# Improper Certificate Validation (CWE-295) The product does not validate, or incorrectly validates, a certificate. **Stack:** Python - Prevalence: Moyenne 3 langages couverts - Impact: Élevé 4 règles de sévérité élevée - Prevention: Documentée 4 exemples de correctifs **OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7 ## Description When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. ## Prevention Stratégies de prévention pour Improper Certificate Validation basées sur 2 règles de détection Shoulder. ### Python Keep SSL certificate verification enabled; use custom CA bundles for internal certs Keep SSL verification enabled (the default) or use custom CA bundles ## Warning Signs - [HIGH] disabled SSL/TLS certificate validation ## Consequences - Contourner le mécanisme de protection - Lecture des données de l'application - Modification des données de l'application ## Mitigations - Les certificats doivent être soigneusement gérés et vérifiés afin de s'assurer qu'ils restent valides - Si l'épinglage de certificats est utilisé, assurez-vous qu'il est correctement implémenté - Utilisez correctement la validation des certificats client SSL/TLS ## Detection - Total rules: 4 - Languages: go, javascript, typescript, python ## Rules by Language ### Python (2 rules) - **SSL/TLS Certificate Validation Disabled** [HIGH]: Detects disabled SSL/TLS certificate validation. Disabling certificate validation makes connections vulnerable to man-in-the-middle attacks. - Remediation: Keep SSL certificate verification enabled (default behavior). ```python import requests # Certificate verification is enabled by default response = requests.get('https://api.example.com') # For custom CA certificates response = requests.get('https://api.example.com', verify='/path/to/ca-bundle.crt') ``` Learn more: https://shoulder.dev/learn/python/cwe-295/certificate-validation-bypass - **SSL/TLS Certificate Verification Disabled** [HIGH]: Detects disabled SSL/TLS certificate verification in HTTP requests. This makes the application vulnerable to man-in-the-middle (MITM) attacks where attackers can intercept and modify encrypted traffic. Always verify SSL certificates. - Remediation: Keep SSL verification enabled (verify=True is the default). ```python import requests response = requests.get(url, verify=True, timeout=10) # For custom CA certificates: response = requests.get(url, verify='/path/to/ca-bundle.crt') ``` Learn more: https://shoulder.dev/learn/python/cwe-295/ssl-verification-disabled