trailofbits.generic.curl-insecure.curl-insecure
trailofbits
Author: unknown
Found `curl` command disabling SSL verification
Definition
rules:
  - id: curl-insecure
    message: Found `curl` command disabling SSL verification
    languages:
      - generic
    severity: WARNING
    metadata:
      category: security
      subcategory:
        - audit
      technology:
        - shell
      cwe: "CWE-295: Improper Certificate Validation"
      confidence: MEDIUM
      likelihood: MEDIUM
      impact: HIGH
      references:
        - https://curl.se/docs/manpage.html
      license: AGPL-3.0 license
      vulnerability_class:
        - Improper Authentication
    pattern-either:
      - pattern: "curl ... -k "
      - pattern: curl ... --insecure
Examples
curl-insecure.sh
#!/bin/bash
# ruleid: curl-insecure
curl -k https://google.com > /dev/null
# ruleid: curl-insecure
curl --insecure https://google.com > /dev/null
# ok: curl-insecure
curl --ksomeotherflag https://google.com > /dev/null
# ok: curl-insecure
curl https://google.com > /dev/null
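The rule's two patterns match the standalone `-k` token (the trailing space in `"curl ... -k "` is what keeps `--ksomeotherflag` from matching) and the long form `--insecure`. As an added example that is not part of this rule page or the Trail of Bits rule set, the Python script below implements the same check outside Semgrep over an embedded, constructed sample script and reports the line number and flag for each hit. It goes slightly beyond the two patterns above: it also flags `k` inside a cluster of single-letter options such as `-sk`, ignores comments and the operand of a redirection, and follows pipes and `&&` chains so a later `curl` on the same line is still inspected. The sample lines, the `example.invalid` host and the CA file path are constructed for the example.

```python
"""Standalone detector for curl invocations that disable TLS certificate
verification (the behaviour the Semgrep rule above reports).
Added example; not part of the rule page or the Trail of Bits rule set."""
import re
import shlex
from dataclasses import dataclass

# Constructed sample script: the rule's own test cases plus a few extras
# (a combined short-option cluster, a commented-out line, a pinned CA, wget).
SAMPLE_SCRIPT = """\
#!/bin/bash
curl -k https://example.invalid > /dev/null
curl --insecure https://example.invalid > /dev/null
curl --ksomeotherflag https://example.invalid > /dev/null
curl https://example.invalid > /dev/null
curl -sk https://example.invalid > /dev/null
curl --cacert /path/to/internal-ca.pem https://example.invalid > /dev/null
# curl -k https://example.invalid   (commented out, must not be reported)
wget --no-check-certificate https://example.invalid
"""

# Shell tokens that end one simple command and start another.
COMMAND_SEPARATORS = {"|", "||", "&&", ";", "&", "(", ")"}
# Redirections take exactly one operand and do not end the curl command.
REDIRECTIONS = {">", ">>", "<", "<<"}
# A cluster of single-letter options containing lowercase k: -k, -sk, -kL.
# (-K, curl's config-file option, is uppercase and intentionally not matched.)
SHORT_CLUSTER_WITH_K = re.compile(r"-[A-Za-z]*k[A-Za-z]*")


@dataclass(frozen=True)
class Finding:
    line_no: int
    flag: str
    line: str


def _tokens(line):
    """Tokenise one shell line on whitespace and shell punctuation.
    shlex drops '#' comments; a line with unbalanced quotes yields no tokens."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        return list(lex)
    except ValueError:
        return []


def scan_line(line_no, line):
    """Return a Finding for every verification-disabling flag passed to curl
    on this line. Any token whose basename is 'curl' starts a curl command,
    so 'sudo curl -k' is caught (and 'echo curl -k' is a tolerated false hit)."""
    findings = []
    in_curl = False
    tokens = _tokens(line)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in COMMAND_SEPARATORS:
            in_curl = False
        elif tok in REDIRECTIONS:
            i += 1  # skip the redirection target, stay inside the command
        elif not in_curl:
            in_curl = tok.rsplit("/", 1)[-1] == "curl"  # also /usr/bin/curl
        elif tok == "--insecure" or SHORT_CLUSTER_WITH_K.fullmatch(tok):
            findings.append(Finding(line_no, tok, line.rstrip()))
        i += 1
    return findings


def scan_script(text):
    """Scan a whole script; line numbers are 1-based like Semgrep's output."""
    return [f for n, line in enumerate(text.splitlines(), start=1)
            for f in scan_line(n, line)]


if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f.line_no}: curl called with {f.flag}: {f.line}")
```

Run against the embedded sample it reports lines 2, 3 and 6 and stays quiet on `--ksomeotherflag`, the commented-out line and the `--cacert` call. That last case is the shape of the fix for a finding: keep verification on and point curl at the issuer actually expected (`--cacert`, or the system trust store) rather than turning the check off.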