ABSTRACT
The program violates secure coding principles for mobile code by declaring a member variable public but not final.
EXPLANATION
All public member variables in an Applet, and in any class used by an Applet, should be declared final. Otherwise any other code loaded into the same JVM can reassign the field and thereby manipulate, or gain unauthorized access to, the internal state of the Applet. Note that final on a reference field only prevents the reference from being reassigned; if the referenced object is itself mutable, it can still be modified through the public field, so such fields should also be made private wherever the design allows.
Example 1: The following Java Applet code mistakenly declares a member variable public but not final.

    import java.applet.Applet;
    import java.net.URL;

    public final class urlTool extends Applet {
        public URL url;   // public and non-final: any code in the same JVM can reassign it
        ...
    }
Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little, if any, control over the environment in which their code will execute, special security concerns apply. One of the biggest environmental threats is that the mobile code will run side by side with other, potentially malicious, mobile code. Because the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code focus on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine in which your program is running.
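The following is an added example, not code from the original page, that puts the vulnerable shape of Example 1 next to a hardened one and shows what a hostile class sharing the JVM can do with each. To keep it runnable on a headless JDK it uses plain classes (LeakyUrlTool and SafeUrlTool are hypothetical names) in place of a subclass of Applet; the field semantics are the same. The URLs are constructed sample values.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;

// Vulnerable shape from Example 1: a public, non-final field. Any class loaded
// into the same JVM (including untrusted mobile code) can overwrite it.
final class LeakyUrlTool {
    public URL url;

    LeakyUrlTool(URL url) {
        this.url = url;
    }

    // Whatever the applet later does with the URL now depends on a field
    // that an adversary can have silently replaced.
    String target() {
        return url.toString();
    }
}

// Hardened shape: the reference is private and final, assigned exactly once in
// the constructor, and exposed read-only. java.net.URL is immutable, so handing
// out the reference does not let a caller change the applet's state.
final class SafeUrlTool {
    private final URL url;

    SafeUrlTool(URL url) {
        this.url = url;
    }

    URL getUrl() {
        return url;
    }

    String target() {
        return url.toString();
    }
}

// Stands in for hostile code that happens to share the JVM with the applet.
final class HostileNeighbour {
    static void redirect(LeakyUrlTool victim, URL hostile) {
        victim.url = hostile;           // compiles: the field is public and not final
    }

    static void redirect(SafeUrlTool victim, URL hostile) {
        // victim.url = hostile;        // does not compile: url is private and final
        // victim.getUrl() = hostile;   // does not compile: no setter, no assignable lvalue
    }
}

public class NonFinalFieldDemo {
    public static void main(String[] args) throws MalformedURLException {
        URL trusted = URI.create("https://example.com/config").toURL();       // constructed sample
        URL hostile = URI.create("https://attacker.invalid/config").toURL();  // constructed sample

        LeakyUrlTool leaky = new LeakyUrlTool(trusted);
        HostileNeighbour.redirect(leaky, hostile);
        System.out.println("leaky applet now talks to: " + leaky.target());
        // prints: leaky applet now talks to: https://attacker.invalid/config

        SafeUrlTool safe = new SafeUrlTool(trusted);
        HostileNeighbour.redirect(safe, hostile);
        System.out.println("safe applet still talks to:  " + safe.target());
        // prints: safe applet still talks to:  https://example.com/config
    }
}
```

Compile with javac and run NonFinalFieldDemo. Uncommenting either assignment in the SafeUrlTool overload makes compilation fail, which is the point: with private final the only way to change the target is to change the constructor argument, and that is code the applet author controls. If the field must remain public for API reasons, final still blocks reassignment, but it does not protect a mutable referenced object; choose an immutable type (as URL is here) or return a defensive copy.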
REFERENCES
[1] Standards Mapping - Common Weakness Enumeration (CWE): CWE ID 493
[2] G. McGraw, Securing Java, Chapter 7: Java Security Guidelines