Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.
When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client.
이 취약점을 수정하는 방법
4개의 Shoulder 탐지 규칙을 기반으로 한 Improper Certificate Validation 예방 전략.
Use TLS 1.2+ minimum version and always verify certificates
client := &http.Client{ Transport: &http.Transport{ TLSClientConfig: &tls.Config{ - InsecureSkipVerify: true, + MinVersion: tls.VersionTLS12, + InsecureSkipVerify: false, }, }, }
Keep certificate verification enabled and enforce TLS 1.2 or higher
const agent = new https.Agent({ - rejectUnauthorized: false + rejectUnauthorized: true, + minVersion: 'TLSv1.2' });
Keep SSL certificate verification enabled; use custom CA bundles for internal certs
import requests - response = requests.get('https://api.example.com', verify=False) + # Default verification (recommended) + response = requests.get('https://api.example.com') + + # Custom CA for internal services + response = requests.get('https://internal.example.com', verify='/path/to/ca-bundle.crt')
Keep SSL verification enabled (the default) or use custom CA bundles
import requests - response = requests.get(url, verify=False) + # Default: verify=True + response = requests.get(url, verify=True, timeout=10) + + # For custom CA certificates: + response = requests.get(url, verify='/path/to/ca-bundle.crt')
코드에서 취약점 찾기
Shoulder를 사용하여 코드에서 Improper Certificate Validation 패턴을 스캔하세요. 4 규칙.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=295 # Or scan entire project npx @shoulderdev/cli trust .
탐지 규칙 (4)
코드 리뷰에서 주의할 점
이 패턴은 잠재적인 Improper Certificate Validation 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.
코드베이스를 스캔하세요: Improper Certificate Validation
Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.