Java Http Used Instead Of Https
Description
Detects requests sent over plain-text HTTP in Java applications that use the Apache HttpComponents client library. When an application builds a request with an http:// URL instead of https://, nothing on the wire is encrypted or authenticated: anyone on the network path can read the request and response (credentials, session tokens, personal data) and can also alter them in transit, which is the basis of eavesdropping and man-in-the-middle attacks.
Detection Strategy
• Identifies import statements for the Apache HttpComponents client request classes: org.apache.http.client.methods (HttpClient 4.x) or org.apache.hc.client5.http.classic.methods (HttpClient 5.x)
• Looks for instantiation of the request classes HttpGet, HttpPost, HttpPut, HttpDelete, HttpPatch, HttpOptions or HttpHead
• Examines the URL argument passed to the constructor of these classes and checks whether its scheme is the plain-text 'http://'
• Reports a vulnerability when a request object is built with an http:// URL
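The following is an added, self-contained illustration of the four steps above as a small scanner; it is not Fluid Attacks' own detector code. It assumes the URL is a string literal in the constructor call (URLs assembled at runtime or loaded from configuration are out of its scope) and runs over a constructed Java snippet embedded in the file.

```python
"""Toy checker for the rule "HTTP used instead of HTTPS" in Java code that
uses Apache HttpComponents. Added example, not the scanner's real code."""
import re
from dataclasses import dataclass

# Import prefixes named in the detection strategy (HttpClient 4.x and 5.x).
HTTP_IMPORT_PREFIXES = (
    "org.apache.http.client.methods",
    "org.apache.hc.client5.http.classic.methods",
)
# Request classes whose constructor takes the target URL.
REQUEST_CLASSES = ("HttpGet", "HttpPost", "HttpPut", "HttpDelete",
                   "HttpPatch", "HttpOptions", "HttpHead")

IMPORT_RE = re.compile(r"^\s*import\s+([\w.*]+)\s*;")
# Matches e.g. new HttpGet("http://host/path") with a string-literal URL.
CTOR_RE = re.compile(
    r"new\s+(" + "|".join(REQUEST_CLASSES) + r")\s*\(\s*\"([^\"]*)\"\s*\)"
)


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line number in the scanned source
    cls: str    # request class, e.g. HttpGet
    url: str    # the literal URL that uses the plain-text scheme


def uses_http_components(source: str) -> bool:
    """Step 1: does the file import request classes from HttpComponents?"""
    for line in source.splitlines():
        m = IMPORT_RE.match(line)
        if m and m.group(1).startswith(HTTP_IMPORT_PREFIXES):
            return True
    return False


def find_insecure_requests(source: str) -> list[Finding]:
    """Steps 2-4: report every request object built with an http:// literal.

    Files that do not import the library are skipped entirely, so an
    unrelated class that happens to be called HttpGet is not reported.
    """
    if not uses_http_components(source):
        return []
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for m in CTOR_RE.finditer(line):
            cls, url = m.group(1), m.group(2)
            # Scheme comparison is case-insensitive: "HTTP://" is still plain text.
            if url.lower().startswith("http://"):
                findings.append(Finding(number, cls, url))
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE_JAVA = """\
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;

public class Demo {
    void run() {
        HttpGet a = new HttpGet("http://example.internal/api");     // flagged
        HttpGet b = new HttpGet("https://example.internal/api");    // clean
        HttpPost c = new HttpPost("HTTP://example.internal/login"); // flagged
    }
}
"""

if __name__ == "__main__":
    for f in find_insecure_requests(SAMPLE_JAVA):
        print(f"line {f.line}: {f.cls} built with plain-text URL {f.url}")
```

Running the file reports lines 6 and 8 of the sample and stays silent for the https:// request. Because the check is purely lexical, a real scanner additionally has to resolve the URL expression when it is not a literal; this toy version simply does not report those cases, which is the safe direction for a rule that is meant to avoid false positives.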
Vulnerable code example
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.CloseableHttpResponse;
public class VulnerableHttp {
    public void unsafeRequest() throws java.io.IOException {
        CloseableHttpClient client = HttpClients.createDefault();
        // Plain-text http:// scheme: request and response cross the network unencrypted (placeholder URL)
        HttpGet request = new HttpGet("http://example.com/api/data");
        try (CloseableHttpResponse response = client.execute(request)) {
            System.out.println(response.getStatusLine());
        }
    }
}
✅ Secure code example
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.CloseableHttpResponse;
public class SecureHttp {
    public void safeRequest() throws java.io.IOException {
        try (CloseableHttpClient client = HttpClients.createDefault()) {
            // https:// scheme; the default client validates the certificate chain and hostname (placeholder URL)
            HttpGet request = new HttpGet("https://example.com/api/data");
            try (CloseableHttpResponse response = client.execute(request)) {
                System.out.println(response.getStatusLine());
            }
        }
    }
}
Switching the scheme only helps while the client keeps its default TLS validation: a client built with a trust-all TrustManager or a NoopHostnameVerifier still passes this rule but gives an attacker on the path the same position as plain HTTP.