Ruby Ftp Unencrypted Connection
Description
Detects usage of unencrypted FTP connections via Ruby's Net::FTP library. FTP transfers data and credentials in plaintext, making them vulnerable to interception by attackers who can monitor network traffic.
Detection Strategy
• Checks if the 'net/ftp' library is imported in the Ruby code
• Identifies instantiation of FTP connections through Net::FTP.new or Net::FTP.open method calls
• Reports a vulnerability when FTP connections are created without encryption, as the Net::FTP class does not provide encryption by default
Vulnerable code example
require 'net/ftp'
# Insecure: Using plaintext FTP which transmits data without encryption
ftp = Net::FTP.new('example.com')
ftp.login('user', 'password')
ftp.getbinaryfile('sensitive.txt', 'local.txt')
ftp.close
✅ Secure code example
require 'net/ftp'
require 'openssl'
# Use FTPS (FTP over TLS) instead of plaintext FTP. Net::FTP's ssl: option
# wraps the control and data connections in TLS; asking for VERIFY_PEER makes
# the client reject servers whose certificate does not validate.
ftps = Net::FTP.new('example.com', ssl: { verify_mode: OpenSSL::SSL::VERIFY_PEER })
ftps.login('user', 'password')
ftps.getbinaryfile('sensitive.txt', 'local.txt')
ftps.close
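The detection strategy above, applied to the two code examples, as an added illustration that is not Fluid Attacks' scanner code: the checker requires a `net/ftp` import, finds `Net::FTP.new`/`Net::FTP.open` calls, and reports those not passed a truthy `ssl:` option (the standard library's switch for FTPS). The two samples are constructed for the demonstration.

```ruby
# Line-based checker mirroring the three detection steps. It only recognises
# Net::FTP.new/open calls whose argument list sits on a single line.

FTP_REQUIRE = /\brequire\s+(['"])net\/ftp\1/
FTP_CALL    = /\bNet::FTP\.(new|open)\s*\(([^)]*)\)/
# A truthy `ssl:` keyword argument (true or an options hash) turns on TLS in
# Net::FTP; `ssl: false` / `ssl: nil` leave the connection in plaintext.
SSL_OPTION  = /\bssl:(?!\s*(?:false|nil)\b)/

Finding = Struct.new(:line, :call, :snippet)

# Returns one Finding per Net::FTP.new/open call that is not passed a truthy
# `ssl:` option. Reports nothing unless 'net/ftp' is required somewhere.
def find_unencrypted_ftp(source)
  lines = source.lines
  return [] unless lines.any? { |l| FTP_REQUIRE.match?(l) }

  lines.each_with_index.filter_map do |line, idx|
    next if line.strip.start_with?('#')     # skip commented-out code
    m = FTP_CALL.match(line)
    next unless m
    next if SSL_OPTION.match?(m[2])         # encrypted: not reported
    Finding.new(idx + 1, "Net::FTP.#{m[1]}", line.strip)
  end
end

# Constructed samples (not taken from any real code base).
VULNERABLE_SAMPLE = <<~RUBY
  require 'net/ftp'
  ftp = Net::FTP.new('example.com')
  ftp.login('user', 'password')
RUBY

SECURE_SAMPLE = <<~RUBY
  require 'net/ftp'
  ftp = Net::FTP.new('example.com', ssl: { verify_mode: OpenSSL::SSL::VERIFY_PEER })
RUBY

if __FILE__ == $PROGRAM_NAME
  find_unencrypted_ftp(VULNERABLE_SAMPLE).each do |f|
    puts "line #{f.line}: unencrypted #{f.call} -> #{f.snippet}"
  end
end
```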