Java Noop Hostname Verifier Used
Description
Detects when SSL/TLS hostname verification is disabled by installing a permissive hostname verifier. With such a verifier the client accepts a certificate regardless of whether its subject names match the host it is actually talking to, so any party holding a certificate trusted by the client's trust store (or, when trust checks are also relaxed, any certificate at all) can impersonate the intended server. This makes the application susceptible to man-in-the-middle attacks.
Detection Strategy
• Identifies method calls to 'setSSLHostnameVerifier' or 'setHostnameVerifier'
• Checks if the hostname verifier implementation is empty or accepts all hosts without validation
• Flags instances where SSL certificate hostname checking is effectively disabled
• Reports vulnerability when a permissive hostname verifier is used that bypasses proper certificate validation
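The detection strategy above, implemented as an added example in Python (this is not Fluid Attacks' scanner and is not code from the original page). It scans Java source text for calls to setSSLHostnameVerifier or setHostnameVerifier, extracts the argument with balanced-parenthesis matching, and flags the three permissive shapes the bullets describe: a known accept-all verifier class (NoopHostnameVerifier, plus the older deprecated AllowAllHostnameVerifier from Apache HttpClient), a lambda that returns true unconditionally, and an anonymous HostnameVerifier whose verify() body is empty or just `return true;`. The Java snippets it scans are constructed samples embedded inline.

```python
import re
from dataclasses import dataclass

# Constructed Java samples (not from the original page): three clients that
# disable hostname verification in different ways, and one that keeps a real
# verifier. They are strings here so the scanner runs offline.
NOOP_SAMPLE = """
import org.apache.http.conn.ssl.NoopHostnameVerifier;
var client = HttpClients.custom()
        .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
        .build();
"""

LAMBDA_SAMPLE = """
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setHostnameVerifier((hostname, session) -> true);
"""

ANON_SAMPLE = """
conn.setHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
});
"""

SECURE_SAMPLE = """
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
var client = HttpClients.custom()
        .setSSLHostnameVerifier(new DefaultHostnameVerifier())
        .build();
"""

# The two setter names the rule looks for; the trailing '(' marks the argument start.
CALL_RE = re.compile(r"\.\s*(setSSLHostnameVerifier|setHostnameVerifier)\s*\(")
# Verifier classes that accept every hostname by design.
PERMISSIVE_CLASSES = ("NoopHostnameVerifier", "AllowAllHostnameVerifier")
# Lambda verifier whose body is the literal true.
LAMBDA_TRUE_RE = re.compile(r"->\s*true\b")
# Body of a verify(...) method inside an anonymous HostnameVerifier.
VERIFY_BODY_RE = re.compile(r"verify\s*\([^)]*\)\s*\{(.*?)\}", re.S)


@dataclass
class Finding:
    line: int       # 1-based line of the setter call
    method: str     # which setter was called
    reason: str     # why the verifier was judged permissive


def _balanced_arg(src: str, start: int) -> str:
    """Return the argument text of the call whose '(' is at src[start]."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    return src[start + 1:]  # unterminated call: scan to end of input


def classify_verifier(arg: str):
    """Return a reason string if the verifier argument is permissive, else None."""
    for cls in PERMISSIVE_CLASSES:
        if cls in arg:
            return f"uses {cls}, which accepts every hostname"
    if LAMBDA_TRUE_RE.search(arg):
        return "lambda verifier unconditionally returns true"
    m = VERIFY_BODY_RE.search(arg)
    if m:
        body = re.sub(r"\s+", " ", m.group(1)).strip()
        if body in ("", "return true;"):
            return "anonymous HostnameVerifier.verify() body accepts all hosts"
    return None


def scan_java(src: str) -> list:
    """Flag every hostname-verifier setter call whose argument disables verification."""
    findings = []
    for m in CALL_RE.finditer(src):
        arg = _balanced_arg(src, m.end() - 1)
        reason = classify_verifier(arg)
        if reason:
            line = src.count("\n", 0, m.start()) + 1
            findings.append(Finding(line, m.group(1), reason))
    return findings


if __name__ == "__main__":
    for name, sample in [("noop", NOOP_SAMPLE), ("lambda", LAMBDA_SAMPLE),
                         ("anon", ANON_SAMPLE), ("secure", SECURE_SAMPLE)]:
        for f in scan_java(sample):
            print(f"{name}:{f.line}: {f.method} -> {f.reason}")
```

The secure sample produces no finding because DefaultHostnameVerifier is neither a known accept-all class nor an inline implementation; a custom verifier that performs real checks would likewise pass, since only an empty or `return true;` body is flagged. A real rule would also resolve imports so that a renamed or wrapped accept-all verifier is not missed, which this text-level heuristic does not attempt.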
Vulnerable code example
    import org.apache.http.conn.ssl.NoopHostnameVerifier;
    import org.apache.http.impl.client.HttpClients;
    import javax.net.ssl.SSLSocketFactory;

    public class InsecureSSLConfig {
        public void createInsecureHttpClient() {
            // Vulnerable: Disables hostname verification, allowing MitM attacks
            var httpClient = HttpClients.custom()...

✅ Secure code example
    import org.apache.http.conn.ssl.DefaultHostnameVerifier;
    import org.apache.http.impl.client.HttpClients;
    import org.apache.http.ssl.SSLContexts;
    import javax.net.ssl.SSLContext;
    import org.apache.http.conn.ssl.SSLConnectionSocketFactory;

    public class SecureSSLConfig {
        public void createSecureHttpClient() {...