the field refers to immutable. However, only classes that are not extended can be made final.


Risk Factors

TBD

Examples

In C++:

class Holder {
public:
  int someNumberPeopleShouldntMessWith;  // any code holding a Holder can write this directly
};

In Java:

class parserProg {
    public String stringField;  // public field: any caller can overwrite it without checks
}

Another set of Examples are:

In C/C++:

class Holder {
private:
  int someNumber;

public:
  void writeNum(int newNum) {  // accessor exists, but accepts any value without validation
    someNumber = newNum;
  }
};

In Java:

public class eggCorns {
   private String acorns;
   public void misHear(String name){  // no validation: null or malformed input is stored as-is
      acorns=name;
   }
}


Related Attacks


Related Vulnerabilities

Related Controls

  • Design through Implementation: Use private members and class accessor methods to their full benefit. This is the recommended mitigation. Make all public members private and, if external access is necessary, use accessor functions to do input validation on all values.
  • Implementation: Data should be private, static, and final whenever possible. This will assure that your code is protected by instantiating early, preventing access and preventing tampering.
  • Implementation: Use sealed classes. Using sealed classes protects object-oriented encapsulation paradigms and therefore protects code from being extended in unforeseen ways.
  • Implementation: Use class accessor methods to their full benefit. Use the accessor functions to do input validation on all values intended for private fields.
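The following C++ example is added here and is not part of the OWASP page; it shows the hardened counterpart of the writeNum() and eggCorns snippets above and the controls just listed: a private field behind a validating accessor on a class marked final, and the limit of the const/final modifier described earlier (a const pointer member cannot be reassigned, but the object it points to can still be modified unless the getter returns a copy). Class names (BoundedCounter, NameList), the 0..100 range and the sample names are illustrative assumptions.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Added example, not OWASP's code. Names and the 0..100 range are illustrative.

// (1) Private state behind a validating accessor. The only write path checks
// its input, so the object can never hold an out-of-range value.
class BoundedCounter final {   // `final`: this class is not meant to be extended
public:
    explicit BoundedCounter(int initial) : someNumber(checked(initial)) {}

    void writeNum(int newNum) { someNumber = checked(newNum); }
    int readNum() const { return someNumber; }

private:
    static int checked(int v) {
        if (v < 0 || v > 100) throw std::invalid_argument("value out of range");
        return v;
    }
    int someNumber;
};

// (2) A const member (the C++ analogue of a Java final field) cannot be
// reassigned, but constness of the pointer does not protect the pointee.
// A getter that hands out the raw pointer leaks write access to stored data;
// a getter that returns a copy does not.
class NameList {
public:
    explicit NameList(std::vector<std::string>* backing) : names(backing) {}

    std::vector<std::string>* leakyNames() const { return names; }  // caller can mutate the store
    std::vector<std::string> namesCopy() const { return *names; }   // defensive copy

private:
    std::vector<std::string>* const names;   // pointer is const; pointee is not
};

// Constructs a counter at 0, writes v through the accessor and reads it back.
int roundTrip(int v) {
    BoundedCounter c(0);
    c.writeNum(v);
    return c.readNum();
}

// Returns true if writeNum(v) was rejected (exception) and the stored value
// was left unchanged; false if the write was accepted.
bool writeRejected(int v) {
    BoundedCounter c(7);
    try {
        c.writeNum(v);
    } catch (const std::invalid_argument&) {
        return c.readNum() == 7;
    }
    return false;
}

// Size of the backing store after a caller appends through the leaky getter.
std::size_t sizeAfterLeakyMutation() {
    std::vector<std::string> backing{"alpha", "beta"};   // constructed sample data
    NameList list(&backing);
    list.leakyNames()->push_back("gamma");               // mutates the stored data
    return backing.size();                               // 3
}

// Size of the backing store after a caller appends to the copy instead.
std::size_t sizeAfterCopyMutation() {
    std::vector<std::string> backing{"alpha", "beta"};   // constructed sample data
    NameList list(&backing);
    list.namesCopy().push_back("gamma");                 // mutates a temporary copy only
    return backing.size();                               // still 2
}

int main() {
    bool ok = roundTrip(42) == 42 && writeRejected(101) && !writeRejected(50)
           && sizeAfterLeakyMutation() == 3 && sizeAfterCopyMutation() == 2;
    return ok ? 0 : 1;
}
```

The validating accessor is the control the page recommends; the NameList half is the caveat: marking the field final/const only fixes which object it points to, so a getter must either return a copy or a const view if the stored data is to remain unmodified.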

Related Technical Impacts


References

TBD