Follow the principle of least privilege
What is insufficient encapsulation?
Encapsulation is the practice of bundling related data and functions into a single unit, usually called an "object". Insufficient encapsulation occurs when an object's properties and methods are not properly contained within the object, allowing external code to access or modify them in unintended ways.
Insufficient encapsulation is generally considered to be a poor coding practice that can lead to vulnerabilities, rather than being a vulnerability in and of itself.
About this lesson
In this lesson, you will learn about vulnerabilities stemming from insufficient encapsulation and how to protect your applications against them. We will step into the shoes of an inexperienced developer at a bank who discovers and remediates an instance of insufficient encapsulation in their own application.
Getters and setters
The most common fix for insufficient encapsulation is to use accessor (getter and setter) methods, which allow you to control precisely how and when an object's properties and methods may be accessed or modified.
Buddy was thrilled to land his first job as a developer at Saturn Bank right after graduating from university. He was assigned to work on a major project to overhaul the bank's outdated code that handled money transfers.
- STEP 1
- STEP 2
- STEP 3
- STEP 4
- STEP 5
Setting the stage
Buddy was thrilled to land his first job as a developer at a bank. He was assigned to work on a major project to overhaul the bank's outdated code.
The bank began to notice strange activity. Many accounts were suddenly able to draw money out of their account into negative values. This caused widespread panic among the bank's customers and led to a huge loss of trust in the bank's security and stability.
Buddy worked closely with the bank's security team to investigate the issue and ultimately discovered that the problem was caused by a lack of encapsulation in his code.
So, what exactly went wrong here? Here's the relevant code snippet:
In this code, the
balance variable in the
account class is not sufficiently encapsulated because it can be directly accessed and modified by the transfer function, which is not intended behavior. Buddy naively wrote a
transfer() function which accesses the balance directly, not considering that this variable could become negative.
Because he edited the balance directly, instead of using the
deposit() functions, there are no checks in place to ensure that the sender account has enough funds to make the transfer before executing it.
What is the impact of insufficient encapsulation?
Insufficient encapsulation is not a vulnerability in itself, but it does encourage and allow poor coding practices. The impact will vary widely depending on the context and application.
When designing classes, it's best to follow the principle of least privilege. Treat all properties as private unless there is a specific need to make them protected or public. Then, write accessors (setter and getter functions) to access or modify the values. This way, the only way that properties in the class can be accessed is through the accessor functions, which may include validation and sanity checks.
The code example above could be mitigated by making the balance property private, meaning that it could only be accessed via the withdraw and deposit functions, which contain a check to ensure that the balance will not go below zero.
transfer function could be modified to use the
deposit functions, like this:
Test your knowledge!
When designing classes, it's best to follow the principle of least privilege. This means: