74 lines
2.5 KiB
Plaintext
74 lines
2.5 KiB
Plaintext
== Why is this an issue?
|
|
|
|
To prevent URL spoofing, ``++HostnameVerifier.verify()++`` methods should do more than simply ``++return true++``. Doing so may get you quickly past an exception, but that comes at the cost of opening a security hole in your application.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,java]
|
|
----
|
|
SSLContext sslcontext = SSLContext.getInstance( "TLS" );
|
|
sslcontext.init(null, new TrustManager[]{new X509TrustManager() {
|
|
public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
|
|
public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
|
|
public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
|
|
|
|
}}, new java.security.SecureRandom());
|
|
|
|
Client client = ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new HostnameVerifier() {
|
|
@Override
|
|
public boolean verify(String requestedHost, SSLSession remoteServerSession) {
|
|
return true; // Noncompliant
|
|
}
|
|
}).build();
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,java]
|
|
----
|
|
SSLContext sslcontext = SSLContext.getInstance( "TLSv1.2" );
|
|
sslcontext.init(null, new TrustManager[]{new X509TrustManager() {
|
|
@Override
|
|
public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
|
|
@Override
|
|
public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
|
|
@Override
|
|
public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
|
|
|
|
}}, new java.security.SecureRandom());
|
|
|
|
Client client = ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new HostnameVerifier() {
|
|
@Override
|
|
public boolean verify(String requestedHost, SSLSession remoteServerSession) {
|
|
return requestedHost.equalsIgnoreCase(remoteServerSession.getPeerHost()); // Compliant
|
|
}
|
|
}).build();
|
|
----
|
|
|
|
|
|
== Resources
|
|
|
|
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
|
|
* https://cwe.mitre.org/data/definitions/295[MITRE, CWE-295] - Improper Certificate Validation
|
|
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#WEAK_HOSTNAME_VERIFIER[WEAK_HOSTNAME_VERIFIER]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
include::highlighting.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|