Java Hostname Verification Disabled
Description
Detects when MongoDB hostname verification is disabled through the 'invalidHostNameAllowed' setting of the MongoDB Java driver's SslSettings. With this option enabled, the driver still validates the server's certificate chain against the JVM trust store, but it no longer checks that the name in the certificate matches the host it is connecting to. Any certificate trusted by the client, including one issued to an unrelated domain by a public CA, is then accepted for the database host, so an attacker who can redirect or intercept the connection can impersonate the MongoDB server and read or modify traffic (man-in-the-middle attack).
Detection Strategy
• Check that MongoDB driver packages (com.mongodb.*) are imported in the file under analysis
• Search for calls that set the 'invalidHostNameAllowed' option on the SSL settings builder
• Verify that the setting is explicitly set to true (the driver default is false)
• Report a vulnerability for each location where hostname verification is disabled
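As an added example (not part of the original page and not Fluid Attacks' own scanner code), the four detection steps above as a small Python line scanner. It goes one step beyond the page by also flagging the same weakening expressed through the connection string, since the Java driver applies the URI options 'tlsAllowInvalidHostnames=true' (or the older 'sslInvalidHostNameAllowed=true') to the same SslSettings. The Java snippets it scans are constructed for this example and are not real application code.

```python
import re

# Constructed Java samples (written for this example, not taken from any
# real code base); each exercises one branch of the detector.
VULNERABLE_JAVA = """
import com.mongodb.MongoClientSettings;
class MongoConfig {
    void configureConnection() {
        MongoClientSettings settings = MongoClientSettings.builder()
            .applyToSslSettings(builder -> {
                builder.enabled(true);
                builder.invalidHostNameAllowed(true);
            })
            .build();
    }
}
"""

SECURE_JAVA = VULNERABLE_JAVA.replace("invalidHostNameAllowed(true)",
                                      "invalidHostNameAllowed(false)")

# Same method name on an unrelated (hypothetical) library: without the import
# check this would be a false positive.
NO_MONGO_JAVA = """
import com.example.http.TlsOptions;
class Other {
    void f() { new TlsOptions().invalidHostNameAllowed(true); }
}
"""

# The same weakening through a connection-string option (URI option is real,
# the surrounding code is constructed).
URI_JAVA = """
import com.mongodb.ConnectionString;
import com.mongodb.client.MongoClients;
class MongoConfig {
    void connect() {
        MongoClients.create(new ConnectionString(
            "mongodb://db.example.internal:27017/?tls=true&tlsAllowInvalidHostnames=true"));
    }
}
"""

MONGO_IMPORT = re.compile(r"^\s*import\s+com\.mongodb\.", re.MULTILINE)
BUILDER_CALL = re.compile(r"\.invalidHostNameAllowed\s*\(\s*(true|false)\s*\)")
URI_OPTION = re.compile(
    r"[?&](?:tlsAllowInvalidHostnames|sslInvalidHostNameAllowed)=true\b")
# Strip '//' line comments but keep the '//' inside 'mongodb://' URIs.
LINE_COMMENT = re.compile(r"(?<!:)//.*$")


def find_disabled_hostname_verification(java_source: str) -> list[dict]:
    """Return one finding per line that disables MongoDB hostname verification.

    Mirrors the detection strategy: (1) require a com.mongodb import,
    (2) locate the setting, (3) check it is enabled, (4) report it.
    """
    if not MONGO_IMPORT.search(java_source):
        return []  # step 1: not MongoDB code, the method name is not ours
    findings = []
    for lineno, raw in enumerate(java_source.splitlines(), start=1):
        line = LINE_COMMENT.sub("", raw)          # ignore commented-out code
        m = BUILDER_CALL.search(line)             # step 2
        if m and m.group(1) == "true":            # step 3
            findings.append({"line": lineno, "kind": "builder",
                             "snippet": raw.strip()})
        if URI_OPTION.search(line):               # connection-string variant
            findings.append({"line": lineno, "kind": "uri",
                             "snippet": raw.strip()})
    return findings                               # step 4


if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_JAVA), ("secure", SECURE_JAVA),
                      ("no-mongo", NO_MONGO_JAVA), ("uri", URI_JAVA)]:
        for f in find_disabled_hostname_verification(src):
            print(f"{name}:{f['line']} [{f['kind']}] {f['snippet']}")
```

The scanner is line-based: it ignores '//' comments but not '/* */' block comments, and it cannot follow a boolean that reaches 'invalidHostNameAllowed' through a variable or a configuration property, so a real SAST rule would work on the parsed AST rather than on text.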
Vulnerable code example
import com.mongodb.MongoClientSettings;
class MongoConfig {
    void configureConnection() {
        // Disables hostname verification, allowing MITM attacks: the chain is
        // still validated, but the certificate is not matched to the host name
        MongoClientSettings settings = MongoClientSettings.builder()
            .applyToSslSettings(builder -> {
                builder.enabled(true);
                builder.invalidHostNameAllowed(true);
            })
            .build();
    }
}
✅ Secure code example
import com.mongodb.MongoClientSettings;
class MongoConfig {
    void configureConnection() {
        // Enable TLS and keep hostname verification on (false is the driver
        // default; it is set explicitly here so the intent is visible)
        MongoClientSettings settings = MongoClientSettings.builder()
            .applyToSslSettings(builder -> {
                builder.enabled(true);
                builder.invalidHostNameAllowed(false);
            })
            .build();
    }
}