# Improper Certificate Validation (CWE-295) The product does not validate, or incorrectly validates, a certificate. **Stack:** Python - Prevalence: Medium 3 languages covered - Impact: High 4 high-severity rules - Prevention: Documented 4 fix examples **OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7 ## Description When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. ## Prevention Prevention strategies for Improper Certificate Validation based on 2 Shoulder detection rules. ### Python Keep SSL certificate verification enabled; use custom CA bundles for internal certs Keep SSL verification enabled (the default) or use custom CA bundles ## Warning Signs - [HIGH] disabled SSL/TLS certificate validation ## Consequences - Bypass Protection Mechanism - Read Application Data - Modify Application Data ## Mitigations - Certificates should be carefully managed and checked to assure they are still valid - If certificate pinning is being used, ensure it is implemented correctly - Use SSL/TLS client certificate validation properly ## Detection - Total rules: 4 - Languages: go, javascript, typescript, python ## Rules by Language ### Python (2 rules) - **SSL/TLS Certificate Validation Disabled** [HIGH]: Detects disabled SSL/TLS certificate validation. Disabling certificate validation makes connections vulnerable to man-in-the-middle attacks. - Remediation: Keep SSL certificate verification enabled (default behavior). ```python import requests # Certificate verification is enabled by default response = requests.get('https://api.example.com') # For custom CA certificates response = requests.get('https://api.example.com', verify='/path/to/ca-bundle.crt') ``` Learn more: https://shoulder.dev/learn/python/cwe-295/certificate-validation-bypass - **SSL/TLS Certificate Verification Disabled** [HIGH]: Detects disabled SSL/TLS certificate verification in HTTP requests. This makes the application vulnerable to man-in-the-middle (MITM) attacks where attackers can intercept and modify encrypted traffic. Always verify SSL certificates. - Remediation: Keep SSL verification enabled (verify=True is the default). ```python import requests response = requests.get(url, verify=True, timeout=10) # For custom CA certificates: response = requests.get(url, verify='/path/to/ca-bundle.crt') ``` Learn more: https://shoulder.dev/learn/python/cwe-295/ssl-verification-disabled