Java Unencrypted Ftp Connection
Description
Detects Java code that opens plain, unencrypted FTP connections. Plain FTP transmits credentials and file data in cleartext, so anyone who can observe the network traffic can sniff them, and the session is vulnerable to man-in-the-middle attacks.
Detection Strategy
• Identifies FTP client object instantiations in Java code
• Looks for calls to the 'connect()' method on FTP client objects
• Reports a vulnerability when an unencrypted FTP client connection is established without using FTPS or SFTP alternatives
Vulnerable code example
import java.io.IOException;
import org.apache.commons.net.ftp.FTPClient;

public void insecureFtpConnection() throws IOException {
    FTPClient ftpClient = new FTPClient();
    // Vulnerable: plain FTP on port 21, so credentials and data cross the network in cleartext and are exposed to sniffing and MitM attacks
    ftpClient.connect("ftp.example.com", 21);
}
✅ Secure code example
import java.io.IOException;
import org.apache.commons.net.ftp.FTPSClient;

public void secureFtpConnection() throws IOException {
    FTPSClient ftpsClient = new FTPSClient(true); // true = implicit FTPS: TLS is negotiated before any FTP command is sent
    ftpsClient.connect("ftp.example.com", 990);   // Port 990 is the standard port for implicit FTPS
    ftpsClient.execPBSZ(0);                        // PBSZ must precede PROT on the control channel
    ftpsClient.execPROT("P");                      // Encrypt the data channel too; without PROT P, file transfers still travel in cleartext
    ftpsClient.enterLocalPassiveMode();            // Safer than active mode for firewalls
}
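The three-step detection strategy above, as an added example that is not Fluid Attacks' own scanner: a small Python line scanner run over constructed copies of the two snippets. It records which variables hold a plain FTPClient (judged by the constructed type, since FTPSClient extends FTPClient) and reports every connect() call on one of them. The regex names, the Finding type and the sample strings are this example's own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Step 1: an FTP client instantiation, e.g. "FTPClient ftpClient = new FTPClient();"
# The constructed type decides: "FTPClient c = new FTPSClient(true)" is still encrypted.
DECL_RE = re.compile(r"\b(?:FTPClient|FTPSClient)\s+(\w+)\s*=\s*new\s+(FTPClient|FTPSClient)\s*\(")
# Step 2: a connect() call on some variable, e.g. "ftpClient.connect("
CONNECT_RE = re.compile(r"\b(\w+)\s*\.\s*connect\s*\(")

@dataclass(frozen=True)
class Finding:
    line: int
    variable: str

def find_unencrypted_ftp(java_source: str) -> list[Finding]:
    """Step 3: report every connect() on a variable that holds a plain FTPClient."""
    plain_ftp_vars: set[str] = set()
    findings: list[Finding] = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop trailing line comments (good enough for a demo)
        for match in DECL_RE.finditer(code):
            name, constructed = match.groups()
            if constructed == "FTPClient":
                plain_ftp_vars.add(name)
            else:
                plain_ftp_vars.discard(name)  # same name declared as an FTPS client elsewhere
        for match in CONNECT_RE.finditer(code):
            if match.group(1) in plain_ftp_vars:
                findings.append(Finding(lineno, match.group(1)))
    return findings

# Constructed samples mirroring the page's two snippets (not real project files).
VULNERABLE_SNIPPET = """\
import org.apache.commons.net.ftp.FTPClient;
public void insecureFtpConnection() throws IOException {
    FTPClient ftpClient = new FTPClient();
    // Vulnerable: plain FTP, credentials and data cross the network in cleartext
    ftpClient.connect("ftp.example.com", 21);
}
"""
SECURE_SNIPPET = """\
import org.apache.commons.net.ftp.FTPSClient;
public void secureFtpConnection() throws IOException {
    FTPClient ftpsClient = new FTPSClient(true); // supertype on the left, FTPS on the right
    ftpsClient.connect("ftp.example.com", 990);
}
"""

if __name__ == "__main__":
    for finding in find_unencrypted_ftp(VULNERABLE_SNIPPET):
        print(f"line {finding.line}: unencrypted FTP connect() on '{finding.variable}'")
    print("secure snippet findings:", find_unencrypted_ftp(SECURE_SNIPPET))
```

A production scanner works on a parsed AST rather than lines; this version deliberately ignores fields, aliases and statements split across lines, so treat it as an illustration of the rule's logic, not a replacement for the real check.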