Java Insecure Http Connection
Description
Detects the use of insecure HTTP connections in Java applications through openConnection() method calls. Using unencrypted HTTP instead of HTTPS for network connections can expose sensitive data to man-in-the-middle attacks and eavesdropping.
Detection Strategy
• Identifies calls to openConnection() method on URL or URI objects
• Checks if the URL/URI object is using the insecure 'http://' protocol instead of 'https://'
• Reports a vulnerability when openConnection() is called on a URL/URI object that uses plain HTTP
Vulnerable code example
import java.net.URL;
import java.net.HttpURLConnection;
import java.io.IOException;
public class InsecureConnection {
public static void main(String[] args) throws IOException {
// Vulnerable: Using plain HTTP instead of HTTPS for network communication
URL url = new URL("http://example.com");...✅ Secure code example
import java.net.URL;
import java.net.HttpURLConnection;
import java.io.IOException;
public class SecureConnection {
public static void main(String[] args) throws IOException {
// Secure: Using HTTPS to ensure encrypted communication
URL url = new URL("https://example.com");...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.