Java stdlib
disallow-old-tls-versions1
disallow-old-tls-versions1
Detects direct creations of SSLConnectionSocketFactories that don’t disallow SSL v2, SSL v3, and TLS v1. SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- C
- W
- E
- -
- 3
- 1
- 9
- :
-
- C
- l
- e
- a
- r
- t
- e
- x
- t
-
- T
- r
- a
- n
- s
- m
- i
- s
- s
- i
- o
- n
-
- o
- f
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- I
- n
- f
- o
- r
- m
- a
- t
- i
- o
- n
OWASP:
- A
- 0
- 3
- :
- 2
- 0
- 1
- 7
-
- -
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- D
- a
- t
- a
-
- E
- x
- p
- o
- s
- u
- r
- e
ftp-request
ftp-request
Checks for outgoing connections to ftp servers. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- C
- W
- E
- -
- 3
- 1
- 9
- :
-
- C
- l
- e
- a
- r
- t
- e
- x
- t
-
- T
- r
- a
- n
- s
- m
- i
- s
- s
- i
- o
- n
-
- o
- f
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- I
- n
- f
- o
- r
- m
- a
- t
- i
- o
- n
OWASP:
- A
- 0
- 3
- :
- 2
- 0
- 1
- 7
-
- -
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- D
- a
- t
- a
-
- E
- x
- p
- o
- s
- u
- r
- e
unirest-http-request
unirest-http-request
Checks for requests sent via Unirest to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- C
- W
- E
- -
- 3
- 1
- 9
- :
-
- C
- l
- e
- a
- r
- t
- e
- x
- t
-
- T
- r
- a
- n
- s
- m
- i
- s
- s
- i
- o
- n
-
- o
- f
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- I
- n
- f
- o
- r
- m
- a
- t
- i
- o
- n
OWASP:
- A
- 0
- 3
- :
- 2
- 0
- 1
- 7
-
- -
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- D
- a
- t
- a
-
- E
- x
- p
- o
- s
- u
- r
- e
httpurlconnection-http-request
httpurlconnection-http-request
Detected an HTTP request sent via HttpURLConnection. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- C
- W
- E
- -
- 3
- 1
- 9
- :
-
- C
- l
- e
- a
- r
- t
- e
- x
- t
-
- T
- r
- a
- n
- s
- m
- i
- s
- s
- i
- o
- n
-
- o
- f
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- I
- n
- f
- o
- r
- m
- a
- t
- i
- o
- n
OWASP:
- A
- 0
- 3
- :
- 2
- 0
- 1
- 7
-
- -
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- D
- a
- t
- a
-
- E
- x
- p
- o
- s
- u
- r
- e
tls-renegotiation
tls-renegotiation
Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- C
- W
- E
- -
- 3
- 1
- 9
- :
-
- C
- l
- e
- a
- r
- t
- e
- x
- t
-
- T
- r
- a
- n
- s
- m
- i
- s
- s
- i
- o
- n
-
- o
- f
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- I
- n
- f
- o
- r
- m
- a
- t
- i
- o
- n
OWASP:
- A
- 0
- 3
- :
- 2
- 0
- 1
- 7
-
- -
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- D
- a
- t
- a
-
- E
- x
- p
- o
- s
- u
- r
- e
socket-request
socket-request
Insecure transport rules to catch socket connections to http, telnet, and ftp servers. This is dangerous because these are protocols that do not encrypt traffic.
Likelihood: MEDIUM
Confidence: LOW
CWE:
- C
- W
- E
- -
- 3
- 1
- 9
- :
-
- C
- l
- e
- a
- r
- t
- e
- x
- t
-
- T
- r
- a
- n
- s
- m
- i
- s
- s
- i
- o
- n
-
- o
- f
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- I
- n
- f
- o
- r
- m
- a
- t
- i
- o
- n
OWASP:
- A
- 0
- 3
- :
- 2
- 0
- 1
- 7
-
- -
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- D
- a
- t
- a
-
- E
- x
- p
- o
- s
- u
- r
- e
http-components-request
http-components-request
Checks for requests sent via Apache HTTP Components to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- C
- W
- E
- -
- 3
- 1
- 9
- :
-
- C
- l
- e
- a
- r
- t
- e
- x
- t
-
- T
- r
- a
- n
- s
- m
- i
- s
- s
- i
- o
- n
-
- o
- f
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- I
- n
- f
- o
- r
- m
- a
- t
- i
- o
- n
OWASP:
- A
- 0
- 3
- :
- 2
- 0
- 1
- 7
-
- -
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- D
- a
- t
- a
-
- E
- x
- p
- o
- s
- u
- r
- e
disallow-old-tls-versions2
disallow-old-tls-versions2
Detects setting client protocols to insecure versions of TLS and SSL. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- C
- W
- E
- -
- 3
- 1
- 9
- :
-
- C
- l
- e
- a
- r
- t
- e
- x
- t
-
- T
- r
- a
- n
- s
- m
- i
- s
- s
- i
- o
- n
-
- o
- f
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- I
- n
- f
- o
- r
- m
- a
- t
- i
- o
- n
OWASP:
- A
- 0
- 3
- :
- 2
- 0
- 1
- 7
-
- -
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- D
- a
- t
- a
-
- E
- x
- p
- o
- s
- u
- r
- e
telnet-request
telnet-request
Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- C
- W
- E
- -
- 3
- 1
- 9
- :
-
- C
- l
- e
- a
- r
- t
- e
- x
- t
-
- T
- r
- a
- n
- s
- m
- i
- s
- s
- i
- o
- n
-
- o
- f
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- I
- n
- f
- o
- r
- m
- a
- t
- i
- o
- n
OWASP:
- A
- 0
- 3
- :
- 2
- 0
- 1
- 7
-
- -
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- D
- a
- t
- a
-
- E
- x
- p
- o
- s
- u
- r
- e
bypass-tls-verification
bypass-tls-verification
Checks for redefinitions of the checkServerTrusted function in the X509TrustManager class that disables TLS/SSL certificate verification. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- C
- W
- E
- -
- 3
- 1
- 9
- :
-
- C
- l
- e
- a
- r
- t
- e
- x
- t
-
- T
- r
- a
- n
- s
- m
- i
- s
- s
- i
- o
- n
-
- o
- f
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- I
- n
- f
- o
- r
- m
- a
- t
- i
- o
- n
OWASP:
- A
- 0
- 3
- :
- 2
- 0
- 1
- 7
-
- -
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- D
- a
- t
- a
-
- E
- x
- p
- o
- s
- u
- r
- e
httpclient-http-request
httpclient-http-request
Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- C
- W
- E
- -
- 3
- 1
- 9
- :
-
- C
- l
- e
- a
- r
- t
- e
- x
- t
-
- T
- r
- a
- n
- s
- m
- i
- s
- s
- i
- o
- n
-
- o
- f
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- I
- n
- f
- o
- r
- m
- a
- t
- i
- o
- n
OWASP:
- A
- 0
- 3
- :
- 2
- 0
- 1
- 7
-
- -
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- D
- a
- t
- a
-
- E
- x
- p
- o
- s
- u
- r
- e
httpget-http-request
httpget-http-request
Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- C
- W
- E
- -
- 3
- 1
- 9
- :
-
- C
- l
- e
- a
- r
- t
- e
- x
- t
-
- T
- r
- a
- n
- s
- m
- i
- s
- s
- i
- o
- n
-
- o
- f
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- I
- n
- f
- o
- r
- m
- a
- t
- i
- o
- n
OWASP:
- A
- 0
- 3
- :
- 2
- 0
- 1
- 7
-
- -
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- D
- a
- t
- a
-
- E
- x
- p
- o
- s
- u
- r
- e