Java Datasource Encryption Disabled
Description
Identifies Java database connection strings that contain unencrypted/plaintext credentials in properties files. Exposing database credentials in plain text within configuration files poses a significant security risk as it could allow attackers to gain unauthorized access to the database if they can read these files.
Detection Strategy
• Scan Java properties files (*.properties) for database connection configuration
• Look for JDBC connection string patterns that contain unprotected sensitive data
• Report issues when connection strings contain credentials in plain text format
• Ignore connection strings that use protected/encrypted credential formats
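The following script is an added example of the detection strategy above, written for this page; it is not Fluid Attacks' own checker. It reads the content of a `.properties` file (a constructed sample is embedded), keeps Java's rule that `#` or `!` only starts a comment at the beginning of a line, extracts the parameters of each JDBC URL, and reports the parameter that disables transport encryption. The driver prefixes and the parameter/value pairs it matches (`encrypt=false`, `useSSL=false`, `sslmode=disable`) are taken from this page's examples; connection strings that use other values are left alone, as the strategy's last bullet requires.

```python
"""Added example: flag JDBC datasource URLs in Java .properties content whose
transport encryption is explicitly disabled. Not the page's own tooling."""
import re
from typing import Dict, List, Tuple

# Driver prefix -> {parameter name (lower-case): set of values that disable encryption}.
# The pairs mirror the page's vulnerable examples; other drivers are not covered.
INSECURE_PARAMS = {
    "jdbc:sqlserver:": {"encrypt": {"false"}},
    "jdbc:mysql:": {"usessl": {"false"}},
    "jdbc:postgresql:": {"sslmode": {"disable"}},
}

# Constructed sample properties file mirroring the page's examples
# (vulnerable and secure), plus an unrelated key that must be ignored.
SAMPLE_PROPERTIES = """\
# constructed sample for the example
vulnerable.sqlserver.datasource.url=jdbc:sqlserver://example.com;encrypt=false;
vulnerable.mysql.datasource.url=jdbc:mysql://example.com:3306/db?useSSL=false
vulnerable.postgres.datasource.url=jdbc:postgresql://example.com:5432/db?sslmode=disable
sqlserver.datasource.url=jdbc:sqlserver://example.com;encrypt=true;trustServerCertificate=false;
mysql.datasource.url=jdbc:mysql://example.com:3306/db?useSSL=true&requireSSL=true
postgres.datasource.url=jdbc:postgresql://example.com:5432/db?sslmode=verify-full
app.name=inventory
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value, key:value or 'key value'.
    A '#' or '!' is a comment only when it is the first non-blank character,
    so a trailing '# note' after a value would become part of that value
    (which is why comments belong on their own lines in the page's examples)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def jdbc_params(url: str) -> Dict[str, str]:
    """Extract name=value parameters from a JDBC URL. SQL Server separates
    them with ';', MySQL and PostgreSQL with '?' and '&'; names and values
    are lower-cased because the drivers treat them case-insensitively here."""
    params: Dict[str, str] = {}
    for token in re.split(r"[;?&]", url):
        if "=" in token and not token.lower().startswith("jdbc:"):
            name, value = token.split("=", 1)
            params[name.strip().lower()] = value.strip().lower()
    return params


def find_insecure_datasources(text: str) -> List[Tuple[str, str, str]]:
    """Return (property key, parameter, value) for every JDBC URL whose
    encryption is explicitly disabled; encrypted or unspecified ones are skipped."""
    findings: List[Tuple[str, str, str]] = []
    for key, value in parse_properties(text).items():
        lowered = value.lower()
        if not lowered.startswith("jdbc:"):
            continue
        for prefix, rules in INSECURE_PARAMS.items():
            if lowered.startswith(prefix):
                params = jdbc_params(value)
                for name, bad_values in rules.items():
                    if params.get(name) in bad_values:
                        findings.append((key, name, params[name]))
    return findings


if __name__ == "__main__":
    for key, name, value in find_insecure_datasources(SAMPLE_PROPERTIES):
        print(f"{key}: {name}={value} disables transport encryption")
```

Run against the sample, the three `vulnerable.*` keys are reported and the three secure URLs and `app.name` are not. Because the reader keeps Java's comment semantics, a value such as `...?useSSL=false # note` would be read as `false # note` and not match; that is the same string the driver would receive, so the fix is in the file, not in the scanner.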
Vulnerable code example
# Database connection configurations with disabled encryption
# (in a .properties file a # starts a comment only at the beginning of a line,
# so each note sits on its own line instead of after the value)
# Critical: Disables TLS encryption for SQL Server
vulnerable.sqlserver.datasource.url=jdbc:sqlserver://example.com;encrypt=false;
# Critical: Disables SSL for MySQL connection
vulnerable.mysql.datasource.url=jdbc:mysql://example.com:3306/db?useSSL=false
# Critical: Disables SSL/TLS for PostgreSQL
vulnerable.postgres.datasource.url=jdbc:postgresql://example.com:5432/db?sslmode=disable
✅ Secure code example
# Database connection configurations with enforced encryption
# Enforces TLS and validates the server certificate
sqlserver.datasource.url=jdbc:sqlserver://example.com;encrypt=true;trustServerCertificate=false;
# Mandates SSL and requires valid certificates
mysql.datasource.url=jdbc:mysql://example.com:3306/db?useSSL=true&requireSSL=true
# Enforces SSL/TLS with full certificate verification
postgres.datasource.url=jdbc:postgresql://example.com:5432/db?sslmode=verify-full