Java Unencrypted Socket Connection
Description
Detects the use of unencrypted Java Socket or ServerSocket connections. These classes create network connections without built-in encryption, which could allow attackers to intercept and read sensitive data transmitted over the network. Using unencrypted sockets can expose applications to man-in-the-middle attacks and data theft.
Detection Strategy
• Check if code imports java.net.Socket or java.net.ServerSocket classes
• Look for instantiations of Socket or ServerSocket classes in the code
• Report a vulnerability when these unencrypted socket classes are used instead of their secure alternatives (like SSLSocket)
Vulnerable code example
import java.net.Socket;
import java.net.ServerSocket;
import java.io.IOException;
public class VulnerableSocketExample {
public static void main(String[] args) throws IOException {
// Vulnerable: Using plaintext Socket without SSL/TLS encryption
Socket socket = new Socket("www.example.com", 80);...✅ Secure code example
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.io.IOException;
public class SecureSocketExample {
public static void main(String[] args) throws IOException {...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.