Dart Insecure Websocket Channel
Description
This detector identifies insecure WebSocket connections in Dart applications that use the unencrypted ws:// scheme instead of the TLS-protected wss:// scheme. Over ws:// the WebSocket handshake and every subsequent frame travel in cleartext, so anyone on the network path can read or alter the traffic (interception and man-in-the-middle attacks), compromising the confidentiality and integrity of the communication.
Detection Strategy
• Scans Dart source code for imports of WebSocket packages and locates the functions that establish connections
• Examines each WebSocket connection call and inspects its first argument, the URI, for the scheme it uses
• Reports a vulnerability when that URI uses the insecure 'ws://' scheme instead of the secure 'wss://' scheme
Vulnerable code example

```dart
import 'package:web_socket_channel/web_socket_channel.dart';

void connectWebSocket() {
  // VULNERABLE: ws:// carries the handshake and every frame in cleartext,
  // so anyone on the path can read or modify them. Use wss:// instead.
  final channel = WebSocketChannel.connect(
    Uri.parse('ws://example.com/socket'),
  );
}
```

✅ Secure code example
```dart
import 'package:web_socket_channel/web_socket_channel.dart';

void connectWebSocket() {
  // SAFE: wss:// runs the WebSocket handshake and all frames over TLS,
  // so the transport is encrypted and the server is authenticated.
  final channel = WebSocketChannel.connect(
    Uri.parse('wss://example.com/socket'),
  );
}
```
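To make the detection strategy concrete, here is a small scanner that applies the same rule to Dart source: it locates WebSocket connection calls and flags those whose first argument is a 'ws://' literal, either bare or wrapped in Uri.parse(...), and separately reports calls whose argument it cannot resolve. This is an added illustration written for this page, not Fluid Attacks' detector code. The set of connection entry points (WebSocketChannel.connect, IOWebSocketChannel.connect and HtmlWebSocketChannel.connect from web_socket_channel, plus dart:io's WebSocket.connect) and the sample Dart file it scans are assumptions constructed for the example.

```python
"""Minimal lexical scanner for insecure (ws://) WebSocket connections in Dart.

Added illustration of the detection strategy on this page; not the Fluid
Attacks detector itself. The entry-point names and the sample source below
are assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Connection entry points whose first argument is the target URI (assumed set:
# web_socket_channel's three connect factories plus dart:io's WebSocket).
CONNECT_CALLS = (
    "WebSocketChannel.connect",
    "IOWebSocketChannel.connect",
    "HtmlWebSocketChannel.connect",
    "WebSocket.connect",
)

# Matches `<call>(` followed, optionally, by a string literal that may be
# wrapped in Uri.parse(...). If no literal follows, the argument is something
# this lexical scan cannot resolve (a variable, a builder call, ...).
_CALL_RE = re.compile(
    r"\b(?P<call>" + "|".join(re.escape(c) for c in CONNECT_CALLS) + r")"
    r"\s*\(\s*"
    r"""(?:(?:Uri\.parse\(\s*)?(?P<q>['"])(?P<uri>[^'"]*)(?P=q))?"""
)


@dataclass(frozen=True)
class Finding:
    line: int                 # 1-based line of the connect call
    call: str                 # which entry point was used
    uri: Optional[str]        # literal URI, or None if the argument is not a literal
    insecure: Optional[bool]  # True for ws://, False otherwise, None if unresolved


def _blank_line_comments(source: str) -> str:
    """Blank out whole-line `//` comments (keeping the line count) so that
    commented-out code is not reported. URIs contain `//` too, so trailing
    comments are left alone; a full detector would tokenize instead."""
    return "\n".join(
        "" if ln.lstrip().startswith("//") else ln for ln in source.splitlines()
    )


def scan_dart(source: str) -> list[Finding]:
    """Return one Finding per WebSocket connect call found in `source`."""
    text = _blank_line_comments(source)
    findings: list[Finding] = []
    for m in _CALL_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        uri = m.group("uri")
        if uri is None or "://" not in uri:
            # Non-literal argument, or a literal without a scheme: cannot decide.
            findings.append(Finding(line, m.group("call"), uri, None))
            continue
        scheme = uri.partition("://")[0].lower()
        findings.append(Finding(line, m.group("call"), uri, scheme == "ws"))
    return findings


def insecure_findings(source: str) -> list[Finding]:
    """Calls whose literal URI uses the cleartext ws:// scheme."""
    return [f for f in scan_dart(source) if f.insecure]


def unresolved_findings(source: str) -> list[Finding]:
    """Calls whose URI could not be resolved lexically; review these by hand."""
    return [f for f in scan_dart(source) if f.insecure is None]


# Constructed sample input: the two snippets from the page plus a few variants.
SAMPLE_DART = """\
import 'package:web_socket_channel/web_socket_channel.dart';
import 'package:web_socket_channel/io.dart';

void connect(Uri endpoint) {
  // WebSocketChannel.connect(Uri.parse('ws://old.example.com/socket'));
  final a = WebSocketChannel.connect(
    Uri.parse('ws://example.com/socket'),
  );
  final b = WebSocketChannel.connect(
    Uri.parse('wss://example.com/socket'),
  );
  final c = IOWebSocketChannel.connect('ws://10.0.0.5:8080/ws');
  final d = WebSocketChannel.connect(endpoint);
}
"""


if __name__ == "__main__":
    for f in scan_dart(SAMPLE_DART):
        status = {True: "INSECURE", False: "ok", None: "UNRESOLVED"}[f.insecure]
        print(f"line {f.line:>2}  {status:<10} {f.call}({f.uri or '<non-literal>'})")
```

Run against the sample, the scanner reports lines 6 and 12 as insecure, line 9 as fine, and line 13 as unresolved. That last category is the practical caveat: a purely lexical check only sees string literals, so a URI that arrives through a variable, configuration file or string builder is neither cleared nor flagged and has to be reviewed by hand (or resolved by a detector that works on the Dart AST).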