Improper Certificate Validation

Description

The application uses `OpenSSL::SSL::VERIFY_NONE`, which disables the validation of TLS certificates. This allows an adversary to intercept sensitive information or transmit malicious data.

Examples

Insecure Code

ruby

OpenSSL::SSL::VERIFY_NONE

Secure Code

ruby

OpenSSL::SSL::VERIFY_PEER

Remediation

Replace `OpenSSL::SSL::VERIFY_NONE` with `OpenSSL::SSL::VERIFY_PEER`

Rule Details

Field	Value
ID	CODE-0553
Category	Crypto
Severity	MEDIUM
CWE	CWE-295
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	TLS, certificate validation
OWASP	A3:2017-Sensitive Data Exposure, A07:2021-Identification and Authentication Failures

References

https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
https://github.com/semgrep/semgrep-rules/blob/develop/ruby/lang/security/ssl-mode-no-verify.yaml

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Improper Certificate Validation

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Improper Certificate Validation ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

References ​

Improper Certificate Validation

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References