javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket

Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.


Definition

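rules:
  - id: detect-insecure-websocket
    message: Insecure WebSocket Detected. WebSocket Secure (wss) should be used for
      all WebSocket connections.
    metadata:
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      asvs:
        section: "V13: API and Web Service Verification Requirements"
        control_id: 13.5.1 Insecure WebSocket
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x21-V13-API.md#v135-websocket-security-requirements
        version: "4"
      category: security
      technology:
        - regex
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - regex
    severity: ERROR
    patterns:
      # Any cleartext "ws://" scheme anywhere in the file (string literals, comments,
      # bare text). The leading \b keeps "aws://" and "ytwnews://" from matching.
      - pattern-regex: \bws:\/\/
      # Loopback-only URLs are deliberately allowed. The host must end right after
      # "localhost" / "127.0.0.1" (a port, path, query or closing quote may follow):
      # the negative lookahead stops hostnames that merely start with "localhost"
      # (e.g. localhost.example.com, localhostdb) from being excluded, and the dots
      # in 127.0.0.1 are escaped so they match literal dots rather than any character.
      - pattern-not-inside: \bws:\/\/localhost(?![\w.-]).*
      - pattern-not-inside: \bws:\/\/127\.0\.0\.1(?![\w.-]).*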

Examples

detect-insecure-websocket.js

// Test fixture for the detect-insecure-websocket rule. Semgrep's test harness
// reads the "ruleid:" / "ok:" annotations below; each applies to the line that
// immediately follows it, so keep them directly above the line they describe.

// Plain "ws://" scheme in a string literal: cleartext WebSocket, reported.
// ruleid: detect-insecure-websocket
var scheme   = "ws://";
var uri      = scheme + window.document.location.host + "/";
var ws       = new WebSocket(uri);
ws.onmessage = function(message) {}


// The rule is a regex rule, so it also fires on bare text where "ws://" begins
// the line (\b in the pattern matches at the start of the line).
// at start of the line
// ruleid: detect-insecure-websocket
ws://foo/bar

// TLS-protected "wss://" scheme: not reported.
// ok: detect-insecure-websocket
var secure_url = "wss://my/url";

// "aws://" contains "ws://" but there is no word boundary before the "w": not reported.
// ok: detect-insecure-websocket
var amazon_url = "aws://my/url";

// Same word-boundary case, this time inside a comment: not reported.
// from https://github.com/ytdl-org/youtube-dl/blob/master/youtube_dl/extractor/yahoo.py#L124
// ok: detect-insecure-websocket
// # ytwnews://cavideo/

// Loopback targets are excluded by the rule's pattern-not-inside clauses.
// ok: detect-insecure-websocket
var localhost = "ws://localhost:27017/freecodecamp?directConnection=true";

// ok: detect-insecure-websocket
var local = "ws://127.0.0.1:3000"