Java : Access specifier manipulation
Classification
Overview
Calling the method of the AccessibleObject API that sets the accessible flag changes the effective access specifier of a reflected member and bypasses the access control mechanism provided by the Java language. In particular, an adversary can use a reflected object to read or change the values of private fields, or to call a private method.
The AccessibleObject class is the base class for Field, Method and Constructor objects. It provides the ability to flag a reflected object as suppressing the default Java language access control checks when it is used. The access checks for public, default (package), protected and private members are performed when Field, Method or Constructor objects are used to set or get fields, to invoke methods, or to create and initialize new instances of classes, respectively.
Setting the accessible flag in a reflected object permits sophisticated applications with sufficient privilege, such as Java Object Serialization or other persistence mechanisms, to manipulate objects in a manner that would normally be prohibited.
By default, a reflected object is not accessible.
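The behaviour described above, as an added Java example that is not part of the original page: a private field is read-protected while the reflected Field keeps its default (false) accessible flag, and becomes writable once the flag is set; a small helper shows the defensive alternative of checking canAccess and never suppressing the checks. The Account class, its field and the helper name are constructed for the example; it needs Java 9 or later for Field.canAccess.

```java
import java.lang.reflect.Field;

// Constructed sample class. It is a separate top-level class on purpose: a nested
// class would be a nestmate of the demo class and could read the private field legally.
class Account {
    private long balanceCents = 1_000L;
    long getBalanceCents() { return balanceCents; }
}

public class AccessFlagDemo {
    // Defensive helper (constructed name): reflect on a member only if the caller could
    // access it anyway, i.e. never call setAccessible(true) to bypass the checks.
    static Object readWithoutBypass(Object target, String fieldName) throws Exception {
        Field f = target.getClass().getDeclaredField(fieldName);
        if (!f.canAccess(target)) {  // false here: private member, default flag not set
            throw new IllegalAccessException(fieldName + " is not accessible to the caller");
        }
        return f.get(target);
    }

    public static void main(String[] args) throws Exception {
        Account acct = new Account();
        Field f = Account.class.getDeclaredField("balanceCents");

        // Default state: the reflected object does not suppress access checks.
        System.out.println("canAccess by default: " + f.canAccess(acct));  // false
        try {
            readWithoutBypass(acct, "balanceCents");
        } catch (IllegalAccessException e) {
            System.out.println("read blocked: " + e.getMessage());
        }

        // Setting the flag is the weakness: the private field is now readable and writable.
        // In Java 9+ this call throws InaccessibleObjectException when the target's module
        // does not open the package to the caller; classes in the unnamed module are open.
        f.setAccessible(true);
        f.setLong(acct, 0L);
        System.out.println("after setAccessible(true): " + acct.getBalanceCents());  // 0
    }
}
```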
Broken Access Control takes fifth place in the "OWASP Top 10 2017" ranking of web application vulnerabilities.
