java-security: Fortify Often Misused-Authentication vulnerability

When I scan using Fortify, I get vulnerabilities like "Often Misused: Authentication" at the code below. Do we have any fix to avoid this issue? I have seen related posts but was not able to get a solution. Using ESAPI I have provided a regex for hostname and IP address, but it does not work.

```java
addr.getHostAddress()
java.net.InetAddress.getByName(nameServiceHost);
java.net.InetAddress.getLocalHost().getCanonicalHostName()
localhost.getHostName()
```

Please suggest how to solve this issue.

Tags: java, security
Posted On : 2016-05-26 17:17:56.0
veera

Answers


The vulnerability is effectively just warning you as a developer not to trust the output from these. Many DNS servers are susceptible to spoofing attacks, so you should assume that your software will someday run in an environment with a compromised DNS server. If attackers are allowed to make DNS updates (sometimes called DNS cache poisoning), they can route your network traffic through their machines or make it appear as if their IP addresses are part of your domain. Do not base the security of your system on DNS names.

Example: The following code uses a DNS lookup to determine whether an inbound request is from a trusted host. If an attacker can poison the DNS cache, they can gain trusted status.

```java
String ip = request.getRemoteAddr();
InetAddress addr = InetAddress.getByName(ip);
// Trust decided by a reverse DNS answer: the pattern Fortify reports.
if (addr.getCanonicalHostName().endsWith("trustme.com")) {
    trusted = true;
}
```

IP addresses are more reliable than DNS names, but they can also be spoofed. Attackers can easily forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication.

Posted On : 2016-05-26 23:41:25
Rishi Kumar
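The following is an added example, not code from the original post or from Fortify's documentation. It places the DNS-name-based trust check the answer describes next to a variant that does not let a resolver's answer decide the outcome, and adds a forward-confirmed reverse DNS helper as a secondary signal. The class name, method names and the allowlist values are this example's own (constructed placeholders); it needs Java 9 or later for `Set.of`.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Set;

/**
 * Added example (not from the original post or from Fortify): the
 * DNS-name-based trust check beside a check that does not consult DNS.
 */
public class RemoteTrust {

    // Constructed allowlist of peer IP literals (placeholders); a real
    // deployment would load this from configuration, not hard-code it.
    private static final Set<String> TRUSTED_PEERS = Set.of("10.0.0.5", "10.0.0.6");

    /**
     * The pattern Fortify reports: trust derived from a reverse DNS lookup.
     * Whoever controls the resolver's answer for remoteIp controls the result.
     */
    public static boolean trustedByDnsName(String remoteIp) throws UnknownHostException {
        InetAddress addr = InetAddress.getByName(remoteIp);
        return addr.getCanonicalHostName().endsWith("trustme.com");
    }

    /**
     * Hardened variant: no DNS answer is consulted. request.getRemoteAddr()
     * is specified to return an IP literal, and getByName() does not query
     * DNS for a literal, so this only normalises the address text and
     * compares it against an explicit allowlist. As the answer above says,
     * even this is one factor, not an authentication scheme on its own.
     */
    public static boolean trustedByAllowlist(String remoteIp) throws UnknownHostException {
        InetAddress addr = InetAddress.getByName(remoteIp);
        return TRUSTED_PEERS.contains(addr.getHostAddress());
    }

    /**
     * Forward-confirmed reverse DNS: reverse-resolve the IP, then forward-
     * resolve the resulting name and require the original IP among its
     * addresses. Still DNS-derived, so treat it as a secondary signal only.
     */
    public static boolean forwardConfirmed(String remoteIp) {
        try {
            InetAddress addr = InetAddress.getByName(remoteIp);
            String name = addr.getCanonicalHostName();
            // When the reverse lookup fails the JDK returns the literal itself.
            if (name.equals(addr.getHostAddress())) {
                return false;
            }
            // InetAddress.equals() compares address bytes, not host names.
            return Arrays.asList(InetAddress.getAllByName(name)).contains(addr);
        } catch (UnknownHostException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample peers: one allowlisted, one not.
        for (String peer : new String[] {"10.0.0.5", "192.0.2.44"}) {
            System.out.println(peer + " allowlisted: " + trustedByAllowlist(peer));
        }
    }
}
```

`trustedByAllowlist` is the shape that removes the finding's root cause: the security decision no longer depends on what DNS says. `forwardConfirmed` makes the cross-check explicit; the JDK's own `getCanonicalHostName()` performs a similar forward check internally and falls back to the address literal when it fails, which is why the literal comparison is needed before trusting the name at all.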
Comments
My sample code is like this: java.net.InetAddress.getLocalHost().getCanonicalHostName(), and I used ESAPI validation like this: ESAPIValidationUtils.getValidHostname(java.net.InetAddress.getLocalHost().getCanonicalHostName()). But I'm not able to solve it. How to validate this hostname or IP? Any idea, please share it.
veera
Posted On : 2016-05-30 10:34:26.0
Is there any alternative way to get the canonical hostname using the System class?
veera
Posted On : 2016-07-18 12:30:20.0
Yes, you can use:

```java
System.getenv("COMPUTERNAME")
```

and further you can validate like below:

```java
static String hostnameFromEnvironment() {
    if (System.getProperty("os.name").startsWith("Windows")) {
        /* Windows will always set the 'COMPUTERNAME' variable */
        return System.getenv("COMPUTERNAME");
    } else {
        /* If it is not Windows then it is most likely a Unix-like operating system
           such as Solaris, AIX, HP-UX, Linux or MacOS.

           Most modern shells (such as Bash or derivatives) set the
           HOSTNAME variable so let's try that first. */
        String hostname = System.getenv("HOSTNAME");
        if (hostname != null) {
            return hostname;
        } else {
            /* If the above returns null *and* the OS is Unix-like
               then you can try an exec() and read the output from the
               'hostname' command which exists on all types of Unix/Linux. */
            return null;
        }
    }
}
```
Rishi Kumar
Posted On : 2016-07-18 15:13:35.0
Hi Raj,

Thanks for your reply. But the above code is for getting the hostname; I need to get the canonical hostname. Is there any alternative way?
veera
Posted On : 2016-07-19 17:28:18.0
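The two comments above ask how to validate the value returned by getCanonicalHostName() and whether there is another way to obtain it. The following is an added example, not code from the post and not ESAPI's validator: a syntax check for an RFC 1123 hostname applied to the canonical name, which also recognises the IPv4 literal that the JDK returns when the reverse lookup fails. The class and method names and the sample strings are this example's own.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

/**
 * Added example (not from the post, not ESAPI): RFC 1123 hostname syntax
 * check for the value getCanonicalHostName() returns.
 */
public final class HostnameCheck {

    // One DNS label per RFC 1123: 1-63 characters, letters/digits/hyphens,
    // no leading or trailing hyphen.
    private static final String LABEL = "[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?";

    // Labels joined by dots, optional trailing dot; total length is checked separately.
    private static final Pattern HOSTNAME =
            Pattern.compile("^" + LABEL + "(?:\\." + LABEL + ")*\\.?$");

    // Dotted-quad IPv4 literal, each octet 0-255. Digit-only labels are valid
    // hostnames, so an IPv4 literal passes HOSTNAME and must be detected here.
    private static final Pattern IPV4 = Pattern.compile(
            "^(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}"
            + "(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)$");

    public static boolean isValidHostname(String s) {
        return s != null && s.length() <= 253 && HOSTNAME.matcher(s).matches();
    }

    public static boolean isIpv4Literal(String s) {
        return s != null && IPV4.matcher(s).matches();
    }

    /**
     * Canonical hostname of the local machine, accepted only when well-formed.
     * getCanonicalHostName() returns the address literal when the reverse
     * lookup fails; IPv6 literals already fail HOSTNAME because of the colons,
     * IPv4 literals are rejected explicitly.
     */
    public static String localCanonicalHostname() throws UnknownHostException {
        String name = InetAddress.getLocalHost().getCanonicalHostName();
        if (isIpv4Literal(name) || !isValidHostname(name)) {
            throw new IllegalStateException("no well-formed canonical hostname: " + name);
        }
        return name;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values exercising the syntax check.
        String[] samples = {"host-1.example.com", "-bad.example.com", "10.0.0.5", "a..b"};
        for (String s : samples) {
            System.out.println(s + " -> hostname=" + isValidHostname(s)
                    + " ipv4=" + isIpv4Literal(s));
        }
        System.out.println(localCanonicalHostname());
    }
}
```

A check like this makes the value safe to log or display, which is what a hostname regex can do. It does not change where the value comes from, and the Fortify finding is about that source: as the accepted answer says, a name obtained from DNS should not decide whether a request is trusted. Once the canonical hostname is used only for informational purposes, the remaining finding is a matter for audit review rather than for further validation code.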


