CWE-246: J2EE Bad Practices: Direct Use of Sockets

Description

The J2EE application directly uses sockets instead of using framework method calls.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE

Extended Description

The J2EE standard permits the use of sockets only for the purpose of communication with legacy systems when no higher-level protocol is available. Authoring your own communication protocol requires wrestling with difficult security issues.

Without significant scrutiny by a security expert, chances are good that a custom communication protocol will suffer from security problems. Many of the same issues apply to a custom implementation of a standard protocol. While there are usually more resources available that address security concerns related to implementing a standard protocol, these resources are also available to attackers.

Example Vulnerable Codes

Example - 1

The following example opens a socket to connect to a remote server.


// // Perform servlet tasks.// 
// // Open a socket to a remote server (bad).// 

// // Do something with the socket.// 
sock = new Socket(remoteHostname, 3000);.........Socket sock = null;try {} catch (Exception e) {}public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {}

A Socket object is created directly within the Java servlet, which is a dangerous way to manage remote connections.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-695: Use of Low-Level Functionality

Go to

Visit http://cwe.mitre.org/ for more details.