Usage of insecure websocket connection

Description

Your application is at risk when it connects to APIs over insecure websocket connections (the ws:// scheme). Data transmitted over such connections can be intercepted or tampered with by attackers on the network path. Ensure that every websocket connection in your application uses SSL/TLS (the wss:// scheme) to encrypt data in transit, safeguarding it from unauthorized access.

Remediations

  • Do not initiate websocket connections without SSL. Such connections are vulnerable to interception and compromise.
    const client = new WebSocket('ws://insecure-api.com'); // unsafe
  • Do ensure all websocket connections are secured with SSL. This encrypts the data transmitted, protecting it from eavesdroppers and tampering.
    const client = new WebSocket('wss://secure-api.com');
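The following is an added example, not part of this rule page or of Bearer's own code: a runtime guard that rejects ws:// URLs before a WebSocket is created, and a small line scanner that mimics what this rule flags statically. It assumes a Node.js or browser environment with the WHATWG URL class; the hypothetical default base URL and the sample source lines are constructed.

```javascript
// Return a normalized wss:// URL string, or throw when the URL would use
// the insecure ws:// scheme (or is not a websocket URL at all).
// Relative inputs are resolved against `base` (constructed default,
// assumed to stand in for the page origin in a real application).
function requireSecureWebSocketUrl(input, base = 'https://example.invalid/') {
  const url = new URL(input, base);
  if (url.protocol === 'wss:') return url.href;
  if (url.protocol === 'ws:') {
    throw new Error(`insecure websocket URL rejected: ${url.href}`);
  }
  throw new Error(`not a websocket URL: ${url.href}`);
}

// Pattern for `new WebSocket('ws://...')` with a single-, double- or
// backtick-quoted literal; wss:// does not match because the scheme must
// be exactly "ws:" right after the opening quote.
const INSECURE_WS_RE = /new\s+WebSocket\s*\(\s*(['"`])(ws:\/\/[^'"`]*)\1/g;

// Scan JavaScript source text line by line and return one finding
// ({ line, url }) per insecure WebSocket construction, 1-based line numbers.
function findInsecureWebSocketUrls(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const m of text.matchAll(INSECURE_WS_RE)) {
      findings.push({ line: idx + 1, url: m[2] });
    }
  });
  return findings;
}

// Constructed sample source mirroring the unsafe and safe examples above.
const SAMPLE_SOURCE = [
  "const client = new WebSocket('ws://insecure-api.com'); // unsafe",
  "const client2 = new WebSocket('wss://secure-api.com');",
  'const client3 = new WebSocket("ws://localhost:8080/feed");',
].join('\n');

// Lines 1 and 3 are reported; line 2 (wss://) is not.
console.log(findInsecureWebSocketUrls(SAMPLE_SOURCE));
console.log(requireSecureWebSocketUrl('wss://secure-api.com'));
```

Wrapping the URL check in a helper like this means a ws:// endpoint fails fast at the call site instead of silently sending traffic in the clear.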

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_websocket_insecure

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_websocket_insecure