Skip to main content

Use of an insecure channel - FTP

Need

Secure transmission of customer information

Context

  • Usage of Scala for building scalable and high-performance applications
  • Usage of java.net.URL for handling URL connections and data retrieval
  • Usage of java.net.URLConnection for establishing network connections and handling HTTP requests
  • Usage of java.io.BufferedReader for reading text from a character-input stream
  • Usage of java.io.InputStreamReader for reading input streams in Java

Description

Non compliant code

import java.net.{URL, URLConnection}
import java.io.{BufferedReader, InputStreamReader}

val url = new URL("ftp://username:[email protected]")
val conn = url.openConnection()
val reader = new BufferedReader(new InputStreamReader(conn.getInputStream))

var line = reader.readLine()
while (line != null) {
  println(line)
  line = reader.readLine()
}
reader.close()

This Scala code is using the standard Java URL and URLConnection classes to connect to an FTP server. The URL includes the username and password in plain text, and the connection is made over FTP, which is an insecure protocol that does not use encryption.

This means that anyone who can intercept the network traffic (for example, on a public Wi-Fi network) can see the username and password, and any data that is transmitted. This is a serious security vulnerability if the data includes sensitive information such as customer details.

The code reads data from the server line by line and prints it out, but the same vulnerability would apply if it was writing data to the server. The BufferedReader and InputStreamReader are also not closed in a finally block or using a try-with-resources statement, which could potentially lead to resource leaks if an exception is thrown.

Steps

  • Replace the insecure FTP protocol with a secure protocol such as SFTP or FTPS.
  • Use a secure connection library or framework that supports secure file transfer protocols.
  • Ensure that the credentials and confidential information are not transmitted in plain text.
  • Implement encryption for the transmission of customer information.
  • Use secure channels such as HTTPS or SSH for transmitting sensitive data.
  • Consider using secure authentication mechanisms such as public key authentication instead of passwords.
  • Regularly update and patch the libraries and frameworks used for secure file transfer.
  • Perform security testing and vulnerability assessments to identify and mitigate any other potential vulnerabilities.

Compliant code

import com.jcraft.jsch.{ChannelSftp, JSch, Session}
import java.io.{BufferedReader, InputStreamReader}
import java.util.Properties

val jsch = new JSch()
val session: Session = jsch.getSession("username", "sftp.example.com")
session.setPassword("password")

val config = new Properties()
config.put("StrictHostKeyChecking", "no")
session.setConfig(config)

session.connect()
val channel = session.openChannel("sftp").asInstanceOf[ChannelSftp]
channel.connect()

val stream = channel.get("/path/to/file")
val reader = new BufferedReader(new InputStreamReader(stream))

var line = reader.readLine()
while (line != null) {
  println(line)
  line = reader.readLine()
}
reader.close()
channel.disconnect()
session.disconnect()

The above code is a secure version of the previous FTP connection. It uses the SFTP protocol instead of FTP, which is a secure file transfer protocol that provides file access, file transfer, and file management functionalities over any reliable data stream. It is implemented as an extension of the SSH protocol.

The code uses the JSch library, which is a pure Java implementation of SSH2 that allows you to connect to an sshd server and use port forwarding, X11 forwarding, file transfer, etc.

The getSession method is used to establish a session with the SFTP server. The setPassword method is used to set the password for the session. The StrictHostKeyChecking property is set to no to automatically add the server's host key to the known hosts list. This is not recommended for production environments as it may leave the application vulnerable to man-in-the-middle attacks. In a production environment, the server's host key should be manually added to the known hosts list.

The openChannel method is used to open an SFTP channel to the server. The get method is used to retrieve a file from the server. The file is read line by line and printed to the console.

Finally, the reader, channel, and session are closed to free up resources.

References

Last updated on