Fortify fix for Often Misused Authentication
Question
When I do scan using fortify I have got vulnerabilities like "Often Misused: Authentication" at the below code. For this do we have any fix to avoid this issue. I have seen related posts but not able to get solution.Using ESAPI I have provided regex for hostname and ipadress but it not works. addr.getHostAddress() java.net.InetAddress.getByName(nameServiceHost); java.net.InetAddress.getLocalHost().getCanonicalHostName() localhost.getHostName()
Please Suggest me to solve this issue.
4 answers
solution1
2 2020-03-22 22:23:54
All other answers try to provide workarounds by not using the inbuilt API, but using the command line or something else. However, they miss the actual problem, it is not the API that is problematic here, it is the assumption that DNS can be used for authentication.
Attackers can spoof , that is falsify, DNS responses pretending to be a valid caller. They can also use IP address spoofing to appear to be a valid caller without attacking DNS.
TL;DR don't use DNS or caller-IP as an authentication source. Instead use SSL/TLS with for an encrypted connection, then you can use Basic-Authentication , Oauth2 or even better client-certificates aka mTLS instead.
solution2
0 2016-10-31 06:50:26
You can verify whether the request is from a trusted host
String ip = request.getRemoteAddr();
InetAddress addr = InetAddress.getByName(ip);
if (addr.getCanonicalHostName().endsWith("trustme.com")) {
trusted = true;
}
solution3
0 2017-02-14 06:45:18
For my case i have re written the code like this
public static String getIPAddress(String hostname) {
Process process;
String ipAddress = null;
String localIpAddress = null;
String[] commandArray;
if(System.getProperty("os.name").startsWith("Windows")) {
commandArray = new String[] {"cmd", "/c", "ping "+hostname+ " -4 | findstr Pinging"}; // For Windows
} else {
commandArray = new String[] { "bash", "-c", "host "+hostname}; // For Linux and OSX
}
try {
process = Runtime.getRuntime().exec(commandArray);
BufferedReader stdInput = new BufferedReader(new InputStreamReader(process.getInputStream()));
String[] output;
// Reading the output of a command executed.
while ((localIpAddress = stdInput.readLine()) != null) {
if(System.getProperty("os.name").startsWith("Windows")) {
output = localIpAddress.split(" ");
ipAddress = output[2].replace("[", "").replace("]", "").trim();
} else {
output = localIpAddress.split("has address");
ipAddress = output[1];
}
}
} catch (IOException e) {
org.owasp.esapi.reference.Log4JLogFactory.getInstance().getLogger(" com.util.esapi.InetAddressWrapper.getIPAddress() << "+e+" >>");
}
return ipAddress;
}
solution4
0 2018-05-18 21:56:55
尝试使用 InetSocketAddress 包装器,尤其是用于 Elasticsearch 传输客户端:
new InetSocketAddress(hostname, port)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.