Certificate validation disabled
Description
The `ServicePointManager.ServerCertificateValidationCallback` event has been set to always return `true`, which effectively disables the validation of server certificates. This allows an adversary positioned between the application and the target host to intercept potentially sensitive information or inject malicious data.
Examples
Insecure Code

```csharp
// Accepts every server certificate, regardless of the validation result.
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
```

Secure Code

```csharp
// Accepts the server certificate only when platform validation reported no errors.
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => { return sslPolicyErrors == SslPolicyErrors.None; };
```

Remediation
Remove the callback function that is returning true to allow normal certificate validation to proceed.
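The following is an added example, not code from this rule page. It shows the same strict check scoped to a single `HttpClientHandler` (the `ServicePointManager` callback is process-wide), and the alternative to returning `true` when a private CA is in use: trusting that specific root through a custom chain policy. It assumes .NET 5 or later and a caller-supplied `privateRoot` certificate (hypothetical).

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class TlsValidation
{
    // Accept the server certificate only when platform validation found no problems.
    // Any other SslPolicyErrors value (name mismatch, chain error, no certificate)
    // rejects the connection and is logged instead of being silently ignored.
    public static bool StrictCallback(HttpRequestMessage request, X509Certificate2? cert,
                                      X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None)
        {
            Console.Error.WriteLine($"TLS validation failed for {request.RequestUri?.Host}: {errors}");
            return false;
        }
        return true;
    }

    // For a private CA, trust that one root explicitly instead of disabling validation.
    // privateRoot is an assumption: the caller loads it from a location it controls.
    public static bool PrivateRootCallback(X509Certificate2 privateRoot, X509Certificate2? cert,
                                           X509Chain? chain, SslPolicyErrors errors)
    {
        // A missing certificate or a host name mismatch is never acceptable.
        if (cert is null || chain is null) return false;
        if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0) return false;
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;

        // Rebuild the chain with the private root as the only trusted anchor (.NET 5+).
        using var custom = new X509Chain();
        custom.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        custom.ChainPolicy.CustomTrustStore.Add(privateRoot);
        custom.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        foreach (var element in chain.ChainElements)
            custom.ChainPolicy.ExtraStore.Add(element.Certificate); // intermediates presented by the server
        return custom.Build(cert);
    }

    public static HttpClient CreateClient()
    {
        var handler = new HttpClientHandler
        {
            // Scoped to this handler only, unlike the process-wide ServicePointManager callback.
            ServerCertificateCustomValidationCallback = StrictCallback
        };
        return new HttpClient(handler);
    }
}
```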
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0441 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-295 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | certificate validation, server certificate |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |