Python Boto3 SSL Verification Bypass
Description
Detects when SSL/TLS certificate verification is disabled in AWS boto3 SDK calls, which makes connections vulnerable to man-in-the-middle attacks. This check identifies boto3 client or resource instantiations where the 'verify' parameter is explicitly set to False, disabling certificate validation.
Detection Strategy
• Identifies Python code that imports the boto3 library
• Checks for boto3 client/resource creation calls (like boto3.client() or boto3.resource())
• Looks for 'verify=False' parameter in these boto3 initialization calls
• Reports a vulnerability when SSL certificate verification is explicitly disabled
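The strategy above, implemented as an added example (not Fluid Attacks' own rule engine): a small AST-based scanner that gates on a boto3 import, then flags any .client()/.resource() call (on the boto3 module or on a Session object) whose verify keyword is the literal False. The sample source it scans is constructed for the example.

```python
import ast

# Constructed sample input (not from the page): two findings expected,
# the third call keeps the secure default and must not be reported.
SAMPLE_SOURCE = '''
import boto3
s3 = boto3.client("s3", verify=False)
session = boto3.Session()
ddb = session.resource("dynamodb", verify=False)
safe = boto3.client("sqs")
'''

# boto3 entry points that accept the 'verify' parameter
CONSTRUCTORS = {"client", "resource"}


def _is_false(node: ast.AST) -> bool:
    """True when the keyword's value is the literal False."""
    return isinstance(node, ast.Constant) and node.value is False


def find_disabled_verification(source: str) -> list[int]:
    """Return line numbers of boto3 client/resource calls with verify=False.

    The file must import boto3; the call must be a .client()/.resource()
    constructor; and 'verify' must be explicitly False. Matching on the
    attribute name alone is a heuristic (hypothetical detector, not the
    page's engine), so the import gate limits false positives from other
    libraries that also expose a .client() method.
    """
    tree = ast.parse(source)
    imports_boto3 = any(
        (isinstance(n, ast.Import) and any(a.name == "boto3" for a in n.names))
        or (isinstance(n, ast.ImportFrom) and n.module == "boto3")
        for n in ast.walk(tree)
    )
    if not imports_boto3:
        return []
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in CONSTRUCTORS):
            continue
        if any(kw.arg == "verify" and _is_false(kw.value) for kw in node.keywords):
            findings.append(node.lineno)
    return sorted(findings)


if __name__ == "__main__":
    for line in find_disabled_verification(SAMPLE_SOURCE):
        print(f"line {line}: boto3 call with verify=False")
```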
Vulnerable code example
import boto3
# VULNERABLE: Creating AWS clients with SSL verification disabled
s3 = boto3.client('s3', verify=False)  # Critical security risk: SSL verification disabled
dynamodb = boto3.resource('dynamodb', verify=False)  # Allows MiTM attacks
# Using session with disabled verification
session = boto3.Session()
# ...
✅ Secure code example
import boto3
# Safe: Using default SSL verification (verify=True)
s3 = boto3.client('s3') # SSL verification enabled by default
# Safe: Using explicit SSL verification
dynamodb = boto3.resource('dynamodb', verify=True) # Ensures proper certificate validation