problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification

profile photo of returntocorpreturntocorp
Author
6,272
Download Count*

Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.

Run Locally

Run in CI

Defintion

rules:
  - id: bypass-tls-verification
    message: Checks for redefinitions of functions that check TLS/SSL certificate
      verification. This can lead to vulnerabilities, as simple errors in the
      code can result in lack of proper certificate validation. This should only
      be used for debugging purposes because it leads to vulnerability to MTM
      attacks.
    severity: WARNING
    metadata:
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate
        - https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1
      subcategory:
        - vuln
      technology:
        - spring
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - java
    pattern-either:
      - pattern: |
          new HostnameVerifier() {
            ...
            public boolean verify(String hostname, SSLSession session) {
              ...
            }
            ...
          };
      - pattern: >
          public RestTemplate restTemplate() throws KeyStoreException,
          NoSuchAlgorithmException, KeyManagementException {
            ...
            TrustStrategy $FUNCNAME = (X509Certificate[] chain, String authType) -> ...;
            ...
          }
      - pattern: >
          TrustStrategy $FUNCNAME= new TrustStrategy() {
            ...
            public boolean isTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
              ...
            }
            ...
          };

Examples

bypass-tls-verification.java

public class Bad {
    public void bad1() {
        // ruleid: bypass-tls-verification
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
                public boolean verify(String hostname, SSLSession session) {
                    return true;
                }
            });
    }

    // ruleid: bypass-tls-verification
    public RestTemplate restTemplate()
                        throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
            TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;

            SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
                            .loadTrustMaterial(null, acceptingTrustStrategy)
                            .build();

            SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);

            CloseableHttpClient httpClient = HttpClients.custom()
                            .setSSLSocketFactory(csf)
                            .build();

            HttpComponentsClientHttpRequestFactory requestFactory =
                            new HttpComponentsClientHttpRequestFactory();

            requestFactory.setHttpClient(httpClient);
            RestTemplate restTemplate = new RestTemplate(requestFactory);
            return restTemplate;
    }

    public RestTemplate getRestTemplate() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
        // ruleid: bypass-tls-verification
        TrustStrategy acceptingTrustStrategy = new TrustStrategy() {
            @Override
            public boolean isTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
                return true;
            }
        };
        SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom().loadTrustMaterial(null, acceptingTrustStrategy).build();
        SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext, new NoopHostnameVerifier());
        CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(csf).build();
        HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
        requestFactory.setHttpClient(httpClient);
        RestTemplate restTemplate = new RestTemplate(requestFactory);
        return restTemplate;
    }
}