Improper Certificate Validation (CWE-295)

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client.

보급률

보통

3개 언어 지원

영향

높음

4개의 높은 심각도 규칙

예방

문서화됨

4개의 수정 예시

2 예방

이 취약점을 수정하는 방법

4개의 Shoulder 탐지 규칙을 기반으로 한 Improper Certificate Validation 예방 전략.

🐹 Go 모두 보기 Go 자세히 →

Insecure TLS/SSL Configuration HIGH

Use TLS 1.2+ minimum version and always verify certificates

+2 -1 go

  client := &http.Client{
      Transport: &http.Transport{
          TLSClientConfig: &tls.Config{
-             InsecureSkipVerify: true,
+             MinVersion:         tls.VersionTLS12,
+             InsecureSkipVerify: false,
          },
      },
  }

🟨 JavaScript 모두 보기 JavaScript 자세히 →

Insecure TLS/SSL Configuration HIGH

Keep certificate verification enabled and enforce TLS 1.2 or higher

+2 -1 javascript

  const agent = new https.Agent({
-   rejectUnauthorized: false
+   rejectUnauthorized: true,
+   minVersion: 'TLSv1.2'
  });

🐍 Python 모두 보기 Python 자세히 →

SSL/TLS Certificate Validation Disabled HIGH

Keep SSL certificate verification enabled; use custom CA bundles for internal certs

+5 -1 python

  import requests
  
- response = requests.get('https://api.example.com', verify=False)
+ # Default verification (recommended)
+ response = requests.get('https://api.example.com')
+ 
+ # Custom CA for internal services
+ response = requests.get('https://internal.example.com', verify='/path/to/ca-bundle.crt')

SSL/TLS Certificate Verification Disabled HIGH

Keep SSL verification enabled (the default) or use custom CA bundles

+5 -1 python

  import requests
  
- response = requests.get(url, verify=False)
+ # Default: verify=True
+ response = requests.get(url, verify=True, timeout=10)
+ 
+ # For custom CA certificates:
+ response = requests.get(url, verify='/path/to/ca-bundle.crt')

3 탐지

코드에서 취약점 찾기

Shoulder를 사용하여 코드에서 Improper Certificate Validation 패턴을 스캔하세요. 4 규칙.

터미널

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=295

# Or scan entire project
npx @shoulderdev/cli trust .

탐지 규칙 (4)

🐍 Python 2 rules

SSL/TLS Certificate Validation Disabled HIGH

Detects disabled SSL/TLS certificate validation. Disabling certificate validation makes connections vulnerable to man-in-the-middle attacks.

SSL/TLS Certificate Verification Disabled HIGH

Detects disabled SSL/TLS certificate verification in HTTP requests. This makes the application vulnerable to man-in-the-middle (MITM) attacks where attackers can intercept and modify encrypted traffic. Always verify SSL certificates.

🐹 Go 1 rules

Insecure TLS/SSL Configuration HIGH

TLS config uses InsecureSkipVerify, weak TLS version, or deprecated ciphers.

🟨 Javascript 1 rules

Insecure TLS/SSL Configuration HIGH

Detects insecure TLS/SSL configurations in Node.js applications that weaken transport security. Common misconfigurations: - rejectUnauthorized: false (disables certificate validation) - NODE_TLS_REJECT_UNAUTHORIZED=0 (globally disables TLS verification) - Weak TLS versions (TLS 1.0, 1.1) - Insecure SSL options in HTTPS requests These misconfigurations allow man-in-the-middle attacks.

🔷 Typescript 1 rules

Insecure TLS/SSL Configuration HIGH

4 경고 신호

코드 리뷰에서 주의할 점

이 패턴은 잠재적인 Improper Certificate Validation 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.

🟠

TLS configuration disables security features or uses weak settings go-insecure-tls-config

🟠

insecure TLS/SSL configurations in Node javascript-insecure-tls-config

🟠

disabled SSL/TLS certificate validation python-certificate-validation-bypass

🔍

코드베이스를 스캔하세요: Improper Certificate Validation

Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.

npx shoulder trust 모든 규칙 보기