Java Strict Host Key Checking Bypassed

Description

Detects when JSch SSH client is configured to disable strict host key checking through the 'StrictHostKeyChecking=no' property. This is a security vulnerability as it bypasses SSH host verification, making the connection susceptible to man-in-the-middle attacks by accepting any host key without validation.

Weakness:

368 - Unrestricted access between network segments - StrictHostKeyChecking

Category: Access Subversion

Detection Strategy

• Look for calls to the 'put' method with exactly two arguments

• Check if first argument is exactly 'StrictHostKeyChecking'

• Check if second argument is 'no' (case insensitive)

• Report vulnerability when both conditions are met in the same put() call

Vulnerable code example

import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;
import java.util.Properties;

public class SSHExample {
    public void connect() {
        try {
            JSch jsch = new JSch();...

✅ Secure code example

import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;
import java.util.Properties;

public class SSHExample {
    public void connect() {
        try {
            JSch jsch = new JSch();...

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.