Missing SSL certificate verification

Description

Missing or optional TLS (SSL) certificate verification undermines the confidentiality and integrity of data in transit. The vulnerability arises when a client does not validate the server's certificate (its chain of trust and its hostname) before sending data, or makes that validation a setting that can be switched off. An attacker positioned on the network path can then present their own certificate, which the client accepts, and read or modify everything that follows: a Man-in-the-Middle attack. To keep communication secure, certificates must always be fully validated in production, and the verify=False / CERT_NONE shortcuts sometimes used against self-signed development servers must not reach production code.

Remediations

  • Do not disable SSL certificate verification in your HTTP client. Disabling it removes the only check that the server you reached is the server you named, and leaves the application open to Man-in-the-Middle attacks. Both of the following turn verification off:
    urllib3.HTTPSConnectionPool(..., cert_reqs="CERT_NONE", ...) # unsafe
    # or
    requests.get(..., verify=False, ...) # unsafe
  • Do ensure certificate verification is enabled when configuring connections, and that the hostname is checked against the certificate as well: a valid certificate for the wrong host is still an attacker's certificate. For example, use ssl.CERT_REQUIRED together with assert_hostname:
    urllib3.HTTPSConnectionPool("my-host.com", cert_reqs=ssl.CERT_REQUIRED, assert_hostname=True)
    If the server uses a private CA, point the client at that CA's bundle (ca_certs=... in urllib3, verify="/path/to/ca-bundle.pem" in requests) instead of disabling verification.
  • Do not create custom SSL contexts that disable certificate verification. The helper below lives in urllib3.util; the same applies to any ssl.SSLContext whose verify_mode is set to ssl.CERT_NONE or whose check_hostname is set to False.
    ctx = urllib3.util.create_urllib3_context(cert_reqs=ssl.CERT_NONE) # unsafe
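The following is an added example (not Bearer's code, and not part of the rule itself) showing how to build a client TLS context that satisfies the remediations above, and how to audit any context before it is handed to urllib3 or requests so that a disabled-verification context fails closed instead of silently connecting. It uses only the standard library; the urllib3 call and the CA-bundle path in the usage section are illustrative and assumed.

```python
"""Added example: a verifying TLS client context and an audit guard for it.
Standard library only; urllib3/requests usage at the bottom is illustrative."""
import ssl
from typing import Optional


def make_verified_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Return a client-side context that verifies the server's certificate chain
    and checks the certificate against the hostname being connected to.

    ca_bundle: path to a PEM bundle for a private CA (the path used further down
    is hypothetical); None means the operating system's trust store is used.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    # create_default_context already sets both of these; setting them explicitly
    # makes a later edit that flips one of them stand out in code review.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_context() -> ssl.SSLContext:
    """What verify=False / cert_reqs="CERT_NONE" amount to underneath.
    UNSAFE: shown only so the audit below has something to reject."""
    ctx = ssl.create_default_context()
    # Order matters: check_hostname must be cleared before verify_mode can be
    # lowered, otherwise the ssl module raises ValueError.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verification_enabled(ctx: ssl.SSLContext) -> bool:
    """True only if the context verifies the chain AND the hostname.
    CERT_REQUIRED is demanded explicitly (the ssl docs recommend it for
    client sockets) so that intent is unambiguous to a reviewer."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


def require_verification(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Guard to call right before a context is passed to an HTTP client."""
    if not verification_enabled(ctx):
        raise ValueError(
            "TLS context does not verify the server: "
            f"verify_mode={ctx.verify_mode!r}, check_hostname={ctx.check_hostname}"
        )
    return ctx


if __name__ == "__main__":
    safe = require_verification(make_verified_context())
    print("hardened context verifies:", verification_enabled(safe))  # True
    try:
        require_verification(unverified_context())
    except ValueError as exc:
        print("rejected:", exc)

    # Handing the audited context to urllib3 is equivalent to passing
    # cert_reqs=ssl.CERT_REQUIRED, assert_hostname=True on the pool.
    try:
        import urllib3
        pool = urllib3.HTTPSConnectionPool("my-host.com", ssl_context=safe)
        print("urllib3 pool created for", pool.host)
    except ImportError:
        print("urllib3 not installed; skipping pool demo")
    # With requests, keep verification on and point verify= at the CA bundle
    # (hypothetical path) rather than at False:
    #     requests.get("https://my-host.com/", verify="/etc/ssl/private-ca.pem")
```

Calling require_verification at the single place where contexts are created gives you one chokepoint to review, and it turns a quietly insecure connection into a startup failure that a test suite or a deploy will notice.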

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=python_lang_ssl_verification

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=python_lang_ssl_verification