Java JPasswordField Missing Masking
Description
This vulnerability detector identifies Java JPasswordField components that have character masking disabled by calling setEchoChar with a zero/null character. When masking is disabled, passwords are displayed as plain text instead of being hidden with asterisks or dots, creating a security risk where sensitive credentials can be visually exposed.
Detection Strategy
• The detector first checks if the code imports JPasswordField from javax.swing package
• It then searches for method calls to 'setEchoChar' on JPasswordField objects
• The vulnerability is reported when setEchoChar is called with a zero character (like '\0', 0, or null) as the first argument
• This configuration disables password masking, making the password field display characters in plain text instead of hiding them
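The detection strategy above is a source-pattern check rather than a type-aware analysis. The following Python scanner is an added example that mirrors those steps (import check, then setEchoChar calls whose first argument spells the zero character); it is not Fluid Attacks' detector implementation, and the two Java sources it scans are constructed inputs. The spellings it accepts for "zero character" ('\0', '\u0000', 0, (char) 0 and null) are an assumption drawn from the list in the strategy.

```python
import re

# Constructed sample inputs (not from any real code base).
VULNERABLE_SRC = r"""import javax.swing.JPasswordField;

public class VulnerablePassword {
    public void disablePasswordMasking() {
        JPasswordField pwdField = new JPasswordField();
        pwdField.setEchoChar('\0');      // masking disabled
        JPasswordField other = new JPasswordField();
        other.setEchoChar((char) 0);     // masking disabled
    }
}
"""

SECURE_SRC = r"""import javax.swing.JPasswordField;

public class SecurePassword {
    public void enablePasswordMasking() {
        JPasswordField pwdField = new JPasswordField();
        pwdField.setEchoChar('*');       // masking enabled
    }
}
"""

# Step 1: the file must import JPasswordField (or the whole javax.swing package).
IMPORT_RE = re.compile(r"^\s*import\s+javax\.swing\.(?:JPasswordField|\*)\s*;", re.MULTILINE)
# Step 2: every setEchoChar(...) call; the group captures the argument text.
CALL_RE = re.compile(r"\.setEchoChar\s*\((.*?)\)\s*;")
# Step 3: argument spellings that yield the zero character, compared with whitespace removed.
ZERO_ARGS = {"0", "'\\0'", "'\\u0000'", "(char)0", "null"}


def imports_jpasswordfield(src: str) -> bool:
    return IMPORT_RE.search(src) is not None


def disables_masking(arg: str) -> bool:
    first = arg.split(",")[0]                 # only the first argument is inspected
    return "".join(first.split()) in ZERO_ARGS


def find_unmasked_fields(src: str) -> list[tuple[int, str]]:
    """Return (line number, argument) for each setEchoChar call that disables masking."""
    if not imports_jpasswordfield(src):       # no import, no finding (a known blind spot)
        return []
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        m = CALL_RE.search(line)
        if m and disables_masking(m.group(1)):
            findings.append((lineno, m.group(1).strip()))
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("secure", SECURE_SRC)):
        print(name, find_unmasked_fields(src))
```

Two limitations follow directly from the strategy: a file that uses the fully qualified javax.swing.JPasswordField without an import statement produces no finding, and because the call is matched by method name alone, a setEchoChar call on some other object in the same file would be reported as well. Both are worth keeping in mind when triaging results from a pattern-based rule.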
Vulnerable code example

import javax.swing.JPasswordField;

public class VulnerablePassword {
    public void disablePasswordMasking() {
        JPasswordField pwdField = new JPasswordField();
        // VULNERABLE: the zero character disables masking, so typed passwords show as plain text.
        // (The int literal 0 would not compile against setEchoChar(char); the char literal '\0' is used.)
        pwdField.setEchoChar('\0');
    }
}

✅ Secure code example
import javax.swing.JPasswordField;

public class SecurePassword {
    public void enablePasswordMasking() {
        JPasswordField pwdField = new JPasswordField();
        pwdField.setEchoChar('*'); // SECURE: a non-zero echo character masks password input
    }
}