The constructor for LicenseManager initializes licenseMap with a demo license key
that must remain secret. The license key is hard-coded for illustrative purposes; it should
ideally be read from an external configuration file that stores an encrypted version of
the key. The LicenseType class provides overridden implementations of the equals() and
hashCode() methods.
This implementation is vulnerable to an attacker who extends the LicenseType class
and overrides the equals() and hashCode() methods. Because HashMap.get() relies on the
hashCode() and equals() of the key object it is handed, a key that returns an arbitrary hash
code and reports itself equal to anything can match the stored entry without the caller
ever knowing the real key:
    public class CraftedLicenseType extends LicenseType {
        private static int guessedHashCode = 0;

        @Override
        public int hashCode() {
            // Returns a new hashCode to test every time get() is called
            guessedHashCode++;
            return guessedHashCode;
        }

        @Override
        public boolean equals(Object arg) {
            // Always returns true
            return true;
        }
    }
The following is the malicious client program.
    public class DemoClient {
        public static void main(String[] args) {
            LicenseManager licenseManager = new LicenseManager();
            // i < Integer.MAX_VALUE: with <= the counter would overflow and the loop
            // would never terminate
            for (int i = 0; i < Integer.MAX_VALUE; i++) {
                // Each call presents a key whose hashCode() differs from the last one,
                // so successive calls probe successive hash buckets of licenseMap
                Object guessed =
                    licenseManager.getLicenseKey(new CraftedLicenseType());
                if (guessed != null) {
                    // prints ABC-DEF-PQR-XYZ
                    System.out.println(guessed);
                }
            }
        }
    }
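One way to close the hole described above, as an added example that is not the book's own code: the bodies of LicenseType and LicenseManager below are assumed (the page shows neither), and the demo key is a constructed placeholder. LicenseType is declared final so equals() and hashCode() can no longer be overridden, and getLicenseKey() additionally refuses any key whose runtime class is not exactly LicenseType.

```java
import java.util.HashMap;
import java.util.Map;

// Assumed shape of the key class. 'final' is the fix: no CraftedLicenseType
// can exist, so the map only ever sees the equals()/hashCode() defined here.
final class LicenseType {
    private final String name;

    LicenseType(String name) { this.name = name; }

    @Override
    public boolean equals(Object o) {
        return o instanceof LicenseType && ((LicenseType) o).name.equals(name);
    }

    @Override
    public int hashCode() { return name.hashCode(); }
}

final class LicenseManager {
    private final Map<LicenseType, String> licenseMap = new HashMap<>();

    LicenseManager() {
        // Constructed placeholder; as the text notes, a real key belongs in an
        // external, encrypted configuration source, not in source code.
        licenseMap.put(new LicenseType("demo"), "DEMO-KEY-PLACEHOLDER");
    }

    // Defence in depth on top of 'final': only a key of exactly this class may
    // drive the lookup, so a foreign key object is rejected before get() runs.
    String getLicenseKey(LicenseType type) {
        if (type == null || type.getClass() != LicenseType.class) {
            return null;
        }
        return licenseMap.get(type);
    }
}

public class HardenedDemo {
    public static void main(String[] args) {
        LicenseManager manager = new LicenseManager();
        // Legitimate lookup still works with a genuine LicenseType
        System.out.println(manager.getLicenseKey(new LicenseType("demo")));
        // Unknown name yields null; a subclassed key can no longer be compiled at all
        System.out.println(manager.getLicenseKey(new LicenseType("other")));
    }
}
```

If the design requires callers to hold the exact key instance rather than an equal one, an IdentityHashMap, which ignores equals() and hashCode() entirely, is a further option.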