
Using clear-text protocols is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Using {protocol.insecure} protocol is insecure. Use {protocol.alternatives} instead
      Make sure STARTTLS is used to upgrade to a secure connection using SSL/TLS.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      APEX, C#, Java, JavaScript, Kotlin, Objective-C, PHP, Ruby, Scala, Swift
    • Covered Languages:
      Python
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-200, CWE-319
    • OWASP:
      A3

      Description

      Clear-text protocols such as ftp, telnet or non-secure http lack encryption of the transported data. They also lack the capability to build an authenticated connection. This means that any attacker who can sniff traffic on the network can read, modify or corrupt the transported content. These protocols are not secure because they expose applications to a wide range of risks:

      • Sensitive data exposure
      • Traffic redirected to a malicious endpoint
      • Malware infected software update or installer
      • Execution of client side code
      • Corruption of critical information

      Note also that the http protocol is being deprecated by major web browsers.

      In the past, it has led to the following vulnerabilities:

      Recommended Secure Coding Practices

      • Use ssh as an alternative to telnet
      • Use sftp, scp or ftps instead of ftp
      • Use https instead of http
      • Use SMTP over SSL/TLS or SMTP with STARTTLS instead of clear-text SMTP

      It is recommended to secure all transport channels (even on local networks), as a single non-secure connection can be enough to compromise an entire application or system.

      Exceptions

      No issue is reported for the following cases because they are not considered sensitive:

      • Insecure protocol scheme followed by loopback addresses like 127.0.0.1 or localhost
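      As an added illustration (this is not SonarSource's implementation of the rule), the Python function below applies the rule's logic to URL strings: it flags the clear-text schemes listed above, fills in the rule's message template with the recommended alternatives, and honours the loopback exception. The ALTERNATIVES table, the helper names and the sample URLs are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed mapping: clear-text scheme -> alternatives named in the recommendations.
ALTERNATIVES = {
    "http": "https",
    "ftp": "sftp, scp or ftps",
    "telnet": "ssh",
    "smtp": "SMTP over SSL/TLS or SMTP with STARTTLS",
}


def is_loopback(host):
    """True only for 'localhost' or a literal loopback IP (127.0.0.0/8, ::1)."""
    if not host:
        return False
    if host.lower() == "localhost":
        return True
    try:
        # ip_address() rejects names such as "127.0.0.1.example.com",
        # so a host that merely starts with a loopback literal is not exempt.
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_url(url):
    """Return the rule message for a clear-text URL, or None if it is not flagged."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALTERNATIVES:
        return None  # https, sftp, ssh, ... or no scheme at all
    if is_loopback(parts.hostname):  # hostname strips brackets around IPv6 literals
        return None  # the rule's documented exception
    return f"Using {scheme} protocol is insecure. Use {ALTERNATIVES[scheme]} instead"


def scan(urls):
    """Return (url, message) pairs for every URL the rule would flag."""
    findings = []
    for url in urls:
        message = check_url(url)
        if message is not None:
            findings.append((url, message))
    return findings


# Constructed sample input: a mix of flagged, exempt and already-secure URLs.
SAMPLE_URLS = [
    "http://example.com/login",          # flagged
    "ftp://ftp.example.com/pub/setup",   # flagged
    "http://127.0.0.1.example.com/",     # flagged: not a real loopback address
    "http://127.0.0.1:8080/health",      # exempt: loopback
    "http://[::1]/metrics",              # exempt: IPv6 loopback
    "http://localhost/api",              # exempt: localhost
    "https://example.com/login",         # secure
]

if __name__ == "__main__":
    for url, message in scan(SAMPLE_URLS):
        print(f"{url}: {message}")
```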

      See

              People

              • Assignee:
                Unassigned
                Reporter:
                nicolas.harraudeau Nicolas Harraudeau