# Improper Certificate Validation (CWE-295) The product does not validate, or incorrectly validates, a certificate. **Stack:** Python - Prevalence: Średnia Pokryto 3 języków - Impact: Wysoki 4 reguł o wysokim poziomie - Prevention: Udokumentowane 4 przykładów poprawek **OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7 ## Description When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. ## Prevention Strategie zapobiegania dla Improper Certificate Validation oparte na 2 regułach detekcji Shoulder. ### Python Keep SSL certificate verification enabled; use custom CA bundles for internal certs Keep SSL verification enabled (the default) or use custom CA bundles ## Warning Signs - [HIGH] disabled SSL/TLS certificate validation ## Consequences - Obejście mechanizmu ochrony - Odczyt danych aplikacji - Modyfikacja danych aplikacji ## Mitigations - Certyfikaty należy starannie zarządzać i sprawdzać, czy nadal są ważne - Jeśli stosowany jest certificate pinning, upewnij się, że jest poprawnie wdrożony - Poprawnie stosuj walidację certyfikatów klienta SSL/TLS ## Detection - Total rules: 4 - Languages: go, javascript, typescript, python ## Rules by Language ### Python (2 rules) - **SSL/TLS Certificate Validation Disabled** [HIGH]: Detects disabled SSL/TLS certificate validation. Disabling certificate validation makes connections vulnerable to man-in-the-middle attacks. - Remediation: Keep SSL certificate verification enabled (default behavior). ```python import requests # Certificate verification is enabled by default response = requests.get('https://api.example.com') # For custom CA certificates response = requests.get('https://api.example.com', verify='/path/to/ca-bundle.crt') ``` Learn more: https://shoulder.dev/learn/python/cwe-295/certificate-validation-bypass - **SSL/TLS Certificate Verification Disabled** [HIGH]: Detects disabled SSL/TLS certificate verification in HTTP requests. This makes the application vulnerable to man-in-the-middle (MITM) attacks where attackers can intercept and modify encrypted traffic. Always verify SSL certificates. - Remediation: Keep SSL verification enabled (verify=True is the default). ```python import requests response = requests.get(url, verify=True, timeout=10) # For custom CA certificates: response = requests.get(url, verify='/path/to/ca-bundle.crt') ``` Learn more: https://shoulder.dev/learn/python/cwe-295/ssl-verification-disabled