Null Dereference

From OWASP
Revision as of 12:10, 20 July 2006 by Weilin Zhong (Talk | contribs)

Jump to: navigation, search

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

This article includes content generously donated to OWASP by Fortify.JPG.

Abstract

The program can potentially dereference a null pointer, thereby raising a NullPointerException.

Description

Null pointer errors are usually the result of one or more programmer assumptions being violated.

Most null pointer issues result in general software reliability problems, but if an attacker can intentionally trigger a null pointer dereference, the attacker might be able to use the resulting exception to bypass security logic or to cause the application to reveal debugging information that will be valuable in planning subsequent attacks.

Examples

In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a null pointer exception when it attempts to call the trim() method.

String cmd = System.getProperty("cmd"); cmd = cmd.trim();

Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures

Categories