rspec/rules/S5435/python/rule.adoc

On Python versions earlier than 2.7.9 and 3.4.3, standard libraries that perform HTTPS request have a vulnerable SSL/TLS configuration by default. In the past, it has led to the following vulnerabilities:

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2191[CVE-2013-2191]
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6396[CVE-2013-6396]

By default, those library would simply ignore verification of X509 certificate signatures, as well as hostname verification. This mean that nothing is preventing an attacker to intercept network traffic. He would then be able to read and modify sensitive information that should normally be safe from this threat.


This rule raises an issue when one of the following standard library is used for networking with its default SSL/TLS configuration: ``++urllib++``, ``++urllib++``, ``++http++`` or ``++httplib++``.


== Ask Yourself Whether

* Your application is using _urllib_, _urllib2_, _http_, and _httplib_ modules to perform HTTPS requests
* You rely on the library default SSL/TLS configuration.
* You are using a version of Python prior to 2.7.9 or 3.4.3.

You are at risk if you answered yes to all those questions.


== Recommended Secure Coding Practices

* Avoid versions of Python where standard library have vulnerable SSL/TLS configuration by default. Your Python version should be at least 2.7.9 or 3.4.3. 
* Prefer using http://requests.readthedocs.org/[Requests package] which has secure SSL/TLS configuration by default.


== See

* https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[OWASP Top 10 2021 Category A6] - Vulnerable and Outdated Components
* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities[OWASP Top 10 2017 Category A9] - Using Components with Known Vulnerabilities
* https://cwe.mitre.org/data/definitions/295.html[MITRE, CWE-295] - Improper Certificate Validation
* https://www.python.org/dev/peps/pep-0476/[PEP-476]
* https://www.youtube.com/watch?v=4o-xqqidvKA[Benjamin Peterson - A Dive into TLS - PyCon 2015]
* https://wiki.openstack.org/wiki/OSSN/OSSN-0033[OSSN/OSSN-0033]


ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`On Python versions earlier than 2.7.9 and 3.4.3, standard libraries that perform HTTPS request have a vulnerable SSL/TLS configuration by default. In the past, it has led to the following vulnerabilities:`

			`* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2191[CVE-2013-2191]`
			`* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6396[CVE-2013-6396]`

			`By default, those library would simply ignore verification of X509 certificate signatures, as well as hostname verification. This mean that nothing is preventing an attacker to intercept network traffic. He would then be able to read and modify sensitive information that should normally be safe from this threat.`


			This rule raises an issue when one of the following standard library is used for networking with its default SSL/TLS configuration: ``++urllib++``, ``++urllib++``, ``++http++`` or ``++httplib++``.


			`== Ask Yourself Whether`

			`* Your application is using _urllib_, _urllib2_, _http_, and _httplib_ modules to perform HTTPS requests`
			`* You rely on the library default SSL/TLS configuration.`
			`* You are using a version of Python prior to 2.7.9 or 3.4.3.`

			`You are at risk if you answered yes to all those questions.`


			`== Recommended Secure Coding Practices`

			`* Avoid versions of Python where standard library have vulnerable SSL/TLS configuration by default. Your Python version should be at least 2.7.9 or 3.4.3.`
			`* Prefer using http://requests.readthedocs.org/[Requests package] which has secure SSL/TLS configuration by default.`


			`== See`

RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`* https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/[OWASP Top 10 2021 Category A6] - Vulnerable and Outdated Components`
			`* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures`
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure`
			`* https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities[OWASP Top 10 2017 Category A9] - Using Components with Known Vulnerabilities`
Update CWE mapping (#534) 2021-10-28 10:07:16 +02:00			`* https://cwe.mitre.org/data/definitions/295.html[MITRE, CWE-295] - Improper Certificate Validation`
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`* https://www.python.org/dev/peps/pep-0476/[PEP-476]`
			`* https://www.youtube.com/watch?v=4o-xqqidvKA[Benjamin Peterson - A Dive into TLS - PyCon 2015]`
			`* https://wiki.openstack.org/wiki/OSSN/OSSN-0033[OSSN/OSSN-0033]`



			`ifdef::env-github,rspecator-view[]`
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
			`endif::env-github,rspecator-view[]`