Clear-text protocols as ftp, telnet or non secure http are lacking encryption of transported data. They are
also missing the capability to build an authenticated connection. This mean that any attacker who can sniff traffic from the network can read, modify
or corrupt the transported content. These protocol are not secure as they expose applications to a large range of risk:
Note also that using the http protocol is being deprecated by major web browser.
In the past, it has led to the following vulnerabilities:
This rule raises an issue when
http://, ftp:// or telnet://. (case insensitive) telnetlib.Telnet class is instantiated ftplib.FTP class is instantiated ssh as an alternative to telnet sftp, scp or ftps instead of ftp https instead of http It is recommended to secure all transport channels (event local network) as it can take a single non secure connection to compromise an entire application or system.
Exception: the url domain component is a loopback address.
url = "http://exemple.com" # Sensitive
url = "ftp://anonymous@exemple.com" # Sensitive
url = "telnet://anonymous@exemple.com" # Sensitive
import telnetlib
cnx = telnetlib.Telnet("towel.blinkenlights.nl") # Sensitive
import ftplib
cnx = ftplib.FTP("194.244.111.175") # Sensitive
url = "http://exemple.com" # Noncompliant
url = "ftp://anonymous@exemple.com" # Noncompliant
url = "ssh://anonymous@exemple.com" # Noncompliant
import ftplib
cnx = ftplib.FTP_TLS("secure.example.com") # Compliant
No issue is reported for the following cases because they are not considered sensitive:
localhost