Improper Certificate Validation
Description
The application calls the `requests` module with `verify=False`, which disables validation of the server's TLS certificate, and without a connection timeout. With validation disabled, an attacker positioned on the network path can present any certificate, intercept sensitive information, or return malicious data to the client; without a timeout, a slow or unresponsive server can block the caller indefinitely.
Examples
Insecure Code
```python
import requests

# verify=False disables server certificate validation and no timeout is set
response = requests.get('https://example.com', verify=False)
```
Secure Code
```python
import requests

# Certificate validation stays enabled (the default) and the call has an explicit timeout
response = requests.get('https://example.com', timeout=10, verify=True)
```
Remediation
Remove the `verify=False` argument (validation is enabled by default) or set `verify=True` for each `requests` call, and pass an explicit `timeout`. If the server uses a private or internal CA, point `verify` at that CA bundle (for example `verify='/path/to/ca-bundle.pem'`) rather than disabling validation.
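The check this rule performs can be reproduced with a small AST walk over the source: flag any `requests.<method>(...)` call whose `verify` keyword is a falsy constant (`False`, `0`, `""`, all of which disable validation in `requests`) and, separately, any such call with no `timeout` keyword. The following is an added example written for this page, not the scanner's own implementation; the sample source it analyses is constructed here, and the method list and issue names are assumptions for illustration.

```python
from __future__ import annotations

import ast
from dataclasses import dataclass

# HTTP helpers on the top-level requests module that accept verify= and timeout=
# (assumed list for this example).
REQUESTS_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


@dataclass(frozen=True)
class Finding:
    line: int
    issue: str  # "verify_false" (CWE-295) or "no_timeout"


def _is_requests_call(call: ast.Call) -> bool:
    """True for calls of the form requests.<method>(...)."""
    func = call.func
    return (
        isinstance(func, ast.Attribute)
        and isinstance(func.value, ast.Name)
        and func.value.id == "requests"
        and func.attr in REQUESTS_METHODS
    )


def find_insecure_requests_calls(source: str) -> list[Finding]:
    """Return one Finding per problem found in each requests.<method>() call."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not _is_requests_call(node):
            continue
        # **kwargs expansions have kw.arg == None and cannot be inspected statically.
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg is not None}

        verify = kwargs.get("verify")
        # verify=None means "use the session default" (validation on), so only a
        # falsy literal other than None disables validation: False, 0, "".
        if isinstance(verify, ast.Constant) and verify.value is not None and not verify.value:
            findings.append(Finding(node.lineno, "verify_false"))

        if "timeout" not in kwargs:
            findings.append(Finding(node.lineno, "no_timeout"))
    return findings


# Constructed sample source: one insecure call and two acceptable ones.
SAMPLE_SOURCE = '''
import requests

def insecure():
    return requests.get("https://example.com", verify=False)

def secure():
    return requests.get("https://example.com", timeout=10, verify=True)

def private_ca():
    return requests.post("https://internal.example", data=b"x", timeout=5,
                         verify="/etc/ssl/corp-ca.pem")
'''


if __name__ == "__main__":
    for finding in find_insecure_requests_calls(SAMPLE_SOURCE):
        print(f"line {finding.line}: {finding.issue}")
```

Running the block reports both issues on the `insecure()` call only; the call that passes a CA bundle path is accepted because a string `verify` value keeps validation enabled. A check of this kind is necessarily incomplete: `verify=False` reaching the call through a variable, `session.verify = False`, or an unpacked `**kwargs` is invisible to a literal-only scan, which is why the rule's confidence is HIGH for what it flags but not a guarantee of absence.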
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0164 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-295 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | certificate validation, server certificate |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |