Dart Ftp Unencrypted Connection
Description
This detector identifies unencrypted FTP connections in Dart applications. The vulnerability occurs when applications use insecure FTP connections that transmit data in plaintext, making credentials and file transfers susceptible to interception and man-in-the-middle attacks.
Detection Strategy
• The detector scans Dart code for import statements that include the FTP connection package with the specific prefix pattern
• When FTP-related imports are found, it examines all method call expressions in the code
• For each method call that matches an imported FTP connection function name, it validates whether the connection is configured securely
• A vulnerability is reported when an FTP connection method call is determined to be insecure (likely missing SSL/TLS encryption or using plain FTP instead of FTPS/SFTP)
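A minimal text-based version of the steps above, as an added example and not Fluid Attacks' detector code. The function names and the sample source are constructed for illustration, and a production detector would walk a parsed syntax tree instead of using regular expressions.

```python
import re

# Constructed sample input; SecurityType names follow the examples on this page.
SAMPLE = """\
import 'package:ftpconnect/ftpconnect.dart' as ftp;
final a = ftp.FTPConnect('ftp.example.com', user: 'admin', pass: 'secret');
final b = ftp.FTPConnect('ftp.example.com', securityType: ftp.SecurityType.ftp);
final c = ftp.FTPConnect('ftp.example.com', securityType: ftp.SecurityType.ftps);
"""

IMPORT_RE = re.compile(r"""import\s+['"]package:ftpconnect/[^'"]+['"]\s*(?:as\s+(\w+))?""")
SECURITY_RE = re.compile(r"securityType\s*:\s*(?:\w+\.)?SecurityType\.(\w+)")

def call_arguments(source, open_paren):
    """Return the text between a call's parentheses, skipping string literals."""
    depth, i, quote = 0, open_paren, None
    while i < len(source):
        ch = source[i]
        if quote:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return source[open_paren + 1:i]
        i += 1
    return source[open_paren + 1:]  # unbalanced: treat the rest as arguments

def find_insecure_ftp(source):
    """Return (line, reason) for each FTPConnect call without encryption."""
    imp = IMPORT_RE.search(source)
    if not imp:
        return []  # no ftpconnect import, nothing to check
    prefix = re.escape(imp.group(1) + ".") if imp.group(1) else ""
    findings = []
    for call in re.finditer(r"(?<![\w.])" + prefix + r"FTPConnect\s*\(", source):
        args = call_arguments(source, call.end() - 1)
        mode = SECURITY_RE.search(args)
        line = source.count("\n", 0, call.start()) + 1
        if mode is None:
            findings.append((line, "securityType omitted"))
        elif mode.group(1).lower() == "ftp":
            findings.append((line, "SecurityType.ftp"))
    return findings
```

Running `find_insecure_ftp(SAMPLE)` reports the calls on lines 2 and 3 and leaves the `SecurityType.ftps` call on line 4 unflagged.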
Vulnerable code example
import 'package:ftpconnect/ftpconnect.dart';
Future<void> vulnerableConnection() async {
  // VULNERABLE: omitted securityType defaults to cleartext FTP
  final FTPConnect conn = FTPConnect('ftp.example.com', user: 'admin', pass: 'secret');
  await conn.connect();
  // VULNERABLE: explicitly using unencrypted SecurityType.ftp...
}
Secure code example
import 'package:ftpconnect/ftpconnect.dart';
Future<void> secureConnection() async {
  // SAFE: explicitly using SecurityType.ftps for encrypted connection
  final FTPConnect conn = FTPConnect('ftp.example.com', user: 'admin', pass: 'secret', securityType: SecurityType.ftps);
  await conn.connect();
  // SAFE: using SecurityType.ftps instead of unencrypted SecurityType.ftp...
}