Missing or permissive SSL hostname verifier

• Rule ID: java_lang_ssl_hostname_verifier
• Languages: java
• Source: ssl_hostname_verifier.yml

Description

It is best security practice to always verify the hostname when establishing a SSL/TLS connection. Failure to do so exposes your application to Man-in-the-Middle attacks. This vulnerability arises when the application fails to confirm that the server's hostname matches the hostname in the server's SSL certificate.

Remediations

• Do not use ALLOW_ALL_HOSTNAME_VERIFIER or any similarly permissive hostname verifiers. These verifiers do not properly check if the server's hostname matches the SSL certificate, undermining the security of your connection.

  HostnameVerifier hostnameVerifier = org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
  HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier); // unsafe

Associated CWE

• CWE-295: Improper Certificate Validation

OWASP Top 10

• A07:2021 - Identification and Authentication Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_ssl_hostname_verifier

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_ssl_hostname_verifier