Usage of insecure websocket connection

Overview

• Rule ID: javascript_lang_websocket_insecure

• Applicable Languages: Javascript

• Weakness ID: CWE-319

Description

Your application is vulnerable when connecting to APIs via insecure websocket connections. This risk arises because data transmitted over these connections can be intercepted or altered by attackers. Make sure all websocket connections in your application use SSL to encrypt data in transit, protecting it from unauthorized access.

Remediation Guidelines

• Avoid starting websocket connections without SSL, as these connections are susceptible to interception and compromise.

  Copy

  const client = new WebSocket('ws://insecure-api.com'); // insecure

• Ensure that all websocket connections are secured with SSL. This encrypts the transmitted data, safeguarding it from eavesdropping and tampering.

  Copy

  const client = new WebSocket('wss://secure-api.com');
  

References

• OWASP insecure transport

• CWE-319: Cleartext Transmission of Sensitive Information

• OWASP Top 10: A02:2021 - Cryptographic Failures

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL