This socket is insecure
*/
protected void createSocket() {
    setAddress(new InetSocketAddress(getDdosPattern().getHost(), getDdosPattern().getPort()));
    socket = new Socket();
    try {
        socket.setKeepAlive(true);
        socket.setSoTimeout(getDdosPattern().getSocketTimeout());
Description
Socket and ServerSocket do not implement TLS/SSL by default. Use SSLSocket/SSLServerSocket instead.
The socket factory types javax.net.SocketFactory and javax.net.ServerSocketFactory cannot be used to create secure client and server sockets. For that purpose, their subclasses, SSLSocketFactory and SSLServerSocketFactory, must be used.
Bad Practice
Socket s = SocketFactory.getDefault().createSocket();
ServerSocket s2 = new ServerSocket(3434);
Recommended
Socket s = SSLSocketFactory.getDefault().createSocket();
ServerSocket s2 = SSLServerSocketFactory.getDefault().createServerSocket(3434);
Beyond using an SSL socket, you need to make sure your use of SSLSocketFactory (or, for server sockets, SSLServerSocketFactory) does all the appropriate certificate validation checks to make sure you are not subject to man-in-the-middle attacks. Please read the OWASP Transport Layer Protection Cheat Sheet for details on how to do this correctly.
References
- FindSecBugs - UNENCRYPTED_SOCKET
- WASC-04 - Insufficient transport layer security
- CWE-200 - Exposure of Sensitive Information to Unauthorized Actors
- CWE-319 - Cleartext Transmission of Sensitive Information
- OWASP Top Ten (2021) - Category A05 - Security Misconfiguration
- OWASP Top Ten (2021) - Category A02 - Cryptographic Failures
- OWASP Transport Level Security Cheatsheet