Failure to provide confidentiality for stored data

From OWASP
Revision as of 12:22, 16 April 2006



Overview

Non-final public fields should be avoided where possible: any code that can reach the object can read or overwrite them, so the data they hold can be neither kept confidential nor trusted.

Consequences

  • Integrity: Any code with access to the object can overwrite the field, so the object's state can be tampered with.
  • Confidentiality: Any code with access to the object can read the field, so data stored in it (such as a password) is exposed.

Exposure period

  • Implementation: This flaw is a simple logic issue, introduced entirely at implementation time.

Platform

  • Languages: Java, C++
  • Operating platforms: Any

Required resources

Any

Severity

Medium

Likelihood of exploit

High

Avoidance and mitigation

  • Implementation: Make any non-final field private, and expose it only through accessor methods that enforce the checks the data requires (or not at all, for secrets such as passwords).

Discussion

If a field is public and non-final, any function that has access to the class containing the field can read it and can change its value at any time after it is set.

Examples

In C++:

    struct Account { int password = 45; };   // struct members are public by default, and the field is not const

In Java:

    public class Account { public String password = new String("My Password"); }   // public, non-final field

In both cases the field is readable by any function that can reach an Account, and any such function can overwrite it.
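The flaw and the mitigation side by side, as an added C++ example that is not code from the OWASP page: LeakyCredential, Credential, tamper and the two helper functions are names chosen for this illustration. The leaky version lets any function overwrite the secret; the hardened version keeps it private and const, sets it once at construction, and offers only a verification operation, so the secret can be neither read nor replaced by callers.

```cpp
// Added example (not from the OWASP page): a public mutable field beside a
// hardened version that keeps the secret private and exposes only a check.
#include <string>
#include <utility>

// Vulnerable: the secret is a public, non-const field, so any code that can
// see a LeakyCredential can read or overwrite it.
struct LeakyCredential {
    std::string password = "My Password";
};

// Any function holding a reference can tamper with the secret.
void tamper(LeakyCredential &c) { c.password = "owned"; }

// Hardened: the secret is private and const, set once at construction.
// The only operation offered is a check, so callers can neither read the
// raw secret nor replace it.
class Credential {
public:
    explicit Credential(std::string secret) : secret_(std::move(secret)) {}

    // Constant-time comparison over the full length: does not stop at the
    // first mismatching byte, so timing does not reveal how many leading
    // bytes of a guess were correct. (The length check still reveals the
    // secret's length; acceptable here, where the point is field visibility.)
    bool verify(const std::string &candidate) const {
        if (candidate.size() != secret_.size()) return false;
        unsigned char diff = 0;
        for (std::string::size_type i = 0; i < secret_.size(); ++i)
            diff |= static_cast<unsigned char>(secret_[i]) ^
                    static_cast<unsigned char>(candidate[i]);
        return diff == 0;
    }

private:
    const std::string secret_;  // private and const: no setter, no getter
};

// Helpers (illustrative names) returning values a caller can check.
bool leaky_is_tampered() {
    LeakyCredential c;
    tamper(c);                        // compiles and silently succeeds
    return c.password == "owned";     // and the secret is readable too
}

bool hardened_rejects_wrong_password() {
    Credential c("My Password");
    // c.secret_ = "owned";           // does not compile: secret_ is private
    return !c.verify("owned") && c.verify("My Password");
}
```

The commented-out assignment in hardened_rejects_wrong_password is the mitigation in action: with the field private, tampering becomes a compile error rather than a runtime surprise, and the absence of a getter means a bug elsewhere in the program cannot log or transmit the secret by accident.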

Related problems

Not available.
