Improper Certificate Validation
Description
The `org.apache.http.impl.client.DefaultHttpClient` does not verify that the server certificate matches the hostname it connects to, so an adversary on the network path can present a certificate issued for another name and intercept sensitive information or transmit malicious data.
Examples
Insecure Code

```java
// Deliberately insecure: the deprecated client does not check the certificate against the hostname
new org.apache.http.impl.client.DefaultHttpClient();
```

Secure Code

```java
import java.net.*;
import java.net.http.*;

// java.net.http.HttpClient validates the certificate chain and the hostname by default
HttpClient httpClient = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder().uri(URI.create("https://www.example.com/")).build();
HttpResponse<String> response = httpClient.send(request, HttpResponse.BodyHandlers.ofString());
```

Remediation
Use the new `java.net.http.HttpClient` instead of `org.apache.http.impl.client.DefaultHttpClient`; it validates the server certificate chain and hostname by default, so TLS validation is enabled without extra configuration.
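The following is an added example, not code from the rule page, showing the remediation wrapped in a small helper that fails closed: it refuses non-HTTPS URLs, does not follow HTTPS-to-HTTP redirects, and turns a certificate or hostname validation failure into an explicit error instead of retrying. The class `TlsValidatedFetch` and the method `fetchOverTls` are hypothetical names chosen here; the target URL is the one used on the page.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import javax.net.ssl.SSLHandshakeException;

public class TlsValidatedFetch {

    // One shared client. java.net.http.HttpClient checks the certificate chain against the
    // JDK trust store and verifies the hostname by default; nothing here weakens that.
    // Redirect.NORMAL follows redirects except from HTTPS to HTTP, so a downgrade is refused.
    private static final HttpClient CLIENT = HttpClient.newBuilder()
            .connectTimeout(Duration.ofSeconds(10))
            .followRedirects(HttpClient.Redirect.NORMAL)
            .build();

    /** Fetches the body of an HTTPS URL; any TLS validation failure surfaces as an IOException. */
    public static String fetchOverTls(String url) throws IOException, InterruptedException {
        URI uri = URI.create(url);
        // Refuse plaintext up front rather than relying on the caller to pass https://
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("refusing non-TLS URL: " + url);
        }

        HttpRequest request = HttpRequest.newBuilder(uri)
                .timeout(Duration.ofSeconds(15))
                .GET()
                .build();

        try {
            HttpResponse<String> response = CLIENT.send(request, HttpResponse.BodyHandlers.ofString());
            return response.body();
        } catch (SSLHandshakeException e) {
            // Chain or hostname did not validate: fail closed with a clear message.
            // Do not fall back to a custom TrustManager or HostnameVerifier here.
            throw new IOException("TLS validation failed for " + uri.getHost() + ": " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) throws Exception {
        String body = fetchOverTls("https://www.example.com/");
        System.out.println("fetched " + body.length() + " bytes over validated TLS");
    }
}
```

`SSLHandshakeException` is a subclass of `IOException`, so callers that only catch `IOException` still see the failure; catching it separately simply makes the cause visible in logs, which is what an operator wants when a proxy or a misissued certificate sits in the path.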
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0697 |
| Category | InsecureConfig |
| Severity | MEDIUM |
| CWE | CWE-295 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | TLS validation, certificate validation |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |