Recipe Name:
TLS: Disabled Certificate validation
Description:
The verify method has been overridden, and always returns true
Level:
warning
Language:
- java
Tags:
- security
- web
- TLS
- OWASP Top 10
Documentation
When using transport layer security (TLS), the certificates involved need to be validated to authenticate the parties involved.
Not validating certificates may result in unauthenicated parties connecting to the service under the name of other parties (certificate spoofing) or the use of outdated and self-signed certificates. To prevent these types of attacks, perform validation of the certificates including verification of the issuer, issue date and the certificate chain.
References
Recipe
id: scw:web:cert-validation-disabled
version: 10
metadata:
name: 'TLS: Disabled Certificate validation'
shortDescription: The verify method has been overridden, and always returns true
level: warning
language: java
scwCategory: insufficient_transport_layer_protection:weak_certificate_validation
enabled: true
descriptionFile: descriptions/TLS__Disabled_Certificate_validation.html
tags: security;web;TLS;OWASP Top 10
search:
method:
annotation:
type: java.lang.Override
name: verify
type: javax.net.ssl.HostnameVerifier
returnType: boolean
child:
return:
value:
literal:
value: "true"
availableFixes: []