J2EE Bad Practices: Direct Use of Sockets
Weakness ID: 246 (Weakness Variant) | Status: Draft
Description Summary
Example 1
In the following example, a Socket object is created directly from within the body of a doGet() method in a Java servlet.
The J2EE standard permits the use of sockets only for the purpose of communication with legacy systems when no higher-level protocol is available. Authoring your own communication protocol requires wrestling with difficult security issues, including:

- In-band versus out-of-band signaling
- Compatibility between protocol versions
- Channel security
- Error handling
- Network constraints (firewalls)
- Session management

Without significant scrutiny by a security expert, chances are good that a custom communication protocol will suffer from security problems. Many of the same issues apply to a custom implementation of a standard protocol. While there are usually more resources available that address security concerns related to implementing a standard protocol, these resources are also available to attackers.
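Both shapes of the servlet described in Example 1, as an added illustration that is not part of the CWE entry: a doGet() that opens a Socket directly and speaks a hand-rolled protocol, beside a version that hands the protocol concerns listed above to a standard HTTPS client. The host legacy.internal, the one-line LOOKUP protocol and the class names are assumptions made for this example.

```java
import java.io.*;
import java.net.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;
// Added illustration, not code from the CWE entry. "legacy.internal" and the
// one-line "LOOKUP <id>" protocol are placeholders invented for this example.
public class LookupServlet extends HttpServlet {
    // CWE-246 pattern: a raw Socket and a hand-rolled protocol inside doGet().
    // Framing, escaping, versioning, channel security, timeouts and error
    // handling are all left to this method, and none of them are done here.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String id = req.getParameter("id");                  // unvalidated input
        try (Socket s = new Socket("legacy.internal", 9000); // plaintext channel
             PrintWriter out = new PrintWriter(s.getOutputStream(), true);
             BufferedReader in = new BufferedReader(
                     new InputStreamReader(s.getInputStream()))) {
            out.println("LOOKUP " + id); // in-band signaling: id is never escaped
            resp.getWriter().println(in.readLine()); // no read timeout: a stalled peer pins a container thread
        }
    }
}

// Preferred shape: the same lookup over a standard protocol (HTTPS) with the
// platform client, so TLS, framing, status codes and timeouts come from the
// library instead of from the servlet author.
class SafeLookupServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String raw = req.getParameter("id");
        if (raw == null || !raw.matches("[A-Za-z0-9-]{1,64}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        URL url = new URL("https://legacy.internal/lookup?id="
                + URLEncoder.encode(raw, "UTF-8"));
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setConnectTimeout(2000); // bounded waits on the backend
        c.setReadTimeout(5000);
        if (c.getResponseCode() != HttpURLConnection.HTTP_OK) {
            resp.sendError(HttpServletResponse.SC_BAD_GATEWAY);
            return;
        }
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(c.getInputStream(), "UTF-8"))) {
            resp.getWriter().println(in.readLine());
        }
    }
}
```

Where the backend genuinely offers no higher-level protocol, the first shape is what the J2EE standard tolerates; the list of concerns above is then the review checklist for that socket code.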
| Ordinality | Description |
|---|---|
| Resultant | (where the weakness is typically related to the presence of some other weaknesses) |
| Nature | Type | ID | Name | View(s) this relationship pertains to |
|---|---|---|---|---|
| ChildOf | Weakness Class | 227 | Failure to Fulfill API Contract ('API Abuse') | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700 |
| ChildOf | Weakness Base | 695 | Use of Low-Level Functionality | Research Concepts (primary) 1000 |
| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| 7 Pernicious Kingdoms | | | J2EE Bad Practices: Sockets |
Submissions

| Submission Date | Submitter | Organization | Source |
|---|---|---|---|
| | 7 Pernicious Kingdoms | | Externally Mined |

Modifications

| Modification Date | Modifier | Organization | Source | Modification Comment |
|---|---|---|---|---|
| 2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples |
| 2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
| 2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities |

Previous Entry Names

| Change Date | Previous Entry Name |
|---|---|
| 2008-04-11 | J2EE Bad Practices: Sockets |