Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.
When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client.
Prevalence
Medium
Covers 3 languages
Impact
High
4 rules rated High severity
Prevention
Documented
4 fix examples
2 Prevention
How to fix this vulnerability
Prevention strategies for Improper Certificate Validation, based on 4 Shoulder detection rules.
Go
Insecure TLS/SSL Configuration
HIGH
Use TLS 1.2+ minimum version and always verify certificates
client := &http.Client{
    Transport: &http.Transport{
        TLSClientConfig: &tls.Config{
-           InsecureSkipVerify: true,
+           MinVersion:         tls.VersionTLS12,
+           InsecureSkipVerify: false,
        },
    },
}
JavaScript
Insecure TLS/SSL Configuration
HIGH
Keep certificate verification enabled and enforce TLS 1.2 or higher
const agent = new https.Agent({
-   rejectUnauthorized: false
+   rejectUnauthorized: true,
+   minVersion: 'TLSv1.2'
});
Python
SSL/TLS Certificate Validation Disabled
HIGH
Keep SSL certificate verification enabled; use custom CA bundles for internal certs
import requests
- response = requests.get('https://api.example.com', verify=False)
+ # Default verification (recommended)
+ response = requests.get('https://api.example.com')
+
+ # Custom CA for internal services
+ response = requests.get('https://internal.example.com', verify='/path/to/ca-bundle.crt')
SSL/TLS Certificate Verification Disabled
HIGH
Keep SSL verification enabled (the default) or use custom CA bundles
import requests
- response = requests.get(url, verify=False)
+ # Default: verify=True
+ response = requests.get(url, verify=True, timeout=10)
+
+ # For custom CA certificates:
+ response = requests.get(url, verify='/path/to/ca-bundle.crt')
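The two Python fixes above both keep verification on in `requests`; the same properties (peer certificate required, hostname checked, TLS 1.2 minimum) can be enforced and audited on a standard-library `ssl.SSLContext`, which is what `requests`, `urllib` and `http.client` use underneath. The following is an added example, not code from the Shoulder page or project: it builds a strict client context, shows the `verify=False` equivalent for contrast, and audits any context for the weaknesses this rule family flags. The CA bundle path is a placeholder and the `audit_context` codes are this example's own.

```python
"""Added example: strict TLS client context plus an audit helper (not Shoulder's code)."""
import ssl
from typing import List, Optional


def make_strict_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that validates the peer certificate, matches it against
    the host name and refuses anything below TLS 1.2.

    `cafile` is the fix for internal/self-signed services: point it at the
    internal CA bundle (placeholder path, e.g. '/path/to/ca-bundle.crt')
    instead of disabling verification.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # create_default_context already sets these; restate them so a later
    # refactor cannot silently weaken the context.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The standard-library equivalent of requests' verify=False, for contrast.

    check_hostname must be cleared before verify_mode is set to CERT_NONE,
    otherwise ssl raises ValueError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of problem codes; an empty list means the context is strict.

    Codes (this example's own naming, not Shoulder rule ids):
      no-cert-verification  -> verify_mode is not CERT_REQUIRED
      no-hostname-check     -> check_hostname is False
      weak-min-version      -> minimum_version allows TLS < 1.2
    """
    problems: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("no-cert-verification")
    if not ctx.check_hostname:
        problems.append("no-hostname-check")
    # MINIMUM_SUPPORTED (-2) means "whatever OpenSSL allows", which is weak.
    if ctx.minimum_version in (ssl.TLSVersion.MINIMUM_SUPPORTED,
                               ssl.TLSVersion.TLSv1,
                               ssl.TLSVersion.TLSv1_1,
                               ssl.TLSVersion.SSLv3):
        problems.append("weak-min-version")
    return problems


if __name__ == "__main__":
    print("strict:", audit_context(make_strict_context()))   # []
    print("weak:  ", audit_context(make_weak_context()))
```

`audit_context` is the check worth wiring into a startup self-test: any HTTP client wrapper in the code base can hand its context to it, and a non-empty result is the runtime form of the `python-certificate-validation-bypass` finding.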
3 Detection
Find vulnerabilities in your code
Use Shoulder to scan your code for Improper Certificate Validation patterns. 4 rules.
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=295
# Or scan entire project
npx @shoulderdev/cli trust .
Detection rules (4)
🐍
Python
2 rules
SSL/TLS Certificate Validation Disabled
HIGH
Detects disabled SSL/TLS certificate validation. Disabling certificate
validation makes connections vulnerable to man-in-the-middle attacks.
SSL/TLS Certificate Verification Disabled
HIGH
Detects disabled SSL/TLS certificate verification in HTTP requests. This makes
the application vulnerable to man-in-the-middle (MITM) attacks where attackers
can intercept and modify encrypted traffic. Always verify SSL certificates.
🐹
Go
1 rule
4 Warning signs
What to look for in code review
These patterns indicate potential Improper Certificate Validation vulnerabilities. Look for them during code review and security audits.
TLS configuration disables security features or uses weak settings
go-insecure-tls-config
insecure TLS/SSL configurations in Node
javascript-insecure-tls-config
disabled SSL/TLS certificate validation
python-certificate-validation-bypass
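The three warning signs above map to one concrete token each in the fix examples on this page (`InsecureSkipVerify: true`, `rejectUnauthorized: false`, `verify=False`). The following is an added example, not Shoulder's rule engine: a small line scanner that approximates those three rules with regular expressions, skips comment-only lines so a fix note does not trigger a finding, and is run over a constructed mixed-language sample. The rule ids are the ones listed on this page; the regexes and the sample source are this example's own.

```python
"""Added example: regex approximation of the three warning-sign rules (not Shoulder's code)."""
import re
from typing import List, Tuple

# rule id (from the page) -> pattern (this example's approximation of the rule)
RULES = {
    "go-insecure-tls-config": re.compile(r"\bInsecureSkipVerify\s*:\s*true\b"),
    "javascript-insecure-tls-config": re.compile(r"\brejectUnauthorized\s*:\s*false\b"),
    "python-certificate-validation-bypass": re.compile(r"\bverify\s*=\s*False\b"),
}

COMMENT_PREFIXES = ("#", "//", "/*", "*")

Finding = Tuple[int, str, str]  # (1-based line number, rule id, stripped source line)


def scan_source(lines: List[str]) -> List[Finding]:
    """Return one finding per (line, rule) match, ignoring comment-only lines."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIXES):
            continue
        for rule_id, pattern in RULES.items():
            if pattern.search(line):
                findings.append((lineno, rule_id, line))
    return findings


# Constructed sample: a few lines from each language, safe and unsafe mixed.
SAMPLE_SOURCE = [
    "TLSClientConfig: &tls.Config{InsecureSkipVerify: true},",      # Go, flagged
    "TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},",   # Go, safe
    "const agent = new https.Agent({ rejectUnauthorized: false });", # JS, flagged
    "const agent = new https.Agent({ rejectUnauthorized: true });",  # JS, safe
    "// rejectUnauthorized: false was removed in the last review",   # JS comment, skipped
    "response = requests.get(url, verify=False)",                    # Python, flagged
    "response = requests.get(url, verify='/path/to/ca-bundle.crt')", # Python, safe
    "# do not use verify=False here",                                # Python comment, skipped
]


def scan_sample() -> List[Finding]:
    """Run the scanner over the constructed sample above."""
    return scan_source(SAMPLE_SOURCE)


if __name__ == "__main__":
    for lineno, rule_id, line in scan_sample():
        print(f"line {lineno}: {rule_id}: {line}")
```

A regex scanner of this shape is only a warning-sign detector: it cannot see a `verify` flag passed through a variable or a config file, so treat its output as review prompts and keep the CWE-295 rule set in the CLI command above for the real scan.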