Ruby Unencrypted Http Request

Description

Detects unencrypted HTTP requests in Ruby code using the net/http library. When applications make HTTP requests without encryption (using http:// instead of https://), sensitive data transmitted over the network can be intercepted and exposed to attackers through man-in-the-middle attacks.

Weakness:

372 - Use of an insecure channel - HTTP

Category: Information Collection

Detection Strategy

    Identifies when the net/http library is imported in Ruby code

    Looks for HTTP client request methods (like GET, POST, PUT, etc.) called on the HTTP object

    Checks if the URL provided to these HTTP requests uses an unencrypted http:// protocol

    Reports a vulnerability when HTTP requests are made without using encryption (HTTPS)
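The steps above, approximated as a token-level check with Ruby's standard-library Ripper lexer. This is an added example, not the scanner's own implementation: `REQUEST_METHODS`, `find_plaintext_http` and both samples are constructed here. It works per file and does not trace which URL reaches which call.

```ruby
require 'ripper'

# Net::HTTP class-level methods to look for (constructed list, not exhaustive).
REQUEST_METHODS = %w[get get_response get_print post post_form start new].freeze

# Returns [[line, url], ...] for each http:// string literal in a source that
# both requires net/http and calls a Net::HTTP request method.
def find_plaintext_http(source)
  # Ripper.lex yields [[line, col], type, text, state]; drop whitespace tokens.
  toks = Ripper.lex(source).reject { |t| %i[on_sp on_nl on_ignored_nl].include?(t[1]) }
  texts = toks.map { |t| t[2] }

  # Step 1: require 'net/http' or require('net/http').
  imported = toks.each_index.any? do |i|
    toks[i][1] == :on_ident && texts[i] == 'require' && texts[i + 1, 3].include?('net/http')
  end

  # Step 2: a Net::HTTP.<method> call.
  calls = texts.each_cons(5).any? do |w|
    w[0, 4] == ['Net', '::', 'HTTP', '.'] && REQUEST_METHODS.include?(w[4])
  end
  return [] unless imported && calls

  # Step 3: string literals (never comments) whose scheme is plaintext http.
  toks.select { |t| t[1] == :on_tstring_content && t[2].match?(%r{\Ahttp://}i) }
      .map { |t| [t[0][0], t[2]] }
end

# Constructed samples: the page's vulnerable snippet, and an HTTPS variant
# whose comment still mentions an http:// URL.
VULNERABLE = <<~RUBY
  require 'net/http'
  def fetch_data
    uri = URI('http://example.com/data')
    Net::HTTP.get(uri)
  end
RUBY

SECURE = <<~RUBY
  require 'net/http'
  # was http://example.com/data before the migration
  def fetch_data
    uri = URI('https://example.com/data')
    Net::HTTP.get(uri)
  end
RUBY

find_plaintext_http(VULNERABLE).each { |line, url| puts "line #{line}: #{url}" }
```

Because the check reads lexer tokens rather than raw text, the `http://` URL inside the comment in `SECURE` is not reported, which a plain text search would flag.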

Vulnerable code example

require 'net/http'

def fetch_data
    # Vulnerable: Uses insecure HTTP instead of HTTPS
    uri = URI('http://example.com/data')
    Net::HTTP.get(uri)
end

✅ Secure code example

require 'net/http'

def fetch_data
    # Secure: Uses HTTPS for encrypted data transmission
    uri = URI('https://example.com/data')
    Net::HTTP.get(uri)
end