AttackFlow Findings Dictionary

Calling Overridable Methods in Constructor

Malicious subclasses may manipulate the initialization code of an object

Severity: Low

Fix Cost: Low

Trust Level: High

When a class constructor calls a method for initialization, a derived class may override the original virtual method and therefore may manipulate the object initialization that is designed in the original, inherited class constructor.

            
                class BaseClass {
  public BaseClass () {
   initialize();
  }
 
  public virtual void initialize() {
   Console.WriteLine("Original code for initializing in effect...");
  }
}
 
class DerivedClass : BaseClass {
 
  public DerivedClass() {
  }
 
  public override void initialize() {
   Console.WriteLine("Manipulated code for initialization in effect");
  }
}

                 
            

In the above code, when a DerivedClass instance is created and the BaseClass constructor runs, the overriding DerivedClass.initialize method is executed instead of the original BaseClass.initialize virtual method.

When a class constructor calls a method for initialization, a derived class may override the original method and therefore may manipulate the object initialization that is designed in the original, inherited class constructor.

        
class BaseClass {
public BaseClass () {
initialize();
}
 
public void initialize() {
System.out.println("Original code for initializing in effect...");
}
}
 
class DerivedClass extends BaseClass {
 
public DerivedClass() {
super();
}
 
public void initialize() {
System.out.println("Manipulated code for initialization in effect");
}
}

                
            

In the above code, when DerivedClass is instantiated, its constructor calls super(), which runs the BaseClass constructor; the initialize() call there dispatches to the overriding DerivedClass.initialize method instead of the original BaseClass.initialize.
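To make the dispatch behaviour and its remedy concrete, here is an added example written in Python, which dispatches method calls dynamically during construction just as Java and C# do. It is not AttackFlow's code and does not come from this page; the Account/RogueAccount class names and the frozen/audit_log fields are invented for the demonstration. The first pair of classes reproduces the finding and shows that the override runs on a partially constructed object and can tamper with base-class state; the second pair uses an initialization helper that a subclass cannot replace.

```python
# Added example (not AttackFlow's code): constructor calling an overridable
# method, beside a hardened variant. All names here are invented for the demo.


class Account:
    """Vulnerable pattern: __init__ calls an overridable method."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.frozen = True          # base class wants new accounts frozen
        self.initialize()           # dispatches to a subclass override, if any

    def initialize(self) -> None:
        self.audit_log = [f"account created for {self.owner}"]


class RogueAccount(Account):
    """Subclass whose override runs inside Account.__init__."""

    def __init__(self, owner: str) -> None:
        super().__init__(owner)     # RogueAccount.initialize runs in here
        self.note = "set after base init"

    def initialize(self) -> None:
        # Executes on a partially constructed object: self.note does not exist
        # yet, and base-class state can be changed mid-construction.
        self.frozen = False
        self.audit_log = []         # erases the creation record
        self.saw_note = hasattr(self, "note")


class SafeAccount:
    """Hardened pattern: the helper is name-mangled, so the base constructor
    always calls its own implementation regardless of what a subclass defines
    (the Java analogue is a private/final helper; in C# a non-virtual one)."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.frozen = True
        self.__initialize()         # compiled as self._SafeAccount__initialize()

    def __initialize(self) -> None:
        self.audit_log = [f"account created for {self.owner}"]


class RogueSafeAccount(SafeAccount):
    def __initialize(self) -> None:
        # Becomes _RogueSafeAccount__initialize; the base constructor never reaches it.
        self.frozen = False
        self.audit_log = []


def demo_vulnerable() -> dict:
    """Construct the rogue subclass and report the state the base class ends up with."""
    acct = RogueAccount("alice")
    return {"frozen": acct.frozen, "audit_log": acct.audit_log, "saw_note": acct.saw_note}


def demo_hardened() -> dict:
    """Same attempt against the hardened base class."""
    acct = RogueSafeAccount("alice")
    return {"frozen": acct.frozen, "audit_log": acct.audit_log}


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:  ", demo_hardened())
```

Running the file prints both results: in the vulnerable case the subclass has unfrozen the account and emptied the audit log before Account.__init__ returned, and it observed that its own attribute was not yet set. The Python fix relies on name mangling; in the page's languages the equivalent is to make the helper private, final or static (Java) or leave it non-virtual (C#), or to move the call out of the constructor into a separate initialization step that runs after construction is complete.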
