Improper Certificate Validation

Description

The `HostnameVerifier` has been set to always return `true`, effectively disabling the validation of server or client certificates. This could allow an adversary to launch a Man-in-the-Middle (MITM) attack, intercepting potentially sensitive information or injecting malicious content into the communication stream.

Examples

Insecure Code

java

class CustomVerifier implements HostnameVerifier {
  @Override
  public boolean verify(String hostname, SSLSession session) {
    return true;
  }
}

Secure Code

java

HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
connection.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());

Remediation

Use the default `HostnameVerifier` by calling `HttpsURLConnection.getDefaultHostnameVerifier()`

Rule Details

Field	Value
ID	CODE-0700
Category	Crypto
Severity	MEDIUM
CWE	CWE-295
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	MODERATE
Tags	certificate validation, MITM attack
OWASP	A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Improper Certificate Validation

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

Improper Certificate Validation ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

Improper Certificate Validation

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details