Java 3.0 Fixers

API Usage Issues (24):

  • Add Controller Class Restrictions –

    A Spring @Controller class that uses @SessionAttributes has to call setComplete() on the SessionStatus object from an @RequestMapping method. This is specific to the Spring framework.

  • Add Component Package Location –

    A class with annotation @ComponentScan should include all component (Service, Repository, Controller, RestController) packages. Otherwise, the classes will not be available in the Spring application context. This is specific to the Spring framework.

  • Add Default Package Restrictions –

    The default package should not contain a class with @ComponentScan, @SpringBootApplication, or @ServletComponentScan annotations. This is specific to the Spring framework.

  • Add No-argument Constructor in the Non-serializable Super Class –

    The non-serializable super class of a serializable class should have a public no-argument constructor to avoid problems during deserialization.

  • Add No-argument Constructor inside Externalizable Class –

    An externalizable class should have a public no-argument constructor as it is required for instantiation during deserialization.

  • Avoid Creating Date Object Only to Call getTime() Method –

    A Date object should not be created only to get the current number of milliseconds. It is better to use System.currentTimeMillis() instead.

  • Avoid Redundant Modifiers –

    A method declaration inside an interface is public and abstract by default. The default modifier for a field declaration inside the interface is public, static and final. Same goes for declarations inside an annotation declaration as it is also an interface. Also, a nested enum or a nested interface is static by default. Moreover, method declarations inside a final class are final by default. It is better to avoid using these redundant modifiers.

  • Avoid String.replaceAll(String, String) for Plain String –

    String.replace(String, String) should be used instead of String.replaceAll(String, String) if the first argument is not a regular expression as the former API has less overhead in this case.

  • Avoid Using Executors.newCachedThreadPool

    A thread pool created using Executors.newCachedThreadPool can create as many threads as needed. This can lead to a memory overflow if an unusual number of threads are created. It is better to use ExecutorService.newFixedThreadPool(int) instead to create a fixed number of threads.

  • Block Serialization with Append –

    An object output stream that is opened in append mode should not be serialized because the data will be stored in the wrong format and a deserialization attempt will result in an exception being thrown.

  • Declare serialVersionUID with Proper Signature in a Serializable Class –

    A serializable class should declare a serialVersionUID field with proper signature, otherwise the compiler will generate one. The generated one is dependent upon the compiler implementation and this may create unexpected problems during deserialization. Fixes CWE 502, CWE 589, CERT Secure coding standard SER00-J.

  • Declare Special Methods with Proper Signature in Serializable Class –

    A serializable class that wants to handle serialization and deserialization in a special manner should define special methods such as readObject, writeObject, readObjectNoData, readResolve, writeReplace, etc., with proper signatures. Fixes CWE 502, CERT Secure coding standard SER01-J.

  • Instantiate BigDecimal Object Properly –

    Instantiating a BigDecimal object using BigDecimal(double) or BigDecimal(float) constructor can result in precision loss. BigDecimal(String) constructor should be used instead to avoid this problem. Fixes CERT Secure coding standard NUM10-J.

  • Instantiate StringBuilder and StringBuffer Object Properly –

    Instantiating a StringBuilder object using a character translates to StringBuilder(int capacity) constructor. Same goes for StringBuffer. It is more likely that the developer intended to use the string literal instead of the character.

  • Non-serializable Field inside Serializable Class –

    A non-serializable field inside a serializable class will result in a NotSerializableException during serialization. The field should be serializable or transient.

  • Replace Confusing Scope Combination –

    Classes with annotation @Controller, @Service, or @Repository are singleton classes and if they have @Scope annotation, that should be explicitly specified. This is specific to the Spring framework.

  • Replace EnableAutoConfiguration with Import –

    A class with annotation @EnableAutoConfiguration, should be replaced by @Import, as @EnableAutoConfiguration may include unnecessary beans which slows down an application. This is specific to the Spring framework.

  • Remove Method Call –

    Remove unnecessary method calls that have been deprecated.

  • Serializable Non-static Inner Class inside Non-serializable Class –

    A non-static serializable inner class inside an non-serializable outer class will result in NotSerializableException during serialization. Either the inner class should be static, or the outer class should be serializable.

  • Use Better API for Case Insensitive String Equality Check –

    Case insensitive String equality check should not be done by converting to lower or upper case followed by String.equals method due to more overhead. It is better to do the case insensitive equality check using String.equalsIgnoreCase method.

  • Use Better API for String Emptiness Check –

    Emptiness of a String should not be checked using String.equals method due to more overhead. It is better to do the emptiness check using String.isEmpty method.

  • Use Better Directory Creation API –

    The directory creation APIs such as File.mkdir, Path.createDirectory, etc., can fail if the parent directory does not exist. It is better to use APIs such as File.mkdirs, Path.createDirectories etc., that can create the non-existent parent directory if needed.

  • Use Better JSON APIs –

    Using JSoN APIs with 'get' prefix such as getJSONObject, getJSONArray can throw JSONException in absence of corresponding JSoN field. This may crash the program if unhandled. Better APIs such as optJSONObject, optJSONArray should be used instead.

  • Use BufferedWriter Instead of FileWriter

    java.io.BufferedWriter should be preferred over java.io.FileWriter as the former one is more efficient for large I/O operations.

Arithmetic Issues (1):

  • Fix Zero Division –

    Removes zero division opportunities in code. Fixes CWE 369, CERT Secure coding standard NUM02-J.

Broken Authentication (8):

  • Fix Hard-coded Key –

    Cryptographic keys or other credentials should not be kept hard-coded in the source code. An attacker can extract the strings or byte arrays from an application source code or binary. Fixes CWE 798, OWASP A7-Identification and Authentication Failures, CERT Secure coding standard MSC03-J.

  • Fix Hard-coded Password –

    User passwords should not be kept hard-coded in the source code. An attacker can extract the strings or byte arrays from an application source code or binary. Fixes CWE 259, OWASP A7-Identification and Authentication Failures, CERT Secure coding standard MSC03-J.

  • Hide Application Specific Secret –

    Application-specific secrets such as password, database root password, etc., should not be kept hard-coded in the application configuration files (e.g., YAML files). Fixes CWE 798, OWASP A7-Identification and Authentication Failures, CERT Secure coding standard MSC03-J. This is specific to the Spring framework.

  • Minimize Access Token Lifetime –

    Developers sometimes set the lifetime of a randomly generated access token to be too long to make it easier to manage the token. But this increases the risk of replay attacks if any access token gets leaked. The lifetime of an access token should not be more than a couple of hours. This is specific to the Spring framework.

  • Prevent Session Fixation –

    Creating cookie for session id from untrusted data may allow an attacker to launch a session fixation attack. Fixes CWE 384, OWASP A7-Identification and Authentication Failures.

  • Restrict Access to Broadcast Receiver –

    While registering broadcast receivers in Android, broadcast permission should be specified so that a receiver only receives broadcasts sent by components having proper permission. This is specific to Android applications. Fixes CWE 925, CWE 940, OWASP A7-Identification and Authentication Failures.

  • Restrict Access to Broadcast Sender –

    While sending broadcast messages in Android, broadcast permission should be specified so that only receivers with proper permission can receive it. This is specific to Android applications. Fixes CWE 927, OWASP A3-Sensitive Data Exposure.

  • Validate SSL Certificates During Mail Transmission –

    If SSL is enabled in email transmission, the SSL certificate should be validated. Otherwise, the mail transmission will be vulnerable to a man-in-the-middle (MITM) attack. Fixes CWE 297, OWASP A7-Identification and Authentication Failures.

Concurrency Issues (11):

  • Always Synchronize on a private final Field –

    Synchronization should be on a private final field as it ensures the immutability of the field. Fixes CWE 412, CERT Secure coding standard LCK00-J.

  • Avoid Overriding Synchronized Method with Non-synchronized Method –

    Overriding a synchronized method of superclass with a non-synchronized method can lead to improper synchronization if the caller of this method relies on the thread-safety assurance of the superclass. Fixes CERT Secure coding standard TSM00-J.

  • Avoid String and Boxed Primitive Locks –

    Synchronization should avoid Strings and boxed primitives that can be reused. Fixes CERT Secure coding standard LCK01-J.

  • Avoid Synchronization on Parameter –

    Synchronization should not be done on a method parameter as multiple threads can pass different arguments to the method. Hence, the synchronization will be on different objects and the purpose of synchronization will fail. Fixes CWE 412, CERT Secure coding standard LCK00-J.

  • Avoid Threads inside Constructors –

    Starting a thread inside the constructor of a class that has been extended by other classes can lead to unexpected results as the constructor can start the thread before proper subclass instantiation. Fixes CERT Secure coding standard TSM02-J.

  • Avoid Value-Based Class Locks –

    Synchronization should avoid value-based classes as locks. Fixes CERT Secure coding standard LCK01-J.

  • Fix Data Race –

    Concurrent accesses of the same memory location can cause data race conditions if at least one of the accesses is a write access and exclusive locks are not used properly. Fixes CWE 366.

  • Make Both Getter and Setter Synchronized –

    Both getters and setters of a field should be synchronized to ensure the consistent state of the field. Fixes CWE 662.

  • Remove Servlet Mutable Fields –

    Make the instance fields of the servlet classes to be static or final, or remove them. The servlet container creates one instance of each servlet for each HTTP request and the threads will share the instance fields, leading to concurrency issues. Fixes CERT Secure coding standard MSC11-J.

  • Synchronize with Proper Class –

    Synchronization should avoid using getClass() methods. Fixes CERT Secure coding standard LCK02-J.

  • Use Thread.start() Instead of Thread.run()

    Invoking Thread.run() method executes the code in the current thread and does not spawn a separate thread. Thread.start() method should be used instead to spawn a separate thread. Fixes CWE 572.

Improper Access Control (6):

  • Avoid Hard-coded File Path to Publicly Writable Directories –

    Files should not be created with predictable names. Moreover, they should not be created in a publicly writable directory. This exposes any temporarily created file to race condition attacks. An attacker can access, modify or even delete a file. Fixes CWE 377, CWE 379, OWASP A1-Broken Access Control.

  • Get Proper Permission –

    Get Proper Permission from the super ClassLoader if any class extends the URLClassLoader. Fixes CERT Secure coding standard SEC07-J.

  • Prevent Permission Check With User Data –

    Permission checking using untrusted user-provided data may allow an attacker to gain unauthorized access to sensitive data. Fixes CWE 807, CERT Secure coding standard SEC02-J.

  • Prevent Persistent Entity Short-circuiting –

    Persistent objects annotated with @Entity or @Document should not be used as arguments in methods annotated with @RequestMapping and similar other annotations. This is specific to the Spring framework. Fixes CWE 915, OWASP A8-Software and Data Integrity Failures.

  • Prevent Untrusted File Extraction –

    Attempting to extract an archive file from an untrusted source may lead to a Denial of Service (DoS) attack. The archived file may be very small in size but the uncompressed file is huge. Identifies potential denial of service opportunities through a zip bomb. Fixes CWE 409, OWASP A1-Broken Access Control, OWASP A5-Security Misconfiguration.

  • Prevent URL Redirection –

    Using untrusted user-provided data to perform HTTP redirect leads to an Open Redirection attack. This allows an attacker to redirect a user to a malicious website and steal the user's credential by phishing. Identifies potential Open Redirection opportunities. Fixes CWE 601, OWASP A1-Broken Access Control.

Improper Method Call (5):

  • Call Super Method –

    Overriding methods should reference the method in the parent class.

  • Check Return Result –

    The return value of a method may contain error codes sent by the method. The return values should be checked against error codes before being used. Fixes CWE 252.

  • Fix Finalize Method Implementation –

    finalize method should be avoided or if used, called properly with reference to Object.finalize. Fixes CWE 568, CERT Secure coding standard MET12-J.

  • Prevent Incompatible Transactional Calls –

    Methods should not call same-class methods with incompatible @Transactional values.

  • Use Appropriate Method Parameter –

    Method invocations should be done with actual parameters that match the formal parameters. Violating that may sometimes lead to bugs that are extremely hard-to-debug.

Inappropriate Logic (12):

  • Add Missing Breaks –

    Unexpected control flow because of missing break statements in a switch. Fixes CWE 484.

  • Avoid Self Assignment –

    Useless self assignment does not have any effect. Rather, it indicates an unintentional mistake from a developer. This should be avoided.

  • Check Collection Length Meaningfully –

    The size of a Collection is always greater than or equal to zero and never less than zero. Checking if a Collection length is greater than or equal to zero or less than zero is useless.

  • Check Common Method Signature –

    A class should not have methods whose signature appears to be too similar to common methods such as hashCode, equals and toString.

  • Fix Array Equality Check –

    Typical equality checks only check for reference equality but not content equality for arrays. Array content equality should be done with Arrays.equals() method. Moreover, it should be ensured that the equality check is done between two array types. Fixes CWE 595, CERT Secure coding standard EXP02-J.

  • Fix Equality Check –

    Confusing object equality (equals method) with reference equality (== operator) and vice versa lead to inappropriate control flow, thus leading to hard-to-debug root causes. Perform appropriate equality checks according to the context. Fixes CWE 595, CWE 597, CERT Secure coding standard EXP03-J, CERT Secure coding standard EXP50-J

  • Move Default Statement –

    Switch statements should handle default case after everything else is handled.

  • Override both Object.equals and Object.hashCode

    A class should override both hashCode and equals methods to abide by the general contract of the hashCode method. Fixes CWE 581, CWE 697, CERT Secure coding standard MET08-J, CERT Secure coding standard MET09-J.

  • Override Object.equals Properly –

    A class should override the equals in such a way that it does not violate the symmetry contract of the equals method. Fixes CWE 697, CERT Secure coding standard MET08 -J.

  • Prevent Key Modification –

    While iterating on a HashMap or a HashSet, if a field of a key is modified, the hash of the key may change and therefore the old entry may not be referenced anymore. This introduces a bug in the program logic.

  • Prevent Object Access Nondeterminism –

    If an object is assigned inside a loop and then used outside, there is an opportunity of non-determinism based upon which object is referenced during the last iteration of the loop. This non-determinism introduces a bug in the program logic.

  • Remove Unused Semicolon –

    Remove unexpected control flow scenarios because of bad use of delimiters.

Injection (13):

  • Prevent SQL Injection –

    Constructing SQL queries with untrusted user-provided data, e.g., URL parameters, enables attackers to inject code in place of data that changes the meaning of the SQL query. Identify potential SQL injection opportunities. Fixes CWE 20, CWE 89, CWE 943, OWASP A3-Injection Issue, CERT Secure coding standard IDS00-J.

  • Prevent Cross-site Scripting –

    When endpoints reflect back tainted, user-provided data such as POST content, URL parameters, etc., it may allow attackers to inject code that will eventually be executed on the browser of a user. Identify potential SQL injection opportunities. Fixes CWE 79, CWE 80, CWE 81, CWE 82, CWE 83, CWE 84, CWE 85, CWE 86, CWE 87, OWASP A3-Injection.

  • Prevent Dynamic Code Injection –

    Applications that execute code dynamically that comes from an external source without proper validation allows an attacker to execute malicious code. An application should execute trusted code only. Fixes CWE 20, CWE 95, OWASP A3-Injection.

  • Prevent Insecure Deserialization –

    Deserializing untrusted user-provided data may allow an attacker to insert malicious objects which may lead to remote code execution, denial of service and so on. Check that the deserialization is done on trusted data only. Fixes CWE 502, OWASP A8-Software and Data Integrity Failures.

  • Prevent Log Injection –

    User-provided, untrusted data should not be injected into logs directly. This allows an attacker to corrupt the log file structure. Fixes CWE 117, OWASP A3-Injection, OWASP A9-Security Logging and Monitoring Failures.

  • Prevent Path Manipulation –

    Constructing file system paths from untrusted user-provided data such as POST content, URL parameters, etc., enables attackers to inject specific path browsing symbols, such as "..", to manipulate the file path and to access files that they are not allowed to access otherwise. Identify potential path manipulation opportunities. Fixes CWE 22, CWE 23, CWE 36, CWE 99, CWE 641, OWASP A3-Injection, OWASP A1-Broken Access Control.

  • Prevent OS Command Injection –

    Applications that execute operating system calls should not use untrusted user-provided data to create the command or command parameters. Identify potential OS command injection opportunities. Fixes CWE 77, CWE 78, CWE 88, OWASP A3-Injection.

  • Prevent XPath Injection –

    Constructing XPath expressions using untrusted user-provided data such as POST content, URL parameters, etc., enables attackers to inject specially crafted values that change the way the expression is supposed to interpreted under normal circumstances. Identify potential XPath injection opportunities. Fixes CWE 643, OWASP A3-Injection, CERT secure coding standard IDS53-J.

  • Prevent LDAP Injection –

    Constructing LDAP names or search filters using untrusted user-provided data enables attackers to inject values that change the way the name or the filter is supposed to interpreted under normal circumstances. Identify potential LDAP injection opportunities. Fixes CWE 90, OWASP A3-Injection, CERT secure coding standard IDS54-J.

  • Prevent Regular Expression Denial of Service –

    Using external strings as regular expressions leads to potential denial of service attack since evaluating the regular expressions is CPU intensive. Identify potential regular expression injection opportunities. Fixes CWE 400, OWASP A3-Injection.

  • Prevent Server-side Request Forgery –

    User-provided, untrusted data should not be used to fetch remote resources. This allows an attacker to send a crafted request to an unexpected destination. Fixes CWE 20, CWE 641, CWE 918, OWASP A10-Server-Side Request Forgery (SSRF).

  • Prevent SQL Injection in PreparedStatement

    PreparedStatement is used to prevent SQL injection attacks. But, constructing SQL queries with string concatenation using untrusted user provided data, e.g., URL parameters, undermines the benefits of a PreparedStatement. Identify potential SQL injection opportunities. Fixes CWE 20, CWE 85, CWE 943, OWASP A3-Injection, CERT Secure coding standard IDS00-J.

  • Prevent XSLT Injection –

    Transforming XML documents using untrusted user-provided XSLT stylesheets may allow an attacker to execute malicious code or read sensitive files. Identifies potential XSLT injection opportunities. Fixes CWE 74, OWASP A3-Injection.

Null Pointer Issues (2):

  • Bad Return Value –

    Methods with boxed type return values should not return null. Fixes CWE 476, CERT Secure coding standard EXP01-J.

  • Fix Null Dereference –

    A pointer which has not been initialized is used as if it pointed to a valid memory area in the heap. A null pointer issue happens because the developer mistakenly did not allocate an object or has mistakenly assumed that that the object is allocated when in fact it is null. Fixes CWE 476, CERT Secure coding standard EXP01-J.

Object Visibility (3):

  • Add Qualifier for Static –

    Access inherited static fields using the parent class as the qualifier.

  • Avoid Field Shadowing –

    A class should not declare a field with the same name of another field from the parent class.

  • Limit Field Access –

    Accessibility of fields in Java classes should be limited. Fixes CWE 582, CWE 607, CERT Secure Coding Standard OBJ01-J and OBJ13-J.

Security Misconfiguration Issues (19):

  • Allow Automatic Connection Recovery –

    Spring framework uses a factory object (SingleConnectionFactory) that returns the same connection for all connection requests. This should be declared with a setting to allow automatic recovery when the connection goes bad. This is specific to the Spring framework.

  • Annotate Public Method –

    Spring framework annotations should be accompanying a public method.

  • Avoid GET Mix –

    Spring framework annotations should use HTTP GET method and not mix it with other methods. Fixes CWE 352, OWASP A5-Security Misconfiguration Issue.

  • Avoid Insecure Protocol in POM File –

    Insecure protocols like HTTP/FTP should not be used in a POM file as it makes the maven build vulnerable to Man-in-the-middle (MITM) attacks. Fixes CWE 319, CWE 494, OWASP A2-Cryptographic Failures, OWASP A5-Security Misconfiguration, OWASP A8-Software and Data Integrity Failures.

  • Avoid Using Bintray to Download Artifacts –

    Downloading artifacts from a deprecated repository like 'Bintray' should be avoided as this can result in unwanted build failures.

  • Avoid Permissive Cross-Origin Resource Sharing (CORS) Policy –

    Cross-Origin Resource Sharing (CORS) is an HTTP header-based mechanism that allows a server to specify that it can support loading resources from some whitelisted domains other than its own. A loose CORS policy should not be set for a Spring handler class or method. Fixes CWE 346, CWE 942, OWASP A5-Security Misconfiguration, OWASP A7-Identification and Authentication Failures. This is specific for Spring applications.

  • Declare EJB Connectors Properly –

    Following EJB 3.0 conventions, application security interceptors must be listed in the ejb-jar.xml file, or they will not be treated as default interceptors. Fixes OWASP A5-Security Misconfiguration Issue.

  • Disable Deserialization of LDAP Objects –

    Configuring SearchControls object to enable deserialization of LDAP objects may allow an attacker to execute malicious code. Deserialization of LDAP objects should be disabled. Fixes CWE 502, OWASP A5-Security Misconfiguration, OWASP A8–Software and Data Integrity Failures.

  • Enable Transport Layer Security –

    Authentication and authorization packages in Spring security (e.g., OAuth 2.0, SAML 2.0, CAS, OpenID connect) strongly recommend the use of TLS. But developers tend to avoid the use of TLS in many places. This undermines the security of the whole application. This is specific to the Spring framework.

  • Limit Scope of Maven Dependencies –

    System dependencies in Maven are sought at a specific path that matches a configuration and cannot be ported. If an artifact is deployed in an environment that is different from the original configuration, the build would fail.

  • Prevent CSRF Disabling in XML –

    In Spring-Security, CSRF can be disabled in security-context.xml file. It is insecure to manually disable the default CSRF protection, especially if authentication is done based on the authentication cookie (i.e., JESSIONID) stored on a user's browser. This is specific to the Spring framework. Fixes CWE 352, OWASP A1-Broken Access Control.

  • Prevent CSRF Disabling –

    Spring-Security, by default, secures the web applications by defining a method csrf() and implicitly enabling this function invocation for each state-changing request (e.g., PATCH, POST, PUT, DELETE). It is insecure to manually disable the default CSRF protection, especially if authentication is done based on the authentication cookie (i.e., JESSIONID) stored on a user's browser. This is specific to the Spring framework. Fixes CWE 352, OWASP A1-Broken Access Control.

  • Remove Duplicate Validation Forms –

    The names of Struts validation forms should be unique. When there are duplicate validation form names, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This is specific to the Struts framework. Fixes CWE 102, OWASP A5-Security Misconfiguration Issue.

  • Remove Duplicate Servlet Definition –

    When a deployment descriptor contains the same name for multiple servlets, only the first one is deployed, and the others are ignored.

  • Stop Debugging Web Remoting –

    Direct Web Remoting (DWR) is a Java and JavaScript library that enables RPC calls in an Ajaxian application. If the debug mode of DWR is turned on, it will allow users to access information exposed under the debugging servlet. This is specific to the DWR library.

  • Track Messages During Restart –

    In Spring, DefaultMessageListenerContainer is implemented as a Java Message Service (JMS) polling component. While the Spring container is going through a restart/shut down, the message listener may discard messages and will therefore lose them. The message listener container should be declared such that the messages are not discarded. This is specific to the Spring framework.

  • Use Declared Filter –

    Every filter declared in web.xml file should be used in an element. Otherwise, such filters are not invoked. Fixes OWASP A5-Security Misconfiguration Issue.

  • Use Proper Request Mapping –

    Ensures that Proper Request Mappings are used. Fixes CWE 352, OWASP A1-Broken Access Control, OWASP A5-Security Misconfiguration Issue.

  • Validate Certificates Properly –

    X509 certificates should be validated properly during SSL/TLS authentication. Fixes CWE 295, OWASP A2-Cryptographic Failures, OWASP A5-Security Misconfiguration, OWASP A7-Identification and Authentication Failures, CERT Secure coding standard MSC61-J.

Sensitive Data Exposure (7):

  • Never Expose Stack Trace to End Users –

    Sending an exception stack trace through a servlet response can expose sensitive data about the internals of the application to an attacker. Fixes CWE 209, OWASP A4-Insecure Design, CERT Secure coding standard ERR01-J.

  • Prevent Sensitive Data Leakage –

    Data leakage happens when sensitive information is shared with an outside user, whether inside or outside of an organization. For example, sensitive data transmission via SMS can be easily intercepted by malware observing the outbox of the Android SMS service. Any sensitive data in the sinks can be a threat. This is specific to Android applications. Fixes CWE 200, CWE 201, CWE 319, OWASP A1-Broken Access Control, OWASP A2-Cryptographic Failures.

  • Prevent Sharing of User Preferences –

    Android getPreferences and getSharedPreferences should use private mode when invoked, so that the preferences are not exposed globally.

  • Prevent XML eXternal Entity –

    XML Document Type Definition (DTD) should be disabled to prevent information disclosure via XXE attacks. Fixes CWE 611, CWE 827, OWASP A5-Security Misconfiguration Issue.

  • Replace Random Generator –

    Weak random number generator should be replaced with a strong random number generator. Fixes CWE 330, CWE 332, CWE 336, CWE 337, OWASP A2-Cryptographic Failures, OWASP A5-Security Misconfiguration Issue, Secure coding standard MSC63-J.

  • Remove Weak Seed –

    A strong random number generator does not need a seed value to be set. Setting the seed with a constant or a predictable value will weaken the random generator itself. If a seed value is set explicitly, it should be removed. Fixes CWE 337, OWASP A2-Cryptographic Failures, OWASP A5-Security Misconfiguration Issue, CERT secure coding standard MSC63-J.

  • Use Proper Dependency Injection –

    Non-static members and constructors in classes with annotation @Controller, @Service, or @Repository should have proper annotations (any one of @Autowired, @Value, @Resource, or @Inject). This is specific to the Spring framework. Fixes OWASP A1-Broken Access Control Issue.

Weak Cryptography Issues (4):

  • Allow Throttling on Password Verification –

    The default configuration of BCryptPasswordEncoder is vulnerable to brute-force attacks. BCryptPasswordEncoder has a deliberately slow hashing function Bcrypt. This slowness or number of rounds in Bcrypt is one of the key factors which makes it resistant to do feasible brute-force attacks. But the default strength does not have enough slowness. This is specific to the Spring framework.

  • Use Secure Socket Protocol –

    SSL context objects should use a secure socket protocol such as TLS or DTLS. Fixes CWE 326, CWE 327, OWASP A2-Cryptographic Failures, OWASP A5-Security Misconfiguration Issue.

  • Use Strong Hash Function –

    Hashing should be done using strong hashing algorithms such as SHA-256 or SHA-3. Fixes CWE 327, CWE 328, OWASP A2-Cryptographic Failures, OWASP A5-Security Misconfiguration Issue.

  • Use Strong Password Encoder –

    Authentication manager should use a strong password encoder. This is specific to the Spring framework. Fixes CWE 327, CWE 328, OWASP A2-Cryptographic Failures, OWASP A5-Security Misconfiguration Issue, OWASP A7-Identification and Authentication Failures.

Last updated