Java Strict Host Key Checking Disabled
Description
Detects when SSH host key verification is disabled in Java code, which could allow man-in-the-middle attacks. This configuration change removes validation of remote SSH server identities, making connections vulnerable to interception by malicious hosts.
Weakness:
368 - Unrestricted access between network segments - StrictHostKeyChecking
Category: Access Subversion
Detection Strategy
• Identifies calls to setConfig() method in Java code
• Checks if the configuration is modifying SSH host key verification settings
• Reports issues when strict host key checking is explicitly disabled
• Specifically looks for patterns that weaken SSH connection security
Vulnerable code example
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;
public class SSHConnection {
public void connect(String host) {
JSch jsch = new JSch();
Session session = jsch.getSession("user", host, 22);
session.setConfig("StrictHostKeyChecking", "No"); // Vulnerable: Disables SSH host verification...✅ Secure code example
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;
import java.util.Properties;
public class SSHConnection {
public void connect(String host, String user, String knownHostsPath) {
try {
JSch jsch = new JSch();...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.