Php Ssl Verification Disabled Setopt
Description
This detector identifies when SSL certificate verification is disabled in PHP cURL operations through curl_setopt function calls. Disabling SSL verification makes applications vulnerable to man-in-the-middle attacks by allowing connections to servers with invalid or untrusted certificates.
Detection Strategy
• Scans PHP source code for curl_setopt function calls
• Examines the parameters of each curl_setopt call to identify SSL-related options
• Reports a vulnerability when SSL verification options are explicitly disabled (such as setting CURLOPT_SSL_VERIFYPEER to false or CURLOPT_SSL_VERIFYHOST to 0)
• Triggers when code intentionally bypasses SSL certificate validation mechanisms
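A minimal scanner that applies the strategy above, written for this page in Python as an added example (it is not Fluid Attacks' detector code). It assumes the option and value are literals in the source, and it goes one step beyond the description by also checking the equivalent pairs inside a curl_setopt_array() option array:

```python
import re
# Literal values that switch each verification option off (as the page describes).
DISABLING_VALUES = {
    "CURLOPT_SSL_VERIFYPEER": {"false", "0"},
    "CURLOPT_SSL_VERIFYHOST": {"false", "0"},
}
# curl_setopt($handle, CURLOPT_SSL_VERIFY..., <value>): captures option and value.
SETOPT_RE = re.compile(
    r"curl_setopt\s*\(\s*\$\w+\s*,\s*(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,\s*([^,)]+?)\s*\)",
    re.IGNORECASE,
)
# CURLOPT_SSL_VERIFY... => <value> inside curl_setopt_array() (beyond the page's curl_setopt form).
ARRAY_PAIR_RE = re.compile(r"(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*=>\s*([^,\]\)\s]+)", re.IGNORECASE)

def normalize(value: str) -> str:
    """Strip quotes and case so '0', "0", FALSE and false compare equal."""
    return value.strip().strip("'\"").lower()

def is_disabling(option: str, value: str) -> bool:
    """True when a literal value turns the given verification option off."""
    return normalize(value) in DISABLING_VALUES.get(option.upper(), set())

def scan_php(source: str) -> list:
    """Return (line_number, option, normalized_value) for each call that disables TLS verification.
    Limitation: values passed via variables or expressions are not resolved, so
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $verify) is not reported.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop trailing line comments (naive, but enough for literals)
        for pattern in (SETOPT_RE, ARRAY_PAIR_RE):
            for match in pattern.finditer(code):
                option, value = match.group(1).upper(), match.group(2)
                if is_disabling(option, value):
                    findings.append((lineno, option, normalize(value)))
    return findings

# Constructed sample PHP source: two insecure calls, two secure ones, and an insecure array form.
SAMPLE_PHP = r'''<?php
$ch = curl_init("https://example.com/api");
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // insecure
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);     // insecure
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);  // secure
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);     // secure
curl_setopt_array($ch, [
    CURLOPT_SSL_VERIFYPEER => FALSE,
    CURLOPT_SSL_VERIFYHOST => '0'
]);
'''
```

Running scan_php(SAMPLE_PHP) reports lines 3, 4, 8 and 9 and stays silent on the two secure calls.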
Vulnerable code example
<?php
function vulnerable_ssl_check(): void
{
    $ch = curl_init("https://example.com/api");
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disables SSL certificate verification
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); // Disables SSL hostname verification
    $response = curl_exec($ch); // Succeeds even against an invalid or untrusted certificate
    curl_close($ch);
}

✅ Secure code example
<?php
function secure_ssl_check(): void
{
    $ch = curl_init("https://example.com/api");
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // Enables SSL certificate verification (the default)
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); // Enables SSL hostname verification (the default)
    $response = curl_exec($ch);
    if ($response === false) {
        throw new RuntimeException("cURL request failed: " . curl_error($ch)); // A failed verification surfaces here
    }
    curl_close($ch);
}