Missing or Permissive SSL Hostname Verifier

PreviousMissing Optimal Asymmetric Encryption Padding (OAEP)NextMissing Protection against Session Fixation Attacks

Last updated 9 months ago

Missing or Permissive SSL Hostname Verifier

Overview

Rule ID: java_lang_ssl_hostname_verifier
Applicable Languages: Java
Weakness ID: CWE-295

Description

Always verify the hostname when establishing an SSL/TLS connection as a best security practice. Neglecting this step exposes your application to Man-in-the-Middle attacks, a vulnerability that occurs when the application does not ensure that the server's hostname matches the hostname specified in the server's SSL certificate.

Remediation Guidelines

Do not use ALLOW_ALL_HOSTNAME_VERIFIER or any similarly permissive hostname verifiers. These verifiers fail to properly validate if the server's hostname matches the SSL certificate, compromising the security of your connection.
```
HostnameVerifier hostnameVerifier = org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier); // unsafe
```

References

Configuration

PreviousMissing Optimal Asymmetric Encryption Padding (OAEP)NextMissing Protection against Session Fixation Attacks

Last updated 9 months ago