  1. #1
    Join Date
    Jan 2017
    Posts
    2

    Can you spot any problems in this code? (Java)

    Some background info if it will help you or not...

    A payment app was acquired by a bank. During data center migration, there was a data breach and information was leaked by hackers BEFORE the data centers migrated to the bank.

    The code provided is from the key area of authentication of the app.

    HERE'S THE CODE:





    Any help will be appreciated thanks!!

  2. #2
    2kaud is offline Super Moderator Power Poster
    Join Date
    Dec 2012
    Location
    England
    Posts
    7,824

    Re: Can you spot any problems in this code? (Java)

    I'm c++ not java, but a couple of general points. It looks like you are storing clear-text passwords and passing clear-text passwords as arguments to functions. That's really a no-no. The passwords should be encrypted as soon as they are entered and only the encrypted form stored and passed between functions. Once encrypted, the memory used to temporarily hold the clear-text password should be overwritten. Comparisons are then made between the encrypted passwords.

    What if the entered username and/or password contained SQL statements? I'm not an SQL expert but I know that you can 'embed' SQL in data passed to an SQL query. As well as storing passwords encrypted (meaning that the entered text is changed), user-names also are not stored as 'plain text' but undergo a (reversible?) transformation so that again any embedded SQL wouldn't work.
    All advice is offered in good faith only. All my code is tested (unless stated explicitly otherwise) with the latest version of Microsoft Visual Studio (using the supported features of the latest standard) and is offered as examples only - not as production quality. I cannot offer advice regarding any other c/c++ compiler/IDE or incompatibilities with VS. You are ultimately responsible for the effects of your programs and the integrity of the machines they run on. Anything I post, code snippets, advice, etc is licensed as Public Domain https://creativecommons.org/publicdomain/zero/1.0/ and can be used without reference or acknowledgement. Also note that I only provide advice and guidance via the forums - and not via private messages!

    C++23 Compiler: Microsoft VS2022 (17.6.5)

  3. #3
    Join Date
    Jan 2017
    Posts
    2

    Re: Can you spot any problems in this code? (Java)

    Quote Originally Posted by 2kaud View Post
    I'm c++ not java, but a couple of general points. It looks like you are storing clear-text passwords and passing clear-text passwords as arguments to functions. That's really a no-no. The passwords should be encrypted as soon as they are entered and only the encrypted form stored and passed between functions. Once encrypted, the memory used to temporarily hold the clear-text password should be overwritten. Comparisons are then made between the encrypted passwords.

    What if the entered username and/or password contained SQL statements? I'm not an SQL expert but I know that you can 'embed' SQL in data passed to an SQL query. As well as storing passwords encrypted (meaning that the entered text is changed), user-names also are not stored as 'plain text' but undergo a (reversible?) transformation so that again any embedded SQL wouldn't work.
    I thank you for your input.

    Your first point makes sense, I get that. However your second point about SQL statements, I didn't quite catch that. Could you perhaps rephrase it somehow... I'm trying to figure it out, seems a bit too complex for me xDD

  4. #4
    2kaud is offline Super Moderator Power Poster
    Join Date
    Dec 2012
    Location
    England
    Posts
    7,824

    Re: Can you spot any problems in this code? (Java)

    However your second point about SQL statements
    See https://en.wikipedia.org/wiki/SQL_injection

    Like I said, I'm not an SQL expert - but we never use any entered data directly.
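    The two points raised in #2 and #4 (never store, pass around or compare clear-text passwords, wipe the buffer once it has been used; never put entered data directly into an SQL query), as an added example that is not part of the thread and not the OP's Java code. It is written in Python so it runs stand-alone against an in-memory SQLite table; what the post calls "encrypting" the password is done here as the standard salted one-way hash (PBKDF2-HMAC-SHA256), and the `?` placeholders are the equivalent of a Java `PreparedStatement`. The `users` table layout and all usernames and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)


def hash_password(password: bytearray, salt: bytes) -> bytes:
    """Derive a salted one-way hash, then overwrite the clear-text buffer."""
    try:
        return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    finally:
        # Zero the caller's buffer (a bytearray, since str is immutable) so the
        # clear text does not linger in memory after the hash has been derived.
        for i in range(len(password)):
            password[i] = 0


def open_store() -> sqlite3.Connection:
    """Constructed in-memory user table: only salt and hash are stored."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    return db


def register(db: sqlite3.Connection, username: str, password: bytearray) -> None:
    salt = os.urandom(16)  # fresh random salt per user
    digest = hash_password(password, salt)
    # '?' placeholders: the driver binds username as a value, never as SQL text,
    # so quotes or keywords typed into the login form cannot alter the query.
    db.execute("INSERT INTO users (username, salt, hash) VALUES (?, ?, ?)",
               (username, salt, digest))


def login(db: sqlite3.Connection, username: str, password: bytearray) -> bool:
    row = db.execute("SELECT salt, hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        hash_password(password, b"\0" * 16)  # wipe the buffer and keep timing uniform
        return False
    salt, stored = row
    # Compare hashes, never clear text, and in constant time.
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    db = open_store()
    register(db, "alice", bytearray(b"correct horse battery"))
    print(login(db, "alice", bytearray(b"correct horse battery")))  # True
    print(login(db, "alice'--", bytearray(b"anything")))            # False: literal username
```

A username containing a quote or SQL keywords is looked up as a plain string and simply does not match any row, which is the behaviour the Wikipedia link in #4 describes as the fix.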

  5. #5
    Join Date
    Jun 1999
    Location
    Eastern Florida
    Posts
    3,877

    Re: Can you spot any problems in this code? (Java)

    Norm
