problem-based-packs.insecure-transport.java-stdlib.bypass-tls-verification.bypass-tls-verification
Author: semgrep
Download count: 6,272
Checks for redefinitions of the checkServerTrusted function in the X509TrustManager class that disable TLS/SSL certificate verification. This should only be used for debugging purposes because it leaves the connection vulnerable to man-in-the-middle (MITM) attacks.
Definition
rules:
  - id: bypass-tls-verification
    message: Checks for redefinitions of the checkServerTrusted function in the
      X509TrustManager class that disables TLS/SSL certificate verification.
      This should only be used for debugging purposes because it leads to
      vulnerability to MITM attacks.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://riptutorial.com/java/example/16517/temporarily-disable-ssl-verification--for-testing-purposes-
        - https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - java
    patterns:
      - pattern: >
          new X509TrustManager() {
            ...
            public void checkClientTrusted(X509Certificate[] certs, String authType) {...}
            ...
          }
      - pattern-not: >
          new X509TrustManager() {
            ...
            public void checkServerTrusted(X509Certificate[] certs, String authType) {
              ...
              throw new CertificateException(...);
              ...
            }
            ...
          }
      - pattern-not: >
          new X509TrustManager() {
            ...
            public void checkServerTrusted(X509Certificate[] certs, String authType) {
              ...
              throw new IllegalArgumentException(...);
              ...
            }
            ...
          }
Examples
bypass-tls-verification.java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

public class Bad {
    public void bad_bypass() {
        // ruleid: bypass-tls-verification
        new X509TrustManager() {
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                return null;
            }
            public void checkClientTrusted(X509Certificate[] certs, String authType) { }
            // Empty body: every certificate the server presents is accepted,
            // so the TLS connection no longer authenticates the peer.
            public void checkServerTrusted(X509Certificate[] certs, String authType) { }
        };
    }
}

class Ok {
    public void ok_bypass() {
        // ok: bypass-tls-verification
        new X509TrustManager() {
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                return null;
            }
            public void checkClientTrusted(X509Certificate[] certs, String authType) { }
            public void checkServerTrusted(X509Certificate[] certs, String authType)
                    throws CertificateException {
                try {
                    // Validity-period check on the leaf certificate; a failure is
                    // surfaced as a CertificateException, which the rule treats as a real check.
                    certs[0].checkValidity();
                } catch (Exception e) {
                    throw new CertificateException("Certificate not valid or trusted.");
                }
            }
        };
    }

    public void ok_bypass_unchecked() {
        // ok: bypass-tls-verification
        new X509TrustManager() {
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                return null;
            }
            public void checkClientTrusted(X509Certificate[] certs, String authType) { }
            public void checkServerTrusted(X509Certificate[] certs, String authType) {
                try {
                    certs[0].checkValidity();
                } catch (Exception e) {
                    // Unchecked exception variant that the second pattern-not also accepts.
                    throw new IllegalArgumentException("Certificate not valid or trusted.");
                }
            }
        };
    }
}
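The "ok" cases above satisfy the rule because checkServerTrusted throws, but a validity-period check alone still does not validate the chain against a trust store. The following is an added example, not part of the Semgrep rule or its test file, showing the fix a reviewer would ask for: obtain the JDK's PKIX trust manager from a TrustManagerFactory (optionally initialised with a trust store holding a private or test CA, which replaces "disable verification while testing") and delegate to it, adding any extra policy on top rather than instead of it. The class name DelegatingTrustManagerExample, the helper names loadTrustStore, platformTrustManager, delegating and contextWith, and the "changeit" password are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class DelegatingTrustManagerExample {

    // Loads a JKS/PKCS12 trust store that contains the CA which issued the test
    // server's certificate. Trusting that CA explicitly is the alternative to
    // switching verification off.
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Returns the JDK's PKIX X509TrustManager for the given trust store;
    // a null trust store selects the platform's default CA store.
    static X509TrustManager platformTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Wraps a real trust manager: chain validation is delegated, and extra
    // policy is layered on top of it rather than replacing it.
    static X509TrustManager delegating(final X509TrustManager delegate) {
        return new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() {
                return delegate.getAcceptedIssuers();
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                delegate.checkClientTrusted(chain, authType);
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                if (chain == null || chain.length == 0) {
                    throw new CertificateException("empty certificate chain");
                }
                // Full PKIX path validation against the trust store.
                delegate.checkServerTrusted(chain, authType);
            }
        };
    }

    // Builds the SSLContext whose socket factory HTTP clients should be given.
    static SSLContext contextWith(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Optional first argument: path to a trust store for a private/test CA.
        // "changeit" is a placeholder password for this example.
        KeyStore ks = args.length > 0
            ? loadTrustStore(args[0], "changeit".toCharArray())
            : null;
        X509TrustManager tm = delegating(platformTrustManager(ks));
        SSLContext ctx = contextWith(tm);
        System.out.println("trusted CA certificates: " + tm.getAcceptedIssuers().length);
        System.out.println("protocol: " + ctx.getProtocol());
    }
}
```

Note that the rule's pattern-not clauses only look for a throw statement inside checkServerTrusted, so a wrapper that delegates without throwing anything of its own can still be reported; treat such a finding as something to review, not to suppress.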
Short Link: https://sg.run/qxD7