Missing TLS validation

Description

Your code is vulnerable to Man-in-the-Middle (MITM) attacks if it doesn't validate TLS certificates. This issue arises when your application establishes a connection without verifying that the server's certificate is trusted and matches the server's hostname, leaving the connection open to data interception and tampering. Using deprecated elements such as DefaultHttpClient, which performs no hostname verification, or the SSL protocol, which has known security flaws, makes these weaknesses worse.

Remediations

  • Do use newer HTTP clients such as java.net.http.HttpClient, which perform certificate and hostname validation by default.
  • Do opt for the newer TLS protocol over SSL, wherever possible, to secure connections. Ensure your application explicitly requests TLS to avoid the vulnerabilities associated with SSL.
    SSLContext.getInstance("TLS");
  • Do not rely on deprecated HTTP clients, such as DefaultHttpClient, for your application's networking needs. These clients do not perform necessary security checks like TLS validation, putting your application at risk.
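The following is an added example, not code from the Bearer rule page or from any project it scans, showing a JDK 11+ client built the way the remediations above describe: TLS is requested explicitly, the platform trust store is kept, and hostname verification is made explicit rather than left implicit. The host example.com is a placeholder, and restricting protocols to TLS 1.2/1.3 is an assumption about the peers you talk to.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class ValidatedTlsClient {

    // Builds a client that requests TLS explicitly and keeps the JDK's default
    // trust managers and hostname verification in place; nothing is overridden.
    static HttpClient build() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // (null, null, null) keeps the platform default trust managers (CA validation).
        ctx.init(null, null, null);

        SSLParameters params = ctx.getDefaultSSLParameters();
        // "HTTPS" makes hostname checking against the certificate explicit,
        // which is exactly the check DefaultHttpClient never performed.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        // Assumption: peers support TLS 1.2/1.3, so older versions are not offered.
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});

        return HttpClient.newBuilder()
                .sslContext(ctx)
                .sslParameters(params)
                .connectTimeout(Duration.ofSeconds(10))
                .build();
    }

    // Defender-side sanity check: the JDK client skips hostname verification only
    // when this system property is set, so fail closed if a deployment sets it.
    static void assertVerificationNotDisabled() {
        if (Boolean.getBoolean("jdk.internal.httpclient.disableHostnameVerification")) {
            throw new IllegalStateException("hostname verification disabled via system property");
        }
    }

    public static void main(String[] args) throws Exception {
        assertVerificationNotDisabled();
        HttpClient client = build();
        // Placeholder host; replace with the service your application actually calls.
        HttpRequest req = HttpRequest.newBuilder(URI.create("https://example.com/")).GET().build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        System.out.println("status: " + resp.statusCode());
    }
}
```

With this configuration a server whose certificate is untrusted or does not match the requested hostname causes `send` to fail with an `SSLHandshakeException` instead of silently completing the request.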

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_ssl_verification

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_ssl_verification