# Improper Certificate Validation (CWE-295)

The product does not validate, or incorrectly validates, a certificate.

**Stack:** Python

- Prevalence: मध्यम 3 भाषाएँ कवर की गईं
- Impact: उच्च 4 उच्च गंभीरता वाले नियम
- Prevention: प्रलेखित 4 फिक्स उदाहरण

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client.

## Prevention

2 Shoulder डिटेक्शन नियमों पर आधारित Improper Certificate Validation के लिए रोकथाम रणनीतियाँ।

### Python

Keep SSL certificate verification enabled; use custom CA bundles for internal certs

Keep SSL verification enabled (the default) or use custom CA bundles

## Warning Signs

- [HIGH] disabled SSL/TLS certificate validation

## Consequences

- सुरक्षा तंत्र को बायपास करना
- एप्लिकेशन डेटा पढ़ना
- एप्लिकेशन डेटा संशोधित करना

## Mitigations

- प्रमाणपत्रों को सावधानीपूर्वक प्रबंधित और जाँचें कि वे अब भी मान्य हैं
- यदि certificate pinning का उपयोग किया जा रहा है, तो सुनिश्चित करें कि वह सही ढंग से लागू हो
- SSL/TLS क्लाइंट प्रमाणपत्र सत्यापन का सही ढंग से उपयोग करें

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (2 rules)

- **SSL/TLS Certificate Validation Disabled** [HIGH]: Detects disabled SSL/TLS certificate validation. Disabling certificate
validation makes connections vulnerable to man-in-the-middle attacks.
  - Remediation: Keep SSL certificate verification enabled (default behavior).

```python
import requests

# Certificate verification is enabled by default
response = requests.get('https://api.example.com')

# For custom CA certificates
response = requests.get('https://api.example.com', verify='/path/to/ca-bundle.crt')
```

Learn more: https://shoulder.dev/learn/python/cwe-295/certificate-validation-bypass
- **SSL/TLS Certificate Verification Disabled** [HIGH]: Detects disabled SSL/TLS certificate verification in HTTP requests. This makes
the application vulnerable to man-in-the-middle (MITM) attacks where attackers
can intercept and modify encrypted traffic. Always verify SSL certificates.
  - Remediation: Keep SSL verification enabled (verify=True is the default).

```python
import requests

response = requests.get(url, verify=True, timeout=10)

# For custom CA certificates:
response = requests.get(url, verify='/path/to/ca-bundle.crt')
```

Learn more: https://shoulder.dev/learn/python/cwe-295/ssl-verification-disabled