I need to fix a Heap Inspection vulnerability that is reported after running a security scan. The scan-generated document points to the POJO property "private String password;". It also mentions "The application does not contain any code that sets Content Security Policy headers." Can anyone help me with how to remove this Heap Inspection vulnerability?
An application is vulnerable to Heap Inspection when sensitive information (a password, in your case) is stored as clear text (unencrypted) in memory.
If an attacker performs a memory dump (remember the Heartbleed bug?), this sensitive information will be compromised.
There are two proper ways of holding such sensitive information:
- Using a secured object, such as a GuardedString instead of a String or a char array, or
- Encrypting the information and immediately scrubbing the memory containing the clear-text
Checkmarx probably found that vulnerability in your code, so it is advisable to use one of these methods to hold your sensitive information securely.

yaloner
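The two approaches in the answer, as an added example that is not part of the original question or answer and not the asker's POJO: the password lives in a `char[]` (the JDK type that can be overwritten, unlike an immutable `String`) and is zeroed with `Arrays.fill` as soon as it is no longer needed; the second method encrypts the clear text with AES-GCM and scrubs the clear-text buffers in a `finally` block so only ciphertext stays on the heap. The class name `SecretHolder`, the method names and the sample password are assumptions chosen for this example; `GuardedString` is a library class (ConnId/OpenICF), so plain `char[]` is used here instead.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Holds a secret as a mutable char[] and zeroes it on close() (hypothetical class for this example). */
public final class SecretHolder implements AutoCloseable {
    private final char[] secret;   // clear text; overwritten with '\0' when the holder is closed
    private boolean cleared;

    /** Takes ownership of the array: the caller must not keep or reuse its own copy. */
    public SecretHolder(char[] secret) {
        this.secret = secret;
    }

    /** Returns the live array (not a copy) so no second clear-text copy is created. */
    public char[] secretChars() {
        if (cleared) throw new IllegalStateException("secret already scrubbed");
        return secret;
    }

    /** Scrubs the clear text; with try-with-resources this runs even if an exception is thrown. */
    @Override
    public void close() {
        Arrays.fill(secret, '\0');
        cleared = true;
    }

    /**
     * Second approach: encrypt the clear text with AES-GCM and wipe every clear-text buffer
     * before returning, so only the ciphertext (plus the caller-held IV and key) remains in memory.
     */
    public static byte[] sealAndScrub(char[] clearText, SecretKey key, byte[] iv) throws Exception {
        // Encode to UTF-8 bytes through a CharBuffer view, avoiding an intermediate String.
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(clearText));
        byte[] plain = new byte[encoded.remaining()];
        encoded.get(plain);
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
            return cipher.doFinal(plain);
        } finally {
            // Scrub every buffer that held clear text, including the encoder's backing array.
            Arrays.fill(plain, (byte) 0);
            if (encoded.hasArray()) Arrays.fill(encoded.array(), (byte) 0);
            Arrays.fill(clearText, '\0');
        }
    }

    /** Decrypts only when needed; the caller is responsible for scrubbing the returned bytes. */
    public static byte[] unseal(byte[] sealed, SecretKey key, byte[] iv) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return cipher.doFinal(sealed);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value, built as a char[] rather than a String literal so that no
        // immutable, interned copy of the password is created on the heap.
        char[] password = {'c', 'o', 'r', 'r', 'e', 'c', 't', '-', 'h', 'o', 'r', 's', 'e'};

        // Approach 1: use the secret inside a scope, scrubbed automatically at the end of it.
        try (SecretHolder holder = new SecretHolder(password)) {
            char[] live = holder.secretChars();
            System.out.println("length while in use: " + live.length);
        }
        boolean allZero = true;
        for (char c : password) allZero &= (c == '\0');
        System.out.println("scrubbed after close: " + allZero);   // true

        // Approach 2: keep only ciphertext; the clear-text array is wiped inside sealAndScrub.
        char[] second = {'c', 'o', 'r', 'r', 'e', 'c', 't', '-', 'h', 'o', 'r', 's', 'e'};
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(128);
        SecretKey key = keyGen.generateKey();
        byte[] iv = new byte[12];                 // 96-bit GCM nonce, unique per encryption
        new SecureRandom().nextBytes(iv);
        byte[] sealed = sealAndScrub(second, key, iv);
        System.out.println("clear text wiped: " + (second[0] == '\0'));   // true

        byte[] recovered = unseal(sealed, key, iv);
        System.out.println("round trip ok: " + (recovered.length == 13));
        Arrays.fill(recovered, (byte) 0);        // scrub the decrypted copy as soon as it is used
    }
}
```

In real code the password should arrive as a `char[]` in the first place (for example from `Console.readPassword()` or a `char[]`-based form field) rather than being converted from a `String`: once a `String` holds the password, that immutable copy stays on the heap until the garbage collector reclaims it, and scrubbing the `char[]` afterwards does not remove it. Note also that the key for the second approach has to live somewhere; the scanner will be satisfied only if the key is itself handled through a `SecretKey` or a keystore rather than another `String` field.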