
Fortify fix for Often Misused Authentication

When I do a scan using Fortify I get vulnerabilities like "Often Misused: Authentication" at the code below. Do we have any fix to avoid this issue? I have seen related posts but was not able to get a solution. Using ESAPI I have provided a regex for hostname and IP address, but it does not work.

    addr.getHostAddress()
    java.net.InetAddress.getByName(nameServiceHost);
    java.net.InetAddress.getLocalHost().getCanonicalHostName()
    localhost.getHostName()

Please suggest how to solve this issue.

veera asked May 26 '16 11:05


1 Answer

All other answers try to provide workarounds by not using the inbuilt API, but using the command line or something else. However, they miss the actual problem: it is not the API that is problematic here, it is the assumption that DNS can be used for authentication.

Attackers can spoof, that is falsify, DNS responses pretending to be a valid caller. They can also use IP address spoofing to appear to be a valid caller without attacking DNS.

TL;DR: don't use DNS or the caller IP as an authentication source. Instead use SSL/TLS for an encrypted connection; then you can use Basic Authentication, OAuth2, or even better client certificates, aka mTLS.

Leonard Brünings answered Oct 20 '22 02:10
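As an added Java example (not code from the question or the answer above), here is the contrast the answer draws: the reverse-DNS check that produces the "Often Misused: Authentication" finding, next to a server that takes the caller's identity from the client certificate validated during the TLS handshake (mTLS). The class name, the `.internal.example` suffix, port 8443 and the `javax.net.ssl.keyStore` / `javax.net.ssl.trustStore` system properties are assumptions; the JDK APIs used are standard.

```java
import java.io.OutputStream;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.security.auth.x500.X500Principal;

/** Hypothetical class: the flagged DNS pattern beside a TLS-based replacement. */
public final class CallerIdentity {

    /**
     * The pattern Fortify reports as "Often Misused: Authentication".
     * getCanonicalHostName() performs a reverse (PTR) lookup that whoever
     * controls the peer's address space can answer as they like, and the
     * source address itself can be spoofed, so this check authenticates nothing.
     */
    static boolean isTrustedByDns(InetAddress peer) {
        String host = peer.getCanonicalHostName();
        return host.endsWith(".internal.example"); // assumed "trusted" suffix
    }

    /**
     * Hardened replacement: the caller's identity is the subject of the
     * client certificate that the TLS handshake already validated against
     * the configured trust store. Empty when no verified certificate exists
     * (for example if the socket was configured with setWantClientAuth only).
     */
    static Optional<X500Principal> authenticatedCaller(SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return Optional.empty();
            }
            return Optional.of(((X509Certificate) chain[0]).getSubjectX500Principal());
        } catch (SSLPeerUnverifiedException e) {
            return Optional.empty(); // peer presented no certificate or it failed validation
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumes -Djavax.net.ssl.keyStore=... (server key pair) and
        // -Djavax.net.ssl.trustStore=... (CA that issues the client certificates).
        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(8443)) {
            // The handshake fails unless the client presents a certificate that
            // chains to the trust store and proves possession of its private key.
            server.setNeedClientAuth(true);
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    client.startHandshake();
                    Optional<X500Principal> caller = authenticatedCaller(client.getSession());
                    String reply = caller.map(p -> "hello " + p.getName() + "\n")
                                         .orElse("unauthenticated\n");
                    OutputStream out = client.getOutputStream();
                    out.write(reply.getBytes(StandardCharsets.UTF_8));
                    out.flush();
                }
            }
        }
    }
}
```

The difference to notice is where the identity comes from: in `isTrustedByDns` it is a string the network can hand you, while in `authenticatedCaller` it is a principal the TLS layer has already bound to a private key. Authorization then compares that principal (or a SAN from the certificate) against an allow-list, and the reverse-DNS lookup disappears from the code path Fortify scans.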