A non-final class or method, which is not meant to be inherited, can be overridden by an attacker, if it is not declared as final \[3\]. \\ |
In case inheritance is to be limited to trusted implementations for a public, non-final class, then the class type should be confirmed before creating the instance at each place where an instance of the non-final class can be created. A SecurityManager check should be enforced on detecting a subclass (Chapter 6 of \[2\]). |
A non-final class can be subverted simply by declaring a malicious class that inherits from the non-final class which implies that there is no need for reflection. However, reflection is necessary if the non-final class is private or otherwise inaccessible to the attacker.
class BankOperation{
//the account balance has already been retrieved from the database and stored in the foll variable
Integer balance = 5000;
public BankOperation() {
//invoke java.lang.Object.getClass to get class instance
Class clazz = getClass();
//shows the class of the instantiated object
System.out.println(clazz);
Method m;
try {
m = clazz.getMethod(balance.toString(), (Class[])null);
m.invoke(this, (Object[])null) ;
} catch (Exception e) {
//e.printStackTrace();
}
}
public void getBalance() {
System.out.println("The current balance is: $" + balance);
}
}
//this class has been written by the attacker
public class SubClass extends BankOperation {
public void getBalance() {
//The attacker can change his account balance to any value he wants.
InputStreamReader input = new InputStreamReader(System.in);
BufferedReader reader = new BufferedReader(input);
System.out.print(" Enter balance: ");
try {
balance = Integer.parseInt(reader.readLine());
} catch (IOException e) {
//e.printStackTrace();
}
System.out.println("The balance is: "+balance);
}
public static void main(String[] args) {
SubClass subclass = new SubClass();
subclass.getBalance();
}
}
|
Here, an attacker can easily create an instance and override methods of the BankOperation class.
This compliant solution can be achieved by using the keyword final, thus ensuring that the sensitive class cannot be extended.
final class BankOperation{
//normal coding...
}
|
In case the class needs to be extended, then permissions should be checked in case a sub class is detected during construction so that malicious implementations are blocked.
Allowing a non-final class or method to be inherited without checking the class instances, allows an attacker to exploit it.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
OBJ33-J |
high |
probable |
high |
P3 |
L3 |
TODO
Search for vulnerabilities resulting from the violation of this rule on the CERT website
SCG 07 Secure Coding Guidelines for the Java Programming Language