Java Insecure Ftp Session Factory
Description
Detects the use of insecure plain FTP connections through FTPClient/FTPSessionFactory in Java applications. Using unencrypted FTP instead of secure alternatives like FTPS or SFTP can expose sensitive data to network eavesdropping and man-in-the-middle attacks since credentials and data are transmitted in cleartext.
Detection Strategy
• Identifies calls to the setHost() method on FTP session factory objects
• Verifies that the receiving object is an instance of FTPClient or FTPSessionFactory
• Checks whether the host parameter uses the insecure 'ftp://' protocol instead of a secure alternative
• Reports a vulnerability when an insecure FTP connection is configured via setHost
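The four steps above describe a simple static check. The following added example (written for this page, not Fluid Attacks' own analyzer) implements that strategy as a line-oriented scanner over Java source: it records which variables are constructed from FTP session types, then flags setHost() calls on those variables whose host string begins with ftp://. The type list, the regular expressions and the embedded Java snippet are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Types treated as plain-FTP session objects. Assumption: the rule text names
# FTPClient and FTPSessionFactory; DefaultFtpSessionFactory is the Spring
# Integration class used in the page's vulnerable example.
FTP_FACTORY_TYPES = {"FTPClient", "FTPSessionFactory", "DefaultFtpSessionFactory"}

# "<Type>[<generics>] <name> = new <Ctor>(" : remembers the constructed type
DECL_RE = re.compile(r"\b(\w+)(?:<[^>]*>)?\s+(\w+)\s*=\s*new\s+(\w+)\s*\(")
# "<name>.setHost("<literal>")" : the call the rule inspects
SET_HOST_RE = re.compile(r"\b(\w+)\.setHost\(\s*\"([^\"]*)\"\s*\)")


@dataclass(frozen=True)
class Finding:
    line: int
    variable: str
    factory_type: str
    host: str


def find_insecure_ftp_hosts(java_source: str) -> list[Finding]:
    """Return one Finding per setHost("ftp://...") call on an FTP factory object."""
    var_types: dict[str, str] = {}
    findings: list[Finding] = []
    for lineno, text in enumerate(java_source.splitlines(), start=1):
        # Step 2 of the strategy: learn the concrete type behind each variable.
        for m in DECL_RE.finditer(text):
            declared_type, name, ctor = m.groups()
            var_types[name] = ctor or declared_type
        # Steps 1, 3 and 4: inspect setHost() calls on known FTP objects.
        for m in SET_HOST_RE.finditer(text):
            name, host = m.groups()
            factory_type = var_types.get(name)
            if factory_type in FTP_FACTORY_TYPES and host.lower().startswith("ftp://"):
                findings.append(Finding(lineno, name, factory_type, host))
    return findings


# Constructed sample: the page's vulnerable and secure patterns plus a bare
# hostname on a plain-FTP factory, which the scheme-based rule does not flag.
SAMPLE_JAVA = """\
class FtpConfig {
    public DefaultFtpSessionFactory createFtpSession() {
        DefaultFtpSessionFactory ftpFactory = new DefaultFtpSessionFactory();
        ftpFactory.setHost("ftp://example.com");
        return ftpFactory;
    }
    public DefaultSftpSessionFactory createSftpSession() {
        DefaultSftpSessionFactory sftpFactory = new DefaultSftpSessionFactory();
        sftpFactory.setHost("sftp://example.com");
        return sftpFactory;
    }
    public DefaultFtpSessionFactory createBareHost() {
        DefaultFtpSessionFactory plain = new DefaultFtpSessionFactory();
        plain.setHost("example.com");
        return plain;
    }
}
"""

if __name__ == "__main__":
    for f in find_insecure_ftp_hosts(SAMPLE_JAVA):
        print(f"line {f.line}: {f.variable} ({f.factory_type}) -> {f.host}")
```

Running the scanner on the sample reports only line 4. The third method shows the limit of a scheme-based check: a plain-FTP factory given a bare hostname still speaks cleartext FTP, so a reviewer should also look at the factory type itself, not just the host string.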
Vulnerable code example
    import org.springframework.integration.ftp.session.DefaultFtpSessionFactory;

    class FtpConfig {
        public DefaultFtpSessionFactory createFtpSession() {
            DefaultFtpSessionFactory ftpFactory = new DefaultFtpSessionFactory();
            ftpFactory.setHost("ftp://example.com"); // Vulnerable: Using insecure FTP instead of SFTP/FTPS
            return ftpFactory;
        }
    }
✅ Secure code example
    import org.springframework.integration.sftp.session.DefaultSftpSessionFactory;
    import org.springframework.context.annotation.Bean;

    class FtpConfig {
        @Bean
        public DefaultSftpSessionFactory createFtpSession() {
            DefaultSftpSessionFactory sftpFactory = new DefaultSftpSessionFactory();
            sftpFactory.setHost("sftp://example.com"); // Using secure SFTP instead of plain FTP
            return sftpFactory;
        }
    }