Rules Repository: RSPEC-5332

Using clear-text protocols is security-sensitive


    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Using {protocol.insecure} protocol is insecure. Use {protocol.alternatives} instead
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      APEX, Kotlin, Ruby, Scala, Swift
    • Covered Languages:
      C#, C, C++, Java, JavaScript, Objective-C, PHP, Python
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-200, CWE-319
    • OWASP:
      A3

      Description

      Clear-text protocols such as ftp, telnet or non-secure http lack encryption of the transported data. They also lack the capability to build an authenticated connection. This means that any attacker who can sniff traffic from the network can read, modify or corrupt the transported content. These protocols are not secure, as they expose applications to a large range of risks:

      • Sensitive data exposure
      • Traffic redirected to a malicious endpoint
      • Malware infected software update or installer
      • Execution of client side code
      • Corruption of critical information

      Note also that the http protocol is being deprecated by major web browsers.

      In the past, it has led to the following vulnerabilities:

      Ask Yourself Whether

      • The confidentiality and integrity of the data are necessary in the context of the web application.
      • The data is exchanged on an exposed network (Internet, public network, etc.).

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • Use ssh as an alternative to telnet
      • Use sftp, scp or ftps instead of ftp
      • Use https instead of http
      • Use SMTP over SSL/TLS or SMTP with STARTTLS instead of clear-text SMTP

      It is recommended to secure all transport channels (even local networks), as it can take a single non-secure connection to compromise an entire application or system.

      Exceptions

      No issue is reported for the following cases because they are not considered sensitive:

      • Insecure protocol scheme followed by loopback addresses like 127.0.0.1 or localhost
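      As an added example (not SonarSource's implementation of this rule), the following Python sketch applies the detection described above to source text: it flags URL literals using the clear-text schemes listed under Recommended Secure Coding Practices, reports the rule's message with the recommended alternative, and applies the loopback exception. The regex, function names and sample source are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Clear-text schemes and the alternatives the rule recommends (taken from the rule text).
INSECURE_ALTERNATIVES = {
    "http": "https",
    "ftp": "sftp, scp or ftps",
    "telnet": "ssh",
    "smtp": "SMTP over SSL/TLS or SMTP with STARTTLS",
}
# Assumed URL-literal pattern: scheme, "://", then anything up to whitespace or a quote.
URL_RE = re.compile(r"\b(?:https?|ftp|telnet|smtp)://[^\s\"'<>]+", re.IGNORECASE)

def is_loopback(host):
    """Rule exception: loopback addresses such as 127.0.0.1, ::1 or localhost."""
    if not host:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname rather than an IP literal
        return False

def check_url(url):
    """Return the hotspot message for url, or None when the rule raises no issue."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    alternatives = INSECURE_ALTERNATIVES.get(scheme)
    if alternatives is None or is_loopback(parts.hostname):
        return None
    return f"Using {scheme} protocol is insecure. Use {alternatives} instead"

def find_hotspots(source):
    """Scan source text line by line; return (line_no, url, message) per hotspot."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            message = check_url(match.group(0))
            if message:
                hits.append((line_no, match.group(0), message))
    return hits

# Constructed sample source: only lines 2 and 3 should be reported.
SAMPLE_SOURCE = """\
ENDPOINTS = ["https://api.example.com/v1", "http://localhost:3000/"]
LEGACY_URL = "http://api.example.com/v1"
MIRROR = "ftp://files.example.com/pub"
"""
```

      Calling find_hotspots(SAMPLE_SOURCE) returns the two hotspots on lines 2 and 3 with their messages; the https literal and the localhost literal on line 1 produce nothing.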

      See


          Issue Links

          1. Apex RSPEC-5333 Language-Specification Active Unassigned
          2. Python RSPEC-5448 Language-Specification Active Unassigned
          3. C-Family RSPEC-5892 Language-Specification Active Unassigned
          4. C# RSPEC-6060 Language-Specification Active Unassigned
          5. VB.NET RSPEC-6065 Language-Specification Active Unassigned
          6. PHP RSPEC-6071 Language-Specification Active Unassigned
          7. Javascript RSPEC-6093 Language-Specification Active Unassigned
          8. Java RSPEC-6123 Language-Specification Active Unassigned
          9. Kotlin RSPEC-6237 Language-Specification Active Unassigned

              People

              Assignee: Unassigned
              Reporter: Nicolas Harraudeau (nicolas.harraudeau, Inactive)
              Votes: 0
              Watchers: 0
