Dart Postgres Ssl Verification Bypass
Description
This detector identifies PostgreSQL database connections in Dart applications that bypass SSL certificate verification. When certificate verification is disabled, the client accepts whatever certificate the server presents, so an attacker positioned between the application and the database can present a forged certificate and intercept, read, or modify database traffic (a man-in-the-middle attack).
Detection Strategy
• The detector triggers when the 'package:postgres/postgres.dart' library is imported in the Dart code
• It looks for calls to the ConnectionSettings constructor used to configure PostgreSQL database connections
• A vulnerability is reported when any argument passed to ConnectionSettings selects an SSL mode that disables certificate verification
Vulnerable code example
    import 'package:postgres/postgres.dart';

    Future<void> unsafeConnection() async {
      final endpoint = Endpoint(host: 'db.example.com', database: 'app');
      await Connection.open(
        endpoint,
        // Vulnerable: encrypts the channel but does not verify the server certificate
        settings: ConnectionSettings(sslMode: SslMode.require),
      );
    }

✅ Secure code example
    import 'package:postgres/postgres.dart';

    Future<void> safeConnection() async {
      final endpoint = Endpoint(host: 'db.example.com', database: 'app');
      await Connection.open(
        endpoint,
        // Safe: full certificate verification, including hostname matching
        settings: ConnectionSettings(sslMode: SslMode.verifyFull),
      );
    }
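The detection strategy above, written out as a small Python scanner (an added example, not Fluid Attacks' detector): it requires the package:postgres import, locates ConnectionSettings argument lists, and flags the SslMode values that skip certificate verification. The sample input is constructed from the page's snippets; SslMode.disable is included as the other verification-free value of the package's SslMode enum, which the page's examples do not show.

```python
import re

# Import the detector requires before it inspects anything else.
POSTGRES_IMPORT = re.compile(r"""import\s+['"]package:postgres/postgres\.dart['"]""")
# ConnectionSettings(...) argument list, allowing one level of nested parentheses.
SETTINGS_CALL = re.compile(r"ConnectionSettings\s*\(((?:[^()]|\([^()]*\))*)\)")
# SslMode values in package:postgres v3 that do not verify the server certificate;
# the page's example shows require, disable turns TLS off altogether.
UNSAFE_MODES = ("SslMode.disable", "SslMode.require")


def strip_line_comments(source: str) -> str:
    """Blank out `// ...` comments line by line so line numbers are preserved."""
    return "\n".join(re.sub(r"//.*", "", line) for line in source.split("\n"))


def find_unsafe_ssl_modes(dart_source: str) -> list[tuple[int, str]]:
    """Return (line, mode) for each ConnectionSettings call whose arguments
    select an SslMode without certificate verification. Files that do not
    import package:postgres are skipped, as the detection strategy requires."""
    if not POSTGRES_IMPORT.search(dart_source):
        return []
    code = strip_line_comments(dart_source)
    findings = []
    for call in SETTINGS_CALL.finditer(code):
        line = code.count("\n", 0, call.start()) + 1
        for mode in UNSAFE_MODES:
            if mode in call.group(1):
                findings.append((line, mode))
    return findings


# Constructed sample input: the page's vulnerable snippet; SAFE swaps in verifyFull.
VULNERABLE = """import 'package:postgres/postgres.dart';
Future<void> unsafeConnection() async {
  final endpoint = Endpoint(host: 'db.example.com', database: 'app');
  await Connection.open(
    endpoint,
    settings: ConnectionSettings(sslMode: SslMode.require), // Vulnerable
  );
}
"""
SAFE = VULNERABLE.replace("SslMode.require", "SslMode.verifyFull")

if __name__ == "__main__":
    print(find_unsafe_ssl_modes(VULNERABLE))  # [(6, 'SslMode.require')]
    print(find_unsafe_ssl_modes(SAFE))        # []
```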