Typescript Ssl Verification Bypass

Description

Detects code patterns that disable SSL/TLS certificate verification in TypeScript applications. This vulnerability allows applications to accept invalid SSL certificates, potentially enabling man-in-the-middle attacks where attackers can intercept and tamper with supposedly secure HTTPS communications.

Weakness:

313 - Insecure service configuration - Certificates

Category: Functionality Abuse

Detection Strategy

• Identifies usage of HTTPS, TLS or request modules by analyzing imports and module aliases

• Looks for configurations where certificate verification is disabled through properties like 'rejectUnauthorized: false'

• Examines HTTPS/TLS client configurations in module methods and request options

• Flags code that explicitly disables certificate validation or uses insecure verification settings

Vulnerable code example

import * as https from 'node:https';

const options = {
  hostname: 'example.com',
  port: 443,
  path: '/',
  method: 'GET',
  rejectUnauthorized: false  // VULNERABLE: Disables SSL certificate validation...

✅ Secure code example

import * as https from 'node:https';

const options = {
  hostname: 'example.com',
  port: 443,
  path: '/',
  method: 'GET',
  // Removed rejectUnauthorized: false to enable certificate validation...

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.