Cleartext transmission of sensitive information
ID: scala.endpoint.scala_endpoint_rule_unencryptedsocket
Severity: low
Resource: Endpoint
Language: Scala
Description
Beyond using an SSL socket, make sure your use of SSLSocketFactory performs all the appropriate certificate validation checks so that you are not subject to man-in-the-middle attacks. Read the OWASP Transport Layer Protection Cheat Sheet for details on how to do this correctly.
Rationale
Beyond using an SSL socket, make sure your use of SSLSocketFactory performs all the appropriate certificate validation checks so that you are not subject to man-in-the-middle attacks. Read the OWASP Transport Layer Protection Cheat Sheet for details on how to do this correctly.
The following code illustrates a vulnerable pattern detected by this rule:
```scala
import java.io.IOException
import java.net.Socket
import javax.net.ssl.SSLSocketFactory

// doGetRequest(soc: Socket) is a helper defined elsewhere in the application.

// Not flagged: the connection is wrapped in TLS by the default SSLSocketFactory
@throws[IOException]
private[this] def sslSocket(): Unit = {
  val soc = SSLSocketFactory.getDefault.createSocket("www.google.com", 443)
  doGetRequest(soc)
}

@throws[IOException]
private[this] def plainSocket(): Unit = {
  // VULNERABLE: Cleartext transmission of sensitive information
  // A plain java.net.Socket sends the request and any data it carries unencrypted
  val soc = new Socket("www.google.com", 80)
  doGetRequest(soc)
}
```
Remediation
Follow secure coding practices and review the references below for detailed remediation guidance.
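The remediated form of the pattern above, as an added example that is not part of the rule's own documentation: it replaces the plain socket with a TLS socket and also turns on hostname verification, which a bare SSLSocket does not perform by default. The doGetRequest helper is a hypothetical stand-in for the one the page leaves undefined.

```scala
import java.io.{BufferedReader, InputStreamReader, IOException}
import java.net.Socket
import java.nio.charset.StandardCharsets
import javax.net.ssl.{SSLSocket, SSLSocketFactory}

object TlsClient {
  // Hypothetical stand-in for the page's undefined doGetRequest helper:
  // sends a minimal GET over the given socket and prints the status line.
  @throws[IOException]
  def doGetRequest(soc: Socket, host: String): Unit = {
    val out = soc.getOutputStream
    out.write(s"GET / HTTP/1.0\r\nHost: $host\r\n\r\n".getBytes(StandardCharsets.US_ASCII))
    out.flush()
    val in = new BufferedReader(new InputStreamReader(soc.getInputStream, StandardCharsets.US_ASCII))
    println(in.readLine())
    soc.close()
  }

  // Remediated socket: TLS via the default factory (the JVM's default trust
  // store validates the certificate chain) plus explicit hostname verification,
  // which an SSLSocket obtained this way does not perform unless enabled here.
  @throws[IOException]
  def tlsSocket(host: String, port: Int): SSLSocket = {
    val soc = SSLSocketFactory.getDefault.createSocket(host, port).asInstanceOf[SSLSocket]
    val params = soc.getSSLParameters
    // "HTTPS" enables RFC 2818 matching of the server certificate against `host`
    params.setEndpointIdentificationAlgorithm("HTTPS")
    // Refuse legacy protocol versions
    params.setProtocols(Array("TLSv1.3", "TLSv1.2"))
    soc.setSSLParameters(params)
    // Force the handshake now so an untrusted chain or a name mismatch fails
    // here (SSLHandshakeException), before any application data is written
    soc.startHandshake()
    soc
  }

  def main(args: Array[String]): Unit = {
    val host = "www.google.com"
    // Was: new Socket(host, 80)  <- the call flagged by this rule
    doGetRequest(tlsSocket(host, 443), host)
  }
}
```

If a custom SSLContext or trust manager is used instead of the default factory, the same endpoint identification setting still has to be applied; otherwise the certificate chain is checked but the peer's name is not.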
References
- OWASP Top 10 2021 - A01: Broken Access Control.