problem-based-packs.insecure-transport.java-stdlib.bypass-tls-verification.bypass-tls-verification

Author: returntocorp
Download count: 6,272

Checks for redefinitions of the checkServerTrusted method in X509TrustManager implementations that disable TLS/SSL certificate verification. This should only be done for debugging purposes, because it leaves the connection vulnerable to man-in-the-middle (MITM) attacks.

Definition

rules:
  - id: bypass-tls-verification
    message: Checks for redefinitions of the checkServerTrusted method in
      X509TrustManager implementations that disable TLS/SSL certificate
      verification. This should only be done for debugging purposes, because
      it leaves the connection vulnerable to man-in-the-middle (MITM) attacks.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      owasp: A03:2017 - Sensitive Data Exposure
      references:
        - https://riptutorial.com/java/example/16517/temporarily-disable-ssl-verification--for-testing-purposes-
        - https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1
      subcategory:
        - vuln
      technology:
        - java
      vulnerability: Insecure Transport
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - java
    patterns:
      - pattern: >
          new X509TrustManager() {
            ...
            public void checkClientTrusted(X509Certificate[] certs, String authType) {...}
            ...
          }
      - pattern-not: >
          new X509TrustManager() {
            ...
            public void checkServerTrusted(X509Certificate[] certs, String authType) {
              ...
              throw new CertificateException(...);
              ...
            }
            ...
          }
      - pattern-not: >
          new X509TrustManager() {
            ...
            public void checkServerTrusted(X509Certificate[] certs, String authType) {
              ...
              throw new IllegalArgumentException(...);
              ...
            }
            ...
          }

Examples

bypass-tls-verification.java

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

public class Bad {
    public void bad_bypass() {
        // ruleid: bypass-tls-verification
        // Every method is a no-op, so any certificate presented by a server is accepted.
        new X509TrustManager() {
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                return null;
            }

            public void checkClientTrusted(X509Certificate[] certs, String authType) {  }

            public void checkServerTrusted(X509Certificate[] certs, String authType) {  }
        };
    }
}

public class Ok {
    public void ok_bypass() {
        // ok: bypass-tls-verification
        new X509TrustManager() {
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }

            public void checkClientTrusted(X509Certificate[] certs, String authType) { }

            public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
                try {
                    // Rejects expired or not-yet-valid leaf certificates; a complete
                    // implementation would also validate the chain against a trust anchor.
                    certs[0].checkValidity();
                } catch (Exception e) {
                    throw new CertificateException("Certificate not valid or trusted.");
                }
            }
        };
    }

    public void ok_bypass_unchecked() {
        // ok: bypass-tls-verification
        new X509TrustManager() {
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }

            public void checkClientTrusted(X509Certificate[] certs, String authType) { }

            public void checkServerTrusted(X509Certificate[] certs, String authType) {
                try {
                    certs[0].checkValidity();
                } catch (Exception e) {
                    // Unchecked exception variant; the rule accepts this as a rejection too.
                    throw new IllegalArgumentException("Certificate not valid or trusted.");
                }
            }
        };
    }
}
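The usual reason developers write the flagged no-op trust manager is a self-signed or private-CA certificate in a test environment. The following is an added example, not part of the Semgrep rule or its test file, showing the alternative: trust that one CA explicitly through a TrustManagerFactory, so the JDK's PKIX validator still checks the chain, and wrap the platform trust manager when only logging is needed. The PEM path and the class and method names are assumptions of this example. Note that the rule's pattern-not clauses only recognize a literal throw of CertificateException or IllegalArgumentException, so a delegating wrapper like loggingDelegate, which rethrows the delegate's exception, may still be reported and needs a reviewer's look rather than a no-op replacement.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not from the rule or its fixtures): trust a specific test CA
 * instead of disabling verification. caPem is a hypothetical path supplied by the caller.
 */
public final class PinnedCaTrust {

    /** Build an SSLContext whose only trust anchor is the CA certificate in caPem. */
    public static SSLContext contextTrustingOnly(Path caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca;
        try (InputStream in = Files.newInputStream(caPem)) {
            ca = cf.generateCertificate(in);
        }

        // Empty in-memory key store holding just our trust anchor.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("test-ca", ca);

        // PKIX builds and validates the full chain: signatures, validity period, key usage.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** The platform default X509TrustManager (backed by the JDK cacerts store). */
    public static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null selects the default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * Adds diagnostics without weakening verification: every decision is made by
     * the delegate, and a rejected chain is logged and then rethrown, never swallowed.
     */
    public static X509TrustManager loggingDelegate(X509TrustManager delegate) {
        return new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() {
                return delegate.getAcceptedIssuers();
            }

            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                delegate.checkClientTrusted(chain, authType);
            }

            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                try {
                    delegate.checkServerTrusted(chain, authType);
                } catch (CertificateException e) {
                    System.err.println("TLS server chain rejected for "
                        + chain[0].getSubjectX500Principal() + ": " + e.getMessage());
                    throw e;  // keep the connection failing closed
                }
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Usage: pass the path of the test CA's PEM file as the first argument.
        SSLContext ctx = contextTrustingOnly(Path.of(args[0]));
        System.out.println("Context protocol: " + ctx.getProtocol());
        X509TrustManager tm = loggingDelegate(defaultTrustManager());
        System.out.println("Default trust anchors: " + tm.getAcceptedIssuers().length);
    }
}
```

Use the SSLContext from contextTrustingOnly for the test client (for example via HttpsURLConnection.setSSLSocketFactory or HttpClient.newBuilder().sslContext) so the test CA is trusted only in that code path and production traffic keeps the default verifier.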