Ruby Insecure OpenSSL Mode
Description
Detects when SSL/TLS certificate verification is disabled or configured insecurely in Ruby applications using OpenSSL. This creates a security risk by allowing man-in-the-middle attacks since the authenticity of TLS connections is not properly verified.
Detection Strategy
• Check if the OpenSSL library is imported in the Ruby code
• Identify assignments to the 'verify_mode' property on OpenSSL objects
• Check whether the assigned value disables or weakens certificate verification (e.g., VERIFY_NONE)
• Report a vulnerability when SSL/TLS verification is configured to be disabled or insecure
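The four steps above can be carried out with a small static check. The following is an added example written for this page, not Fluid Attacks' rule implementation: it scans Ruby source text for the `openssl` require (also accepting `net/http` and `net/https`, which load OpenSSL themselves, an assumption about Ruby's standard library rather than something the rule page states), finds `verify_mode` set by assignment or by keyword argument, and reports assignments of `VERIFY_NONE`. It goes slightly beyond the page by also treating the numeric value `0` (the value of `VERIFY_NONE`) as insecure. The sample sources at the bottom are constructed for the example.

```ruby
# Added example: a minimal static check for insecure OpenSSL verify_mode
# settings in Ruby source. Not the vendor's rule code; the sample inputs
# below are constructed for demonstration.

# Requires that make OpenSSL available. 'openssl' is the one the rule names;
# 'net/http' and 'net/https' are assumed here because Net::HTTP loads
# OpenSSL on demand when use_ssl is enabled.
REQUIRE_RE = %r{\A\s*require\s+['"](?:openssl|net/https?)['"]}

# Matches `obj.verify_mode = VALUE` and the keyword form `verify_mode: VALUE`.
ASSIGN_RE = /\bverify_mode\s*[=:]\s*(?<value>[A-Za-z0-9_:]+)/

# Values that disable peer certificate verification. `0` is the numeric
# value of OpenSSL::SSL::VERIFY_NONE and is treated the same way.
INSECURE_VERIFY_VALUES = %w[OpenSSL::SSL::VERIFY_NONE SSL::VERIFY_NONE VERIFY_NONE 0].freeze

Finding = Struct.new(:line, :value, :message)

# Step 1: is the OpenSSL library loaded anywhere in this file?
def requires_openssl?(source)
  source.each_line.any? { |l| l.match?(REQUIRE_RE) }
end

# Step 3: does this value disable or weaken verification?
def insecure_value?(value)
  INSECURE_VERIFY_VALUES.include?(value.strip)
end

# Steps 2 and 4: locate verify_mode settings and report the insecure ones.
def scan_verify_mode(source)
  findings = []
  return findings unless requires_openssl?(source)

  source.each_line.with_index(1) do |line, lineno|
    next if line.lstrip.start_with?('#') # comment-only line, not code
    m = line.match(ASSIGN_RE)
    next unless m && insecure_value?(m[:value])

    findings << Finding.new(
      lineno, m[:value],
      "verify_mode set to #{m[:value]}: TLS peer certificate is not verified (MITM risk)"
    )
  end
  findings
end

# Constructed sample inputs mirroring the page's vulnerable and secure snippets.
VULNERABLE_SAMPLE = <<~RUBY
  require 'net/http'
  require 'openssl'
  uri = URI('https://example.com')
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
RUBY

SECURE_SAMPLE = <<~RUBY
  require 'net/http'
  require 'openssl'
  uri = URI('https://example.com')
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
RUBY

KEYWORD_SAMPLE = <<~RUBY
  require 'net/http'
  Net::HTTP.start(uri.host, uri.port, use_ssl: true, verify_mode: OpenSSL::SSL::VERIFY_NONE) do |h|
    h.get('/')
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  { 'vulnerable' => VULNERABLE_SAMPLE, 'secure' => SECURE_SAMPLE, 'keyword' => KEYWORD_SAMPLE }
    .each do |name, src|
    scan_verify_mode(src).each { |f| puts "#{name}:#{f.line}: #{f.message}" }
  end
end
```

The check is line-based on purpose: it is enough to show the rule's logic, but a real scanner should work on the parsed AST so that a value built at runtime (for example a `verify_mode` read from configuration) is not silently missed.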
Vulnerable code example
require 'net/http'
require 'openssl'
uri = URI('https://example.com')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
# VULNERABLE: Disables SSL certificate verification, allowing MITM attacks
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

✅ Secure code example
require 'net/http'
require 'openssl'
uri = URI('https://example.com')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
# SAFE: Explicitly require SSL certificate verification
http.verify_mode = OpenSSL::SSL::VERIFY_PEER