18 Mar 2021 06:40 AM - last edited on 22 Mar 2021 12:24 AM by Karolina_Linda
Hello,
I have a question about the following scenario:
In an Android app, the following warning is reported when testing it to verify OWASP:
Use of HTTP protocol when HTTPS should be used:
- (HttpURLConnection) url.openConnection() in 'com/dynatrace/android/agent/comm/CommHandler.java'
- (HttpURLConnection) in 'com/dynatrace/android/callback/Callback.java'.
Unfortunately I do not have the agent implementation, and I do not have the Dynatrace reference documentation.
Can someone guide me where to find information related to that java class and the client?
Hello,
We are using ZAP (Zed Attack Proxy) and we also use the ImmuniWeb website.
The two tools report the same vulnerability in the agent and in those Java classes.
Any ideas?
I got some insights into this: from what I see in the Java docs, the HttpURLConnection class only allows you to connect to a given URI and port; you can also use SocketPermission.
I understand why this is detected, but the only data that could travel unencrypted here is the public URL; if the server is properly configured, you could set a redirection to use https.
From what I could find in the Javadocs, HttpURLConnection opens a connection to a given URL. You can use HttpsURLConnection to strengthen this connection, but in fact it is a subclass of the first one; there is no data other than the public URL you're using to connect being transmitted. I understand why the software raises a vulnerability, but I see no risk in this. Also, it's important that the server you're connecting to redirects http requests to https.
Maybe to be OWASP compliant the class needs to be a different one from http, but at the time of writing I don't see that Oracle is going to change this. Maybe if you have a subscription with the software scanner, you can ask them.
docs.oracle.com/javase/8/docs/api/java/net/HttpURLConnection.html
docs.oracle.com/javase/8/docs/api/javax/net/ssl/HttpsURLConnection.html
I leave the links without https:// because the post system reports invalid HTML
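The replies above turn on the fact that HttpsURLConnection is a subclass of HttpURLConnection, so a scanner flagging the declared type cannot tell whether the connection is actually TLS. The following is an added example (not code from this thread and not the Dynatrace agent's code) showing how an app can fail closed: it refuses any URL whose scheme is not https, checks the runtime type of the opened connection, and disables automatic redirect following so that a 3xx to an http:// location cannot silently downgrade the request. The class name `StrictHttpsClient`, the helper names and the hostname `example.invalid` are assumptions made for the example.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

// Added example (hypothetical class, not part of the Dynatrace agent):
// open a connection only when the URL scheme is https, and fail closed otherwise.
public final class StrictHttpsClient {

    private StrictHttpsClient() {}

    /** Returns true only for well-formed URLs whose scheme is https (case-insensitive). */
    public static boolean isHttps(String spec) {
        try {
            return "https".equalsIgnoreCase(new URL(spec).getProtocol());
        } catch (MalformedURLException e) {
            return false;
        }
    }

    /**
     * Opens the connection and returns it typed as HttpsURLConnection.
     * The declared type alone proves nothing (HttpsURLConnection extends
     * HttpURLConnection); the scheme check plus the instanceof check are
     * what guarantee the request will actually travel over TLS.
     */
    public static HttpsURLConnection openStrict(String spec) throws IOException {
        if (!isHttps(spec)) {
            throw new IOException("refusing cleartext URL: " + spec);
        }
        HttpURLConnection conn = (HttpURLConnection) new URL(spec).openConnection();
        if (!(conn instanceof HttpsURLConnection)) {
            conn.disconnect();
            throw new IOException("connection is not TLS: " + conn.getClass().getName());
        }
        // Do not follow redirects automatically: a 3xx pointing at an http://
        // Location would downgrade the connection without the caller noticing.
        conn.setInstanceFollowRedirects(false);
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        return (HttpsURLConnection) conn;
    }

    public static void main(String[] args) {
        // Constructed sample URLs; example.invalid is a placeholder hostname.
        System.out.println("https accepted: " + isHttps("https://example.invalid/api"));
        System.out.println("http accepted:  " + isHttps("http://example.invalid/api"));
        try {
            openStrict("http://example.invalid/api");
            System.out.println("unexpected: cleartext URL was not rejected");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Relying on the server to redirect http to https, as suggested above, still sends the first request (URL, path and any headers) in cleartext, which is why the example rejects the http scheme before any bytes leave the device. On Android the same policy can be enforced app-wide, independent of which library opens the socket, with a network security configuration that sets `cleartextTrafficPermitted="false"`; that is usually the quickest way to make a scanner finding like this one moot for third-party code you cannot edit.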