# Improper Certificate Validation (CWE-295)

The product does not validate, or incorrectly validates, a certificate.

- Prevalence: Medium 3 languages covered
- Impact: High 4 high-severity rules
- Prevention: Documented 4 fix examples

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client.

## Prevention

Prevention strategies for Improper Certificate Validation based on 4 Shoulder detection rules.

### Go

Use TLS 1.2+ minimum version and always verify certificates

### Node.js

Keep certificate verification enabled and enforce TLS 1.2 or higher

### Python

Keep SSL certificate verification enabled; use custom CA bundles for internal certs

Keep SSL verification enabled (the default) or use custom CA bundles

## Warning Signs

- [HIGH] TLS configuration disables security features or uses weak settings
- [HIGH] insecure TLS/SSL configurations in Node
- [HIGH] disabled SSL/TLS certificate validation

## Consequences

- Bypass Protection Mechanism
- Read Application Data
- Modify Application Data

## Mitigations

- Certificates should be carefully managed and checked to assure they are still valid
- If certificate pinning is being used, ensure it is implemented correctly
- Use SSL/TLS client certificate validation properly

## Detection

- Total rules: 4
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (2 rules)

- **SSL/TLS Certificate Validation Disabled** [HIGH]: Detects disabled SSL/TLS certificate validation. Disabling certificate
validation makes connections vulnerable to man-in-the-middle attacks.
  - Remediation: Keep SSL certificate verification enabled (default behavior).

```python
import requests

# Certificate verification is enabled by default
response = requests.get('https://api.example.com')

# For custom CA certificates
response = requests.get('https://api.example.com', verify='/path/to/ca-bundle.crt')
```

Learn more: https://shoulder.dev/learn/python/cwe-295/certificate-validation-bypass
- **SSL/TLS Certificate Verification Disabled** [HIGH]: Detects disabled SSL/TLS certificate verification in HTTP requests. This makes
the application vulnerable to man-in-the-middle (MITM) attacks where attackers
can intercept and modify encrypted traffic. Always verify SSL certificates.
  - Remediation: Keep SSL verification enabled (verify=True is the default).

```python
import requests

response = requests.get(url, verify=True, timeout=10)

# For custom CA certificates:
response = requests.get(url, verify='/path/to/ca-bundle.crt')
```

Learn more: https://shoulder.dev/learn/python/cwe-295/ssl-verification-disabled

### Go (1 rules)

- **Insecure TLS/SSL Configuration** [HIGH]: TLS config uses InsecureSkipVerify, weak TLS version, or deprecated ciphers.
  - Remediation: Set MinVersion to TLS 1.2+ and never skip certificate verification.

```go
tlsConfig := &tls.Config{
    MinVersion:         tls.VersionTLS12,
    InsecureSkipVerify: false, // Always verify certificates
}
```

Learn more: https://shoulder.dev/learn/go/cwe-295/insecure-tls-config

### Javascript (1 rules)

- **Insecure TLS/SSL Configuration** [HIGH]: Detects insecure TLS/SSL configurations in Node.js applications that weaken transport security.

Common misconfigurations:
- rejectUnauthorized: false (disables certificate validation)
- NODE_TLS_REJECT_UNAUTHORIZED=0 (globally disables TLS verification)
- Weak TLS versions (TLS 1.0, 1.1)
- Insecure SSL options in HTTPS requests

These misconfigurations allow man-in-the-middle attacks.
  - Remediation: Keep certificate verification enabled and use TLS 1.2 or higher.

```javascript
const agent = new https.Agent({
  rejectUnauthorized: true,
  minVersion: 'TLSv1.2'
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-295/insecure-tls-config

### Typescript (1 rules)

- **Insecure TLS/SSL Configuration** [HIGH]: Detects insecure TLS/SSL configurations in Node.js applications that weaken transport security.

Common misconfigurations:
- rejectUnauthorized: false (disables certificate validation)
- NODE_TLS_REJECT_UNAUTHORIZED=0 (globally disables TLS verification)
- Weak TLS versions (TLS 1.0, 1.1)
- Insecure SSL options in HTTPS requests

These misconfigurations allow man-in-the-middle attacks.
  - Remediation: Keep certificate verification enabled and use TLS 1.2 or higher.

```javascript
const agent = new https.Agent({
  rejectUnauthorized: true,
  minVersion: 'TLSv1.2'
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-295/insecure-tls-config