7

When I scan using Fortify I have vulnerabilities like "Often Misused: Authentication" in the code below. Is there any fix for this issue? I have seen related posts but I was not able to get a solution. Using ESAPI, I have provided a regex for hostname and IP address but it does not work.

    addr.getHostAddress()
    java.net.InetAddress.getByName(nameServiceHost);
    java.net.InetAddress.getLocalHost().getCanonicalHostName()
    localhost.getHostName()
Laurel
veera
    Do you rely on DNS names for security with this code? If yes, don't. If not, ignore the warning. It's not detecting a vulnerability, it detects that your code can have this vulnerability. https://www.owasp.org/index.php/Often_Misused:_Authentication has an example of what not to do with those methods. – zapl May 26 '16 at 11:51
  • @veera In my case it is also the same issue; if you have a solution, can you share it? – Laxminarayana Challagonda Feb 09 '17 at 14:56
  • @LaxminarayanaChallagonda For my case I have written separate code for getting the host name from the command prompt. – veera Feb 14 '17 at 06:43
  • @veera Can you share the solution if you have it? Are you using the Runtime class and passing the cmd? If this is the case, will we get the Command Injection Fortify issue? – Laxminarayana Challagonda Feb 14 '17 at 13:57

4 Answers

2

All other answers try to provide workarounds by not using the inbuilt API, but using the command line or something else. However, they miss the actual problem: it is not the API that is problematic here, it is the assumption that DNS can be used for authentication.

Attackers can spoof, that is falsify, DNS responses pretending to be a valid caller. They can also use IP address spoofing to appear to be a valid caller without attacking DNS.

TL;DR: don't use DNS or the caller IP as an authentication source. Instead use SSL/TLS for an encrypted connection; then you can use Basic Authentication, OAuth2 or, even better, client certificates (aka mTLS) instead.

Leonard Brünings
0

Try the InetSocketAddress wrapper, esp., for Elasticsearch Transport Client:

    new InetSocketAddress(hostname, port)
gansvv
-1

You can verify whether the request is from a trusted host:

    // Reverse-resolves the caller's address and trusts it by host-name suffix.
    boolean trusted = false;
    String ip = request.getRemoteAddr();
    InetAddress addr = InetAddress.getByName(ip); // may throw UnknownHostException
    if (addr.getCanonicalHostName().endsWith("trustme.com")) {
        trusted = true;
    }
Bhavisankar
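The check in the answer above trusts a PTR record that the remote party's own DNS operator controls, and `endsWith("trustme.com")` also accepts `evil-trustme.com`. As an added example (not code from any answer here), the following Java class shows the same idea done properly: a label-bounded domain match plus forward-confirmed reverse DNS, where the PTR name must resolve back to the same address. The `Resolver` interface and the addresses in `main` are stand-ins so it runs offline; a real implementation would back them with `InetAddress`. Even forward-confirmed, this is an allow-list hint for logging or defence in depth, not authentication, which is the point of the top answer.

```java
import java.util.*;

/** Added example: forward-confirmed reverse DNS with a proper domain-suffix check. */
public final class HostAllowList {
    /** Minimal DNS abstraction (assumed) so the demo runs without network access. */
    public interface Resolver {
        Optional<String> reverse(String ip);      // PTR: ip -> host name, if any
        List<String> forward(String hostname);    // A/AAAA: host name -> addresses
    }

    /** True only if host is exactly the domain or a subdomain of it (label boundary). */
    static boolean inDomain(String host, String domain) {
        String h = host.toLowerCase(Locale.ROOT).replaceAll("\\.$", "");
        String d = domain.toLowerCase(Locale.ROOT);
        return h.equals(d) || h.endsWith("." + d);
    }

    /** PTR name must be in the domain AND resolve forward to the same IP (FCrDNS). */
    static boolean isInTrustedDomain(Resolver dns, String ip, String domain) {
        Optional<String> ptr = dns.reverse(ip);
        if (!ptr.isPresent() || !inDomain(ptr.get(), domain)) return false;
        return dns.forward(ptr.get()).contains(ip);
    }

    public static void main(String[] args) {
        // Constructed data: one legitimate host, one spoofed PTR, one look-alike domain.
        Map<String, String> ptr = new HashMap<>();
        ptr.put("192.0.2.10", "app1.trustme.com");    // legitimate, forward-confirmed
        ptr.put("198.51.100.7", "app1.trustme.com");  // attacker-set PTR, no forward match
        ptr.put("203.0.113.9", "evil-trustme.com");   // passes a naive endsWith check
        Map<String, List<String>> a = new HashMap<>();
        a.put("app1.trustme.com", Arrays.asList("192.0.2.10"));
        a.put("evil-trustme.com", Arrays.asList("203.0.113.9"));
        Resolver dns = new Resolver() {
            public Optional<String> reverse(String ip) { return Optional.ofNullable(ptr.get(ip)); }
            public List<String> forward(String h) { return a.getOrDefault(h, Collections.emptyList()); }
        };
        for (String ip : ptr.keySet()) {
            System.out.println(ip + " naive=" + ptr.get(ip).endsWith("trustme.com")
                + " fcrdns=" + isInTrustedDomain(dns, ip, "trustme.com"));
        }
    }
}
```

Only 192.0.2.10 passes the forward-confirmed check; the naive suffix test accepts all three.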
-2

For my case I have rewritten the code like this:

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import org.owasp.esapi.Logger;
    import org.owasp.esapi.reference.Log4JLogFactory;

    // Resolves a host name by running the platform's ping/host command and parsing its output.
    // hostname is concatenated into a shell command line, so validate it against a strict
    // host-name pattern before calling this method.
    public static String getIPAddress(String hostname) {
        Process process;
        String ipAddress = null;
        String line;
        String[] commandArray;
        boolean isWindows = System.getProperty("os.name").startsWith("Windows");

        if (isWindows) {
            commandArray = new String[] {"cmd", "/c", "ping " + hostname + " -4 | findstr Pinging"}; // For Windows
        } else {
            commandArray = new String[] {"bash", "-c", "host " + hostname}; // For Linux and OSX
        }

        try {
            process = Runtime.getRuntime().exec(commandArray);
            BufferedReader stdInput = new BufferedReader(new InputStreamReader(process.getInputStream()));
            String[] output;
            // Read the command output line by line; the last matching line wins.
            while ((line = stdInput.readLine()) != null) {
                if (isWindows) {
                    // "Pinging host [1.2.3.4] with 32 bytes of data:" -> token 2 is "[1.2.3.4]"
                    output = line.split(" ");
                    if (output.length > 2) {
                        ipAddress = output[2].replace("[", "").replace("]", "").trim();
                    }
                } else {
                    // "host.example has address 1.2.3.4" -> text after "has address"
                    output = line.split("has address");
                    if (output.length > 1) {
                        ipAddress = output[1].trim();
                    }
                }
            }
        } catch (IOException e) {
            // getLogger() only returns a logger; the failure has to be logged explicitly.
            Log4JLogFactory.getInstance().getLogger("com.util.esapi.InetAddressWrapper")
                .error(Logger.EVENT_FAILURE, "getIPAddress() failed", e);
        }
        return ipAddress;
    }
veera