Certificate Validation Disabled
What does this mean?
A certificate is not validated, or is validated improperly, by the software. A certificate links an identity (principal) to a cryptographic key, so certificates can be used to determine whether or not a public key belongs to the presumed owner.
What can happen?
When a certificate is incorrect or fraudulent, an attacker may be able to impersonate a trusted entity by interfering with the communication flow between the host and client. The program may connect to a malicious host while believing it is connecting to a trustworthy host, or the software may be duped into accepting faked data that looks to originate from a trusted host.
Recommendation
Certificates should be properly handled and reviewed to ensure that data is encrypted with the public key of the intended owner. If certificate pinning is utilized, verify that all essential characteristics of the certificate, including the hostname, are completely validated before the certificate is pinned.
Sample Code
Vulnerable:
using System.Net;
using System.Net.Security;

ServicePointManager.ServerCertificateValidationCallback +=
    (sender, certificate, chain, errors) => {
        return true; // Noncompliant: trust all certificates, whatever the validation errors
    };
Non Vulnerable:
using System.Net;
using System.Net.Security;

ServicePointManager.ServerCertificateValidationCallback +=
    (sender, certificate, chain, errors) =>
    {
        if (development) return true; // for development, trust all certificates
        return errors == SslPolicyErrors.None
            && validCerts.Contains(certificate.GetCertHashString()); // Compliant: trust only some certificates
    };
Vulnerable:
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.X509TrustManager;

class TrustAllManager implements X509TrustManager {
    private static final Logger LOG = Logger.getLogger(TrustAllManager.class.getName());
    private static final String ERROR_MESSAGE = "Server certificate was not validated";

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Noncompliant: an empty body means any client certificate is trusted
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Noncompliant: this method never throws, so any server certificate is trusted
        LOG.log(Level.SEVERE, ERROR_MESSAGE);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }
}
Vulnerable:
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); // Noncompliant
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0); // Noncompliant
Non Vulnerable:
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, TRUE); // Compliant; default value is TRUE
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1); // Compliant
Vulnerable:
const https = require('https');

const options = {
    hostname: 'www.sample.com',
    port: 443,
    path: '/',
    method: 'GET',
    secureProtocol: 'TLSv1_2_method',
    rejectUnauthorized: false // Vulnerable: disables certificate chain and hostname verification
};
const req = https.request(options, (res) => {
    res.on('data', (d) => {
        process.stdout.write(d);
    });
}); // Vulnerable
req.end();
Non Vulnerable:
const https = require('https');

const options = {
    hostname: 'www.sample.com',
    port: 443,
    path: '/',
    method: 'GET',
    secureProtocol: 'TLSv1_2_method'
    // rejectUnauthorized is left at its default of true
};
const req = https.request(options, (res) => {
    res.on('data', (d) => {
        process.stdout.write(d);
    });
}); // Non Vulnerable
req.end();
Vulnerable:
const request = require('request');

const socket = request.get({
    url: 'https://www.sample.com/',
    secureProtocol: 'TLSv1_2_method',
    rejectUnauthorized: false // Vulnerable: disables certificate verification
});
Non Vulnerable:
const request = require('request');

const socket = request.get({
    url: 'https://www.sample.com/',
    secureProtocol: 'TLSv1_2_method'
}); // Non Vulnerable