Java RestTemplate Insecure HTTP Request
Description
Detects the use of insecure HTTP URLs in Spring Framework's RestTemplate methods. Using unencrypted HTTP instead of HTTPS for web requests can expose sensitive data to man-in-the-middle attacks and network eavesdropping, potentially compromising data confidentiality and integrity.
Detection Strategy
1. Checks whether the Spring Web Client library (org.springframework.web.client) is imported in the code
2. Identifies calls to RestTemplate methods such as getForObject, postForEntity, exchange, etc.
3. Examines whether the first argument of these methods contains an HTTP URL (not HTTPS)
4. Verifies that the method is called on a RestTemplate object
5. Reports a vulnerability when HTTP URLs are used with RestTemplate methods instead of secure HTTPS URLs
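The five steps above, as an added example that is not part of the original rule or of Fluid Attacks' scanner: a simplified line-based Python detector over Java source. It assumes a single file, one statement per line, and a URL given as a string literal (the real rule works on a parsed syntax tree, not regexes).

```python
import re

# RestTemplate methods whose first argument is the request URL.
REST_TEMPLATE_METHODS = {
    "getForObject", "getForEntity", "postForObject", "postForEntity",
    "postForLocation", "put", "delete", "exchange", "execute",
    "optionsForAllow", "headForHeaders", "patchForObject",
}

IMPORT_RE = re.compile(r"^\s*import\s+org\.springframework\.web\.client\.")
# A variable declared with the RestTemplate type: "RestTemplate name = ..."
DECL_RE = re.compile(r"\bRestTemplate\s+(\w+)\s*=")
# A call whose first argument is a plain-HTTP literal: receiver.method("http://...")
CALL_RE = re.compile(r'\b(\w+)\.(\w+)\s*\(\s*"(http://[^"]*)"')


def find_insecure_rest_calls(java_source):
    """Return (line_number, receiver, method, url) for every RestTemplate
    call whose first argument is an http:// URL literal."""
    lines = java_source.splitlines()
    # Step 1: without the Spring Web Client import there is nothing to check.
    if not any(IMPORT_RE.match(line) for line in lines):
        return []
    findings = []
    rest_templates = set()
    for number, line in enumerate(lines, start=1):
        # Step 4: remember which variables hold a RestTemplate.
        rest_templates.update(DECL_RE.findall(line))
        # Steps 2, 3 and 5: a known method, an http:// literal, a RestTemplate receiver.
        for receiver, method, url in CALL_RE.findall(line):
            if method in REST_TEMPLATE_METHODS and receiver in rest_templates:
                findings.append((number, receiver, method, url))
    return findings


# Constructed sample: one insecure call, one HTTPS call, one call on a non-RestTemplate.
SAMPLE_JAVA = """import org.springframework.web.client.RestTemplate;
public class VulnerableExample {
    public void calls() {
        RestTemplate restTemplate = new RestTemplate();
        restTemplate.delete("http://example.com");
        restTemplate.getForObject("https://example.com/api", String.class);
        other.delete("http://example.com");
    }
}
"""

if __name__ == "__main__":
    for number, receiver, method, url in find_insecure_rest_calls(SAMPLE_JAVA):
        print(f"line {number}: {receiver}.{method} uses insecure URL {url}")
```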
Vulnerable code example
import org.springframework.web.client.RestTemplate;

public class VulnerableExample {
    public void unsafeRestCalls() {
        RestTemplate restTemplate = new RestTemplate();
        // Vulnerable: using the unencrypted HTTP protocol for REST calls
        restTemplate.delete("http://example.com");
    }
}
Secure code example
import org.springframework.web.client.RestTemplate;

public class SecureExample {
    public void safeRestCalls() {
        RestTemplate restTemplate = new RestTemplate();
        // Safe: using the encrypted HTTPS protocol for REST calls
        restTemplate.delete("https://example.com");
    }
}