C Sharp Server Certificate Validation Always True
Description
Detects when SSL/TLS certificate validation is disabled in C# applications by setting ServicePointManager.ServerCertificateValidationCallback to a handler that always returns true. This is a critical weakness: because the callback accepts every certificate, any certificate presented by a server (self-signed, expired, revoked or issued for another host) completes the TLS handshake, which exposes the application to man-in-the-middle attacks and fraudulent certificates.
Detection Strategy
• Identifies assignments to ServicePointManager.ServerCertificateValidationCallback property
• Checks if the callback is set to a lambda or delegate that always returns true
• Reports a vulnerability when certificate validation is effectively disabled through this configuration
• Focuses on global certificate validation settings that affect all HTTPS connections in the application
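The detection strategy above, turned into a small regex-based scanner for C# source as an added illustration (this is not the rule's own implementation): it finds every assignment to the callback, extracts the assigned handler with a brace-aware scan, and reports handlers that unconditionally return true. SAMPLE_SOURCE is constructed input, not code from any real project.

```python
import re

# Constructed C# fragments: two insecure assignments, one commented out, one secure
SAMPLE_SOURCE = """
ServicePointManager.ServerCertificateValidationCallback =
    (sender, certificate, chain, sslPolicyErrors) => true;
ServicePointManager.ServerCertificateValidationCallback +=
    delegate { return true; };
// ServicePointManager.ServerCertificateValidationCallback = (s, c, ch, e) => true;
ServicePointManager.ServerCertificateValidationCallback =
    (sender, certificate, chain, sslPolicyErrors) =>
        sslPolicyErrors == SslPolicyErrors.None;
"""

# Assignment ("=" or "+=") to the global validation callback
ASSIGNMENT = re.compile(
    r"ServicePointManager\s*\.\s*ServerCertificateValidationCallback\s*\+?=(?![=>])")
# Handler whose body is "=> true" or a block whose only statement is "return true;"
ALWAYS_TRUE = re.compile(r"(=>\s*true$|\{\s*return\s+true\s*;\s*\}$)")


def strip_comments(source: str) -> str:
    """Blank out // and /* */ comments, keeping newlines so line numbers stay valid."""
    source = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"),
                    source, flags=re.DOTALL)
    return re.sub(r"//[^\n]*", "", source)


def statement_end(source: str, start: int) -> int:
    """Index of the ';' ending the statement at start; ';' inside braces/parens is skipped."""
    depth = 0
    for i, ch in enumerate(source[start:], start):
        depth += ch in "{("
        depth -= ch in "})"
        if ch == ";" and depth == 0:
            return i
    return len(source)


def find_disabled_validation(source: str) -> list[tuple[int, str]]:
    """Return (line, handler) for each callback assignment that always returns true."""
    cleaned = strip_comments(source)
    findings = []
    for match in ASSIGNMENT.finditer(cleaned):
        end = statement_end(cleaned, match.end())
        handler = " ".join(cleaned[match.end():end].split())  # normalise whitespace
        if ALWAYS_TRUE.search(handler):
            findings.append((cleaned.count("\n", 0, match.start()) + 1, handler))
    return findings
```

On SAMPLE_SOURCE the scanner reports lines 2 and 4 and stays silent on the commented-out line and on the handler that checks SslPolicyErrors.None.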
Vulnerable code example
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
class Program
{
    public void ConfigureSSL()
    {
        // Accepts every server certificate, disabling TLS validation for all
        // HTTPS connections made by this process
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, certificate, chain, sslPolicyErrors) => true;
    }
}
✅ Secure code example
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
class Program
{
    public void ConfigureSSL()
    {
        // Only accept certificates that passed the default chain, hostname and
        // expiry checks; any reported policy error rejects the connection
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, certificate, chain, sslPolicyErrors) =>
                sslPolicyErrors == SslPolicyErrors.None;
    }
}