Usage of insecure websocket connection

• Rule ID: php_lang_websocket_insecure
• Languages: php
• Source: websocket_insecure.yml

Description

Using insecure websocket connections can compromise data security. This vulnerability arises when applications connect to APIs without SSL, making the data susceptible to interception and manipulation.

Remediations

• Do not use unsecured websocket connections. These connections lack encryption, putting data at risk.

  $client = new Client('ws://insecure-api.com') // unsafe

• Do ensure all websocket connections are secured with SSL. This encrypts the data, protecting it from unauthorized access.

  $client = new Client('wss://secure-api.com')

References

• OWASP insecure transport

Associated CWE

• CWE-319: Cleartext Transmission of Sensitive Information

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_websocket_insecure

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_websocket_insecure