Python Ssl Certificate Verification Bypass
Description
Detects code patterns that bypass SSL/TLS certificate verification in Python applications. This vulnerability allows man-in-the-middle attacks by accepting invalid or malicious certificates, making encrypted connections insecure and exposing sensitive data to potential attackers.
Detection Strategy
• Check if the 'ssl' module is imported in the Python code
• Search for SSL configuration code that disables certificate verification (e.g., verify=False, check_hostname=False)
• Look for direct HTTPS connection calls with certificate verification disabled
• Report vulnerable code locations where certificate validation is explicitly bypassed
Vulnerable code example
import ssl
import socket
# VULNERABLE: Creates SSL context that skips certificate validation
ctx = ssl._create_unverified_context()
# VULNERABLE: Using context that doesn't verify certificates
sock = socket.socket()...✅ Secure code example
import ssl
import socket
# SAFE: Creates default context that properly validates certificates
ctx = ssl.create_default_context()
# SAFE: Using secure context that requires and verifies certificates
sock = socket.socket()...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.