CWE-246 J2EE不安全实践：对套接字的直接使用

J2EE Bad Practices: Direct Use of Sockets

结构: Simple

Abstraction: Variant

状态: Draft

被利用可能性: unkown

基本描述

The J2EE application directly uses sockets instead of using framework method calls.

扩展描述

The J2EE standard permits the use of sockets only for the purpose of communication with legacy systems when no higher-level protocol is available. Authoring your own communication protocol requires wrestling with difficult security issues.

Without significant scrutiny by a security expert, chances are good that a custom communication protocol will suffer from security problems. Many of the same issues apply to a custom implementation of a standard protocol. While there are usually more resources available that address security concerns related to implementing a standard protocol, these resources are also available to attackers.

相关缺陷

• cwe_Nature: ChildOf cwe_CWE_ID: 695 cwe_View_ID: 1000 cwe_Ordinal: Primary

• cwe_Nature: ChildOf cwe_CWE_ID: 695 cwe_View_ID: 699 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}

常见的影响

可能的缓解方案

Architecture and Design

策略:

Use framework method calls instead of using sockets directly.

示例代码

例

The following example opens a socket to connect to a remote server.

bad Java

A Socket object is created directly within the Java servlet, which is a dangerous way to manage remote connections.

分类映射