84 lines
2.8 KiB
Plaintext
84 lines
2.8 KiB
Plaintext
Validating SSL/TLS connections is security-sensitive. For example, it has led in the past to the following vulnerabilities:
|
|
|
|
* https://nvd.nist.gov/vuln/detail/CVE-2014-5531[CVE-2014-5531]
|
|
* https://nvd.nist.gov/vuln/detail/CVE-2014-5524[CVE-2014-5524]
|
|
* https://nvd.nist.gov/vuln/detail/CVE-2014-5574[CVE-2014-5574]
|
|
|
|
SSL/TLS protocols encrypt network connections. The server usually provides a digital certificate to prove its identity. Accepting all SSL/TLS certificates makes your application vulnerable to Man-in-the-middle attacks (MITM).
|
|
|
|
|
|
This rule will raise an issue when a method named ``++onReceivedSslError++`` with first argument of type ``++android.webkit.WebView++`` is defined.
|
|
|
|
|
|
== Ask Yourself Whether
|
|
|
|
* invalid SSL/TLS certificates are accepted automatically.
|
|
* The user is asked to accept invalid SSL/TLS certificates.
|
|
|
|
You are at risk if you answered yes to any of those questions.
|
|
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
* Accept only trusted SSL/TLS certificates.
|
|
* Do not ask users to accept unsafe connections as they are unlikely to make an informed security decision.
|
|
|
|
|
|
== Sensitive Code Example
|
|
|
|
Android (See also https://support.google.com/faqs/answer/7071387?hl=en["How to address WebView SSL Error Handler alerts in your apps."])
|
|
|
|
----
|
|
package com.example.myapplication.rspec_5326;
|
|
|
|
import android.net.http.SslError;
|
|
import android.os.Build;
|
|
import android.support.annotation.RequiresApi;
|
|
import android.webkit.SslErrorHandler;
|
|
import android.webkit.WebView;
|
|
import android.webkit.WebViewClient;
|
|
|
|
import java.util.function.Function;
|
|
|
|
public class SSLTLSValidation extends WebViewClient {
|
|
private final Function<SslError, Boolean> acceptSslError;
|
|
|
|
SSLTLSValidation(Function<SslError, Boolean> acceptSslError) {
|
|
this.acceptSslError = acceptSslError;
|
|
}
|
|
|
|
@RequiresApi(api = Build.VERSION_CODES.N)
|
|
@Override
|
|
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { // Sensitive
|
|
if (acceptSslError.apply(error)) {
|
|
handler.proceed();
|
|
} else {
|
|
handler.cancel();
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
== See
|
|
|
|
* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
|
|
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
|
|
* https://cwe.mitre.org/data/definitions/295[MITRE, CWE-295] - Improper Certificate Validation
|
|
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|