DataLeak
Improper input validation or bad programming practices may cause Java programs to leak sensitive data. The leaked data may be exactly what the attacker wants (passwords, PIN numbers, photos, account details) or it may serve as one step in a larger attack. Input validation and sound programming practices, which consider every possible outcome and every abusive use of a program, help prevent information leaks.
We complement the Input Validation chapter with examples of how abusive use of apparently correct Java programs allows data to leak.
input, infiltration, exfiltration
program output: standard output, log files, errors
side/covert channel attacks: learning program behavior through indirect means (time to run, errors, resource consumption, electromagnetic waves)
logging and exception handling
hard coding sensitive data
Enter the 04-data-leak/logging/ subfolder in the repository. Check the source code, find the issue with it, "exploit" it, then fix it.
Based on IDS03-J (Do not log unsanitized user input)
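The pattern behind IDS03-J, shown as an added example that is not the code in 04-data-leak/logging/: a login handler writes an attacker-controlled username straight into the log, so a CR/LF in the input starts a new line and the attacker forges records that look like the logger's own. The hardened version escapes control characters and caps the length before logging. Class, method and logger names are chosen for the example; the log format is java.util.logging's default.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example, not the course repository's code: log injection through an
// unsanitized username, beside a sanitized version.
public class LogInjectionDemo {
    private static final Logger LOG = Logger.getLogger("auth");

    // Vulnerable (IDS03-J): CR/LF inside the username starts a new line in the
    // log, so the attacker can append records that look like the logger's own.
    static void recordFailureVulnerable(String username) {
        LOG.log(Level.INFO, "Login failed for user: " + username);
    }

    // Hardened: keep printable ASCII, escape everything else, and cap the length
    // so an oversized input cannot flood the log either.
    static String sanitizeForLog(String s) {
        if (s == null) {
            return "<null>";
        }
        StringBuilder sb = new StringBuilder();
        int i = 0;
        for (; i < s.length() && sb.length() < 64; i++) {
            char c = s.charAt(i);
            if (c >= 0x20 && c < 0x7f) {
                sb.append(c);
            } else {
                sb.append(String.format("\\u%04x", (int) c)); // '\n' becomes \u000a
            }
        }
        if (i < s.length()) {
            sb.append("..."); // input was truncated
        }
        return sb.toString();
    }

    static void recordFailureHardened(String username) {
        LOG.log(Level.INFO, "Login failed for user: " + sanitizeForLog(username));
    }

    public static void main(String[] args) {
        // Constructed attacker input: a genuine failure followed by a forged
        // "success" record for admin. Run it and compare the two log outputs:
        // the first prints the forged line on its own, the second prints \u000a.
        String forged = "mallory\nINFO: Login succeeded for user: admin";
        recordFailureVulnerable(forged);
        recordFailureHardened(forged);
    }
}
```

Whitelisting printable ASCII is deliberately strict; if the application must log non-ASCII names, allow the needed Unicode ranges but never let CR, LF, or other control characters through unescaped.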
Enter the 04-data-leak/exceptions/ subfolder in the repository. Check both source code files (Logging.java and Sensitive.java), find the issue with them, "exploit" it, then fix it.
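How exception handling leaks sensitive data, as an added example that is not the course's Logging.java or Sensitive.java: a value object holding a card number, an exception whose message drags that object in through its toString(), and a catch-all handler that logs the exception. The hardened pair keeps the secret out of the message, so the same handler logs nothing sensitive. All names and the card number are constructed for the example.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example, not the course repository's code: a secret reaches the log
// through an exception message.
public class ExceptionLeakDemo {
    private static final Logger LOG = Logger.getLogger("payments");

    static final class Card {
        private final String number;
        Card(String number) { this.number = number; }
        // Leaks: any string concatenation or log call that touches the object
        // prints the full number.
        @Override public String toString() { return "Card[" + number + "]"; }
    }

    static final class SafeCard {
        private final String number;
        SafeCard(String number) { this.number = number; }
        // Only the last four digits can ever reach a message or a log record.
        @Override public String toString() {
            String tail = number.length() >= 4 ? number.substring(number.length() - 4) : "";
            return "SafeCard[****" + tail + "]";
        }
    }

    // Vulnerable: the full card number rides along in the exception message.
    static void chargeVulnerable(Card card, long cents) {
        if (cents <= 0) {
            throw new IllegalArgumentException("Bad amount " + cents + " for " + card);
        }
    }

    // Hardened: the message carries only what the caller needs to know.
    static void chargeHardened(SafeCard card, long cents) {
        if (cents <= 0) {
            throw new IllegalArgumentException("Amount must be positive, got " + cents);
        }
    }

    // A typical catch-all. Logging the exception object includes its message,
    // so with the vulnerable version the card number lands in the log file.
    static void handle(Runnable r) {
        try {
            r.run();
        } catch (RuntimeException e) {
            LOG.log(Level.SEVERE, "Charge failed", e);
        }
    }

    public static void main(String[] args) {
        // Constructed test data, not a real card number.
        handle(() -> chargeVulnerable(new Card("4111111111111111"), 0));
        handle(() -> chargeHardened(new SafeCard("4111111111111111"), 0));
    }
}
```

The fix has two halves: the class that holds the secret never renders it in toString(), and the code that throws never puts the secret into the message. Fixing only one leaves the other path open, for instance a debugger or a different catch block that prints e.getMessage() to the user.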
Enter the 04-data-leak/private/ subfolder in the repository. Check the source code, find the issue with it, "exploit" it, then fix it.
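A reminder of what `private` does and does not protect, as an added example that is not the code in 04-data-leak/private/ (class and field names are made up): the access modifier is a compile-time rule, not a protection for the data. The same secret leaks through a getter that hands out the internal array, through default serialization, and through reflection from any code in the same JVM. The hardened class copies the array on the way in, marks it transient, and zeroes it as soon as it is no longer needed.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added example, not the course repository's code: three ways a private
// field gives up its contents, and a class that limits the exposure.
public class PrivateLeakDemo {

    static final class Credentials implements Serializable {
        private final char[] password;
        Credentials(char[] password) { this.password = password; } // aliases the caller's array
        char[] getPassword() { return password; }                  // hands out that alias
    }

    static final class HardenedCredentials implements Serializable {
        private transient char[] password; // transient: never written by ObjectOutputStream
        HardenedCredentials(char[] password) { this.password = password.clone(); }
        boolean matches(char[] attempt) { return Arrays.equals(password, attempt); }
        void destroy() { Arrays.fill(password, '\0'); } // zero it as soon as it is not needed
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // ObjectOutputStream writes each char big-endian, so the secret appears in the
    // stream as its UTF-16BE bytes. Decoding both sides as ISO-8859-1 keeps every
    // byte as one char, which makes a plain contains() a byte-level search.
    static boolean streamContains(byte[] stream, String secret) {
        String hay = new String(stream, StandardCharsets.ISO_8859_1);
        String needle = new String(secret.getBytes(StandardCharsets.UTF_16BE),
                                   StandardCharsets.ISO_8859_1);
        return hay.contains(needle);
    }

    public static void main(String[] args) throws Exception {
        char[] secret = "hunter2".toCharArray(); // constructed test secret

        Credentials c = new Credentials(secret);
        System.out.println("via getter:      " + new String(c.getPassword()));
        System.out.println("in serial form:  " + streamContains(serialize(c), "hunter2"));
        Field f = Credentials.class.getDeclaredField("password");
        f.setAccessible(true); // allowed for classpath code; 'private' does not stop it
        System.out.println("via reflection:  " + new String((char[]) f.get(c)));

        HardenedCredentials h = new HardenedCredentials(secret);
        System.out.println("hardened serial: " + streamContains(serialize(h), "hunter2"));
        System.out.println("hardened check:  " + h.matches("hunter2".toCharArray()));
        h.destroy();
        Arrays.fill(secret, '\0'); // the caller's copy needs zeroing as well
    }
}
```

The hardened class still holds the secret in memory while it is in use, so a heap dump taken at that moment would contain it; shortening that window with clone-in and zero-out is the practical goal, not making the field unreadable.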
Enter the 04-data-leak/hard-codibg/ subfolder in the repository. Check the source code, find the issue with it, "exploit" it, then fix it.
Based on MSC03-J (Never hard code sensitive information)
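Why MSC03-J matters in practice, as an added example that is not the code in the hard-coding exercise: a password written as a string literal becomes a constant in the compiled .class file, so anyone who can read the jar reads the secret (running `strings` on the file is enough). The program proves this by scanning its own bytecode, then shows the usual fix of reading the secret from the environment at run time. The constant value and the variable name DB_PASSWORD are assumptions made for the example.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added example, not the course repository's code: a hard-coded secret is
// readable from the compiled artefact.
public class HardcodedSecretDemo {
    // Vulnerable (MSC03-J): stored verbatim in the constant pool of
    // HardcodedSecretDemo.class, and in every class that inlines the constant.
    private static final String DB_PASSWORD = "s3cr3t-pr0d-p4ss";

    // Reads the class's own bytecode and looks for the literal. ASCII literals are
    // stored unchanged in the constant pool (modified UTF-8), and decoding the
    // bytes as ISO-8859-1 keeps every byte as one char, so contains() is a byte search.
    static boolean classFileContains(Class<?> cls, String needle) throws Exception {
        try (InputStream in = cls.getResourceAsStream(cls.getSimpleName() + ".class")) {
            if (in == null) {
                throw new IllegalStateException("class file not found on classpath");
            }
            String bytecode = new String(in.readAllBytes(), StandardCharsets.ISO_8859_1);
            return bytecode.contains(needle);
        }
    }

    // Hardened: the artefact carries no secret. A missing setting fails closed
    // instead of silently falling back to a built-in default.
    static char[] loadDbPassword() {
        String v = System.getenv("DB_PASSWORD");
        if (v == null || v.isEmpty()) {
            throw new IllegalStateException("DB_PASSWORD is not set");
        }
        return v.toCharArray(); // a char[] can be zeroed after use; a String cannot
    }

    public static void main(String[] args) throws Exception {
        System.out.println("password found in class file: "
                + classFileContains(HardcodedSecretDemo.class, DB_PASSWORD));
        try {
            char[] pw = loadDbPassword();
            System.out.println("loaded " + pw.length + " chars from the environment");
            Arrays.fill(pw, '\0'); // done with it
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Run it once without DB_PASSWORD set to see the fail-closed path, then with `DB_PASSWORD=... java HardcodedSecretDemo`. Environment variables are the simplest replacement; a keystore or a secrets manager is the better choice when the deployment has one, but either way the secret no longer ships inside the code.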