java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket


Detected use of a Java socket that is not encrypted: every `new Socket(...)` or `new ServerSocket(...)` expression is reported, whatever is later done with the socket. Data sent over such a socket travels in cleartext, so an attacker positioned on the network path can read (and tamper with) it. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead, and on the client side also enable hostname verification — a bare SSLSocket does not check the peer's hostname unless endpoint identification is switched on. Plain sockets that are deliberately upgraded to TLS afterwards (for example via SSLSocketFactory.createSocket(Socket, host, port, autoClose)) and loopback-only test sockets are flagged as well and need manual triage rather than a blanket suppression.


Definition

# Audit rule (see the id prefix java.lang.security.audit): every
# java.net.Socket / ServerSocket constructor call is reported purely on syntax,
# so expect findings on loopback/test sockets and on plain sockets that are
# upgraded to TLS later (e.g. via
# SSLSocketFactory.createSocket(Socket, host, port, autoClose)). Those need
# triage, not a blanket suppression of the rule.
rules:
  - id: unencrypted-socket
    metadata:
      functional-categories:
        - net::search::crypto-config::java.net
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNENCRYPTED_SOCKET
      # NOTE(review): V6 "Stored Cryptography" / 6.2.5 "Insecure Algorithm" is
      # about cryptography at rest; a cleartext-transport finding (CWE-319)
      # belongs under ASVS 4.0 V9 "Communications" — confirm and re-map before
      # using this field for compliance reporting.
      asvs:
        section: V6 Stored Cryptography Verification Requirements
        control_id: 6.2.5 Insecure Algorithm
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
        version: "4"
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    # The suggested fix is necessary but not sufficient on the client side: an
    # SSLSocket obtained from SSLSocketFactory does not verify the peer
    # hostname unless endpoint identification is enabled
    # (SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")).
    message: Detected use of a Java socket that is not encrypted. As a result, the
      traffic could be read by an attacker intercepting the network traffic. Use
      an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory'
      instead.
    severity: WARNING
    languages:
      - java
    # No taint or data-flow: the two patterns match the constructor expression
    # wherever it appears. Sockets returned by
    # SSLSocketFactory / SSLServerSocketFactory create*Socket(...) are not
    # constructor calls and therefore are not matched.
    pattern-either:
      - pattern: new ServerSocket(...)
      - pattern: new Socket(...)

Examples

unencrypted-socket.java

package testcode.crypto;

import java.io.*;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocketFactory;

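/**
 * Semgrep test fixture for the {@code unencrypted-socket} rule, client side.
 *
 * <p>Each {@code // ruleid: unencrypted-socket} comment marks the line directly
 * below it as one the rule must report; {@code // ok: unencrypted-socket} marks a
 * line the rule must leave alone. Keep every marker on the line immediately
 * preceding its match when editing.
 *
 * <p>The methods connect to external hosts and are not meant to be executed;
 * they exist only so the patterns appear in compilable Java.
 */
public class UnencryptedSocket {

    /**
     * TLS client socket from the default {@link SSLSocketFactory}: produced by a
     * factory, not a constructor, so the rule does not report it.
     *
     * <p>NOTE(review): a bare SSLSocket does not verify the peer's hostname
     * unless endpoint identification is enabled (for example via
     * {@code SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")}); this
     * fixture shows the shape the rule accepts, not a fully hardened client.
     */
    static void sslSocket() throws IOException {
        // ok: unencrypted-socket
        Socket soc = SSLSocketFactory.getDefault().createSocket("www.google.com", 443);
        doGetRequest(soc);
    }

    /** Plain TCP socket: cleartext on the wire, reported by the rule. */
    static void plainSocket() throws IOException {
        // ruleid: unencrypted-socket
        Socket soc = new Socket("www.google.com", 80);
        doGetRequest(soc);
    }

    /**
     * The other {@link Socket} constructor overloads are cleartext too and must
     * be reported, whether the remote end is given as a host name or as an
     * {@link InetAddress} and whether a local bind address is supplied.
     */
    static void otherConstructors() throws IOException {
        // ruleid: unencrypted-socket
        Socket soc1 = new Socket("www.google.com", 80, true);
        doGetRequest(soc1);
        byte[] address = {127, 0, 0, 1};
        // ruleid: unencrypted-socket
        Socket soc2 = new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337);
        doGetRequest(soc2);
        byte[] remoteAddress = {74, 125, (byte) 226, (byte) 193};
        // ruleid: unencrypted-socket
        Socket soc3 = new Socket(InetAddress.getByAddress(remoteAddress), 80);
        // Fixed: this used to pass soc2 again, closing it twice and leaking soc3.
        doGetRequest(soc3);
    }

    /**
     * Stand-in for "use the socket": prints an empty line and closes the socket.
     * No request is actually sent.
     *
     * @param soc socket to release; it is closed when this method returns
     * @throws IOException if closing the socket fails
     */
    static void doGetRequest(Socket soc) throws IOException {
        System.out.println("");
        soc.close();
    }
}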

/**
 * Semgrep test fixture for the {@code unencrypted-socket} rule, server side.
 *
 * <p>A {@code // ruleid: unencrypted-socket} comment marks the next line as one
 * the rule must report; {@code // ok: unencrypted-socket} marks a line it must
 * leave alone. Keep each marker on the line directly above its match.
 *
 * <p>The methods bind real ports and are not meant to be run; they exist only so
 * the patterns appear in compilable Java. Every socket is released immediately
 * after it is created.
 */
public class UnencryptedServerSocket {

    /**
     * Listener from the default {@link SSLServerSocketFactory}: produced by a
     * factory, not a constructor, so the rule does not report it.
     */
    static void sslServerSocket() throws IOException {
        // ok: unencrypted-socket
        try (ServerSocket listener = SSLServerSocketFactory.getDefault().createServerSocket(1234)) {
            // created and released straight away
        }
    }

    /** Plain listener bound to a port: cleartext, reported by the rule. */
    static void plainServerSocket() throws IOException {
        // ruleid: unencrypted-socket
        try (ServerSocket listener = new ServerSocket(1234)) {
            // created and released straight away
        }
    }

    /**
     * The remaining {@link ServerSocket} constructor overloads — unbound, with a
     * backlog, and with an explicit bind address — are cleartext as well and
     * must all be reported.
     */
    static void otherConstructors() throws IOException {
        // ruleid: unencrypted-socket
        try (ServerSocket unbound = new ServerSocket()) {
            // created and released straight away
        }
        // ruleid: unencrypted-socket
        try (ServerSocket withBacklog = new ServerSocket(1234, 10)) {
            // created and released straight away
        }
        byte[] loopback = {127, 0, 0, 1};
        // ruleid: unencrypted-socket
        try (ServerSocket bound = new ServerSocket(1234, 10, InetAddress.getByAddress(loopback))) {
            // created and released straight away
        }
    }

}