java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier
Verifed by r2c
Community Favorite

Author
86,563
Download Count*
License
Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.
Run Locally
Run in CI
Defintion
rules:
- id: insecure-hostname-verifier
message: Insecure HostnameVerifier implementation detected. This will accept any
SSL certificate with any hostname, which creates the possibility for
man-in-the-middle attacks.
metadata:
cwe:
- "CWE-295: Improper Certificate Validation"
owasp:
- A03:2017 - Sensitive Data Exposure
- A07:2021 - Identification and Authentication Failures
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_HOSTNAME_VERIFIER
asvs:
section: V9 Communications Verification Requirements
control_id: 9.2.1 Weak TLS
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements
version: "4"
category: security
technology:
- java
references:
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
severity: WARNING
languages:
- java
pattern-either:
- pattern: |
class $CLASS implements HostnameVerifier {
...
public boolean verify(...) { return true; }
}
- pattern: |-
new HostnameVerifier(...){
public boolean verify(...) {
return true;
}
}
- pattern: import org.apache.http.conn.ssl.NoopHostnameVerifier;
Examples
insecure-hostname-verifier.java
package verify;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
// ruleid:insecure-hostname-verifier
public class AllHosts implements HostnameVerifier {
public boolean verify(final String hostname, final SSLSession session) {
return true;
}
}
// ok:insecure-hostname-verifier
public class LocalHost implements HostnameVerifier {
public boolean verify(final String hostname, final SSLSession session) {
return hostname.equals("localhost");
}
}
// cf. https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https
public class InlineVerifier {
public InlineVerifier() {
// ruleid:insecure-hostname-verifier
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier(){
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
}
}
Short Link: https://sg.run/5QoD