Php Insecure Channel Use Websocket Client
Description
This detector identifies PHP WebSocket client connections using insecure unencrypted channels. Using unencrypted WebSocket connections (ws://) exposes data transmission to eavesdropping and man-in-the-middle attacks, as communication is sent in plaintext without encryption.
Detection Strategy
• Scans PHP code for imports or usage of the WebSocket\Client library
• Identifies instantiations of WebSocket Client objects (constructor calls with name 'Client')
• Examines the first argument passed to the Client constructor to check if it's a URL
• Reports a vulnerability when the URL uses the insecure 'ws://' scheme instead of the secure 'wss://' protocol
• Only triggers when both the WebSocket library is imported AND a Client is instantiated with an insecure ws:// URL
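The strategy above, written out as an added Python example (this is not Fluid Attacks' detector code). It assumes the URL is passed as a string literal, that the import line is `use WebSocket\Client;`, and it also catches an uppercase `WS://` scheme, which the list above does not mention; a non-literal first argument is skipped rather than reported.

```python
import re
from urllib.parse import urlparse

# Condition 1: the WebSocket\Client library is imported.
IMPORT_RE = re.compile(r'^\s*use\s+WebSocket\\Client\s*;', re.MULTILINE)
# Condition 2: a Client is instantiated with a string-literal first argument.
# Accepts `new Client(...)`, `new WebSocket\Client(...)` and `new \WebSocket\Client(...)`.
NEW_CLIENT_RE = re.compile(
    r'new\s+(?:\\?WebSocket\\)?Client\s*\(\s*([\'"])([^\'"]*)\1'
)


def find_insecure_ws_clients(php_source: str) -> list[tuple[int, str]]:
    """Return (line_number, url) for every Client built with a ws:// URL.

    Reports nothing unless BOTH the library is imported AND a Client is
    instantiated with an insecure URL, mirroring the detector strategy.
    """
    if not IMPORT_RE.search(php_source):
        return []
    findings = []
    for match in NEW_CLIENT_RE.finditer(php_source):
        url = match.group(2)
        # urlparse lowercases the scheme, so 'WS://' is treated like 'ws://'.
        if urlparse(url).scheme.lower() == "ws":
            line = php_source.count("\n", 0, match.start()) + 1
            findings.append((line, url))
    return findings


# Constructed sample input: one secure client, two insecure ones, one
# non-literal argument that the detector cannot classify and so skips.
SAMPLE_PHP = """<?php
use WebSocket\\Client;
$a = new Client('ws://insecure-api.com');
$b = new Client('wss://secure-api.com');
$c = new \\WebSocket\\Client("WS://insecure-api.com");
$d = new Client($endpoint);
"""

if __name__ == "__main__":
    for line, url in find_insecure_ws_clients(SAMPLE_PHP):
        print(f"line {line}: insecure WebSocket URL {url}")
```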
Vulnerable code example
<?php
use WebSocket\Client;
function unsafeWebSocket(): void
{
$client = new Client('ws://insecure-api.com'); // Unencrypted WebSocket connection
$client->text("Hello WebSocket.org!");
}
✅ Secure code example
<?php
use WebSocket\Client;
function safeWebSocket(): void
{
$client = new Client('wss://secure-api.com'); // Use wss:// for encrypted WebSocket connection
$client->text("Hello WebSocket.org!");
}