Corgea LogoCorgea Security Hub

CWE-5: J2EE Misconfiguration: Data Transmission Without Encryption

Learn about CWE-5 (J2EE Misconfiguration: Data Transmission Without Encryption), its security impact, exploitation methods, and prevention guidelines.

What is J2EE Misconfiguration: Data Transmission Without Encryption?

• Overview: J2EE Misconfiguration: Data Transmission Without Encryption is a vulnerability where data transmitted over a network is not properly encrypted, allowing attackers to potentially read or alter the data during transit.

• Exploitation Methods:

  • Attackers can intercept network traffic to capture sensitive information sent in plaintext.
  • Common attacks include man-in-the-middle (MitM) attacks, packet sniffing, and session hijacking.

• Security Impact:

  • Direct consequences include unauthorized access to confidential data such as credentials or personal information.
  • Potential cascading effects include secondary breaches, where captured data is used to access other systems.
  • Business impact includes loss of customer trust, legal consequences, and financial losses due to data breaches.

• Prevention Guidelines:

  • Specific code-level fixes include implementing HTTPS instead of HTTP for all data transmissions.
  • Security best practices involve using strong encryption protocols such as TLS/SSL for data in transit.
  • Recommended tools and frameworks include employing Java security libraries like Java Secure Socket Extension (JSSE) to enforce encryption.
Corgea can automatically detect and fix J2EE Misconfiguration: Data Transmission Without Encryption in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Java

Affected Technologies: Not specified

Vulnerable Code Example

// Java Example: J2EE application configuration exposing HTTP servlet without encryption

import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;

// This servlet configuration does not enforce HTTPS, leading to data transmission without encryption
@WebServlet("/sensitiveData")
public class SensitiveDataServlet extends HttpServlet {
    // Implementation of data handling, potentially exposing sensitive information
}

Explanation of Vulnerability:

  • Lack of HTTPS Enforcement: The servlet is accessible over HTTP, which means data transmitted between the client and server is not encrypted. This can expose sensitive information to eavesdroppers.
  • No Security Constraints: The configuration does not specify any security constraints to ensure that sensitive data is only transmitted over secure connections.

How to fix J2EE Misconfiguration: Data Transmission Without Encryption?

To address this vulnerability, enforce HTTPS for your web application to ensure all data transmissions are encrypted. This involves:

  1. Configuring the Application Server: Set up your application server to support HTTPS by creating an SSL certificate and configuring server ports for HTTPS connections.

  2. Enforce HTTPS in Application Configuration: Redirect all HTTP traffic to HTTPS through server or application configuration.

  3. Secure Sensitive Endpoints: Use security constraints in your web application deployment descriptor (web.xml) to ensure sensitive servlets are only accessible over HTTPS.

  4. Use Secure Cookies: Set the Secure and HttpOnly flags on cookies to prevent them from being transmitted over non-secure connections.

Fixed Code Example

// Java Example: Fixed configuration enforcing HTTPS for the servlet

import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;

// Enforcing HTTPS by using security constraints in web.xml
@WebServlet("/sensitiveData")
public class SensitiveDataServlet extends HttpServlet {
    // Implementation of data handling with enforced secure transmission
}

// web.xml configuration to enforce HTTPS
/*
<web-app>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secured Resources</web-resource-name>
            <url-pattern>/sensitiveData</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
</web-app>
*/

Explanation of Fixes:

  1. Security Constraint: The web.xml configuration uses a security-constraint to ensure that the /sensitiveData endpoint is accessible only over a secure transport (CONFIDENTIAL), effectively enforcing HTTPS.

  2. SSL Configuration: Although not shown in the code, configure your application server (e.g., Tomcat, WildFly) to support HTTPS by setting up an SSL/TLS certificate and enabling the HTTPS connector.

  3. Redirecting HTTP to HTTPS: Implement server-level redirection from HTTP to HTTPS to ensure even mistakenly accessed HTTP endpoints are redirected securely.

  4. Secure Cookies: Ensure cookies are marked as Secure and HttpOnly to defend against network-based attacks such as session hijacking. This can be configured in the server or application settings.

By implementing these measures, you can protect sensitive data from being transmitted in plain text, significantly reducing the risk of data breaches.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-5: J2EE Misconfiguration: Data Transmission Without Encryption and get remediation guidance

Start for free and no credit card needed.