...
var fs:FileStream = new FileStream();
fs.open(new File("config.properties"), FileMode.READ);
var decoder:Base64Decoder = new Base64Decoder();
decoder.decode(fs.readMultiByte(fs.bytesAvailable, File.systemCharset));
var password:String = decoder.toByteArray().toString();
URLRequestDefaults.setLoginCredentialsForHost(hostname, usr, password);
...
config.properties
can read the value of password
and easily determine that the value has been base64 encoded. Any devious employee with access to this information can use it to break into the system.
...
string value = regKey.GetValue(passKey).ToString());
byte[] decVal = Convert.FromBase64String(value);
NetworkCredential netCred =
new NetworkCredential(username,decVal.toString(),domain);
...
password
. Any devious employee with access to this information can use it to break into the system.
...
RegQueryValueEx(hkey, TEXT(.SQLPWD.), NULL,
NULL, (LPBYTE)password64, &size64);
Base64Decode(password64, size64, (BYTE*)password, &size);
rc = SQLConnect(*hdbc, server, SQL_NTS, uid,
SQL_NTS, password, SQL_NTS);
...
password64
and easily determine that the value has been base64 encoded. Any devious employee with access to this information can use it to break into the system.
...
01 RECORDX.
05 UID PIC X(10).
05 PASSWORD PIC X(10).
05 LEN PIC S9(4) COMP.
...
EXEC CICS
READ
FILE('CFG')
INTO(RECORDX)
RIDFLD(ACCTNO)
...
END-EXEC.
CALL "g_base64_decode_inplace" using
BY REFERENCE PASSWORD
BY REFERENCE LEN
ON EXCEPTION
DISPLAY "Requires GLib library" END-DISPLAY
END-CALL.
EXEC SQL
CONNECT :UID
IDENTIFIED BY :PASSWORD
END-EXEC.
...
CFG
can read the value of password and easily determine that the value has been base64 encoded. Any devious employee with access to this information can use it to break into the system.
...
file, _ := os.Open("config.json")
decoder := json.NewDecoder(file)
decoder.Decode(&values)
password := base64.StdEncoding.DecodeString(values.Password)
request.SetBasicAuth(values.Username, password)
...
config.json
can read the value of password
and easily determine that the value has been base64 encoded. Any devious employee with access to this information can use it to break into the system.
...
<beans:bean id="encoder" class="org.springframework.security.crypto.password.Md4PasswordEncoder"/>
...
config.properties
can read the value of password
and easily determine that the value has been base64 encoded. Any devious employee with access to this information can use it to break into the system.
...
obj = new XMLHttpRequest();
obj.open('GET','/fetchusers.jsp?id='+form.id.value,'true','scott','tiger');
...
plist
file and uses it to unzip a password-protected file.
...
NSDictionary *dict= [NSDictionary dictionaryWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"Config" ofType:@"plist"]];
NSString *encoded_password = [dict valueForKey:@"encoded_password"];
NSData *decodedData = [[NSData alloc] initWithBase64EncodedString:encoded_password options:0];
NSString *decodedString = [[NSString alloc] initWithData:decodedData encoding:NSUTF8StringEncoding];
[SSZipArchive unzipFileAtPath:zipPath toDestination:destPath overwrite:TRUE password:decodedString error:&error];
...
Config.plist
file can read the value of encoded_password
and easily determine that the value has been base64 encoded.
...
$props = file('config.properties', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
$password = base64_decode($props[0]);
$link = mysql_connect($url, $usr, $password);
if (!$link) {
die('Could not connect: ' . mysql_error());
}
...
config.properties
can read the value of password
and easily determine that the value has been base64 encoded. Any devious employee with access to this information can use it to break into the system.
...
props = os.open('config.properties')
password = base64.b64decode(props[0])
link = MySQLdb.connect (host = "localhost",
user = "testuser",
passwd = password,
db = "test")
...
config.properties
can read the value of password
and easily determine that the value has been base64 encoded. Any devious employee with access to this information can use it to break into the system.
require 'pg'
require 'base64'
...
passwd = Base64.decode64(ENV['PASSWD64'])
...
conn = PG::Connection.new(:dbname => "myApp_production", :user => username, :password => passwd, :sslmode => 'require')
PASSWD64
and easily determine that the value has been base64 encoded. Any devious employee with access to this information can use it to break into the system.
...
val prop = new Properties();
prop.load(new FileInputStream("config.properties"));
val password = Base64.decode(prop.getProperty("password"));
DriverManager.getConnection(url, usr, password);
...
config.properties
can read the value of password
and easily determine that the value has been base64 encoded. Any devious employee with access to this information can use it to break into the system.plist
file and uses it to unzip a password-protected file.
...
var myDict: NSDictionary?
if let path = NSBundle.mainBundle().pathForResource("Config", ofType: "plist") {
myDict = NSDictionary(contentsOfFile: path)
}
if let dict = myDict {
let password = base64decode(dict["encoded_password"])
zipArchive.unzipOpenFile(zipPath, password:password])
}
...
Config.plist
file can read the value of encoded_password
and easily determine that the value has been base64 encoded.
...
root:qFio7llfVKk.s:19033:0:99999:7:::
...
...
...
Private Declare Function GetPrivateProfileString _
Lib "kernel32" Alias "GetPrivateProfileStringA" _
(ByVal lpApplicationName As String, _
ByVal lpKeyName As Any, ByVal lpDefault As String, _
ByVal lpReturnedString As String, ByVal nSize As Long, _
ByVal lpFileName As String) As Long
...
Dim password As String
...
password = StrConv(DecodeBase64(GetPrivateProfileString("MyApp", "Password", _
"", value, Len(value), _
App.Path & "\" & "Config.ini")), vbUnicode)
...
con.ConnectionString = "Driver={Microsoft ODBC for Oracle};Server=OracleServer.world;Uid=scott;Passwd=" & password &";"
...
Config.ini
can read the value of Password
and easily determine that the value has been base64 encoded. Any devious employee with access to this information can use it to break into the system.shoes
in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes
in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes
in following XML:
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes
in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes
in the following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
shoes
in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes
in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.
...
<?php
$goodXML = $_GET["key"];
$doc = simplexml_load_string($goodXml);
echo $doc->testing;
?>
...
Example 2
:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
boot.ini
file. The attacker may utilize XML elements which are returned to the client to exfiltrate data or obtain information as to the existence of network resources.shoes
in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes
in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes
in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes
in the following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.
...
Blob iv = Blob.valueOf('1234567890123456');
Blob encrypted = Crypto.encrypt('AES128', encKey, iv, input);
...
byte[] iv = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
using (SymmetricAlgorithm aesAlgo = SymmetricAlgorithm.Create("AES"))
{
...
aesAlgo.IV = iv;
...
}
unsigned char * iv = "12345678";
EVP_EncryptInit_ex(&ctx, EVP_idea_gcm(), NULL, key, iv);
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
)
...
block, err := aes.NewCipher(key)
...
mode := cipher.NewCBCEncrypter(block, key)
mode.CryptBlocks(ciphertext[aes.BlockSize:], plaintext)
byte[] iv = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
IvParameterSpec ips = new IvParameterSpec(iv);
...
NSString *iv = @"1234567812345678"; //Bad idea to hard code IV
char ivPtr[kCCBlockSizeAES128];
[iv getCString:ivPtr maxLength:sizeof(ivPtr) encoding:NSASCIIStringEncoding];
...
ccStatus = CCCrypt( kCCEncrypt,
kCCAlgorithmAES128,
kCCOptionPKCS7Padding,
[key cStringUsingEncoding:NSASCIIStringEncoding],
kCCKeySizeAES128,
[ivPtr], /*IV should be something random (not null and not constant)*/
[self bytes], dataLength, /* input */
buffer, bufferSize, /* output */
&numBytesEncrypted
);
nil
) then an IV of all zeros will be used.
from Crypto.Cipher import AES
from Crypto import Random
...
key = Random.new().read(AES.block_size)
cipher = AES.new(key, AES.MODE_CTR, IV=key)
require 'openssl'
...
cipher = OpenSSL::Cipher::AES.new('256-GCM')
cipher.encrypt
@key = cipher.random_key
cipher.iv=@key
encrypted = cipher.update(data) + cipher.final # encrypts data without hardcoded IV
...
...
let cStatus = CCCrypt(UInt32(kCCEncrypt),
UInt32(kCCAlgorithmAES128),
UInt32(kCCOptionPKCS7Padding),
key,
keyLength,
"0123456789012345",
plaintext,
plaintextLength,
ciphertext,
ciphertextLength,
&numBytesEncrypted)
nil
) then an IV of all zeros will be used.Null
passwords can compromise security.null
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
var storedPassword:String = null;
var temp:String;
if ((temp = readPassword()) != null) {
storedPassword = temp;
}
if(Utils.verifyPassword(userPassword, storedPassword))
// Access protected resources
...
}
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for userPassword
.null
to password variables is never a good idea as it might enable attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
string storedPassword = null;
string temp;
if ((temp = ReadPassword(storedPassword)) != null) {
storedPassword = temp;
}
if (Utils.VerifyPassword(storedPassword, userPassword)) {
// Access protected resources
...
}
...
ReadPassword()
fails to retrieve the stored password due to a database error or other problem, then an attacker can easily bypass the password check by providing a null
value for userPassword
.null
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
string storedPassword = null;
string temp;
if ((temp = ReadPassword(storedPassword)) != null) {
storedPassword = temp;
}
if(Utils.VerifyPassword(storedPassword, userPassword))
// Access protected resources
...
}
...
ReadPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for userPassword
.null
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
char *stored_password = NULL;
readPassword(stored_password);
if(safe_strcmp(stored_password, user_password))
// Access protected resources
...
}
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for user_password
.null
to password variables is never a good idea as it might enable attackers to bypass password verification or it might indicate that resources are protected by an empty password.null
to password variables is a bad idea because it can allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
String storedPassword = null;
String temp;
if ((temp = readPassword()) != null) {
storedPassword = temp;
}
if(Utils.verifyPassword(userPassword, storedPassword))
// Access protected resources
...
}
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for userPassword
.null
, reads credentials from an Android WebView store if they have not been previously rejected by the server for the current request, and uses them to setup authentication for viewing protected pages.
...
webview.setWebViewClient(new WebViewClient() {
public void onReceivedHttpAuthRequest(WebView view,
HttpAuthHandler handler, String host, String realm) {
String username = null;
String password = null;
if (handler.useHttpAuthUsernamePassword()) {
String[] credentials = view.getHttpAuthUsernamePassword(host, realm);
username = credentials[0];
password = credentials[1];
}
handler.proceed(username, password);
}
});
...
Example 1
, if useHttpAuthUsernamePassword()
returns false
, an attacker will be able to view protected pages by supplying a null
password.null
password.null
:
...
var password=null;
...
{
password=getPassword(user_data);
...
}
...
if(password==null){
// Assumption that the get didn't work
...
}
...
null
to password variables because it might enable attackers to bypass password verification or indicate that resources are not protected by a password.null
password.
{
...
"password" : null
...
}
null
password. Null
passwords can compromise security.null
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
NSString *stored_password = NULL;
readPassword(stored_password);
if(safe_strcmp(stored_password, user_password)) {
// Access protected resources
...
}
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for user_password
.null
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
<?php
...
$storedPassword = NULL;
if (($temp = getPassword()) != NULL) {
$storedPassword = $temp;
}
if(strcmp($storedPassword,$userPassword) == 0) {
// Access protected resources
...
}
...
?>
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for userPassword
.null
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
.
DECLARE
password VARCHAR(20);
BEGIN
password := null;
END;
null
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
storedPassword = NULL;
temp = getPassword()
if (temp is not None) {
storedPassword = temp;
}
if(storedPassword == userPassword) {
// Access protected resources
...
}
...
getPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for userPassword
.nil
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.nil
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
@storedPassword = nil
temp = readPassword()
storedPassword = temp unless temp.nil?
unless Utils.passwordVerified?(@userPassword, @storedPassword)
...
end
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for @userPassword
.nil
as a default value when none is specified. In this case you also need to make sure that the correct number of arguments are specified in order to make sure a password is passed to the function.null
to password variables is a bad idea because it can allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
ws.url(url).withAuth("john", null, WSAuthScheme.BASIC)
...
null
password. Null
passwords can compromise security.nil
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
, attempts to read a stored value for the password, and compares it against a user-supplied value.
...
var stored_password = nil
readPassword(stored_password)
if(stored_password == user_password) {
// Access protected resources
...
}
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing a null
value for user_password
.null
to password variables is never a good idea as it may allow attackers to bypass password verification or might indicate that resources are protected by an empty password.null
and uses it to connect to a database.
...
Dim storedPassword As String
Set storedPassword = vbNullString
Dim con As New ADODB.Connection
Dim cmd As New ADODB.Command
Dim rst As New ADODB.Recordset
con.ConnectionString = "Driver={Microsoft ODBC for Oracle};Server=OracleServer.world;Uid=scott;Passwd=" & storedPassword &";"
...
Example 1
succeeds, it indicates that the database user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
...
Rfc2898DeriveBytes rdb = new Rfc2898DeriveBytes("", salt,100000);
...
...
var encryptor = new StrongPasswordEncryptor();
var encryptedPassword = encryptor.encryptPassword("");
...
...
CCKeyDerivationPBKDF(kCCPBKDF2,
"",
0,
salt,
saltLen
kCCPRFHmacAlgSHA256,
100000,
derivedKey,
derivedKeyLen);
...
...
CCKeyDerivationPBKDF(kCCPBKDF2,
password,
0,
salt,
saltLen
kCCPRFHmacAlgSHA256,
100000,
derivedKey,
derivedKeyLen);
...
password
contains a strong, appropriately managed password value, passing its length as zero will result in an empty, null
, or otherwise unexpected weak password value.
...
$zip = new ZipArchive();
$zip->open("test.zip", ZipArchive::CREATE);
$zip->setEncryptionIndex(0, ZipArchive::EM_AES_256, "");
...
from hashlib import pbkdf2_hmac
...
dk = pbkdf2_hmac('sha256', '', salt, 100000)
...
...
key = OpenSSL::PKCS5::pbkdf2_hmac('', salt, 100000, 256, 'SHA256')
...
...
CCKeyDerivationPBKDF(CCPBKDFAlgorithm(kCCPBKDF2),
"",
0,
salt,
saltLen,
CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
100000,
derivedKey,
derivedKeyLen)
...
...
CCKeyDerivationPBKDF(CCPBKDFAlgorithm(kCCPBKDF2),
password,
0,
salt,
saltLen,
CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
100000,
derivedKey,
derivedKeyLen)
...
password
contains a strong, appropriately managed password value, passing its length as zero will result in an empty, null
, or otherwise unexpected weak password value.null
password may compromise system security in a way that cannot be easily remedied.null
value as the password argument to a cryptographic password-based key derivation function. In this scenario, the resulting derived key will be based solely on the provided salt (rendering it significantly weaker), and fixing the problem is extremely difficult. After the offending code is in production, the null
password often cannot be changed without patching the software. If an account protected by a derived key based on a null
password is compromised, the owners of the system might be forced to choose between security and availability.null
value as the password argument to a cryptographic password-based key derivation function:
...
var encryptor = new StrongPasswordEncryptor();
var encryptedPassword = encryptor.encryptPassword(null);
...
null
password argument, but anyone with even basic cracking techniques is much more likely to successfully gain access to any resources protected by the offending keys. If an attacker also has access to the salt value used to generate any of the keys based on a null
password, cracking those keys becomes trivial. After the program ships, there is likely no way to change the null
password unless the program is patched. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null
password.null
password may compromise system security in a way that cannot be easily remedied.null
value as the password argument to a cryptographic password-based key derivation function. In this scenario, the resulting derived key will be based solely on the provided salt (rendering it significantly weaker), and fixing the problem is extremely difficult. After the offending code is in production, the null
password often cannot be changed without patching the software. If an account protected by a derived key based on a null
password is compromised, the owners of the system might be forced to choose between security and availability.null
value as the password argument to a cryptographic password-based key derivation function:
...
CCKeyDerivationPBKDF(kCCPBKDF2,
nil,
0,
salt,
saltLen
kCCPRFHmacAlgSHA256,
100000,
derivedKey,
derivedKeyLen);
...
null
password argument, but anyone with even basic cracking techniques is much more likely to successfully gain access to any resources protected by the offending keys. If an attacker also has access to the salt value used to generate any of the keys based on a null
password, cracking those keys becomes trivial. After the program ships, there is likely no way to change the null
password unless the program is patched. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null
password.null
password may compromise system security in a way that cannot be easily remedied.null
value as the password argument to a cryptographic password-based key derivation function. In this scenario, the resulting derived key will be based solely on the provided salt (rendering it significantly weaker), and fixing the problem is extremely difficult. After the offending code is in production, the null
password often cannot be changed without patching the software. If an account protected by a derived key based on a null
password is compromised, the owners of the system might be forced to choose between security and availability.null
value as the password argument to a cryptographic password-based key derivation function:
...
CCKeyDerivationPBKDF(CCPBKDFAlgorithm(kCCPBKDF2),
nil,
0,
salt,
saltLen,
CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
100000,
derivedKey,
derivedKeyLen)
...
null
password argument, but anyone with even basic cracking techniques is much more likely to successfully gain access to any resources protected by the offending keys. If an attacker also has access to the salt value used to generate any of the keys based on a null
password, cracking those keys becomes trivial. After the program ships, there is likely no way to change the null
password unless the program is patched. An employee with access to this information can use it to break into the system. Even if attackers only had access to the application's executable, they could extract evidence of the use of a null
password.spring.application.admin.enabled
property. This exposes the SpringApplicationAdminMXBean
on the platform MBeanServer
. Developers could use this feature to administer the Spring Boot application remotely, however this feature exposes an additional attack surface in the form of a remote JMX endpoint. Depending on the configuration of the MBeanServer
the MBean
can be exposed locally or remotely, and may or may not require authentication. In the worst case, attackers will be able to manage the application remotely, including shutting it down without any authentication. In the best case, the service will be as strong as the credentials used to protect the server.