Json Yaml Tls Verification Disabled Env
Description
Detects when TLS certificate verification is disabled by setting NODE_TLS_REJECT_UNAUTHORIZED=0 in the environment variables of a CloudFormation (or Serverless Framework) template. Node.js reads this variable at process start: when its value is exactly the string "0", every TLS connection and HTTPS request the process makes defaults to rejectUnauthorized: false, so certificates from an unknown issuer, expired certificates and certificates issued for a different host are all accepted. An attacker on the network path can present their own certificate and read or modify the traffic (man-in-the-middle). Because the variable is set at the deployment level, it weakens every outbound connection of the function, not only the one endpoint the developer was trying to reach.
Detection Strategy
• Search for environment variable blocks in the template: in Serverless Framework files these are provider.environment and functions.<name>.environment; in CloudFormation they are Environment.Variables under the Properties of an AWS::Lambda::Function
• Check if the environment variable name is 'NODE_TLS_REJECT_UNAUTHORIZED'
• Check whether the value is 0; YAML may carry it as the unquoted number 0 or the quoted string "0", and both reach the process as the string "0", which is the only value Node.js treats as disabling verification
• Report a vulnerability if both conditions are met within an environment block; the same variable elsewhere in the template (for example under a custom section) is not an environment variable and is not reported by this rule
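The four steps above, carried through as a working detector. This is an added example, not Fluid Attacks' own scanner code. It walks an already-parsed template tree (the dict/list structure that json.loads or yaml.safe_load produce), looks for NODE_TLS_REJECT_UNAUTHORIZED inside an environment block in either the Serverless Framework or the CloudFormation layout, and applies the value rule explained above: the integer 0 and the string "0" are both findings, while values such as "false" are not, because Node.js only compares the variable against the string "0". The two sample templates and the function and key names (scan, scan_text, load_template, ENV_BLOCK_KEYS) are constructed for the example.

```python
"""Detect NODE_TLS_REJECT_UNAUTHORIZED=0 in parsed CloudFormation / Serverless templates.

Added example; not part of the original page or of any scanner's source.
"""
import json
from typing import Any, Iterator, List, Tuple

TARGET_VAR = "NODE_TLS_REJECT_UNAUTHORIZED"

# Mapping keys that hold environment variables (compared case-insensitively):
#   Serverless Framework: provider.environment, functions.<name>.environment
#   CloudFormation:       Properties.Environment.Variables of a Lambda function
ENV_BLOCK_KEYS = {"environment", "variables"}


def disables_tls_verification(value: Any) -> bool:
    """Node.js disables verification only when the variable is exactly the string "0".

    YAML may deliver the value as the integer 0 or the string "0"; both become "0"
    once exported to the process, so both are findings. Anything else ("false",
    1, "") leaves verification enabled and is not reported.
    """
    return str(value).strip() == "0"


def find_tls_verification_disabled(doc: Any, path: Tuple = ()) -> Iterator[str]:
    """Yield the dotted path of every NODE_TLS_REJECT_UNAUTHORIZED=0 inside an env block."""
    if isinstance(doc, dict):
        for key, value in doc.items():
            inside_env_block = any(str(p).lower() in ENV_BLOCK_KEYS for p in path)
            if key == TARGET_VAR and inside_env_block and disables_tls_verification(value):
                yield ".".join(str(p) for p in path + (key,))
            yield from find_tls_verification_disabled(value, path + (key,))
    elif isinstance(doc, list):
        for index, item in enumerate(doc):
            yield from find_tls_verification_disabled(item, path + (index,))


def scan(doc: Any) -> List[str]:
    """Sorted list of finding paths for an already-parsed template."""
    return sorted(find_tls_verification_disabled(doc))


def load_template(text: str) -> Any:
    """Parse JSON with the standard library; fall back to PyYAML for YAML if it is installed.

    Caveat: CloudFormation short-form intrinsics such as !Ref or !Sub are custom YAML
    tags that yaml.safe_load rejects; real scanners register constructors for them.
    """
    try:
        return json.loads(text)
    except ValueError:
        import yaml  # optional dependency; only needed for YAML input
        return yaml.safe_load(text)


def scan_text(text: str) -> List[str]:
    return scan(load_template(text))


# Constructed CloudFormation sample: one function disables verification, one does not.
CFN_TEMPLATE_JSON = json.dumps({
    "Resources": {
        "Api": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Runtime": "nodejs14.x",
                "Environment": {"Variables": {"NODE_TLS_REJECT_UNAUTHORIZED": "0",
                                              "LOG_LEVEL": "info"}},
            },
        },
        "Worker": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Environment": {"Variables": {"NODE_TLS_REJECT_UNAUTHORIZED": "1"}}},
        },
    }
})

# Constructed Serverless Framework sample, as yaml.safe_load would return it:
# provider-level unquoted 0 is a finding; "false" is not; the custom section is not an env block.
SERVERLESS_TEMPLATE = {
    "provider": {"name": "aws", "runtime": "nodejs14.x",
                 "environment": {"NODE_TLS_REJECT_UNAUTHORIZED": 0}},
    "functions": {"api": {"handler": "handler.main",
                          "environment": {"NODE_TLS_REJECT_UNAUTHORIZED": "false"}}},
    "custom": {"NODE_TLS_REJECT_UNAUTHORIZED": 0},
}

if __name__ == "__main__":
    for finding in scan_text(CFN_TEMPLATE_JSON) + scan(SERVERLESS_TEMPLATE):
        print("TLS verification disabled at:", finding)
```

The path-based check means a finding is reported only where the variable would actually be exported into the function's process; the same key under an unrelated section is ignored, which keeps the rule precise rather than pattern-matching the whole file for the string.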
Vulnerable code example
provider:
  name: aws
  runtime: nodejs14.x
  region: us-east-1
  environment:
    NODE_TLS_REJECT_UNAUTHORIZED: 0 # Disables TLS certificate validation for every connection the function makes - SEVERE security risk
    CIPHER_DEF: "ECDHE_ECDSA" # Application-specific cipher setting; not what this rule flags
Secure code example
provider:
  name: aws
  runtime: nodejs14.x
  region: us-east-1
  environment:
    # NODE_TLS_REJECT_UNAUTHORIZED is not set, so Node.js keeps validating certificates
    # Let Node.js use its default cipher list instead of setting one explicitly
If the function must reach an endpoint that uses a private or internal CA, trust that CA explicitly rather than disabling verification: add its certificate through NODE_EXTRA_CA_CERTS or pass it in the ca option of the https/tls request. That keeps validation on for every other connection and only widens trust by the one issuer that is actually needed.