Recipe Name:
TLS: Disabled Certificate validation
Description:
The verify method has been overridden and always returns true
Level:
warning
Language:
  • java
Tags:
  • security
  • web
  • TLS
  • OWASP Top 10
Documentation

When using transport layer security (TLS), the certificates involved need to be validated to authenticate the parties involved.

Not validating certificates may allow unauthenticated parties to connect to the service under the name of another party (certificate spoofing), or allow the use of outdated and self-signed certificates. To prevent these types of attacks, validate the certificates fully, including verification of the issuer, the issue date and the certificate chain.
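The pattern this recipe searches for (an overridden `verify` that always returns `true`), placed beside a hardened form that keeps the platform's default hostname check, as an added example that is not part of the original recipe; the class name, `pinnedTo` helper and the `example.com` host are assumptions:

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

public class HostnameVerifierExample {

    // VULNERABLE: this is exactly what the recipe flags. Every hostname is
    // accepted, so a valid certificate issued for any other name passes.
    static final HostnameVerifier ACCEPT_ALL = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };

    // SAFE: the default verifier matches the certificate's subject alternative
    // names against the requested host, which is what the insecure override skips.
    static final HostnameVerifier DEFAULT = HttpsURLConnection.getDefaultHostnameVerifier();

    // Hardened variant (hypothetical helper): require an expected host AND the
    // default check, so a stray override cannot silently widen what is accepted.
    static HostnameVerifier pinnedTo(String expectedHost) {
        return (hostname, session) ->
            expectedHost.equalsIgnoreCase(hostname)
                && DEFAULT.verify(hostname, session);
    }

    public static void main(String[] args) {
        // Constructed, offline check: no SSLSession is needed to show the
        // difference because the allow-list short-circuits on a mismatch.
        System.out.println("accept-all verifier on evil.example: "
            + ACCEPT_ALL.verify("evil.example", null));            // true
        System.out.println("pinned verifier on evil.example:     "
            + pinnedTo("example.com").verify("evil.example", null)); // false

        // Per-connection use: conn.setHostnameVerifier(pinnedTo("example.com"));
        // Never call HttpsURLConnection.setDefaultHostnameVerifier(ACCEPT_ALL),
        // which disables the check for every connection in the JVM.
    }
}
```

The recipe's `search` block matches the `ACCEPT_ALL` form above (an `@Override`d `verify` on a `javax.net.ssl.HostnameVerifier` returning the literal `true`); the `pinnedTo` form does not match because its result depends on the host and the default verifier.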

References
Recipe
id: scw:web:cert-validation-disabled
version: 10
metadata:
  name: 'TLS: Disabled Certificate validation'
  shortDescription: The verify method has been overridden, and always returns true
  level: warning
  language: java
  scwCategory: insufficient_transport_layer_protection:weak_certificate_validation
  enabled: true
  descriptionFile: descriptions/TLS__Disabled_Certificate_validation.html
  tags: security;web;TLS;OWASP Top 10
search:
  method:
    annotation:
      type: java.lang.Override
    name: verify
    type: javax.net.ssl.HostnameVerifier
    returnType: boolean
    child:
      return:
        value:
          literal:
            value: "true"
availableFixes: []