Java Insecure Hostname Verifier
Description
This vulnerability occurs when TLS hostname verification is disabled, typically by configuring an Apache HttpClient connection with org.apache.http.conn.ssl.NoopHostnameVerifier, or by supplying a custom javax.net.ssl.HostnameVerifier whose verify() always returns true. Certificate chain validation still takes place, but the name in the certificate (SAN or CN) is never compared with the host the application intended to reach, so any server that holds a certificate trusted by the client's trust store, issued for any domain at all, is accepted as the intended destination. An attacker on the network path can therefore perform a man-in-the-middle attack using a legitimately issued certificate for a domain they control.
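The following is an added example, not code from the original page: the same TLS client built with hostname verification disabled and with it enabled, first with Apache HttpClient 4.x and then with plain JSSE, where a raw SSLSocket checks no hostname at all unless endpoint identification is switched on. It assumes Apache HttpClient 4.4 or later on the classpath; the host is whatever argument the user passes.

```java
import java.io.IOException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

// Added example (not the original page's code). Requires Apache HttpClient 4.4+.
public class HostnameVerificationConfig {

    // VULNERABLE (the pattern this finding reports): NoopHostnameVerifier accepts
    // every certificate subject, so a server holding a trusted certificate for
    // some other domain is accepted as the intended host.
    public static CloseableHttpClient insecureClient(SSLContext ctx) {
        SSLConnectionSocketFactory sslsf =
                new SSLConnectionSocketFactory(ctx, NoopHostnameVerifier.INSTANCE);
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    // FIXED: DefaultHostnameVerifier matches the certificate's SAN (or CN) against
    // the request host. Passing no verifier gives the same result, because it is
    // HttpClient's default; the insecure form has to be opted into explicitly.
    public static CloseableHttpClient secureClient(SSLContext ctx) {
        SSLConnectionSocketFactory sslsf =
                new SSLConnectionSocketFactory(ctx, new DefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    // Plain JSSE: a raw SSLSocket does NOT check the hostname unless the endpoint
    // identification algorithm is set. "HTTPS" enables RFC 2818 name matching
    // during the handshake, which then fails with SSLHandshakeException on mismatch.
    public static SSLSocket secureSocket(SSLContext ctx, String host, int port)
            throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        return socket;
    }

    // Usage: java HostnameVerificationConfig <host>   (needs network access)
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: HostnameVerificationConfig <host>");
            return;
        }
        String host = args[0];
        SSLContext ctx = SSLContext.getDefault();
        try (CloseableHttpClient client = secureClient(ctx);
             CloseableHttpResponse resp = client.execute(new HttpGet("https://" + host + "/"))) {
            System.out.println("HttpClient: " + resp.getStatusLine());
        }
        try (SSLSocket socket = secureSocket(ctx, host, 443)) {
            socket.startHandshake();
            System.out.println("JSSE: verified peer " + socket.getSession().getPeerHost());
        }
    }
}
```

Both secure paths fail the connection, rather than the request, when the certificate name does not match, so the error surfaces as an SSLPeerUnverifiedException (HttpClient) or SSLHandshakeException (JSSE) before any application data is sent. Swapping secureClient for insecureClient is the one-line change that turns the client into the reported vulnerability.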
Detection Strategy
• Search for direct usage of the class org.apache.http.conn.ssl.NoopHostnameVerifier in Java code, whether it is imported or written fully qualified
• Check for references in variable declarations, object instantiations (new NoopHostnameVerifier()), the NoopHostnameVerifier.INSTANCE singleton, and method parameters such as the verifier argument of SSLConnectionSocketFactory
• Report a vulnerability wherever NoopHostnameVerifier is referenced: its mere presence indicates that hostname verification has been disabled. A custom javax.net.ssl.HostnameVerifier whose verify() unconditionally returns true, as in the vulnerable example below, has the same effect and should be reported as well
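As an added example of the strategy above, not code from the original page or from Fluid Attacks' scanner, the following Java 11+ program applies the rules to Java source text. The first rule reports any reference to NoopHostnameVerifier; the second extends the strategy to a custom verify(String, SSLSession) that begins with an unconditional return true. The sample sources embedded in it are constructed for the example, so it runs offline; a directory argument scans real files instead.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

// Added example (not the original page's code). Java 11+ for Files.readString.
public class HostnameVerifierScanner {

    // Rule 1: any reference to the class (import, fully qualified name, INSTANCE
    // field, constructor call, declared type). Mere presence is reported, as the
    // strategy says; no attempt is made to prove the reference is reachable.
    private static final Pattern NOOP_REF = Pattern.compile("\\bNoopHostnameVerifier\\b");

    // Rule 2 (extension, matching the vulnerable example on this page): a
    // verify(String, SSLSession) whose body starts with "return true;".
    // A comment placed between "{" and "return" would evade this simple pattern.
    private static final Pattern ALWAYS_TRUE_VERIFY = Pattern.compile(
            "boolean\\s+verify\\s*\\(\\s*(?:final\\s+)?String\\s+\\w+\\s*,\\s*"
          + "(?:final\\s+)?SSLSession\\s+\\w+\\s*\\)\\s*\\{\\s*return\\s+true\\s*;");

    public static List<String> scan(String fileName, String source) {
        List<String> findings = new ArrayList<>();
        String[] lines = source.split("\n", -1);
        for (int i = 0; i < lines.length; i++) {
            if (NOOP_REF.matcher(lines[i]).find()) {
                findings.add(fileName + ":" + (i + 1) + ": NoopHostnameVerifier referenced");
            }
        }
        Matcher m = ALWAYS_TRUE_VERIFY.matcher(source);
        while (m.find()) {
            findings.add(fileName + ":" + lineOf(source, m.start())
                    + ": HostnameVerifier.verify() unconditionally returns true");
        }
        return findings;
    }

    // 1-based line number of a character offset within source.
    private static int lineOf(String source, int offset) {
        int line = 1;
        for (int i = 0; i < offset; i++) {
            if (source.charAt(i) == '\n') line++;
        }
        return line;
    }

    public static List<String> scanDirectory(Path root) throws IOException {
        List<String> findings = new ArrayList<>();
        List<Path> javaFiles;
        try (Stream<Path> paths = Files.walk(root)) {
            javaFiles = paths.filter(p -> p.toString().endsWith(".java")).collect(Collectors.toList());
        }
        for (Path p : javaFiles) {
            findings.addAll(scan(p.toString(), Files.readString(p)));
        }
        return findings;
    }

    // Constructed samples (not real project code): three insecure forms, one clean.
    static final String[][] SAMPLES = {
        { "ImportAndInstance.java",
          "import org.apache.http.conn.ssl.NoopHostnameVerifier;\n"
        + "class A { Object f = new SSLConnectionSocketFactory(ctx, NoopHostnameVerifier.INSTANCE); }\n" },
        { "FullyQualified.java",
          "class B { javax.net.ssl.HostnameVerifier v = new org.apache.http.conn.ssl.NoopHostnameVerifier(); }\n" },
        { "CustomAlwaysTrue.java",
          "import javax.net.ssl.*;\n"
        + "class C implements HostnameVerifier {\n"
        + "    public boolean verify(String hostname, SSLSession session) {\n"
        + "        return true;\n"
        + "    }\n}\n" },
        { "Clean.java",
          "import org.apache.http.conn.ssl.DefaultHostnameVerifier;\n"
        + "class D { Object f = new SSLConnectionSocketFactory(ctx, new DefaultHostnameVerifier()); }\n" },
    };

    // Usage: java HostnameVerifierScanner [directory]
    public static void main(String[] args) throws IOException {
        List<String> findings = new ArrayList<>();
        if (args.length == 1) {
            findings = scanDirectory(Paths.get(args[0]));
        } else {
            for (String[] s : SAMPLES) findings.addAll(scan(s[0], s[1]));
        }
        if (findings.isEmpty()) System.out.println("no findings");
        findings.forEach(System.out::println);
    }
}
```

Run without arguments, it reports the import and the INSTANCE use in ImportAndInstance.java, the fully qualified constructor call in FullyQualified.java, and the verify() method in CustomAlwaysTrue.java, and nothing for Clean.java, whose DefaultHostnameVerifier does not match rule 1 because the class name is matched on word boundaries.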
Vulnerable code example
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

// Vulnerable: Allows any hostname to match without verification
public class InsecureVerifier implements HostnameVerifier {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        return true; // Security risk: Accepts all hostnames without validation
    }
}
✅ Secure code example
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

public class SecureVerifier implements HostnameVerifier {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        // Delegate to the JVM-wide default verifier instead of accepting everything
        HostnameVerifier defaultVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
        return defaultVerifier.verify(hostname, session);
    }
}
Caveat: on a stock JDK, HttpsURLConnection.getDefaultHostnameVerifier() returns a verifier whose verify() always returns false. For HttpsURLConnection the real name check is performed by JSSE before the HostnameVerifier is consulted, and the verifier is only asked whether to accept a connection that check has already rejected. Delegating to it therefore fails closed, which is safe, but it does not validate anything itself, and if the same class is plugged into Apache HttpClient, which always calls the verifier, every connection is rejected. For Apache HttpClient the correct replacement for NoopHostnameVerifier is org.apache.http.conn.ssl.DefaultHostnameVerifier, which is what you get when no verifier is passed at all; for a raw SSLSocket or SSLEngine, enable the check with SSLParameters.setEndpointIdentificationAlgorithm("HTTPS"). Also confirm that nothing in the code base calls HttpsURLConnection.setDefaultHostnameVerifier() with a permissive verifier, since the delegation above inherits whatever default has been installed.