Python Httpx Ssl Verification Bypass
Description
Detects when SSL/TLS certificate verification is disabled in HTTPX HTTP client requests. This represents a significant security risk as it bypasses certificate validation, making HTTPS connections vulnerable to man-in-the-middle attacks and potentially exposing sensitive data.
Detection Strategy
• Check for imports of the 'httpx' library in Python code
• Look for HTTPX HTTP client method calls (like get, post, request, etc.)
• Identify when these methods are called with verify=False parameter
• Report a vulnerability when certificate verification is explicitly disabled
Vulnerable code example
import httpx
# Direct request with disabled SSL verification
httpx.get("https://example.com", verify=False) # VULNERABLE: Explicitly disables SSL certificate validation
# Client instance with disabled verification
client = httpx.Client(verify=False) # VULNERABLE: All requests from this client will skip SSL checks
client.get("https://example.com")✅ Secure code example
import httpx
import ssl
import certifi
# SAFE: Using default SSL verification (verify=True is default)
httpx.get("https://example.com")
# If custom certificate validation is needed, use a valid CA bundle...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.