Java Code Download Without Validation
Description
Detects dynamic class loading through java.net.URLClassLoader where the source of the classes is not validated. A URLClassLoader adds every URL it is given (file:, jar:, http:, https:) to its search path, so an attacker who controls that URL can host a jar that supplies the requested class. Once the class is instantiated or its static initializer runs, the attacker's code executes inside the JVM with the application's privileges, which is remote code execution.
Detection Strategy
• Check whether the code imports java.net.URLClassLoader (or constructs one through its fully qualified name)
• Look for calls to loadClass(), and for the follow-up that actually executes the loaded code: newInstance(), getDeclaredConstructor().newInstance(), or Class.forName(name, true, loader). loadClass() by itself loads and links the class but does not run its static initializer
• Verify whether the URL array passed to the URLClassLoader constructor, or the class name passed to loadClass(), is derived from untrusted input (request parameters, headers, bodies, externally supplied configuration) without being validated against an allowlist
• Confirm the loader is constructed unsafely: URLs taken from input instead of a fixed, operator-controlled location, no restriction to the file: scheme, and no check that the resolved location stays inside an allowed directory
Vulnerable code example
import java.net.URL;
import java.net.URLClassLoader;
import jakarta.servlet.http.HttpServletRequest;
public class VulnerableLoader {
    public Object loadPlugin(HttpServletRequest request) throws Exception {
        String urlString = request.getHeader("data"); // Unsafe: User-controlled URL input
        URL url = new URL(urlString); // Any scheme the JVM supports, e.g. http://attacker-host/evil.jar
        // Method body completed here from the description above: the untrusted URL becomes the loader's classpath
        URLClassLoader loader = new URLClassLoader(new URL[] { url });
        Class<?> clazz = loader.loadClass("com.example.Plugin"); // Placeholder class name; the attacker's jar supplies it
        return clazz.getDeclaredConstructor().newInstance(); // Static initializer and constructor run the attacker's code
    }
}
✅ Secure code example
import java.net.URL;
import java.net.URLClassLoader;
import jakarta.servlet.http.HttpServletRequest;
import java.nio.file.*;
import java.util.Set;
public class SecureLoader {
    // Whitelist of allowed plugin locations...
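The following is a complete hardened loader, added here as an illustration; it is not the page's own secure snippet and not Fluid Attacks' code. It assumes a fixed plugin directory (PLUGIN_DIR), an operator-maintained allowlist of jar file names (ALLOWED_JARS), a fixed entry class name (ENTRY_CLASS) and a Plugin interface that every approved jar implements; all four are placeholders chosen for the example. The request can only select one of the approved jars by name, never supply a URL or a class name, and the loader is built from a file: URL that has been checked to lie inside the plugin directory.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;
import jakarta.servlet.http.HttpServletRequest;

public class AllowlistedPluginLoader {

    /** Contract every approved plugin must implement (assumed for this example). */
    public interface Plugin {
        String run();
    }

    // Assumption: operators deploy approved plugin jars here and nowhere else.
    private static final Path PLUGIN_DIR =
            Paths.get("/opt/app/plugins").toAbsolutePath().normalize();

    // Assumption: the approved jars, by bare file name. The request may only pick one of these.
    private static final Set<String> ALLOWED_JARS = Set.of("reporting.jar", "export.jar");

    // Assumption: every approved jar exposes its entry point under this fixed class name.
    private static final String ENTRY_CLASS = "com.example.plugin.Entry";

    public Plugin loadPlugin(HttpServletRequest request) throws Exception {
        // The request selects an approved jar by name; it never supplies a URL or a class name.
        Path jar = resolveApprovedJar(request.getParameter("plugin"));
        return instantiate(jar);
    }

    /** Map an untrusted name onto an approved jar inside PLUGIN_DIR, or throw. */
    static Path resolveApprovedJar(String requested) throws IOException {
        if (requested == null || !ALLOWED_JARS.contains(requested)) {
            throw new IllegalArgumentException("plugin is not allowlisted");
        }
        // Second gate: even an allowlisted name must resolve to a regular file under PLUGIN_DIR.
        // normalize() collapses any "." or ".." segments before the containment check.
        Path jar = PLUGIN_DIR.resolve(requested).normalize();
        if (!jar.startsWith(PLUGIN_DIR) || !Files.isRegularFile(jar)) {
            throw new IOException("plugin jar missing or outside the plugin directory: " + jar);
        }
        return jar;
    }

    /** Build a loader over the single approved jar and instantiate its fixed entry class. */
    static Plugin instantiate(Path jar) throws Exception {
        URL[] classpath = { jar.toUri().toURL() }; // file: URL only; no remote scheme is reachable
        // Parent is the application loader so the plugin can see the Plugin interface.
        // The loader is intentionally left open: closing it would break lazy loading of
        // the plugin's other classes later on.
        URLClassLoader loader =
                new URLClassLoader(classpath, AllowlistedPluginLoader.class.getClassLoader());
        Class<?> raw = loader.loadClass(ENTRY_CLASS); // loads and links; static initializers do not run yet
        // Reject classes that do not implement the expected contract before any of their code runs.
        Class<? extends Plugin> entry = raw.asSubclass(Plugin.class);
        return entry.getDeclaredConstructor().newInstance(); // first point at which plugin code executes
    }
}
```

Two checks carry the fix. The allowlist lookup stops the request from naming anything outside the approved set, and the startsWith containment check after normalize() guards against a future change that loosens the allowlist into a free-form name. The asSubclass check runs before getDeclaredConstructor().newInstance(), so a jar whose entry class is not a Plugin is rejected before its constructor or static initializer can execute. In a long-running service the loader should be cached per jar rather than created on every request, since each URLClassLoader holds the jar open and is not garbage collected while instances of its classes are alive.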