ABSTRACT

Socket-based communication in web applications is prone to error.

EXPLANATION

The J2EE standard permits the use of sockets only for the purpose of communication with legacy systems when no higher-level protocol is available. Authoring your own communication protocol requires wrestling with difficult security issues, including:

- In-band versus out-of-band signaling

- Compatibility between protocol versions

- Channel security

- Error handling

- Network constraints (firewalls)

- Session management

Without significant scrutiny by a security expert, chances are good that a custom communication protocol will suffer from security problems.

Many of the same issues apply to a custom implementation of a standard protocol. While there are usually more resources available that address security concerns related to implementing a standard protocol, these resources are also available to attackers.
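As an added illustration (not code from the original page), the class below contrasts a hand-rolled, newline-delimited request over a raw socket with the same lookup made over a standard protocol, for the case where the back-end system does offer HTTPS. The `LegacyClient` class, the `LOOKUP` command and the `/lookup` endpoint are assumed placeholders; the comments map each weakness back to the list above.

```java
import java.io.*;
import java.net.*;
import javax.net.ssl.HttpsURLConnection;

public class LegacyClient {

    // BAD: a home-grown, newline-delimited request over a raw socket.
    // Every item from the list above becomes the caller's problem:
    //  - in-band signaling: a '\n' inside 'account' ends the message early
    //  - no protocol version, so either side may silently misparse
    //  - plaintext channel, no peer authentication
    //  - readLine() returns null on EOF and blocks forever without a timeout
    //  - no session: each call re-identifies the user by a bare string
    public static String lookupRaw(String host, int port, String account) throws IOException {
        try (Socket s = new Socket(host, port);
             PrintWriter out = new PrintWriter(s.getOutputStream(), true);
             BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()))) {
            out.println("LOOKUP " + account);   // ad-hoc framing, no escaping
            return in.readLine();                // may be null; no error signaling
        }
    }

    // BETTER: the same call over HTTPS. Framing, versioning, channel security,
    // status codes and timeouts are handled by the standard protocol and the platform.
    public static String lookupHttps(String baseUrl, String account) throws IOException {
        String encoded = URLEncoder.encode(account, "UTF-8");   // data is escaped, not signaled in-band
        URL url = new URL(baseUrl + "/lookup?account=" + encoded);
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setConnectTimeout(5000);
        c.setReadTimeout(5000);
        int status = c.getResponseCode();       // explicit, standardized error handling
        if (status != HttpURLConnection.HTTP_OK) {
            throw new IOException("lookup failed with HTTP " + status);
        }
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(c.getInputStream(), "UTF-8"))) {
            return in.readLine();
        }
    }
}
```

Where no higher-level protocol exists on the legacy side, the raw-socket form is what the standard tolerates, and each commented gap then has to be closed by hand and reviewed.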

REFERENCES

[1] Standards Mapping - Common Weakness Enumeration (CWE) - CWE ID 246

[2] Java 2 Platform Enterprise Edition Specification, v1.4, Sun Microsystems