Improper Certificate Validation (CWE-295)

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client.

普及度

中

3 言語をカバー

影響度

ハイ

4 件の重大度ハイのルール

予防

文書化済み

4 件の修正例

2 予防

この脆弱性の修正方法

4 件の Shoulder 検出ルールに基づく Improper Certificate Validation の予防策。

🐹 Go すべて表示 Go 詳細 →

Insecure TLS/SSL Configuration HIGH

Use TLS 1.2+ minimum version and always verify certificates

+2 -1 go

  client := &http.Client{
      Transport: &http.Transport{
          TLSClientConfig: &tls.Config{
-             InsecureSkipVerify: true,
+             MinVersion:         tls.VersionTLS12,
+             InsecureSkipVerify: false,
          },
      },
  }

🟨 JavaScript すべて表示 JavaScript 詳細 →

Insecure TLS/SSL Configuration HIGH

Keep certificate verification enabled and enforce TLS 1.2 or higher

+2 -1 javascript

  const agent = new https.Agent({
-   rejectUnauthorized: false
+   rejectUnauthorized: true,
+   minVersion: 'TLSv1.2'
  });

🐍 Python すべて表示 Python 詳細 →

SSL/TLS Certificate Validation Disabled HIGH

Keep SSL certificate verification enabled; use custom CA bundles for internal certs

+5 -1 python

  import requests
  
- response = requests.get('https://api.example.com', verify=False)
+ # Default verification (recommended)
+ response = requests.get('https://api.example.com')
+ 
+ # Custom CA for internal services
+ response = requests.get('https://internal.example.com', verify='/path/to/ca-bundle.crt')

SSL/TLS Certificate Verification Disabled HIGH

Keep SSL verification enabled (the default) or use custom CA bundles

+5 -1 python

  import requests
  
- response = requests.get(url, verify=False)
+ # Default: verify=True
+ response = requests.get(url, verify=True, timeout=10)
+ 
+ # For custom CA certificates:
+ response = requests.get(url, verify='/path/to/ca-bundle.crt')

3 検出

コードの脆弱性を見つける

Shoulderを使用してコードのImproper Certificate Validationパターンをスキャンしましょう。 4 ルール.

ターミナル

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=295

# Or scan entire project
npx @shoulderdev/cli trust .

検出ルール (4)

🐍 Python 2 rules

SSL/TLS Certificate Validation Disabled HIGH

Detects disabled SSL/TLS certificate validation. Disabling certificate validation makes connections vulnerable to man-in-the-middle attacks.

SSL/TLS Certificate Verification Disabled HIGH

Detects disabled SSL/TLS certificate verification in HTTP requests. This makes the application vulnerable to man-in-the-middle (MITM) attacks where attackers can intercept and modify encrypted traffic. Always verify SSL certificates.

🐹 Go 1 rules

Insecure TLS/SSL Configuration HIGH

TLS config uses InsecureSkipVerify, weak TLS version, or deprecated ciphers.

🟨 Javascript 1 rules

Insecure TLS/SSL Configuration HIGH

Detects insecure TLS/SSL configurations in Node.js applications that weaken transport security. Common misconfigurations: - rejectUnauthorized: false (disables certificate validation) - NODE_TLS_REJECT_UNAUTHORIZED=0 (globally disables TLS verification) - Weak TLS versions (TLS 1.0, 1.1) - Insecure SSL options in HTTPS requests These misconfigurations allow man-in-the-middle attacks.

🔷 Typescript 1 rules

Insecure TLS/SSL Configuration HIGH

4 警告サイン

コードレビューで注目すべき点

これらのパターンはImproper Certificate Validationの潜在的な脆弱性を示しています。コードレビューとセキュリティ監査中に探してください。

🟠

TLS configuration disables security features or uses weak settings go-insecure-tls-config

🟠

insecure TLS/SSL configurations in Node javascript-insecure-tls-config

🟠

disabled SSL/TLS certificate validation python-certificate-validation-bypass

🔍

コードベースをスキャン: Improper Certificate Validation

Shoulder CLI はコードベース全体から脆弱なパターンを見つけます。

npx shoulder trust すべてのルールを表示