I need to fix Heap Inspection vulnerability which is coming after running security scan. Scan generated document is pointing to POJO property "private String password;".
Also it is mentioned "The application does not contain any code that sets Content Security Policy headers."
Can anyone help me in how to remove this Heap Inspection Vulnerability
An application is vulnerable to Heap Inspection when sensitive information (a password in your case) is stored as clear-text (unencrypted) in the memory.
If an attacker will perform a memory dump (remember the Heartbleed bug?), this sensitive information will be compromised.
There are two proper ways of holding such sensitive information:
Using a secured object, such as a GuardedString instead of a String or a char array, or
Encrypting the information and immediately scrubbing the memory containing the clear-text
Checkmarx probably found that vulnerability in your code, so it is advised to use one of these methods to hold your sensitive information securely.
Related
Which method or way would you choose to make encrypted data only accessible for the user and an algorithm to process and evaluate the data? In this case the user would be one of n service-users, who would add sensible data (mostly answers to questions) about himself into the database. The company who is providing the database shouldn’t have any access to the sensible data, but to the results of the data processing. The results wouldn’t give any conclusion of the sensible data.
What you are looking for is Fully Homomorphic Encryption (FHE). FHE operates on encrypted data. This can be achieved by an encryption scheme that supports two operations on encrypted data. RSA and others only supported one operation until Gentry's work.
With FHE schemes like HeLib (there are many now), you can upload your data the server and give a function (circuit) to evaluate. The FHEs, in general, have semantic security (randomized encryption). The Semi-honest server can only see encrypted data and can return the result back to you.
Note: They are not practical, yet.
I think the best way to do that is to save only the result. but if you want to save the user's answers you could use AES with the user's password as a key by doing so the user will have to enter his password every time to decrypt the data.
I have a doubt regarding the exposure of internal database primary keys.
I have decided to use UUIDs in place of auto-increment longs (see here for details). This way, among other things, people cannot discover the relative size of my data or their growth over time.
Now, the UUID doesn't provide any internal information but it is not very URL friendly, although it is URL safe. Furthermore if long PKs shouldn't be exposed, then UUIDs shouldn't either.
Usually to make UUIDs more user friendly, people base64 encode them.
Example:
- UUID: 7b3149e7-bdab-4895-b659-a5f5b0d0
- base64: ezFJ572rSJW2WQAApfWw0A
My point is: anyone could still take those base64 string from the url and decode them in order to obtain the original UUID. This means that even in this case UUIDs would end up being exposed as well.
Should I use another type of encoding? Is out there something already known or should I create my custom encoding? If yes, should I follow any guidelines?
Thank you
On the first look to be able to provide a small tiny level of Secrecy to those Identifiers you can use one way Hash functions such as SHA2(which is a Cryptographic function and not Encoding). This will literally buy you no specific security advantage.
If you are relying only on Object Reference IDs for access control and try to make them secret then I suggest you think twice at your Access Control and Authorization Model.
It is good to have random/non-guessable/Collision Free Object Reference IDs, however If you are relying on Secrecy of Reference ID for security this is a big flaw (in Old OWASP Top10 this was referred as Direct Object Reference Identifier Issue and in OWASP 2017 this is referred as Broken Access Control Issue). You need to consider a Full AAA chain: Authentication,Authorization,Audit/Accountability for Access by relying on a Random unique Token with a short validity period, which later on can be used to decide on Authorization and Access levels of your system's to be tied with a subject and permit them to interact with the Objects that they are entitled with.
The reason you aren't supposed to expose PKs is that they may (a) leak information and (b) allow people to guess other values. Neither is true of UUIDs (at least v3/4/5), which is one of the main reasons to use them in the first place. The human factor you mention is why so many folks use base64 (or other) encoding; it's not for security.
That said, you should never rely on URL secrecy as security; there are far too many ways that URLs leak, and your users may even do it intentionally--but they'd be very upset if sending a link to their friend meant that friend had full access to their account.
I have a dictionary (simple key - value mapping between small strings) of ~1GB in size (which may grow in time) that I want to use for spell correction and autocompletion purposes. I was planning on keeping it in RAM, but until I gain some traffic I want to stick to free hosting plans, so this is not really an option for the time being in my case.
The alternative is to store it on disk (SSD) and use some limited (e.g. up to 128MB) clever caching (e.g. with a combined LRU/LFU eviction policy) to keep access times bearable. However, I'm not sure which form of disk storage I should use to maximize throughput. The options I have considered so far are:
Use a database:
MongoDB
BerkleyDB ( https://en.wikipedia.org/wiki/Berkeley_DB )
Use a custom solution:
https://github.com/spotify/sparkey
Just use the filesystem:
have a file for each entry in the dictionary,
whose name is the key and contents are the value
Before I start getting my hands dirty and evaluate the above by implementing and profiling, I wanted to know, if anyone has done something similar before, what was your approach and results. Please note that the dictionary is only created once and not modified afterwards. That is, after creation, there will only be read (lookup) operations, and one 'correction/suggestion query' typically needs 15-20 lookup operations.
Thanks in advance for any useful input!
PS: I'm developing using the MEAN stack.
In my C application I have a decryption key that is used to decrypt sets in the database (username / password). Currently, I simply declared it with
char * key = "$$$secretSampleDecryptionKey$$$";
Shortly after that line, I prepare the SQL statement and then select from the DB. My question is, if someone was to debug my compiled application or dissassemble it, will they actually see the key? What can I do to hide it from them?
EDIT:
As Mark and Aaron pointed out, I can simply use the Linux / Unix strings command
strings nameOfApplication
to print out all the strings in my application, including the "secret" key.
EDIT 2:
The app runs on my server and the database stores sensitive customer data that is encrypted. I thought I was playing it safe by not having the key in a text file for everyone to read but compile it instead.
An interesting link relating the story of someone retrieving a password from a binary :
Deconstructing an ELF File
This is a step-by-step description of what someone could try to discover a password. It will give you some idea of what "not to do". The use of the command strings is the first item in the list for example.
If you want to hide your secret string from strings, you can store it in as a char array not terminated with \0 character. strings should not pick it up.
There is also a nice trick mentioned (which is bypassed) to avoid someone to use a strace/ltrace on your binary.
Ultimately by disassembling the code, the "hacker" manage to retrieve the password, which as other have pointed out is difficult to protect against. Basically you can't really hide anything in a binary...
If the key is in your source then an attacker will be able to find it. The best you can do is to make it more difficult for them.
The stored key should not be text, but binary. That way you avoid searches for strings. Presumably if you have the key present in the code your users do not need to be able to type it in.
Store the key in at least two random looking binary arrays that are XOR'ed together to make the actual key. Alternatively, pick one of the standard text strings that is present in your application anyway, something like: "Please enter the Zipcode: ", and use that as your key, or as one component of the XOR. Hashing such a message would get it to a standard length if needed.
Using a debugger / disassembler the user will always be able to find out the password. You can make it harder (e.g. use obfuscation), but not impossible.
If you really do have a secret (i.e. a private key needed to decrypt the data), you can perform decryption on a smartcard.
In your scenario concerning usernames and password, you might just store the password-hash in the database (see referenced answers in Best way to store password in database)
Can someone see it?
The command strings will show the string, no need to disassemble the application.
Disassembling will just make it more simple to identify which of the 15'000 strings is used as key.
What can I do to hide it from them?
There is only one solution: Don't put it in the code.
Instead, use a license key or similar technique where the user knows the key.
I wonder if someone could give us a real answer to solve this problem. From my experience as an web dev I can tell you that what you give to client does not belong to you anymore to control. Consider a website using some encryption algorithm on the server-side and a hard-coded javascript technique on the client, and the webdev, himself, guided by his own vanity, do not want to show it to the world, but still to be used by the clients, as it is.
In this case, what can he do? Yes, yes, he can come up with the idea to put his script in an infinite loop based on setTimeout, all as an anonymous function, so it can't be tracked, but still the initialisation must be done somewhere, the code must be visibile, further more, he decide to send the code after load in an encrypted way, but still, on the client you wil still have to have the decryption key, so someone who want's the information will still have the two necessary pieces of this puzzle. But our programmer is perseveringly, so he creates the decryption function every time to match only one encrypted string, but still it does him no good. As the client will still have the string and the matching function.
Anything he can do is to find a way to use the environment so that the function can be used only one time, after that the code used to expire as the string, and the real information to be lost forever. And the thing with the highest importance is to make the use of the environment in such a way that the context of the execution of the decryption function can not be forged.
I know that I do not answered your question but I pin pointed some important details of the problem you mentioned. If you work with C there must be some tools you can use, as creating a context using some memory state or an actual system operation to get you something that can't be forged.
EDIT 1:
You could create an interesting domino efect in your code leaking bits of the encryption key based on the execution as when it is needed you wil have it entirely but it would not be stored in a file or in a string in your compiled file, so it can only be found at runtime, and it only be found in some specific conditions, and further more it might take some hrd reverse engineering to get it. Might be a good solution.
With great respect,
Paul
I am using windows form and mysql.
I am very confuse about different between encode and encription?.
encode also change the string value. and decode is give back the string.
In my program,...
userid - mcs
password - mcs
i want to store these strings in mysql database. but not a same string, for security purpose.
What is secure way to store these datas.
encode and encription which is best for this requirement.
thanks in advance.
i googled for the different but till i am not clear!. any one pls tell me the different between encode and encription?. For my requrement what i use?.
Before leave this question just vist my downvote question in Click here
In short:
Encoding transforms data from one representation to another, in such a way that anybody can transform it back. So if you want to prevent other people from seeing the original data, encoding alone is not useful at all.
Encryption transforms data in such a way that only persons who know a secret key can get the original data back.
However, there is a third option, which is what you probably will want to use in this case (which is the reason I am posting this, since others have already stated the above points):
Hashing. This transforms the data in such a way that no one, not even you, can get the data back - however, each time you hash the same data, you will get the same result. Why is this useful? In your case, by hashing the password, you will accomplish your goal of preventing people who can access the database from seeing what the passwords are. However, you can still verify that someone who tries to log in has provided the correct password: simply hash the password the user entered, and if the result matches what is stored in the database, the password was correct. This is a standard and highly recommended approach; see the Wikipedia article on password hashing.
Encoding is how the different characters are represented according to their memory spaces (8bit etc.). Encryption is how to keep a text hidden with the use of a secret key. After encryption the text turns into a series of arbitrary bytes so you encode it with say Base64 encoding to be able to make it into a readable (and properly cachable) string.
You'll want to encrypt your user information before storing in a database for security purposes. MySql Encryption has many function to help you with that.
Encoding and decoding (such as base64) are often associated with security procedures but encoding data is not at all a secure procedure on its own. Encoding simply turns an arbitrary set of byte data such as jpegs, gifs and encrypted bytes, into a string of text which easier and safer to store and transport across a variety of platforms and systems.
With encryption you actually secure data by processing it with a secret key into a different, encrypted block of data that is very hard to break without the key with which it was created. Decryption does the reverse, provided you have the key.
To secure your data you need to encrypt it. To help you store encrypted data you may want to encode but it is optional. If you store your encrypted data as a db blob, there's no need to encode.
To get the data back, you will need decode it (if you encoded) and then decrypt.
Always google gives the best answer, by quick search.. Very neat with example explanation here.
http://www.blesta.com/2009/07/26/encoding-vs-encryption/
http://www.perlmonks.org/index.pl?node_id=66249
Don't get confused, encoding is not encryption
http://www.di-mgt.com.au/encode_encrypt.html