Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not.
...
CALL FUNCTION 'FTP_VERSION'
...
IMPORTING
EXEPATH = p
VERSION = v
WORKING_DIR = dir
RFCPATH = rfcp
RFCVERSION = rfcv
TABLES
FTP_TRACE = FTP_TRACE.
WRITE: 'exepath: ', p, 'version: ', v, 'working_dir: ', dir, 'rfcpath: ', rfcp, 'rfcversion: ', rfcv.
...
try {
...
}
catch(e:Error) {
trace(e.getStackTrace());
}
Example 1, the search path could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
try {
...
} catch (Exception e) {
System.Debug(LoggingLevel.ERROR, e.getMessage());
}
string cs="database=northwind;server=mySQLServer...";
SqlConnection conn=new SqlConnection(cs);
...
Console.Writeline(cs);
Example 1, the leaked information could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
char* path = getenv("PATH");
...
fprintf(stderr, "cannot find exe on path %s\n", path);
Example 1, the search path could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
...
EXEC CICS DUMP TRANSACTION
DUMPCODE('name')
FROM (data-area)
LENGTH (data-value)
END-EXEC.
...
<cfscript>
try {
obj = CreateObject("person");
}
catch(any excpt) {
f = FileOpen("c:\log.txt", "write");
FileWriteLine(f, "#excpt.Message#");
FileClose(f);
}
</cfscript>
final file = await File('example.txt').create();
final raf = await file.open(mode: FileMode.write);
final data = String.fromEnvironment("PASSWORD");
raf.writeString(data);
Example 1, the leaked information could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
path := os.Getenv("PATH")
...
log.Printf("Cannot find exe on path %s\n", path)
Example 1, the search path could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {
...
PrintWriter out = res.getWriter();
try {
...
} catch (Exception e) {
out.println(e.getMessage());
}
}
Example 1, the leaked information could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
...
try {
...
} catch (Exception e) {
String exception = Log.getStackTraceString(e);
Intent i = new Intent();
i.setAction("SEND_EXCEPTION");
i.putExtra("exception", exception);
view.getContext().sendBroadcast(i);
}
...
...
public static final String TAG = "NfcActivity";
private static final String DATA_SPLITTER = "__:DATA:__";
private static final String MIME_TYPE = "application/my.applications.mimetype";
...
TelephonyManager tm = (TelephonyManager)Context.getSystemService(Context.TELEPHONY_SERVICE);
String VERSION = tm.getDeviceSoftwareVersion();
...
NfcAdapter nfcAdapter = NfcAdapter.getDefaultAdapter(this);
if (nfcAdapter == null)
return;
String text = TAG + DATA_SPLITTER + VERSION;
NdefRecord record = new NdefRecord(NdefRecord.TNF_MIME_MEDIA,
MIME_TYPE.getBytes(), new byte[0], text.getBytes());
NdefRecord[] records = { record };
NdefMessage msg = new NdefMessage(records);
nfcAdapter.setNdefPushMessage(msg, this);
...
var http = require('http');
...
http.request(options, function(res){
...
}).on('error', function(e){
console.log('There was a problem with the request: ' + e);
});
...
Example 1, the leaked information could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
try {
...
} catch (e: Exception) {
e.printStackTrace()
}
Example 1, the leaked information could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
...
try {
...
} catch (e: Exception) {
Log.e(TAG, Log.getStackTraceString(e))
}
...
...
NSString* deviceID = [[UIDevice currentDevice] name];
NSLog(@"DeviceID: %@", deviceID);
...
deviceID entry to the list of user defaults, and stores them immediately to a plist file.
...
NSString* deviceID = [[UIDevice currentDevice] name];
[defaults setObject:deviceID forKey:@"deviceID"];
[defaults synchronize];
...
Example 2 stores system information from the mobile device in an unprotected plist file stored on the device. Although many developers trust plist files as a safe storage location for any and all data, it should not be trusted implicitly particularly when system information and privacy are a concern, since plist files could be read by anyone in possession of the device.
<?php
...
echo "Server error! Printing the backtrace";
debug_print_backtrace();
...
?>
Example 1, the leaked information could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
try:
...
except:
print(sys.exc_info()[2])
Example 1, the leaked information could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
...
begin
log = Logger.new(STDERR)
...
rescue Exception
log.info("Exception: " + $!)
...
end
Example 1, the leaked information could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program. Of course, another problem with Example 1 is rescuing the root Exception instead of a specific type or error/exception, meaning it will catch all exceptions, potentially causing other unconsidered side effects.
...
println(Properties.osName)
...
Example 1, the leaked information could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
let deviceName = UIDevice.currentDevice().name
...
NSLog("Device Identifier: %@", deviceName)
ASPError object to a script debugger, such as the Microsoft Script Debugger:
...
Debug.Write Server.GetLastError()
...
UDID key stores a Unique Device Identifier.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>systemName</key>
<string>John's iPhone</string>
<key>systemInfo</key>
<dict>
<key>UDID</key>
<string>2b6f0cc904d137be2e1730235f5664094b831186</string>
<key>systemVersion</key>
<string>4.2</string>
<key>model</key>
<string>iPhone</string>
<key>localizedModel</key>
<string>iPhone</string>
</dict>
</dict>
</plist>
Example 1 stores private user information from the mobile device in an unprotected plist file stored on the device. Although many developers trust plist files as a safe storage location for any and all data, it should not be trusted implicitly particularly when system information and privacy are a concern, since plist files could be read by anyone in possession of the device.EnableSensitiveDataLogging option to true which allows application data used in database commands to be included in logging and exception messages.
...
services.AddDbContext<ApplicationDbContext>(options => {
options.UseSqlServer(_configuration.GetConnectionString("ApplicationDbConnection"));
options.EnableSensitiveDataLogging(true);
});
...
log4j.properties file causes all queries to be logged at the info level.
...
log4j.logger.net.sf.hibernate.type=info
log4j.logger.net.sf.hibernate.tool.hbm2ddl=info
...
usrname parameter in the HTTP session object before checking to ensure that the user has been authenticated.
usrname = request.Item("usrname");
if (session.Item(ATTR_USR) == null) {
session.Add(ATTR_USR, usrname);
}
usrname parameter in the HTTP session object before checking to ensure that the user has been authenticated.
usrname = request.getParameter("usrname");
if (session.getAttribute(ATTR_USR) != null) {
session.setAttribute(ATTR_USR, usrname);
}
var GetURL = function() {};
GetURL.prototype = {
run: function(arguments) {
...
arguments.completionFunction({ "URL": document.location.href });
}
...
};
var ExtensionPreprocessingJS = new GetURL;
usrname parameter in the HTTP session object before checking to ensure that the user has been authenticated.
val usrname: String = request.getParameter("usrname")
if (session.getAttribute(ATTR_USR) != null) {
session.setAttribute(ATTR_USR, usrname)
}
webview.
#import <MobileCoreServices/MobileCoreServices.h>
- (IBAction)done {
...
[self.extensionContext completeRequestReturningItems:@[untrustedItem] completionHandler:nil];
}
usrname cookie and stores its value in the HTTP DB session before it verifies that the user has been authenticated.
...
IF (OWA_COOKIE.get('usrname').num_vals != 0) THEN
usrname := OWA_COOKIE.get('usrname').vals(1);
END IF;
IF (v('ATTR_USR') IS null) THEN
HTMLDB_UTIL.set_session_state('ATTR_USR', usrname);
END IF;
...
username parameter in the HTTP session object before checking to ensure that the user has been authenticated.
uname = request.GET['username']
request.session['username'] = uname
webview.
import MobileCoreServices
@IBAction func done() {
...
self.extensionContext!.completeRequestReturningItems([unstrustedItem], completionHandler: nil)
}
usrname parameter in the HTTP session object before checking to ensure that the user has been authenticated.
...
Dim Response As Response
Dim Request As Request
Dim Session As Session
Dim Application As Application
Dim Server As Server
Dim usrname as Variant
Set Response = objContext("Response")
Set Request = objContext("Request")
Set Session = objContext("Session")
Set Application = objContext("Application")
usrname = Request.Form("usrname")
If IsNull(Session("ATTR_USR")) Then
Session("ATTR_USR") = usrname
End If
...
private array variable from a public access method. private array variable from a public access method allows the calling code to modify the contents of the array, effectively giving the array public access and contradicting the intentions of the programmer who made it private.private array variable from a public access method.
public final class urlTool extends Applet {
private URL[] urls;
public URL[] getURLs() {
return urls;
}
...
}
public class CustomerServiceApplet extends JApplet
{
public void paint(Graphics g)
{
...
conn = DriverManager.getConnection ("jdbc:mysql://db.example.com/customerDB", "csr", "p4ssw0rd");
...
package level access to the original outer class. More insidiously, since an inner class can access private fields in their enclosing class, once an inner class becomes a peer class in bytecode, the compiler converts private fields accessed by the inner class into protected fields.
public final class urlTool extends Applet {
private final class urlHelper {
...
}
...
}
finalize()method public.super.finalize() inside an implementation of finalize(). In mobile code situations, the otherwise error prone practice of manual garbage collection can become a security threat if an attacker can maliciously invoke one of your finalize() methods because it is declared with public access. If you are using finalize() as it was designed, there is no reason to declare finalize() with anything other than protected access.public finalize() method.
public final class urlTool extends Applet {
public void finalize() {
...
}
...
}
public, final and static.public, final and static is a bug. Because arrays are mutable objects, the final constraint requires that the array object itself be assigned only once, but makes no guarantees about the values of the array elements. Since the array is public, a malicious program can change the values stored in the array. In most situations the array should be made private.public, final and static.
public final class urlTool extends Applet {
public final static URL[] urls;
...
}
public but not final. public member variables in an Applet and in classes used by an Applet should be declared final to prevent an attacker from manipulating or gaining unauthorized access to the internal state of the Applet.public but not final.
public final class urlTool extends Applet {
public URL url;
...
}