Failure to protect stored data from modification

Revision as of 18:46, 20 February 2009 by KirstenS (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (mm/dd/yy): 02/20/2009

Vulnerabilities Table of Contents


Data should be protected from direct modification.


  • Integrity: The object could be tampered with.

Exposure period

  • Design through Implementation: At design time it is important to reduce the total amount of accessible data.
  • Implementation: Most implementation level issues come from a lack of understanding of the language modifiers.


  • Languages: Java, C++
  • Operating platforms: Any

Required resources




Likelihood of exploit


One of the main advantages of object-oriented code is the ability to limit access to fields and other resources by way of accessor functions. Utilize accessor functions to make sure your objects are well-formed.

Final provides security by only allowing non-mutable objects to be changed after being set. However, only objects which are not extended can be made final.

Risk Factors



In C++:

  int someNumberPeopleShouldntMessWith;

In Java:

private class parserProg {
    public stringField;

Another set of Examples are:

In C/C++:

  int someNumber;

  void writeNum(int newNum) {
    someNumber = newNum;

In Java:

public class eggCorns {
   private String acorns;
   public void misHear(String name){

Related Attacks

Related Vulnerabilities

Related Controls

  • Design through Implementation: Use private members, and class accessor methods to their full benefit. This is the recommended mitigation. Make all public members private, and - if external access is necessary - use accessor functions to do input validation on all values.
  • Implementation: Data should be private, static, and final whenever possible This will assure that your code is protected by instantiating early, preventing access and preventing tampering.
  • Implementation: Use sealed classes. Using sealed classes protects object-oriented encapsulation paradigms and therefore protects code from being extended in unforeseen ways.
  • Implementation: Use class accessor methods to their full benefit. Use the accessor functions to do input validation on all values intended for private values.

Related Technical Impacts