Javascript Tls Reject Unauthorized False
Description
Detects when Node.js HTTPS requests are configured to skip TLS certificate validation by setting rejectUnauthorized to false. This configuration bypasses verification of server certificates, enabling man-in-the-middle attacks where attackers could intercept and modify supposedly secure HTTPS traffic.
Detection Strategy
• Search for HTTPS Agent constructor calls in JavaScript/Node.js code (https.Agent)
• Check if the Agent is initialized with configuration options
• Look for 'rejectUnauthorized: false' in the configuration options
• Report a vulnerability when certificate verification is explicitly disabled
Vulnerable code example
const https = require('https');
// Vulnerable: Disables SSL/TLS certificate validation
const agent = new https.Agent({
rejectUnauthorized: false // Security risk: Bypasses certificate verification
});
https.get('https://example.com', { httpsAgent: agent }, (res) => {...✅ Secure code example
const https = require('https');
// Secure: Enforce SSL/TLS certificate validation (default behavior)
const agent = new https.Agent({
rejectUnauthorized: true // Explicitly enable certificate verification
});
https.get('https://example.com', { httpsAgent: agent }, (res) => {...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.