java-security: Fortify Often Misused-Authentication vulnerability

when i do scan using fortify, i have got vulnerabilities like "Often Misused: Authentication" at the below code. For this do we have any fix to avoid this issue. i have seen related posts but not able to get solution. Using ESAPI i have provided regex for hostname and ip address but it does not work.
addr.getHostAddress()
java.net.InetAddress.getByName(nameServiceHost);
java.net.InetAddress.getLocalHost().getCanonicalHostName()
localhost.getHostName()

Please Suggest me to solve this issue.

java x 211
security x 9
Posted On : 2016-05-26 17:17:56.0

veera
3220

Answers

The vulnerability is effectively just warning you as a developer not to trust the output from these. Many DNS servers are susceptible to spoofing attacks, so you should assume that your software will someday run in an environment with a compromised DNS server. If attackers are allowed to make DNS updates (sometimes called DNS cache poisoning), they can route your network traffic through their machines or make it appear as if their IP addresses are part of your domain. Do not base the security of your system on DNS names.

Example: The following code uses a DNS lookup to determine whether an inbound request is from a trusted host. If an attacker can poison the DNS cache, they can gain trusted status.

String ip = request.getRemoteAddr();
InetAddress addr = InetAddress.getByName(ip);
if (addr.getCanonicalHostName().endsWith("trustme.com")) {
trusted = true;
}

IP addresses are more reliable than DNS names, but they can also be spoofed. Attackers can easily forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication.

Posted On : 2016-05-26 23:41:25
Satisfied : 6 Yes 4 No

Rishi Kumar
523188247634
Reply This Thread

Comments

my sample code is like this :java.net.InetAddress.getLocalHost().getCanonicalHostName() and i used esapi validation ESAPIValidationUtils.getValidHostname(java.net.InetAddress.getLocalHost().getCanonicalHostName()) like this..but i´m not able to solve it.How to validate this hostname or ip.any idea pls share it.

veera
32 2 0 Posted On :2016-05-30 10:34:26.0
Leave a Comment

Is there any alternative way to get canonical hostanme using System class?

veera
32 2 0 Posted On :2016-07-18 12:30:20.0
Leave a Comment

Yes, you can use:
System.getenv("COMPUTERNAME")

and further you can validate like below:

if (System.getProperty("os.name").startsWith("Windows")) {
/* Windows will always set the ´COMPUTERNAME´ variable*/
return System.getenv("COMPUTERNAME");
} else {
/*If it is not Windows then it is most likely a Unix-like operating system
such as Solaris, AIX, HP-UX, Linux or MacOS.

Most modern shells (such as Bash or derivatives) sets the
HOSTNAME variable so lets try that first.*/
String hostname = System.getenv("HOSTNAME");
if (hostname != null) {
return hostname;
} else {

/* If the above returns null *and* the OS is Unix-like
then you can try an exec() and read the output from the
´hostname´ command which exist on all types of Unix/Linux.*/
}
}

Rishi Kumar
523 1882 47634 Posted On :2016-07-18 15:13:35.0
Leave a Comment

Hi Raj,

Thanks for your reply.But the above code is for getting hostname,i need to get canonical hostname.Is there any alternative way?

veera
32 2 0 Posted On :2016-07-19 17:28:18.0
Leave a Comment

Post Answer

Please Login First to Post Answer: Login

anyforum.in

Answer: