Php Ssl Verification Disabled
Description
Identifies PHP code that disables SSL/TLS certificate verification in HTTP requests. This vulnerability allows requests to proceed even with invalid SSL certificates, making the application susceptible to man-in-the-middle attacks and potential data breaches.
Detection Strategy
• Scans for calls to Http::withOptions() method in PHP code
• Checks if the options parameter includes settings that disable SSL certificate verification
• Reports a vulnerability when SSL verification is explicitly disabled or set to ignore certificate validation
• Examines the configuration context to ensure the unsafe settings are actually being applied to HTTP requests
Vulnerable code example
<?php
use Illuminate\Support\Facades\Http;
// Disabling SSL verification allows MITM attacks
$response = Http::withOptions([
'verify' => false // VULNERABLE: Disables SSL certificate verification
])->get('https://example.com');
...✅ Secure code example
<?php
use Illuminate\Support\Facades\Http;
// Always enable SSL verification for secure HTTPS connections
$response = Http::withOptions([
'verify' => true // SECURE: Enables SSL certificate verification
])->get('https://example.com');
...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.