Kingdom: Security Features

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Weak SecurityManager Check: Overridable Method

Java/JSP

Abstract

Non-final methods that perform security checks may be overridden in ways that bypass security checks.

Explanation

If a method is overridden by a child class, the child class can bypass security checks in the parent class.
Example 1: In the following code, doSecurityCheck() performs a security check and can be overridden by a child class.


public class BadSecurityCheck {
    private int id;

    public BadSecurityCheck() {
        doSecurityCheck();
        id = 1;
    }
    protected void doSecurityCheck() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new SomePermission("SomeAction"));
        }
    }
}

In this example, if the SecurityManager permission is not allowed, a SecurityException exception will be thrown, which is a runtime exception and will stop the program from executing any further. Since BadSecurityCheck is not final, and the method doSecurityCheck() is protected and not final, it means that this class can be subclassed to override this function.

Example 2: In the following code, doSecurityCheck() is overridden by a subclass:


public class EvilSubclass extends BadSecurityCheck {
    private int id;

    public EvilSubclass() {
        super();
    }
    protected void doSecurityCheck() {
        //do nothing
    }
}

When EvilSubclass is instantiated, the constructor first calls super(), to invoke the constructor of the superclass. This in turn calls the function doSecurityCheck(), but Java will first look for the function within the subclass prior to looking in the superclass, thus invoking the attacker controlled method that bypasses the security check, so id will still be set to 1.

References

[1] M. S. Ware, "Writing secure Java code: taxonomy of heuristics and an evaluation of static analysis tools," M.S. Thesis, James Madison University, 2008.

[2] MET03-J. Methods that perform a security check must be declared private or final CERT

[3] EXTEND-5: Limit the extensibility of classes and methods Oracle

[4] Standards Mapping - Common Weakness Enumeration CWE ID 358

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001764, CCI-001774, CCI-002165

[6] Standards Mapping - FIPS200 MP

[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CM-7 Least Functionality (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CM-7 Least Functionality

[10] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1

[12] Standards Mapping - OWASP Top 10 2013 A7 Missing Function Level Access Control

[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[14] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

desc.structural.java.weak_securitymanager_check_overridable_method