Fortify fix for Often Misused Authentication
When I scan using Fortify I have vulnerabilities like "Often Misused: Authentication" in the code below. Is there any fix for this issue? I have seen related posts but I was not able to get a solution. Using ESAPI, I have provided a regex for hostname and IP address but it does not work.

addr.getHostAddress()
java.net.InetAddress.getByName(nameServiceHost);
java.net.InetAddress.getLocalHost().getCanonicalHostName()
localhost.getHostName()
Variable answered 26/5, 2016 at 11:44 Comment(4)
Do you rely on DNS names for security with this code? If yes, don't. If not, ignore the warning. It's not detecting a vulnerability, it detects that your code can have this vulnerability. owasp.org/index.php/Often_Misused:_Authentication has an example of what not to do with those methods. – Klimt
@Variable In my case it's also the same issue; if you have a solution, can you share it? – Harl
@LaxminarayanaChallagonda For my case I have written separate code for getting the host name from the command prompt. – Variable
@Variable Can you share the solution if you have it? Are you using the Runtime class and passing the cmd? If this is the case, we will get the Command Injection Fortify issue? – Harl
2

All other answers try to provide workarounds by not using the inbuilt API, but using the command line or something else. However, they miss the actual problem: it is not the API that is problematic here, it is the assumption that DNS can be used for authentication.

Attackers can spoof, that is falsify, DNS responses, pretending to be a valid caller. They can also use IP address spoofing to appear to be a valid caller without attacking DNS.

TL;DR don't use DNS or caller IP as an authentication source. Instead use SSL/TLS for an encrypted connection; then you can use Basic Authentication, OAuth2 or, even better, client certificates aka mTLS instead.

Maryannamaryanne answered 22/3, 2020 at 22:23 Comment(0)
0

Try the InetSocketAddress wrapper, especially for the Elasticsearch Transport Client:

new InetSocketAddress(hostname, port)
Frisket answered 18/5, 2018 at 21:56 Comment(0)
-1

You can verify whether the request is from a trusted host:

String ip = request.getRemoteAddr();
InetAddress addr = InetAddress.getByName(ip);
if (addr.getCanonicalHostName().endsWith("trustme.com")) {
    trusted = true;
}
Dentilabial answered 31/10, 2016 at 6:50 Comment(3)
Still, the issue exists. – Harl
The issue will "exist"; Fortify does not recognize the valid testing solution afterwards as valid - you need to mark the entry as a False Positive. – Tercentenary
This does not solve the issue: vulncat.fortify.com/en/… – Borgeson
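The reverse-DNS check from the answer above, placed next to the client-certificate (mTLS) check that Maryannamaryanne's answer recommends instead. This is an added example, not code from the thread or from Fortify/ESAPI; the class and method names are hypothetical, and it assumes the javax.servlet API is on the classpath and that the container's connector is configured to request or require client certificates.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;

/**
 * Added illustration (hypothetical names): the reverse-DNS check that Fortify
 * reports as "Often Misused: Authentication", beside an authentication
 * decision that reads the TLS client certificate the servlet container has
 * already validated during the handshake.
 */
public final class CallerAuthentication {

    /** Standard servlet attribute holding the verified client certificate chain. */
    private static final String CLIENT_CERT_ATTR = "javax.servlet.request.X509Certificate";

    private CallerAuthentication() {
    }

    /**
     * INSECURE, kept only to make the warning concrete. Both inputs come from
     * the network: the remote address from the IP layer and the name from a
     * DNS answer, which an attacker can spoof or, for address space they own,
     * control outright. The suffix test is loose as well: it also accepts a
     * name such as "evil-trustme.com".
     */
    public static boolean isTrustedByReverseDns(HttpServletRequest request) throws IOException {
        InetAddress addr = InetAddress.getByName(request.getRemoteAddr());
        String name = addr.getCanonicalHostName();
        return name.endsWith("trustme.com");
    }

    /**
     * mTLS: trust the caller only if it presented a client certificate that the
     * container validated against its trust store, that is currently valid, and
     * whose subject is exactly the expected principal.
     */
    public static boolean isTrustedByClientCertificate(HttpServletRequest request,
                                                       X500Principal expectedSubject) {
        Object attr = request.getAttribute(CLIENT_CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return false; // no client certificate negotiated, or the chain failed validation
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0) {
            return false;
        }
        X509Certificate leaf = chain[0]; // the end-entity certificate comes first
        try {
            leaf.checkValidity(); // rejects expired and not-yet-valid certificates
        } catch (CertificateException e) {
            return false;
        }
        // X500Principal.equals compares canonical distinguished names, so this is
        // an exact identity match rather than a substring test on a host name.
        return leaf.getSubjectX500Principal().equals(expectedSubject);
    }
}
```

Typical use is `isTrustedByClientCertificate(request, new X500Principal("CN=batch-client,O=Example Corp"))` from a filter or servlet. The container only populates the attribute after the chain has validated against the configured trust store, so the identity being compared was proven by a private key rather than by a name that DNS happened to return.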
-2

For my case I have rewritten the code like this:

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;

    public static String getIPAddress(String hostname) {
        Process process;
        String ipAddress = null;
        String line;
        String[] commandArray;
        boolean windows = System.getProperty("os.name").startsWith("Windows");

        if (windows) {
            // For Windows: the hostname is interpolated into a cmd.exe command line
            commandArray = new String[] {"cmd", "/c", "ping " + hostname + " -4 | findstr Pinging"};
        } else {
            // For Linux and OSX: the hostname is interpolated into a bash command line
            commandArray = new String[] {"bash", "-c", "host " + hostname};
        }

        try {
            process = Runtime.getRuntime().exec(commandArray);
            BufferedReader stdInput = new BufferedReader(new InputStreamReader(process.getInputStream()));
            String[] output;
            // Reading the output of the executed command
            while ((line = stdInput.readLine()) != null) {
                if (windows) {
                    // "Pinging host [1.2.3.4] with 32 bytes of data:" -> third token holds the address
                    output = line.split(" ");
                    if (output.length > 2) {
                        ipAddress = output[2].replace("[", "").replace("]", "").trim();
                    }
                } else {
                    // "host has address 1.2.3.4"; skip lines without that phrase (IPv6 and MX records)
                    output = line.split("has address");
                    if (output.length > 1) {
                        ipAddress = output[1].trim();
                    }
                }
            }
        } catch (IOException e) {
            org.owasp.esapi.reference.Log4JLogFactory.getInstance()
                    .getLogger("com.util.esapi.InetAddressWrapper")
                    .error(org.owasp.esapi.Logger.EVENT_FAILURE, "getIPAddress() failed", e);
        }
        return ipAddress;
    }
Variable answered 14/2, 2017 at 6:45 Comment(2)
process = Runtime.getRuntime().exec(commandArray); this line will give you the command injection, if I am not wrong? – Harl
As mentioned above by Leonard, the problem is the possibility of DNS spoofing. Getting the address using the command line won't solve it. – Disjointed
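The comments above are right that building a `cmd /c` or `bash -c` string from the hostname is a command injection. As an added example, not code from the thread, here is how that particular defect is removed: the hostname is checked against RFC 1123 syntax and then handed to `ProcessBuilder` as its own argv element, so no shell parses it. It deliberately changes nothing about the trust question the thread settles on: the address it returns is an ordinary DNS answer and no more suitable for authentication than `InetAddress.getByName()`. Class and method names are hypothetical.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added illustration (hypothetical names): host lookup via an external tool
 * without a shell in between. Validation plus argv separation closes the
 * injection; it does not make the resulting address trustworthy.
 */
public final class SafeHostLookup {

    // One or more dot-separated labels of letters, digits and inner hyphens, at most 253 chars (RFC 1123).
    private static final Pattern HOSTNAME = Pattern.compile(
            "^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
          + "(?:\\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$");

    // First dotted quad in a line of tool output, e.g. "[93.184.216.34]" or "has address 93.184.216.34".
    private static final Pattern IPV4 = Pattern.compile(
            "\\b((?:25[0-5]|2[0-4]\\d|1?\\d?\\d)(?:\\.(?:25[0-5]|2[0-4]\\d|1?\\d?\\d)){3})\\b");

    private SafeHostLookup() {
    }

    /** Accepts plain host names only; whitespace, quotes and shell metacharacters all fail here. */
    public static boolean isValidHostname(String hostname) {
        return hostname != null && HOSTNAME.matcher(hostname).matches();
    }

    /**
     * Builds argv with the host name as a separate element. Without "cmd /c" or
     * "bash -c" the operating system passes the string to the program unchanged,
     * so metacharacters carry no meaning even if validation were ever bypassed.
     */
    public static List<String> buildCommand(String hostname, boolean windows) {
        if (!isValidHostname(hostname)) {
            throw new IllegalArgumentException("not a valid host name");
        }
        List<String> argv = new ArrayList<>();
        if (windows) {
            Collections.addAll(argv, "ping", "-4", "-n", "1", hostname); // one IPv4 echo request
        } else {
            Collections.addAll(argv, "host", hostname);
        }
        return argv;
    }

    /** First IPv4 literal in a line, or null when the line has none (IPv6 or MX lines from host). */
    public static String parseAddress(String line) {
        Matcher m = IPV4.matcher(line);
        return m.find() ? m.group(1) : null;
    }

    public static String getIPAddress(String hostname) throws IOException, InterruptedException {
        boolean windows = System.getProperty("os.name").startsWith("Windows");
        Process process = new ProcessBuilder(buildCommand(hostname, windows))
                .redirectErrorStream(true)
                .start();
        String found = null;
        try (BufferedReader out = new BufferedReader(
                new InputStreamReader(process.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = out.readLine()) != null) {
                if (found == null) {
                    found = parseAddress(line); // keep draining so the child never blocks on a full pipe
                }
            }
        }
        process.waitFor();
        return found;
    }
}
```

Parsing in Java instead of piping through `findstr` is what makes the shell unnecessary on Windows; `parseAddress` also tolerates the extra "has IPv6 address" and "mail is handled by" lines that `host` prints, which the original `output[1]` indexing did not.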

© 2022 - 2024 — McMap. All rights reserved.