Python Aiohttp Ssl Verification Bypass
Description
Detects when SSL certificate verification is disabled in Python aiohttp HTTP clients. With verification disabled, the client accepts any certificate, including untrusted or attacker-controlled ones, which enables man-in-the-middle attacks in which an attacker intercepts and modifies HTTPS traffic.
Detection Strategy
• Checks whether the aiohttp library is imported in the code
• Identifies aiohttp client method calls and session or connector creations
• Flags cases where the ssl parameter is explicitly set to False
• Reports a vulnerability when SSL certificate verification is disabled through any supported mechanism
Vulnerable code example

    import aiohttp

    async def insecure_client():
        # Vulnerable: explicitly disables SSL certificate verification
        connector = aiohttp.TCPConnector(ssl=False)
        # Vulnerable: creates a session with SSL verification disabled
        async with aiohttp.ClientSession(ssl=False) as session:
            ...

Secure code example
    import aiohttp

    async def secure_client():
        # Safe: uses the default SSL verification (True)
        connector = aiohttp.TCPConnector()
        # Safe: SSL verification is enabled by default
        async with aiohttp.ClientSession() as session:
            ...