C Sharp Revocation Check Disabled
Description
Detects when certificate revocation list (CRL) checking is disabled in C# HTTP client configurations. This creates a security risk because the application will not verify whether the server's SSL/TLS certificate has been revoked, so it may connect to a compromised server that presents a revoked certificate.
Detection Strategy
• Identifies assignments or configurations where the CheckCertificateRevocationList property is set
• Verifies that the configuration is applied to an HttpClient or related network client object
• Confirms the property is set to a value that disables certificate revocation checks
• Reports a vulnerability when certificate revocation checking is explicitly disabled
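The four steps above, as an added example that is not Fluid Attacks' own analyzer: a small line-based Python checker run over a constructed C# snippet. The handler type list, the file-wide (not scope-aware) variable tracking, and the sample source are simplifications assumed here.

```python
import re

# Constructed example checker; handler types and file-wide variable tracking are simplifications.
HANDLER_TYPES = ("HttpClientHandler", "WinHttpHandler")  # both expose CheckCertificateRevocationList
NEW_HANDLER = re.compile(r"\b\w+\s+(\w+)\s*=\s*new\s+(" + "|".join(HANDLER_TYPES) + r")\s*[\(\{]")
BOOL_LOCAL = re.compile(r"\bbool\s+(\w+)\s*=\s*(true|false)\s*;")
CRL_ASSIGN = re.compile(r"\b(\w+)\.CheckCertificateRevocationList\s*=\s*(\w+)\s*;")

def find_disabled_revocation_checks(source: str):
    """Return (line, handler_var, handler_type) for each handler whose
    CheckCertificateRevocationList is set to false, as a literal or via a bool local."""
    handlers, bool_locals, findings = {}, {}, []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop trailing line comments
        if m := NEW_HANDLER.search(code):        # step 2: track handler objects
            handlers[m.group(1)] = m.group(2)
        if m := BOOL_LOCAL.search(code):         # resolve bool locals used as the value
            bool_locals[m.group(1)] = m.group(2) == "true"
        if (m := CRL_ASSIGN.search(code)) and m.group(1) in handlers:  # step 1: the assignment
            value = m.group(2)
            enabled = value == "true" if value in ("true", "false") else bool_locals.get(value)
            if enabled is False:                 # steps 3-4: explicitly disabled -> report
                findings.append((lineno, m.group(1), handlers[m.group(1)]))
    return findings

# Constructed C# input: one direct "false", one via a local, one correctly enabled.
SAMPLE = """\
using System.Net.Http;
class Program {
    void Bad() {
        var handler = new WinHttpHandler();
        handler.CheckCertificateRevocationList = false; // flagged
    }
    void Good() {
        var h = new HttpClientHandler();
        h.CheckCertificateRevocationList = true;
    }
    void Indirect() {
        bool checkRevocation = false;
        var h2 = new HttpClientHandler();
        h2.CheckCertificateRevocationList = checkRevocation; // flagged
    }
}
"""

if __name__ == "__main__":
    for line, var, kind in find_disabled_revocation_checks(SAMPLE):
        print(f"line {line}: {kind} '{var}' has CRL checking disabled")
```

A value the checker cannot resolve (a parameter or a field) is left unreported rather than guessed, which matches the rule's "explicitly disabled" wording.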
Vulnerable code example
using System.Net.Http; // WinHttpHandler is provided by the System.Net.Http.WinHttpHandler package

class Program {
    void ConfigureHandler() {
        var handler = new WinHttpHandler();
        handler.CheckCertificateRevocationList = false; // Vulnerable: Disables certificate revocation checking
        bool checkRevocation = false;
    }
}
✅ Secure code example
using System.Net.Http; // WinHttpHandler is provided by the System.Net.Http.WinHttpHandler package

class Program {
    void ConfigureHandler() {
        var handler = new WinHttpHandler();
        handler.CheckCertificateRevocationList = true; // Secure: Enable certificate revocation checking
        bool checkRevocation = true; // Always enable revocation checking
    }
}