Agent implementation in Android app, OWASP test fails.

oskyba
Visitor

Hello,


I have a question about the following scenario:

In an Android app, I get the following warning when testing it against OWASP:


Use of HTTP protocol when HTTPS should be used:
- (HttpURLConnection) url.openConnection() in 'com/dynatrace/android/agent/comm/CommHandler.java'
- (HttpURLConnection) in 'com/dynatrace/android/callback/Callback.java'.


Unfortunately I do not have the agent implementation, and I do not have the Dynatrace reference documentation.


Can someone guide me where to find information related to that java class and the client?


DanielS
Mentor

Which tool are you using to test (i.e. Rapid 7)?

The true delight is in the finding out rather than in the knowing.

Hello,


We are using ZAP (Zed Attack Proxy) and we also use the ImmuniWeb website.

The two tools report the same vulnerability in the agent and in those Java classes.


Any ideas?


I got some insights into this. From what I see in the Java docs, HttpURLConnection only allows you to connect to a given URI and port; you can also use SocketPermission.

I understand why this is detected, but the only data that could travel unencrypted here is the public URL; if the server is properly configured, you could set up a redirection to use HTTPS.

The true delight is in the finding out rather than in the knowing.

DanielS
Mentor

From what I could find in the Javadocs, HttpURLConnection opens a connection to a given URL; you can use HttpsURLConnection to strengthen this connection, but in fact it is a subclass of the first one. There is no data other than the public URL you're using to connect being transmitted. I understand why the software raises a vulnerability, but I see no risk in this. It's also important that the server you're connecting to redirects HTTP requests to HTTPS.


Maybe to be OWASP compliant the class needs to be a different one from HTTP, but at the time of writing I don't see Oracle changing this. Maybe if you have a subscription with the software scanner, you can ask them.

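The practical takeaway from the exchange above, as an added example written for this thread (not code from the Dynatrace agent or from either scanner): rather than relying on the server to redirect http:// to https://, which only happens after the first request, including its full path and query string, has already crossed the wire in cleartext, enforce the scheme on the client. The helper below refuses any URL that is not https, verifies that the runtime actually returned the TLS-capable HttpsURLConnection subclass rather than assuming it, and disables redirect following so a 301/302 cannot steer the connection back to plaintext. The host names and paths are constructed placeholders; `URL.openConnection()` performs no network I/O (the handshake happens on `connect()` or `getInputStream()`), so the demo runs offline.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

/**
 * Added example, not Dynatrace code: a small HTTPS-only connection helper that
 * makes the scheme decision on the client instead of trusting a server redirect.
 */
public final class HttpsOnlyConnector {

    /** Raised when a caller hands us a URL that would go out in cleartext. */
    public static final class CleartextNotAllowedException extends Exception {
        CleartextNotAllowedException(String msg) { super(msg); }
    }

    /**
     * Returns an HttpsURLConnection for the given URL string, or throws.
     * Nothing leaves the device here: openConnection() only builds the object.
     */
    public static HttpsURLConnection open(String spec)
            throws MalformedURLException, CleartextNotAllowedException, IOException {
        URL url = new URL(spec);
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new CleartextNotAllowedException(
                "refusing cleartext scheme '" + url.getProtocol() + "' for host " + url.getHost());
        }
        HttpURLConnection raw = (HttpURLConnection) url.openConnection();
        // For an https URL the runtime returns the TLS-capable subclass; check it
        // explicitly rather than relying on the static type of the variable.
        if (!(raw instanceof HttpsURLConnection)) {
            raw.disconnect();
            throw new CleartextNotAllowedException("runtime returned a non-TLS connection for " + spec);
        }
        HttpsURLConnection conn = (HttpsURLConnection) raw;
        // A redirect to http:// would otherwise be followed transparently.
        conn.setInstanceFollowRedirects(false);
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        return conn;
    }

    /**
     * Alternative policy: rewrite http:// to https:// before opening anything,
     * so the path and query (the "public URL" discussed in the thread) are never
     * sent in the clear. An explicit :80 is dropped so the https default applies;
     * any other explicit port is kept. A URL fragment, if present, is discarded.
     */
    public static String upgradeToHttps(String spec) throws MalformedURLException {
        URL url = new URL(spec);
        if ("https".equalsIgnoreCase(url.getProtocol())) {
            return spec;
        }
        if (!"http".equalsIgnoreCase(url.getProtocol())) {
            throw new MalformedURLException("unsupported scheme: " + url.getProtocol());
        }
        int port = (url.getPort() == 80) ? -1 : url.getPort();
        // getFile() is path plus query string.
        return new URL("https", url.getHost(), port, url.getFile()).toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample endpoints; beacon.example.com is a placeholder host.
        String[] samples = {
            "http://beacon.example.com/mbeacon?type=m&srvid=1",
            "http://beacon.example.com:8080/mbeacon",
            "https://beacon.example.com/mbeacon"
        };
        for (String s : samples) {
            String upgraded = upgradeToHttps(s);
            HttpsURLConnection c = open(upgraded);
            System.out.println(s + " -> " + upgraded
                + " [" + c.getClass().getSimpleName()
                + ", followRedirects=" + c.getInstanceFollowRedirects() + "]");
            c.disconnect();
        }
        // The strict path: a cleartext URL is rejected before any connection exists.
        try {
            open("http://beacon.example.com/mbeacon");
        } catch (CleartextNotAllowedException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

On Android the platform-level counterpart is the network security configuration: with `cleartextTrafficPermitted="false"` (the default since API 28) the runtime throws on any plaintext `HttpURLConnection`, whichever class the code is written against. A static scanner such as ZAP's or ImmuniWeb's finding only reports that the cleartext-capable class is used; a client-side scheme check like the one above, or the platform policy, is what actually enforces the requirement at run time.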



docs.oracle.com/javase/8/docs/api/java/net/HttpURLConnection.html

docs.oracle.com/javase/8/docs/api/javax/net/ssl/HttpsURLConnection.html


I leave the links without https:// because the post system reports invalid HTML.
