Improper Certificate Validation
ID | javascript.improper_certificate_validation
Severity | critical
Resource | Authentication
Language | JavaScript
Tags | CWE:295, NIST.SP.800-53, OWASP:2021:A7, PCI-DSS:4.1
Description
Certificate validation is the process of verifying the authenticity and integrity of digital certificates used in secure communications.
A digital certificate (often in X.509 format) links a public key to an identity, such as a user, a server, or a device, and it is digitally signed by a Certification Authority (CA).
Certificates are often used in TLS-secured communications, and it is important to ensure that the certificates are properly validated to prevent man-in-the-middle attacks and other security vulnerabilities.
TLS/SSL libraries often provide strong certificate validation by default, but sometimes this validation is disabled for testing or development purposes. This detector checks whether the certificate validation is disabled for common TLS/SSL libraries.
Rationale
The impact of improper certificate validation can be severe: an attacker positioned on the communication path between client and host can impersonate a trusted entity. The software might connect to a malicious host while believing it is a trusted host, or it might be deceived into accepting spoofed data that appears to originate from a trusted host.
Improper certificate validation is a common flaw in web applications for several reasons:
- Developers may not fully understand the importance of proper validation, or do not implement it correctly. Certificate validation is complex and error-prone.
- Some applications accept self-signed certificates or certificates issued by untrusted certificate authorities. Attackers can easily generate self-signed certificates and bind the public key to an identity of their choice.
- Certificate checks are implemented incorrectly, for example by not verifying the entire certificate chain, the validity period of each certificate, the signature from the issuing CA, the trust anchor to a root CA, or the revocation status.
The following example disables certificate validation, which is insecure:
const https = require('https');

const req = https.request(
  {
    hostname: 'example.com',
    port: 443,
    method: 'POST',
    path: '/top-secret',
    rejectUnauthorized: false // NEVER DO THIS! Any certificate, including a forged one, is accepted
  },
  res => {
    // ...
  }
);
req.end(); // the request is only sent once the body is finished
In Node.js, setting process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0' disables certificate validation for every TLS connection in the process. Never do that!
Remediation
Never disable the default certificate validation provided by TLS/SSL libraries.
Never configure TLS/SSL transports that do not reject invalid or unauthorized certificate chains.
Self-signed certificates should not be used in production environments.
const https = require('https');

const req = https.request(
  {
    hostname: 'example.com',
    port: 443,
    method: 'POST',
    path: '/top-secret',
    rejectUnauthorized: true // FIXED: this is the default, so the option can also simply be omitted
  },
  res => {
    // ...
  }
);
req.end(); // the request is only sent once the body is finished
References
- CWE-295: Improper Certificate Validation.
- OWASP Top 10 2021, Category A07: Identification and Authentication Failures.
- Transport Layer Security, OWASP Cheat Sheet Series.
- The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software, a well-known technical paper on the subject.