# Improper Certificate Validation (CWE-295) The product does not validate, or incorrectly validates, a certificate. **Stack:** Python - Prevalence: Mittel 3 Sprachen abgedeckt - Impact: Hoch 4 Regeln mit hohem Schweregrad - Prevention: Dokumentiert 4 Fix-Beispiele **OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7 ## Description When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. ## Prevention Präventionsstrategien für Improper Certificate Validation basierend auf 2 Shoulder-Erkennungsregeln. ### Python Keep SSL certificate verification enabled; use custom CA bundles for internal certs Keep SSL verification enabled (the default) or use custom CA bundles ## Warning Signs - [HIGH] disabled SSL/TLS certificate validation ## Consequences - Schutzmechanismus umgehen - Anwendungsdaten lesen - Anwendungsdaten ändern ## Mitigations - Zertifikate müssen sorgfältig verwaltet und auf Gültigkeit überprüft werden - Wenn Certificate Pinning eingesetzt wird, korrekt implementieren - SSL/TLS-Clientzertifikat-Validierung korrekt einsetzen ## Detection - Total rules: 4 - Languages: go, javascript, typescript, python ## Rules by Language ### Python (2 rules) - **SSL/TLS Certificate Validation Disabled** [HIGH]: Detects disabled SSL/TLS certificate validation. Disabling certificate validation makes connections vulnerable to man-in-the-middle attacks. - Remediation: Keep SSL certificate verification enabled (default behavior). ```python import requests # Certificate verification is enabled by default response = requests.get('https://api.example.com') # For custom CA certificates response = requests.get('https://api.example.com', verify='/path/to/ca-bundle.crt') ``` Learn more: https://shoulder.dev/learn/python/cwe-295/certificate-validation-bypass - **SSL/TLS Certificate Verification Disabled** [HIGH]: Detects disabled SSL/TLS certificate verification in HTTP requests. This makes the application vulnerable to man-in-the-middle (MITM) attacks where attackers can intercept and modify encrypted traffic. Always verify SSL certificates. - Remediation: Keep SSL verification enabled (verify=True is the default). ```python import requests response = requests.get(url, verify=True, timeout=10) # For custom CA certificates: response = requests.get(url, verify='/path/to/ca-bundle.crt') ``` Learn more: https://shoulder.dev/learn/python/cwe-295/ssl-verification-disabled