
These links are no longer relevant since SANS now just link to CWE, and we already have links to CWEs.
Validating SSL/TLS connections is security-sensitive. For example, it has led in the past to the following vulnerabilities:

* https://nvd.nist.gov/vuln/detail/CVE-2014-5531[CVE-2014-5531]
* https://nvd.nist.gov/vuln/detail/CVE-2014-5524[CVE-2014-5524]
* https://nvd.nist.gov/vuln/detail/CVE-2014-5574[CVE-2014-5574]

SSL/TLS protocols encrypt network connections. The server usually provides a digital certificate to prove its identity. Accepting all SSL/TLS certificates makes your application vulnerable to Man-in-the-middle attacks (MITM).

This rule will raise an issue when a method named ``++onReceivedSslError++`` with first argument of type ``++android.webkit.WebView++`` is defined.

== Ask Yourself Whether

* Invalid SSL/TLS certificates are accepted automatically.
* The user is asked to accept invalid SSL/TLS certificates.

You are at risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

* Accept only trusted SSL/TLS certificates.
* Do not ask users to accept unsafe connections as they are unlikely to make an informed security decision.

== Sensitive Code Example

Android (See also https://support.google.com/faqs/answer/7071387?hl=en["How to address WebView SSL Error Handler alerts in your apps."])

----
package com.example.myapplication.rspec_5326;

import android.net.http.SslError;
import android.os.Build;
import android.support.annotation.RequiresApi;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.function.Function;

public class SSLTLSValidation extends WebViewClient {
    // Caller-supplied predicate deciding whether a certificate error is tolerated.
    private final Function<SslError, Boolean> acceptSslError;

    SSLTLSValidation(Function<SslError, Boolean> acceptSslError) {
        this.acceptSslError = acceptSslError;
    }

    @RequiresApi(api = Build.VERSION_CODES.N)
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { // Sensitive
        // Any path that can reach handler.proceed() bypasses certificate validation.
        if (acceptSslError.apply(error)) {
            handler.proceed();
        } else {
            handler.cancel();
        }
    }
}
----
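
For contrast, this added example (not code from the rule page or from any SonarSource project) shows the recommended practice in the same ``++WebViewClient++`` override: the handler is cancelled unconditionally and the error is only logged for triage, so no input can reach ``++handler.proceed()++``; the override still counts as a hotspot under this rule, and since the default ``++WebViewClient++`` implementation already cancels the load, an app that needs no logging is better off not overriding the method at all. The class name ``++StrictSslWebViewClient++``, the ``++describe++`` helper and the error page text are invented for the example.

```java
package com.example.myapplication.rspec_5326;

import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example, not from the rule page: a WebViewClient that never proceeds past a
// certificate error. It rejects the load, records why, and replaces the page so the
// user is never asked to make the decision.
public class StrictSslWebViewClient extends WebViewClient {
    private static final String TAG = "StrictSslWebViewClient";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.cancel(); // Reject first; nothing below can turn this into proceed().
        Log.w(TAG, describe(error));
        // Replace the blank page with a neutral message; no "continue anyway" option.
        String html = "<html><body><h2>Secure connection failed</h2>"
                + "<p>The site's certificate could not be validated.</p></body></html>";
        view.loadDataWithBaseURL(null, html, "text/html", "UTF-8", null);
    }

    // Summarises the error for logs and metrics. Kept as a pure function so it can be
    // unit-tested with a constructed SslError.
    static String describe(SslError error) {
        String reason;
        switch (error.getPrimaryError()) {
            case SslError.SSL_EXPIRED:      reason = "certificate expired"; break;
            case SslError.SSL_NOTYETVALID:  reason = "certificate not yet valid"; break;
            case SslError.SSL_DATE_INVALID: reason = "certificate date invalid"; break;
            case SslError.SSL_IDMISMATCH:   reason = "hostname mismatch"; break;
            case SslError.SSL_UNTRUSTED:    reason = "untrusted issuer"; break;
            default:                        reason = "generic certificate error"; break;
        }
        SslCertificate cert = error.getCertificate();
        String subject = (cert == null || cert.getIssuedTo() == null)
                ? "unknown" : cert.getIssuedTo().getCName();
        return "Rejected TLS connection to " + error.getUrl()
                + ": " + reason + " (subject CN=" + subject + ")";
    }
}
```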

== See

* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://cwe.mitre.org/data/definitions/295[MITRE, CWE-295] - Improper Certificate Validation

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure that SSL/TLS connections are validated safely here

'''
== Comments And Links
(visible only on this page)

=== on 2 Apr 2019, 11:37:57 Nicolas Harraudeau wrote:
We could define a vulnerability rule as many projects on Github have just ``++handler.proceed();++`` in ``++onReceivedSslError++``. But the usefulness of such a rule might be limited as it seems that https://support.google.com/faqs/answer/7071387?hl=en[Google validates the plugins]. We should first check if Google is able to detect every simple case.

endif::env-github,rspecator-view[]