Java - hack or modify public variable in object via application

Question

I am developing an application with Spring.

I would like to ask whether there is any possibility that someone is able to change the value of a public variable in an object via any injection or hacking.

I have an object class similar to this:

public class ObjectA {
    public String key;

    public String getKey() {
        return key;
    }

    public void setKey(String key) {
        this.key = key;
    }
}

Answer 1

Score: 1

An attacker with no access to the system can exploit a bug, weak passwords, a misconfiguration or an unprotected port to gain access to the system.

An attacker with access to the system can use privilege escalation methods to manipulate the system into giving him/her additional permissions.

An attacker with sufficient privileges on the system can always access and manipulate memory contents, regardless of whether the variables are declared private or public.

An attacker with physical access to the system can always open the computer and attach probes to signals on the motherboard to bypass any access controls implemented in software.

The only "safe" data is either (a) at rest and encrypted with strong encryption, or (b) stored in a hardware security module (HSM) which is physically sealed and designed in such a way that the data is never sent outside of the sealed chip.
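The point in Answer 1 about private versus public deserves a concrete demonstration for the in-process case, which is the one the question actually asks about (an "injection" is code running inside the same JVM). Java access modifiers are a language-level check enforced by javac and the verifier, not a security boundary: any code in the process can switch them off with reflection. The example below is added here and is not from the original post; `Holder` is a hypothetical stand-in for the poster's ObjectA with the field made private and final, i.e. the most protected form of the same data.

```java
import java.lang.reflect.Field;

// Hypothetical stand-in for the poster's ObjectA, with the field made private
// and final to give the "most protected" version of the same data.
class Holder {
    private final String key;

    Holder(String key) {
        this.key = key;
    }

    String getKey() {
        return key;
    }
}

public class FieldOverwrite {

    // Overwrite any instance field by name, ignoring its access modifier.
    // setAccessible(true) disables the language-level private/final check;
    // it succeeds for non-static final fields of the application's own classes
    // (the unnamed module), which is where application objects normally live.
    static void overwrite(Object target, String fieldName, Object newValue)
            throws ReflectiveOperationException {
        Field f = target.getClass().getDeclaredField(fieldName);
        f.setAccessible(true);
        f.set(target, newValue);
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        Holder h = new Holder("set-by-constructor");
        System.out.println("before: " + h.getKey());

        // Same JVM, no special privileges: private and final are both bypassed.
        overwrite(h, "key", "set-by-reflection");
        System.out.println("after:  " + h.getKey());
    }
}
```

Compile and run with `javac FieldOverwrite.java && java FieldOverwrite`; the second `getKey()` call returns the reflected value because the field is read at call time. Two caveats: if the field were a compile-time constant (`private final String key = "x";`), javac would inline the literal into `getKey()` and the overwrite would not be observable through the getter; and a `static final` field cannot be written this way. Neither changes the conclusion: an attacker who can run code in the process, attach a debugger or JVMTI agent, or read and write the process memory from outside can reach the field regardless of how it is declared. The deprecated SecurityManager is not a mitigation to rely on for this either.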

Answer 2

Score: 0

Why would they need to do that in the first place? There is a setter method.
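Answer 2's remark that there is already a setter is the realistic route in a Spring application. When a bean like ObjectA is used as a form-backing object (for example an @ModelAttribute parameter), Spring's data binder populates bean properties from request parameters by name, so a client that adds a parameter named `key` to the request sets the `key` property whether or not the form ever exposed it (mass assignment). The example below is added here and is not from the original post or from Spring; it uses a small reflective binder of my own as a stand-in for Spring's so that it runs with no dependencies, and `Account`, `bindAll` and `bindAllowed` are hypothetical names. It shows the unrestricted binding next to an allow-listed version.

```java
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical stand-in for the poster's ObjectA: a form-backing bean with a
// public setter per property. 'key' is meant to be set only server-side.
class Account {
    private String name;
    private String key;

    public void setName(String name) { this.name = name; }
    public void setKey(String key)   { this.key = key; }
    public String getName()          { return name; }
    public String getKey()           { return key; }
}

public class BindingDemo {

    // Unrestricted binder: for every request parameter "foo", call target.setFoo(value)
    // if such a setter exists. This models property-based data binding with no allow-list.
    static void bindAll(Object target, Map<String, String> params) throws ReflectiveOperationException {
        bindAllowed(target, params, null);
    }

    // Hardened binder: only parameters whose names are in 'allowed' are bound;
    // everything else is ignored. 'allowed == null' means no restriction.
    static void bindAllowed(Object target, Map<String, String> params, Set<String> allowed)
            throws ReflectiveOperationException {
        for (Map.Entry<String, String> e : params.entrySet()) {
            String prop = e.getKey();
            if (prop.isEmpty()) {
                continue;
            }
            if (allowed != null && !allowed.contains(prop)) {
                System.out.println("ignored parameter not in allow-list: " + prop);
                continue;
            }
            String setter = "set" + Character.toUpperCase(prop.charAt(0)) + prop.substring(1);
            Method m;
            try {
                m = target.getClass().getMethod(setter, String.class);
            } catch (NoSuchMethodException noSetter) {
                continue; // no matching setter, nothing to bind
            }
            m.invoke(target, e.getValue());
        }
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        // Constructed request: the HTML form only had a "name" field, but the
        // client added "key" to the submitted parameters.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("name", "alice");
        request.put("key", "attacker-chosen");

        Account unrestricted = new Account();
        unrestricted.setKey("server-generated");
        bindAll(unrestricted, request);
        System.out.println("unrestricted binder: key=" + unrestricted.getKey());

        Account restricted = new Account();
        restricted.setKey("server-generated");
        bindAllowed(restricted, request, Set.of("name"));
        System.out.println("allow-listed binder: key=" + restricted.getKey());
    }
}
```

With the unrestricted binder the server-generated `key` is overwritten by the request; with the allow-list it is left alone and the extra parameter is reported. In real Spring code the equivalent control is `DataBinder.setAllowedFields(...)` (or `setDisallowedFields`) in an @InitBinder method, or, more robustly, binding requests to a dedicated DTO that simply has no `key` setter and copying only the intended fields onto the domain object afterwards.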

huangapple
  • Posted on 2020-10-27 12:00:13
  • Please keep this link when reposting: https://go.coder-hub.com/64548140.html