Dart Io Insecure Channel Websocket
Description
This detector identifies insecure WebSocket connections in Dart applications that use unencrypted ws:// URLs instead of secure wss:// URLs. Unencrypted WebSocket connections expose data transmission to eavesdropping and man-in-the-middle attacks, compromising application security.
Detection Strategy
• The detector checks whether the dart:io library, which provides the WebSocket class, is imported
• It scans for WebSocket connection method calls (like WebSocket.connect) in non-test files
• It examines the first argument (URL) of WebSocket connection calls
• A vulnerability is reported when the URL argument uses the insecure ws:// protocol instead of the secure wss:// protocol
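As an added example (not part of this page or the Fluid Attacks detector), the following Python sketches the detection strategy above over constructed Dart sources: it requires the dart:io import, skips test files, finds WebSocket.connect calls, resolves the first argument from a string literal or a simple local variable assignment, and flags ws:// URLs. The regexes, helper names and sample sources are assumptions, not the detector's implementation.

```python
import re

# Constructed Dart sources (not from the page) used as input for the check.
SAMPLE_INSECURE = """import 'dart:io';
void main() async {
  await WebSocket.connect('ws://example.com/socket');
  final url = 'ws://api.example.com/realtime';
  await WebSocket.connect(url);
}
"""
SAMPLE_SECURE = SAMPLE_INSECURE.replace("ws://", "wss://")

# Heuristic patterns (assumptions): dart:io import, connect call with its
# first argument, and simple string assignments to local variables.
IMPORT_RE = re.compile(r"""^\s*import\s+['"]dart:io['"]""", re.M)
CONNECT_RE = re.compile(r"WebSocket\.connect\(\s*([^,)]+?)\s*[,)]")
ASSIGN_RE = re.compile(r"""(?:final|const|var|String)\s+(\w+)\s*=\s*(['"])(.*?)\2""")
LITERAL_RE = re.compile(r"""^(['"])(.*)\1$""")


def is_test_file(path):
    """Test code is out of scope, mirroring the 'non-test files' rule."""
    return path.endswith("_test.dart") or "/test/" in f"/{path}"


def resolve_arg(arg, assignments):
    """Return the URL string for a literal or a known local variable, else None.
    Other expressions (e.g. Uri.parse(...)) are deliberately not resolved."""
    m = LITERAL_RE.match(arg)
    if m:
        return m.group(2)
    return assignments.get(arg)


def find_insecure_websockets(path, source):
    """Return [(line_number, url)] for WebSocket.connect calls using ws://."""
    findings = []
    if is_test_file(path) or not IMPORT_RE.search(source):
        return findings
    assignments = {name: value for name, _quote, value in ASSIGN_RE.findall(source)}
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CONNECT_RE.finditer(line):
            url = resolve_arg(m.group(1), assignments)
            # wss:// does not start with ws://, so only cleartext URLs match.
            if url is not None and url.lower().startswith("ws://"):
                findings.append((lineno, url))
    return findings
```

The second finding is reached only through the variable assignment, which is the case the page's "Variable with insecure URL" comment refers to.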
Vulnerable code example

import 'dart:io';

void main() async {
  // Insecure WebSocket connection using the ws:// protocol
  await WebSocket.connect('ws://example.com/socket'); // Vulnerable: unencrypted connection

  // Variable holding an insecure URL
  final url = 'ws://api.example.com/realtime';
  // ... (remainder of the original example truncated)
}

✅ Secure code example
import 'dart:io';

void main() async {
  // Secure WebSocket connection using the wss:// protocol
  await WebSocket.connect('wss://example.com/socket'); // Fixed: connection encrypted with TLS

  // Variable holding a secure URL
  final url = 'wss://api.example.com/realtime';
  // ... (remainder of the original example truncated)
}