
sun.misc.BASE64Decoder and deserialization of untrusted data

 
Ranch Hand
Posts: 258
My company still uses JDK 7 (will not upgrade to JDK 8 for now).
I am maintaining an old program.
I am concerned about deserialization of untrusted data.
How do I fix this program?


 
Saloon Keeper
Posts: 10211
  • Likes 1
Why, what's wrong with it? Other than that you're treating the key as a string, which you should not, and that you're using an obsolete String constructor...
 
albert kao
Ranch Hand
Posts: 258

Stephan van Hulst wrote:Why, what's wrong with it? Other than that you're treating the key as a string, which you should not, and that you're using an obsolete String constructor...


The String key variable is an input (untrusted data) in a web service.
I am concerned about deserialization of untrusted data. Malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized.
Please see https://www.owasp.org/index.php/Deserialization_of_untrusted_data for details.
How do I fix this program to prevent hackers from exploiting the vulnerability?
 
Saloon Keeper
Posts: 5476
  • Likes 1
That page talks about serialized objects - is that what is being sent over the WS? If so, can you change the API so that data is sent instead of objects?

It's hard to be more specific without knowing what kind of data we're talking about. I wouldn't call the act of decoding base-64 "deserialization", BTW, and I'm quite sure OWASP doesn't either.
 
Stephan van Hulst
Saloon Keeper
Posts: 10211
  • Likes 1
There is no exploit. BASE64Decoder throws an exception when the data is not valid Base64, so unless the code that calls the get() method does very strange things when such an exception is thrown, you don't have to worry.

A bigger issue is that you're treating key material as strings. Key material should be treated as raw binary data.

And why does the client have an opportunity to inject key material in the first place? Why are you sending keys?

 
albert kao
Ranch Hand
Posts: 258

Tim Moores wrote:That page talks about serialized objects - is that what is being sent over the WS? If so, can you change the API so that data is sent instead of objects?

It's hard to be more specific without knowing what kind of data we're talking about. I wouldn't call the act of decoding base-64 "deserialization", BTW, and I'm quite sure OWASP doesn't either.


Thanks for the comment.
 
albert kao
Ranch Hand
Posts: 258

Stephan van Hulst wrote:There is no exploit. BASE64Decoder throws an exception when the data is not valid Base64, so unless the code that calls the get() method does very strange things when such an exception is thrown, you don't have to worry.

A bigger issue is that you're treating key material as strings. Key material should be treated as raw binary data.

And why does the client have an opportunity to inject key material in the first place? Why are you sending keys?


Thanks for the comment.
This is an old program written by my colleague, which I don't have to worry about (maintain) now.
Anyway, the proper code will be:
 
Stephan van Hulst
Saloon Keeper
Posts: 10211
  • Likes 1
Not really though. Why are you catching the IOException and printing it to the standard output?

If the key contains invalid characters, you may want to wrap the exception in one that's appropriate for your method, and let it propagate up the call stack.
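The following is an added example written for this thread, not the original poster's program or anything posted by Stephan van Hulst. It shows the shape the advice above leads to on JDK 7: the Base64 text from the client is decoded once, into a byte array, by a method that wraps the decoder's IOException in an IllegalArgumentException instead of printing it; the key is then kept as bytes and handed to a SecretKeySpec, never turned into a String. The AES algorithm, the allowed key lengths, the class and method names, and the sample key are all assumptions for the example. sun.misc.BASE64Decoder is an internal class that still compiles on JDK 7 and 8 but was removed in JDK 9; the comment in decodeKey names the public replacement.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.crypto.spec.SecretKeySpec;
import sun.misc.BASE64Decoder;

/**
 * Added example (not the thread's original code): turns an untrusted
 * Base64 string from a web-service request into raw key bytes.
 * Assumptions: the key is for AES, so 16, 24 or 32 bytes are allowed,
 * and callers prefer an IllegalArgumentException to a printed stack trace.
 */
public final class KeyMaterial {

    /** Allowed AES key lengths in bytes (assumption; kept sorted for binarySearch). */
    private static final int[] ALLOWED_LENGTHS = {16, 24, 32};

    private KeyMaterial() {}

    /**
     * Decodes Base64 text into raw key bytes. The untrusted text only ever
     * reaches a Base64 decoder, never ObjectInputStream, so no object graph is
     * reconstructed from it; malformed input is rejected with an exception
     * that propagates to the caller instead of being swallowed.
     */
    public static byte[] decodeKey(String base64Key) {
        if (base64Key == null) {
            throw new IllegalArgumentException("key is missing");
        }
        byte[] raw;
        try {
            // JDK 7: sun.misc.BASE64Decoder, the class discussed in the thread.
            // On JDK 8+ use java.util.Base64.getDecoder().decode(base64Key),
            // which throws IllegalArgumentException on invalid input.
            raw = new BASE64Decoder().decodeBuffer(base64Key);
        } catch (IOException e) {
            // Wrap rather than print: the web-service layer decides how to
            // report a bad request, and nothing goes to standard output.
            throw new IllegalArgumentException("key is not valid Base64", e);
        }
        if (Arrays.binarySearch(ALLOWED_LENGTHS, raw.length) < 0) {
            Arrays.fill(raw, (byte) 0); // do not leave rejected key bytes around
            throw new IllegalArgumentException(
                    "unexpected key length: " + raw.length + " bytes");
        }
        return raw;
    }

    /** Builds the key object from bytes; the key is never represented as a String. */
    public static SecretKeySpec toAesKey(String base64Key) {
        byte[] raw = decodeKey(base64Key);
        try {
            return new SecretKeySpec(raw, "AES"); // SecretKeySpec copies the array
        } finally {
            Arrays.fill(raw, (byte) 0); // wipe our own copy once it is no longer needed
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the 16 bytes 0x00..0x0F, Base64-encoded.
        String goodKey = "AAECAwQFBgcICQoLDA0ODw==";
        System.out.println("decoded length: " + decodeKey(goodKey).length + " bytes");
        System.out.println("algorithm: " + toAesKey(goodKey).getAlgorithm());

        // Constructed sample containing characters outside the Base64 alphabet:
        // the decoder throws, the wrapper turns it into IllegalArgumentException.
        try {
            decodeKey("not*valid!base64");
            System.out.println("unexpected: malformed key accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage()
                    + " (cause: " + e.getCause().getClass().getSimpleName() + ")");
        }
    }
}
```

The length check is the part the thread only implies: a client that sends valid Base64 of the wrong size is still sending bad data, and rejecting it at the boundary keeps the rest of the program from having to reason about it. It does not address Stephan's last question, why a client is allowed to supply key material at all; that is an API design decision the thread leaves open.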
 
albert kao
Ranch Hand
Posts: 258

Stephan van Hulst wrote:Not really though. Why are you catching the IOException and printing it to the standard output?

If the key contains invalid characters, you may want to wrap the exception in one that's appropriate for your method, and let it propagate up the call stack.


Anyway, the proper code for the old program will be:
 