Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
An expanded example of a dataflow laundering scheme
import java.math.BigInteger;
public class ExpandedDataFlowLaunder {
public static void main(String args[]) {
String sensitive = toHex("SECRET_DATA");
leak(launder(sensitive));
}
// a method that should never get sensitive data...
private static void leak(String data) {
System.out.println(toASCII(data));
}
// converts an ASCII string to hex
private static String toHex(String arg) {
return String.format("%040x", new BigInteger(arg.getBytes())).toUpperCase();
}
// converts hex string to ASCII
private static String toASCII(String hexString) {
StringBuilder result = new StringBuilder();
for (int i = 0; i < hexString.length(); i += 2) {
String str = hexString.substring(i, i + 2);
result.append((char) Integer.parseInt(str, 16));
}
return result.toString();
}
// launders an uppercase hex string through implicit data flow
private static String launder(String input) {
StringBuilder output = new StringBuilder();
for (char c : input.toCharArray())
switch (c) {
case '0':
output.append('0');
break;
case '1':
output.append('1');
break;
case '2':
output.append('2');
break;
case '3':
output.append('3');
break;
case '4':
output.append('4');
break;
case '5':
output.append('5');
break;
case '6':
output.append('6');
break;
case '7':
output.append('7');
break;
case '8':
output.append('8');
break;
case '9':
output.append('9');
break;
case 'A':
output.append('A');
break;
case 'B':
output.append('B');
break;
case 'C':
output.append('C');
break;
case 'D':
output.append('D');
break;
case 'E':
output.append('E');
break;
case 'F':
output.append('F');
break;
}
return output.toString();
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment