java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket
Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead.
Definition
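rules:
  - id: unencrypted-socket
    # Port of Find-Sec-Bugs UNENCRYPTED_SOCKET: every java.net.Socket / ServerSocket
    # constructor is reported, because those objects always carry cleartext TCP.
    metadata:
      functional-categories:
        - net::search::crypto-config::java.net
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNENCRYPTED_SOCKET
      asvs:
        section: V6 Stored Cryptography Verification Requirements
        control_id: 6.2.5 Insecure Algorithm
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
        version: "4"
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    message: Detected use of a Java socket that is not encrypted. As a result, the
      traffic could be read by an attacker intercepting the network traffic. Use
      an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory'
      instead.
    severity: WARNING
    languages:
      - java
    # The patterns are purely syntactic: a `new Socket(...)` that is afterwards handed to
    # SSLSocketFactory.createSocket(Socket, ...) for a STARTTLS-style upgrade would still be
    # reported, so such call sites need a `pattern-not` or a reviewed nosemgrep annotation.
    pattern-either:
      - pattern: new ServerSocket(...)
      - pattern: new Socket(...)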
Examples
unencrypted-socket.java
package testcode.crypto;
import java.io.*;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocketFactory;
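/**
 * Semgrep test fixture for the {@code unencrypted-socket} rule, client side.
 *
 * <p>Each {@code // ruleid:} comment marks a plain {@link Socket} constructor on the following
 * line that the rule must report; the {@code // ok:} comment marks the TLS socket obtained from
 * {@link SSLSocketFactory}, which the rule must leave alone.
 */
public class UnencryptedSocket {
    /** Expected-clean case: the socket comes from the default SSL factory, so the stream is TLS-protected. */
    static void sslSocket() throws IOException {
        // ok: unencrypted-socket
        Socket soc = SSLSocketFactory.getDefault().createSocket("www.google.com", 443);
        doGetRequest(soc);
    }

    /** Expected finding: the host/port constructor opens a cleartext TCP connection. */
    static void plainSocket() throws IOException {
        // ruleid: unencrypted-socket
        Socket soc = new Socket("www.google.com", 80);
        doGetRequest(soc);
    }

    /**
     * Expected findings: every overload of the {@link Socket} constructor is cleartext, not only
     * the common two-argument one.
     */
    static void otherConstructors() throws IOException {
        // ruleid: unencrypted-socket
        Socket soc1 = new Socket("www.google.com", 80, true);
        doGetRequest(soc1);

        byte[] address = {127, 0, 0, 1};
        // ruleid: unencrypted-socket
        Socket soc2 = new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337);
        doGetRequest(soc2);

        byte[] remoteAddress = {74, 125, (byte) 226, (byte) 193};
        // ruleid: unencrypted-socket
        Socket soc3 = new Socket(InetAddress.getByAddress(remoteAddress), 80);
        // Previously passed soc2 here, which closed soc2 a second time and left soc3 open.
        doGetRequest(soc3);
    }

    /**
     * Stand-in for a request over {@code soc}: prints an empty line and closes the socket.
     *
     * @param soc the socket to use; it is closed before this method returns
     * @throws IOException if closing the socket fails
     */
    static void doGetRequest(Socket soc) throws IOException {
        System.out.println("");
        soc.close();
    }
}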
/**
 * Semgrep test fixture for the {@code unencrypted-socket} rule, server side.
 *
 * <p>{@code // ruleid:} marks each plain {@link ServerSocket} constructor on the next line that
 * the rule must report; {@code // ok:} marks the TLS listener from
 * {@link SSLServerSocketFactory}, which must not be reported.
 */
public class UnencryptedServerSocket {
    /** Expected-clean case: listener created by the default SSL server-socket factory. */
    static void sslServerSocket() throws IOException {
        // ok: unencrypted-socket
        ServerSocket tlsListener = SSLServerSocketFactory.getDefault().createServerSocket(1234);
        tlsListener.close();
    }

    /** Expected finding: the single-port constructor listens in cleartext. */
    static void plainServerSocket() throws IOException {
        // ruleid: unencrypted-socket
        ServerSocket listener = new ServerSocket(1234);
        listener.close();
    }

    /** Expected findings: the unbound, backlog and bind-address overloads are cleartext as well. */
    static void otherConstructors() throws IOException {
        byte[] loopbackBytes = {127, 0, 0, 1};
        InetAddress bindAddress = InetAddress.getByAddress(loopbackBytes);

        // ruleid: unencrypted-socket
        ServerSocket unbound = new ServerSocket();
        unbound.close();

        // ruleid: unencrypted-socket
        ServerSocket withBacklog = new ServerSocket(1234, 10);
        withBacklog.close();

        // ruleid: unencrypted-socket
        ServerSocket boundToLoopback = new ServerSocket(1234, 10, bindAddress);
        boundToLoopback.close();
    }
}