Usage of insecure websocket connection

Description

Using an insecure WebSocket connection exposes data to interception and manipulation. This vulnerability occurs when a WebSocket connection is opened over the plaintext ws:// scheme instead of wss://, so the connection is not encrypted with SSL/TLS and the confidentiality and integrity of the transmitted data are at risk.

Remediations

  • Do not initiate WebSocket connections without SSL/TLS (the ws:// scheme). This sends data in cleartext and compromises the security of data in transit.
    require 'faye/websocket'
    client = Faye::WebSocket::Client.new('ws://insecure-api.com') # unsafe: plaintext ws://
  • Do ensure all WebSocket connections are made over SSL/TLS (the wss:// scheme) to protect data during transmission.
    require 'faye/websocket'
    client = Faye::WebSocket::Client.new('wss://secure-api.com') # safe: encrypted wss://
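As an added example (not part of the Bearer rule page or the faye-websocket gem), the following Ruby shows the two defender-side controls this rule implies: a guard that refuses any WebSocket URL whose scheme is not wss:// before a client is ever constructed, and a small source scanner that flags ws:// literals passed to `WebSocket::Client.new`, mirroring what the rule detects. The sample source it scans is constructed for the example.

```ruby
require 'uri'

# Only TLS-protected WebSocket endpoints are acceptable.
SECURE_WS_SCHEMES = %w[wss].freeze

# Returns +url+ unchanged when it uses wss://, otherwise raises.
# Wrap every Faye::WebSocket::Client.new call with this so a plaintext
# endpoint fails fast at startup instead of silently leaking traffic.
def ensure_wss!(url)
  uri = URI.parse(url)
  unless SECURE_WS_SCHEMES.include?(uri.scheme&.downcase)
    raise ArgumentError, "refusing insecure WebSocket URL #{url.inspect}: scheme must be wss://"
  end
  url
rescue URI::InvalidURIError => e
  raise ArgumentError, "invalid WebSocket URL #{url.inspect}: #{e.message}"
end

# Reviewer-side check: a string literal starting with ws:// handed directly
# to a WebSocket client constructor. 'ws:' does not match 'wss:', so secure
# URLs are never flagged.
INSECURE_WS_CALL = %r{WebSocket::Client\.new\(\s*['"](ws://[^'"]*)['"]}

# Returns [[line_number, url], ...] for every offending call in +source+.
def insecure_websocket_urls(source)
  source.each_line.with_index(1).filter_map do |line, lineno|
    m = INSECURE_WS_CALL.match(line)
    [lineno, m[1]] if m
  end
end

# Constructed sample source (hypothetical hosts) to exercise the scanner.
SAMPLE_SOURCE = <<~RUBY
  client = Faye::WebSocket::Client.new('ws://insecure-api.com')   # flagged
  client = Faye::WebSocket::Client.new('wss://secure-api.com')    # allowed
  feed   = Faye::WebSocket::Client.new("ws://feed.example.test/stream", [], ping: 30)
RUBY

if __FILE__ == $PROGRAM_NAME
  insecure_websocket_urls(SAMPLE_SOURCE).each do |lineno, url|
    puts "line #{lineno}: insecure WebSocket URL #{url}"
  end
  puts ensure_wss!('wss://secure-api.com')
end
```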

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_websocket_insecure

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_lang_websocket_insecure