Missing SSL certificate verification

Description

Missing SSL certificate verification can compromise the security of sensitive data. This vulnerability arises when an application's HTTP client does not validate the server's certificate chain, or does not check that the certificate matches the hostname it connected to, during data transmission. Without those checks the client will accept a certificate presented by anyone on the network path, so an attacker can terminate the TLS session with their own key and intercept or manipulate the data in transit.

Remediations

  • Do not disable SSL certificate validation in your HTTP client (for example by setting CURLOPT_SSL_VERIFYPEER to false or CURLOPT_SSL_VERIFYHOST to 0). Disabling it removes a critical layer of security and makes your application vulnerable to Man-in-the-Middle attacks. If a request fails because a certificate does not verify, fix the certificate or the CA bundle rather than turning verification off.
  • Do ensure that both peer and hostname verification are enabled in your HTTP client. Peer verification checks the certificate chain against trusted CAs; hostname verification checks that the certificate was issued for the host you requested (the value 2 is the only valid setting for CURLOPT_SSL_VERIFYHOST; 1 is deprecated and 0 disables the check). Both are required for establishing secure connections and protecting data in transit.
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
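
The following is an added example, not code from Bearer or from the rule itself. It places the insecure configuration this rule reports next to a hardened helper that fails closed when verification does not succeed. The helper names, the optional CA bundle path and the hosts used in the usage block at the bottom are assumptions for illustration; the usage block needs network access.

```php
<?php
// Added example (not Bearer's own code): insecure curl configuration that
// php_lang_ssl_verification flags, beside a hardened helper.
// Function names, the CA bundle path and the hosts used below are assumptions.

declare(strict_types=1);

// INSECURE: what the rule reports. Any certificate is accepted, so an on-path
// attacker can terminate the TLS session with their own key and read or
// modify the traffic.
function fetchInsecure(string $url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // accepts self-signed or forged chains
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);     // accepts a valid cert issued for any other name
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// HARDENED: chain validation against trusted CAs and hostname matching both on.
// Throws on failure so a rejected certificate is never mistaken for an empty
// response and never "fixed" by retrying with verification disabled.
function fetchSecure(string $url, ?string $caBundle = null): string
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,           // verify the certificate chain
        CURLOPT_SSL_VERIFYHOST  => 2,              // 2 = name must match; 1 is deprecated, 0 disables
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // refuse plain http://
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // ...including on redirects
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_TIMEOUT         => 10,
    ]);
    // When the system trust store is missing or stale (common in minimal
    // containers), point at an explicit, current CA bundle instead of
    // disabling verification. The path is supplied by the caller (assumption).
    if ($caBundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }

    $body = curl_exec($ch);
    if ($body === false) {
        $errno = curl_errno($ch);
        $err   = curl_error($ch);
        curl_close($ch);
        // CURLE_PEER_FAILED_VERIFICATION and friends land here: fail closed.
        throw new RuntimeException("HTTPS request failed ($errno): $err");
    }
    curl_close($ch);
    return $body;
}

// Usage (hosts are assumptions; requires network access). The first request
// presents a self-signed certificate and must be rejected; the second must
// succeed against a publicly trusted certificate.
try {
    fetchSecure('https://self-signed.badssl.com/');
    echo "UNEXPECTED: self-signed certificate was accepted\n";
} catch (RuntimeException $e) {
    echo 'Rejected as expected: ', $e->getMessage(), "\n";
}
echo strlen(fetchSecure('https://example.com/')), " bytes fetched over verified TLS\n";
```

The fail-closed behaviour is the point practitioners most often get wrong: a common "fix" for a verification error in production is to set CURLOPT_SSL_VERIFYPEER to false, which is exactly the pattern this rule exists to catch. Supplying CURLOPT_CAINFO keeps verification on while solving the usual root cause, a missing or outdated CA bundle.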

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_ssl_verification

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_ssl_verification