Recipe Name:
TLS: Disabled Certificate validation
Description:
The verify method has been overridden, and always returns true
Level:
warning
Language:
- java
Tags:
- security
- web
- TLS
- OWASP Top 10
Documentation
When using transport layer security (TLS), the certificates involved need to be validated to authenticate the parties involved.
Not validating certificates may result in unauthenticated parties connecting to the service under the name of other parties (certificate spoofing), or in the acceptance of outdated and self-signed certificates. To prevent these types of attacks, validate the certificates, including verification of the issuer, the issue date and the certificate chain.
References
Recipe
id: scw:web:cert-validation-disabled
version: 10
metadata:
  name: 'TLS: Disabled Certificate validation'
  shortDescription: The verify method has been overridden, and always returns true
  level: warning
  language: java
  scwCategory: insufficient_transport_layer_protection:weak_certificate_validation
  enabled: true
  descriptionFile: descriptions/TLS__Disabled_Certificate_validation.html
  tags: security;web;TLS;OWASP Top 10
search:
  method:
    annotation:
      type: java.lang.Override
    name: verify
    type: javax.net.ssl.HostnameVerifier
    returnType: boolean
    child:
      return:
        value:
          literal:
            value: "true"
availableFixes: []
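As an added illustration (not code from the recipe or from the Secure Code Warrior documentation), the Java shape this recipe's search clause matches, beside a form that keeps host name validation in place; the class and field names are assumed for the example.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import java.net.MalformedURLException;
import java.net.URL;

public class HostnameVerifierExample {

    // Exactly what the recipe matches: a method annotated @Override, named
    // verify, declared in a javax.net.ssl.HostnameVerifier, returning boolean,
    // whose body contains a return of the literal "true". Installing this
    // accepts any server certificate for any host name.
    static final HostnameVerifier ACCEPT_ALL = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true; // flagged by scw:web:cert-validation-disabled
        }
    };

    // Corrected form: delegate to the platform default instead of
    // short-circuiting. For HttpsURLConnection the host name is checked
    // during the TLS handshake and the verifier is only consulted when that
    // check has already failed, so the default verifier rejects, which is the
    // safe fallback. No literal "true" is returned, so the recipe is silent.
    static final HostnameVerifier DELEGATING = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return HttpsURLConnection.getDefaultHostnameVerifier()
                                     .verify(hostname, session);
        }
    };

    // Detection caveat for reviewers: the search clause requires the
    // java.lang.Override annotation, so the same behaviour written as a
    // lambda, e.g. "(host, session) -> true", is not matched by this recipe
    // and needs a separate check.

    static HttpsURLConnection configure(String url) throws MalformedURLException {
        // openConnection() builds the object without contacting the server.
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL(url).openConnection();
        // Leave the default in place, or use DELEGATING when a wrapper is
        // required; never install ACCEPT_ALL.
        conn.setHostnameVerifier(DELEGATING);
        return conn;
    }
}
```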