Java Unsafe Reflection Invocation

Description

Detects unsafe usage of Java reflection through Class.forName() where the class name parameter is not properly validated or sanitized. This vulnerability could allow attackers to load arbitrary classes and execute malicious code if they can control the class name parameter.

Weakness:

404 - OS Command Injection

Category: Functionality Abuse

Detection Strategy

    Identifies calls to Class.forName() method in Java code

    Verifies that the first argument (class name parameter) is not properly sanitized

    Checks if the class name parameter comes from an unsafe source like user input or external data

    Reports a vulnerability when the class name parameter is both unsanitized and derived from an unsafe source

Vulnerable code example

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class VulnerableServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        try {
            String className = request.getParameter("className");...

✅ Secure code example

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Arrays;
import java.util.List;

public class VulnerableServlet extends HttpServlet {
    // SECURE: Define allowlist of permitted classes to prevent arbitrary class loading...
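The following is an added example, not code from the original page or its rule author, showing the allowlist pattern the secure example above starts with in a form that compiles and runs on its own. The class names in the allowlist and the sample inputs are constructed for illustration; the method and class names are assumptions of this example.

```java
import java.util.Set;

/**
 * Added example (not part of the original page): a class name taken from an
 * untrusted source is passed to Class.forName() only after an exact match
 * against a fixed allowlist, which is the mitigation the rule describes.
 */
public final class SafeClassLoader {

    // Constructed allowlist: the only fully qualified names this feature may load.
    private static final Set<String> ALLOWED_CLASSES = Set.of(
            "java.util.ArrayList",
            "java.util.LinkedList",
            "java.util.HashMap");

    private SafeClassLoader() {}

    /**
     * Returns the requested class if, and only if, the untrusted name is an
     * exact allowlist entry. Anything else (null, trailing whitespace, a
     * name outside the list) is rejected before Class.forName() runs, so the
     * caller never decides which class, and which static initialiser, is loaded.
     */
    public static Class<?> loadAllowed(String untrustedName) throws ClassNotFoundException {
        if (untrustedName == null || !ALLOWED_CLASSES.contains(untrustedName)) {
            throw new IllegalArgumentException("class not permitted: " + untrustedName);
        }
        // initialize=false defers static initialisers until the class is actually
        // used, and the class loader is pinned instead of taken from the caller.
        return Class.forName(untrustedName, false, SafeClassLoader.class.getClassLoader());
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs standing in for request.getParameter("className").
        String[] inputs = { "java.util.ArrayList", "java.util.Scanner", " java.util.HashMap", null };
        for (String input : inputs) {
            try {
                Class<?> loaded = loadAllowed(input);
                System.out.println("loaded:   " + loaded.getName());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the first input is loaded; the other three are rejected by the allowlist check before any reflection happens. Keeping the check as an exact `Set.contains` rather than a prefix or substring match is deliberate: it avoids the partial-match bypasses that make "sanitizing" a class name unreliable, which is why the rule treats a missing allowlist, not a missing filter, as the defect.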