Python Websocket Ssl Verification Bypass

Description

Detects when Python WebSocket connections are configured to bypass SSL certificate verification, making connections vulnerable to man-in-the-middle attacks. This security issue occurs when WebSocket clients are created with SSL verification disabled, allowing connections to potentially malicious servers with invalid certificates.

Weakness:

313 - Insecure service configuration - Certificates

Category: Functionality Abuse

Detection Strategy

• Check if the 'websocket' library is imported in the Python code

• Look for direct WebSocket client instantiations or connections

• Identify calls to WebSocket run_forever() method with insecure SSL settings

• Check for WebSocket connections using qualified names (e.g., websocket.WebSocket) with unsafe SSL configuration

Vulnerable code example

import websocket
import ssl

# Vulnerable: Disables SSL certificate verification
ws = websocket.create_connection("wss://example.com", sslopt={"cert_reqs": ssl.CERT_NONE})

✅ Secure code example

import websocket
import ssl

# Safe: Enables SSL certificate verification by requiring valid certificates
ws = websocket.create_connection("wss://example.com", sslopt={"cert_reqs": ssl.CERT_REQUIRED})

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.