Missing SSL certificate verification

Description

Your application's security is compromised if it fails to verify SSL/TLS certificates. This vulnerability occurs when your application communicates over HTTPS without validating the authenticity of the certificate presented by the server, so any party on the network path can present its own certificate and be accepted as the legitimate server. It exposes sensitive data to interception by attackers.

Remediations

  • Do not disable SSL certificate validation in your HTTP client. Disabling it makes your application vulnerable to Man-in-the-Middle (MitM) attacks.
  • Do ensure that your HTTP client is configured to verify both the SSL certificate's validity and the hostname. This step is crucial for establishing a secure connection.
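The following Go program is an added example, not code from Bearer or from this rule: it places the flagged pattern (`InsecureSkipVerify: true`) beside a client that keeps verification on, adds an `AuditClient` helper that fails when a client's `tls.Config` would skip chain or hostname checks, and proves the difference against a loopback `httptest` TLS server whose certificate is self-signed. The function names `insecureClient`, `secureClient`, `AuditClient`, `canConnect`, `Outcome` and `Demo` are this example's own; everything else is the Go standard library.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// insecureClient is the pattern the rule flags (constructed example):
// InsecureSkipVerify turns off chain and hostname checks, so any server,
// including one interposed on the path, is accepted.
func insecureClient() *http.Client {
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}},
	}
}

// secureClient keeps verification on. roots == nil means the system trust
// store; a non-nil pool restricts trust to the CAs it contains.
func secureClient(roots *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{
			MinVersion: tls.VersionTLS12,
			RootCAs:    roots,
			// InsecureSkipVerify stays at its zero value, false.
		}},
	}
}

// AuditClient returns an error if a client's TLS settings would skip
// certificate or hostname verification. Calling it from a unit test keeps
// the insecure setting from being reintroduced unnoticed.
func AuditClient(c *http.Client) error {
	t, ok := c.Transport.(*http.Transport)
	if !ok || t == nil || t.TLSClientConfig == nil {
		return nil // nil Transport means http.DefaultTransport, which verifies
	}
	cfg := t.TLSClientConfig
	if cfg.InsecureSkipVerify {
		return errors.New("InsecureSkipVerify is set: certificate chain and hostname are not checked")
	}
	if cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS12 {
		return fmt.Errorf("MinVersion %#x permits TLS versions below 1.2", cfg.MinVersion)
	}
	return nil
}

// canConnect reports whether an HTTPS GET to url completes the handshake.
func canConnect(c *http.Client, url string) bool {
	resp, err := c.Get(url)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return true
}

// Outcome records what each client does against a server whose certificate
// is self-signed and therefore absent from the system trust store.
type Outcome struct {
	InsecureAccepts bool // InsecureSkipVerify client: accepts anything
	SystemRejects   bool // verifying client with system roots: must reject
	PinnedAccepts   bool // verifying client that trusts this server's cert
}

// Demo stands up a loopback TLS server with the self-signed certificate that
// httptest generates and checks all three clients against it.
func Demo() Outcome {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // explicit trust in this one server certificate

	return Outcome{
		InsecureAccepts: canConnect(insecureClient(), srv.URL),
		SystemRejects:   !canConnect(secureClient(nil), srv.URL),
		PinnedAccepts:   canConnect(secureClient(pool), srv.URL),
	}
}

func main() {
	o := Demo()
	fmt.Printf("insecure client accepted self-signed cert:   %v\n", o.InsecureAccepts)
	fmt.Printf("verifying client rejected it:                %v\n", o.SystemRejects)
	fmt.Printf("verifying client with pinned root accepted:  %v\n", o.PinnedAccepts)
	fmt.Println("audit of insecure client:", AuditClient(insecureClient()))
}
```

Run it with `go run .`; the verifying client with system roots fails the handshake with an x509 unknown-authority error, while the same client trusting the server's certificate explicitly connects, which is how an internal or self-signed endpoint should be handled instead of setting `InsecureSkipVerify`.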

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=go_lang_ssl_verification

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=go_lang_ssl_verification