Java Jdbc Url Ssl Disabled
Description
Detects Spring datasource configurations whose JDBC connection URL explicitly disables SSL/TLS. An unencrypted database connection exposes credentials, queries and result sets to network sniffing and to man-in-the-middle attacks between the application and the database server.
Detection Strategy
• Look for Spring configuration properties whose key contains 'datasource' (for example spring.datasource.url)
• Within the datasource configuration, examine the JDBC connection URL strings
• Check whether the JDBC URL carries a driver parameter that explicitly disables SSL/TLS, such as 'useSSL=false' or 'sslMode=DISABLED' (MySQL Connector/J) or 'encrypt=false' (Microsoft SQL Server)
• Flag any datasource configuration where encryption is disabled as vulnerable
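As an added example (not part of the original page's rule or of its code samples), the following Python scanner applies the detection strategy above to the contents of a Spring application.properties file: it selects keys containing 'datasource', splits the JDBC URL's parameter string in both the '?k=v&k2=v2' (MySQL, PostgreSQL) and ';k=v;k2=v2' (SQL Server) encodings, and reports every parameter that explicitly turns encryption off. It goes one step beyond the page's list by also treating PostgreSQL's sslmode=disable as a disabling parameter. The sample properties text, the hostnames and the Finding type are constructed for this example; parameter matching is deliberately case-insensitive so that an oddly cased UseSSL=FALSE is still caught.

```python
import re
from dataclasses import dataclass

# Parameters that explicitly disable transport encryption.
# useSSL=false and sslMode=DISABLED (MySQL Connector/J) and encrypt=false
# (SQL Server) come from the rule; sslmode=disable (PostgreSQL) is added
# here as an extension of the same pattern.  Keys and values are compared
# lower-cased.
INSECURE_PARAMS = {
    "usessl": {"false"},
    "sslmode": {"disabled", "disable"},
    "encrypt": {"false"},
}


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the properties text
    key: str       # the Spring property key
    param: str     # offending JDBC parameter (lower-cased)
    value: str     # its value as written in the URL


def parse_jdbc_params(url: str) -> dict:
    """Return the connection parameters of a JDBC URL, keys lower-cased.

    MySQL/PostgreSQL URLs carry parameters after '?' separated by '&';
    SQL Server URLs carry them after ';' separated by ';'.
    """
    if "?" in url:
        tail, sep = url.partition("?")[2], "&"
    elif ";" in url:
        tail, sep = url.partition(";")[2], ";"
    else:
        return {}
    params = {}
    for pair in tail.split(sep):
        if "=" in pair:
            k, _, v = pair.partition("=")
            params[k.strip().lower()] = v.strip()
    return params


_PROP_LINE = re.compile(r"([^=:\s]+)\s*[=:]\s*(.*)$")


def scan_properties(text: str) -> list:
    """Scan .properties content for datasource JDBC URLs with TLS disabled."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):   # comments / blanks
            continue
        m = _PROP_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        # Only datasource keys whose value is a JDBC URL are of interest.
        if "datasource" not in key.lower() or not value.lower().startswith("jdbc:"):
            continue
        for param, val in parse_jdbc_params(value).items():
            if val.lower() in INSECURE_PARAMS.get(param, ()):
                findings.append(Finding(line_no, key, param, val))
    return findings


# Constructed sample application.properties (not taken from any real project).
SAMPLE = """\
# constructed sample for the scanner
spring.datasource.url=jdbc:mysql://db.example.internal:3306/app?useSSL=false
spring.datasource.username=app
second.datasource.jdbc-url=jdbc:sqlserver://sql.example.internal;databaseName=app;encrypt=false;
reporting.datasource.url=jdbc:mysql://db.example.internal:3306/rpt?sslMode=DISABLED
audit.datasource.url=jdbc:postgresql://pg.example.internal:5432/audit?sslmode=disable
safe.datasource.url=jdbc:mysql://db.example.internal:3306/app?useSSL=true&requireSSL=true&verifyServerCertificate=true
safe2.datasource.url=jdbc:sqlserver://sql.example.internal;encrypt=true;trustServerCertificate=false;
"""

if __name__ == "__main__":
    for f in scan_properties(SAMPLE):
        print(f"line {f.line_no}: {f.key} disables TLS via {f.param}={f.value}")
```

Note what the rule does not cover: a URL such as 'encrypt=true;trustServerCertificate=true;' or 'useSSL=true' without verifyServerCertificate=true keeps the traffic encrypted, so this check does not flag it, yet the client then accepts any certificate and remains open to an active man-in-the-middle. Certificate validation needs its own check.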
Vulnerable code example
# Database connection configuration with encryption disabled
# Multiple database examples showing insecure connection strings
# SQL Server - encryption disabled
jdbc_url1 = "jdbc:sqlserver://example.com;encrypt=false;" # Vulnerable: SSL encryption explicitly disabled
# MySQL - SSL disabled
jdbc_url2 = "jdbc:mysql://example.com:3306/db?useSSL=false" # Vulnerable: database connection without SSL
Secure code example
# Database connection configuration with encryption enabled
# Multiple database examples showing secure connection strings
# SQL Server - encryption enabled with certificate validation
jdbc_url1 = "jdbc:sqlserver://example.com;encrypt=true;trustServerCertificate=false;" # Secure: forces SSL and validates the server certificate
# MySQL - SSL required and the server certificate verified
jdbc_url2 = "jdbc:mysql://example.com:3306/db?useSSL=true&requireSSL=true&verifyServerCertificate=true" # Secure: enforces SSL; verifyServerCertificate=true is needed for server verification, requireSSL alone does not validate the certificate