CWE-246 J2EE不安全实践:对套接字的直接使用
J2EE Bad Practices: Direct Use of Sockets
结构: Simple
Abstraction: Variant
状态: Draft
被利用可能性: unkown
基本描述
The J2EE application directly uses sockets instead of using framework method calls.
扩展描述
The J2EE standard permits the use of sockets only for the purpose of communication with legacy systems when no higher-level protocol is available. Authoring your own communication protocol requires wrestling with difficult security issues.
Without significant scrutiny by a security expert, chances are good that a custom communication protocol will suffer from security problems. Many of the same issues apply to a custom implementation of a standard protocol. While there are usually more resources available that address security concerns related to implementing a standard protocol, these resources are also available to attackers.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 695 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 695 cwe_View_ID: 699 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Other | Quality Degradation |
可能的缓解方案
Architecture and Design
策略:
Use framework method calls instead of using sockets directly.
示例代码
例
The following example opens a socket to connect to a remote server.
bad Java
// Perform servlet tasks.
...
// Open a socket to a remote server (bad).
Socket sock = null;
try {
// Do something with the socket.
...
} catch (Exception e) {
}
}
A Socket object is created directly within the Java servlet, which is a dangerous way to manage remote connections.
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| 7 Pernicious Kingdoms | J2EE Bad Practices: Sockets | ||
| Software Fault Patterns | SFP3 | Use of an improper API |
文章来源于互联网:scap中文网
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论