So over the weekend I experimented a bit with Java GC and decided to write something about it. I was just poking around to prove that just because a Java object or variable is eligible for garbage collection does not mean it gets collected right away.
That window between eligibility and actual collection is an opportunity for an attacker to pull sensitive data out of your application through a heap memory dump.
To prove this, I created a simple console application for this experiment.
1. Create Java program:
import java.util.Scanner;

public class HelloWorld {
    // Reads the password into a char[] and then simply drops it. The array is
    // eligible for GC as soon as this method returns, but nothing overwrites it,
    // so the plaintext stays in the heap until the collector actually runs.
    private static void readData() {
        System.out.println("Enter password here : ");
        Scanner scanIn = new Scanner(System.in);
        char[] sensitiveData = scanIn.nextLine().toCharArray();
        scanIn.close();
    }

    public static void main(String[] args) throws Exception {
        readData();
        // Keep the process alive for an hour so a heap dump can be taken.
        Thread.sleep(1000 * 3600);
    }
}
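As an added example that is not part of the original post, the following program (class name SecretLifetime and method names are my own) shows both halves of the point: a WeakReference lets you watch whether the eligible array has actually been reclaimed, and Arrays.fill wipes the plaintext first so that whatever lingers in a heap dump is only zeros. It uses System.console().readPassword() where a console is available, because Scanner.nextLine() creates an immutable String copy of the password that cannot be wiped at all.

```java
import java.io.Console;
import java.lang.ref.WeakReference;
import java.util.Arrays;
import java.util.Scanner;

public class SecretLifetime {

    // Reads the secret into a char[] (never a String) so it can be overwritten later.
    private static char[] readSecret() {
        Console console = System.console();
        if (console != null) {
            // readPassword() returns char[] directly: no immutable String copy is created.
            return console.readPassword("Enter password here : ");
        }
        // Fallback when there is no console (e.g. inside an IDE). nextLine() leaves an
        // unwipeable String copy of the password on the heap, which is why it is avoided above.
        System.out.print("Enter password here : ");
        return new Scanner(System.in).nextLine().toCharArray();
    }

    // Stand-in for whatever really needs the secret (hashing, authentication, ...).
    private static void useSecret(char[] secret) {
        System.out.println("Using a " + secret.length + "-character secret");
    }

    public static void main(String[] args) {
        char[] secret = readSecret();
        useSecret(secret);

        // Weak reference only: it does not keep the array alive, but lets us observe it.
        WeakReference<char[]> tracker = new WeakReference<>(secret);

        // Mitigation: overwrite the plaintext while we still hold a reference. After this the
        // array may sit in the heap as long as the GC likes, but it only contains zeros.
        Arrays.fill(secret, '\0');
        secret = null;

        // The array is now eligible for collection, yet it is still present until the GC runs.
        System.out.println("Before GC, array still in heap: " + (tracker.get() != null));

        // System.gc() is only a hint; the JVM may ignore it, which is exactly the post's point.
        System.gc();
        System.out.println("After GC hint, array still in heap: " + (tracker.get() != null));
    }
}
```

Take a heap dump between the two prints (jmap or jcmd against the running PID) and the char[] you find holds only zeros, whereas the original HelloWorld program leaves the password intact.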