Fluid Attacks Database

Description

Detects the use of insecure FTP client implementations that transmit data in plaintext without TLS encryption. This vulnerability could allow attackers to intercept sensitive data through network sniffing since FTP transfers credentials and data without encryption.

Weakness:

148 - Use of an insecure channel - FTP

Category: Information Collection

Detection Strategy

• Identifies direct usage or instantiation of FTP clients in C# code

• Specifically detects when 'FtpClient' class is used without secure configuration

• Reports a vulnerability when FTP connections are created without TLS/encryption settings

Vulnerable code example

using System.Net;
using System.Net.FtpClient;

public class FtpConnection {
    public void Connect() {
        var client = new FtpClient();
        client.Host = "localhost";
        client.Credentials = new NetworkCredential("ftptest", "ftptest"); // Vulnerable: Hardcoded credentials expose sensitive data...

✅ Secure code example

using System.Net;
using System.Net.FtpClient;
using System.Configuration;

public class FtpConnection : IDisposable
{
    private readonly FtpClient _client;
...

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.