ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5326/java/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

88 lines
3.1 KiB
Plaintext
Raw Blame History

Validating SSL/TLS connections is security-sensitive. For example, it has led in the past to the following vulnerabilities:
* https://nvd.nist.gov/vuln/detail/CVE-2014-5531[CVE-2014-5531]
* https://nvd.nist.gov/vuln/detail/CVE-2014-5524[CVE-2014-5524]
* https://nvd.nist.gov/vuln/detail/CVE-2014-5574[CVE-2014-5574]
SSL/TLS protocols encrypt network connections. The server usually provides a digital certificate to prove its identity. Accepting all SSL/TLS certificates makes your application vulnerable to Man-in-the-middle attacks (MITM).
This rule will raise an issue when a method named ``++onReceivedSslError++`` with first argument of type ``++android.webkit.WebView++`` is defined.
== Ask Yourself Whether
* invalid SSL/TLS certificates are accepted automatically.
* The user is asked to accept invalid SSL/TLS certificates.
You are at risk if you answered yes to any of those questions.
== Recommended Secure Coding Practices
* Accept only trusted SSL/TLS certificates.
* Do not ask users to accept unsafe connections as they are unlikely to make an informed security decision.
== Sensitive Code Example
Android (See also https://support.google.com/faqs/answer/7071387?hl=en["How to address WebView SSL Error Handler alerts in your apps."])
----
package com.example.myapplication.rspec_5326;
import android.net.http.SslError;
import android.os.Build;
import android.support.annotation.RequiresApi;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.function.Function;
public class SSLTLSValidation extends WebViewClient {
private final Function<SslError, Boolean> acceptSslError;
SSLTLSValidation(Function<SslError, Boolean> acceptSslError) {
this.acceptSslError = acceptSslError;
}
@RequiresApi(api = Build.VERSION_CODES.N)
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { // Sensitive
if (acceptSslError.apply(error)) {
handler.proceed();
} else {
handler.cancel();
}
}
}
----
== See
* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
* CWE - https://cwe.mitre.org/data/definitions/295[CWE-295 - Improper Certificate Validation]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Make sure that SSL/TLS connections are validated safely here
'''
== Comments And Links
(visible only on this page)
=== on 2 Apr 2019, 11:37:57 Nicolas Harraudeau wrote:
We could define a vulnerability rule as many projects on Github have just ``++handler.proceed();++`` in ``++onReceivedSslError++``. But the usefulness of such a rule might be limited as it seems that https://support.google.com/faqs/answer/7071387?hl=en[Google validates the plugins]. We should first check if Google is able to detect every simple case.
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink