Missing or Permissive SSL Hostname Verifier

Overview

  • Rule ID: java_lang_ssl_hostname_verifier

  • Applicable Languages: Java

  • Weakness ID: CWE-295

Description

Always verify the hostname when establishing an SSL/TLS connection. Skipping this check exposes the application to man-in-the-middle attacks: if the application does not confirm that the server's hostname matches the name in the server's SSL certificate, any certificate that chains to a trusted CA is accepted for any host.

Remediation Guidelines

  • Do not use ALLOW_ALL_HOSTNAME_VERIFIER or any similarly permissive hostname verifier. Such verifiers never check whether the server's hostname matches the SSL certificate, which defeats the identity guarantee of the connection.

    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    HostnameVerifier hostnameVerifier = org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
    HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier); // unsafe: accepts any hostname for any certificate
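The following is an added example, not code from the rule page or from the Apache HttpClient project. It places the permissive pattern this rule reports next to two remediations: leaving the JDK's default verifier untouched, and, where Apache HttpClient is in use, installing its strict `DefaultHostnameVerifier` (available from HttpClient 4.4). The `loggingWrapper` helper and the `https://example.com/` URL are assumptions made for the example.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import java.io.IOException;
import java.net.URL;

import org.apache.http.conn.ssl.DefaultHostnameVerifier; // Apache HttpClient 4.4+

public final class HostnameVerificationExample {

    // UNSAFE: returns true for every hostname, whatever the certificate says.
    // This is equivalent to ALLOW_ALL_HOSTNAME_VERIFIER and is what the rule flags.
    static final HostnameVerifier PERMISSIVE = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };

    // SAFE (JDK): do not call setHostnameVerifier at all. HttpsURLConnection
    // already matches the requested host against the certificate's
    // subjectAltName / CN entries using its built-in verifier.
    static HttpsURLConnection openWithDefaultVerification(String url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        return conn; // default verifier remains active
    }

    // SAFE (Apache HttpClient 4.4+): DefaultHostnameVerifier implements
    // RFC 2818 / RFC 6125 hostname matching. Use this instead of the
    // deprecated SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER.
    static HostnameVerifier strictVerifier() {
        return new DefaultHostnameVerifier();
    }

    // Hypothetical helper: when a custom verifier is genuinely needed (e.g. to
    // log failures for incident response), delegate the decision to a strict
    // verifier instead of returning true. The wrapper never weakens the result.
    static HostnameVerifier loggingWrapper(final HostnameVerifier delegate) {
        return new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                boolean ok = delegate.verify(hostname, session);
                if (!ok) {
                    System.err.println("Hostname verification failed for " + hostname
                            + " (peer host: " + session.getPeerHost() + ")");
                }
                return ok;
            }
        };
    }

    public static void main(String[] args) throws IOException {
        // Process-wide default: strict matching, with failures logged.
        HttpsURLConnection.setDefaultHostnameVerifier(loggingWrapper(strictVerifier()));

        // Assumed URL for illustration only.
        HttpsURLConnection conn = openWithDefaultVerification("https://example.com/");
        System.out.println("Response code: " + conn.getResponseCode());
    }
}
```

The design point is that every code path ends in a verifier whose `verify` can return false. A code review or SAST finding for this rule should look not only for the `ALLOW_ALL_HOSTNAME_VERIFIER` constant but for any `HostnameVerifier` implementation whose `verify` method unconditionally returns true.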

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL
