java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier


Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.


Definition

# Semgrep rule: flags HostnameVerifier implementations that accept every host name,
# i.e. the TLS peer's identity is never checked (CWE-295 in the metadata below).
rules:
  - id: insecure-hostname-verifier
    message: Insecure HostnameVerifier implementation detected. This will accept any
      SSL certificate with any hostname, which creates the possibility for
      man-in-the-middle attacks.
    metadata:
      cwe:
        - "CWE-295: Improper Certificate Validation"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A07:2021 - Identification and Authentication Failures
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_HOSTNAME_VERIFIER
      asvs:
        section: V9 Communications Verification Requirements
        control_id: 9.2.1 Weak TLS
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements
        version: "4"
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
      # "audit": findings are intended for human review rather than as a hard gate.
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      # LOW confidence: the patterns below match only a verify() body that is
      # literally "return true;", so always-true verifiers written in any other
      # form are missed, and a match alone does not show which connections use
      # the verifier.
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    severity: WARNING
    languages:
      - java
    # Any one of the three patterns is a finding.
    pattern-either:
      # 1. A named class implementing HostnameVerifier whose verify() body is
      #    exactly "return true;" ("..." allows any other members in the class).
      - pattern: |
          class $CLASS implements HostnameVerifier {
            ...
            public boolean verify(...) { return true; }
          }
      # 2. The same always-true verify() in an anonymous HostnameVerifier.
      - pattern: |-
          new HostnameVerifier(...){
            public boolean verify(...) {
              return true;
            }
          }
      # 3. Apache HttpClient's NoopHostnameVerifier: the import statement itself
      #    is flagged, regardless of where (or whether) the class is used.
      - pattern: import org.apache.http.conn.ssl.NoopHostnameVerifier;

Examples

insecure-hostname-verifier.java

package verify;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

// Deliberately insecure fixture: the target of the ruleid marker below (first
// rule pattern). verify() returns true unconditionally, so any certificate is
// accepted for any host name and the TLS peer identity is never checked.
// Kept verbatim on purpose; @Override is omitted as in the original fixture.
// ruleid:insecure-hostname-verifier
public class AllHosts implements HostnameVerifier {
    // Body is exactly "return true;" — the literal shape the rule matches.
    public boolean verify(final String hostname, final SSLSession session) {
        return true;
    }
}

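// Non-matching fixture: verify() is not an unconditional "return true;".
// A HostnameVerifier is consulted when the URL host and the certificate's
// identity do not match; this one only ever allows the literal "localhost".
// ok:insecure-hostname-verifier
public class LocalHost implements HostnameVerifier {
    /**
     * Accepts the connection only for the exact host name {@code localhost}.
     *
     * @param hostname host name from the URL; {@code null} is treated as a mismatch
     * @param session  the negotiated session (not consulted)
     * @return {@code true} only when {@code hostname} equals {@code "localhost"}
     */
    @Override
    public boolean verify(final String hostname, final SSLSession session) {
        // Constant on the left: a null hostname yields false instead of a
        // NullPointerException, so the verifier fails closed.
        return "localhost".equals(hostname);
    }
}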


// cf. https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https
// Deliberately insecure fixture for the second rule pattern: an anonymous
// HostnameVerifier whose verify() body is exactly "return true;".
public class InlineVerifier {
    // Constructing this object installs the accept-all verifier as the static
    // default inherited by HttpsURLConnection instances created afterwards,
    // so the effect is process-wide rather than limited to this instance.
    public InlineVerifier() {
        // ruleid:insecure-hostname-verifier
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier(){
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        });
    }
}