Missing SSL certificate verification

• Rule ID: ruby_lang_ssl_verification
• Languages: ruby
• Source: ssl_verification.yml

Description

Missing SSL certificate verification can compromise the security of sensitive data. This vulnerability arises when an application fails to check for valid SSL certificates during data transmission, potentially allowing attackers to intercept or manipulate data.

Remediations

• Do not disable SSL certificate verification. Disabling it, as shown below, makes your application vulnerable to Man-in-the-Middle attacks.

  require "net/https"
  require "uri"
  
  uri = URI.parse("https://ssl-site.com/")
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE # unsafe

• Do ensure SSL certificate verification is enabled by setting the verification mode to VERIFY_PEER. This ensures the authenticity of the SSL certificate presented by the server.

  http.verify_mode = OpenSSL::SSL::VERIFY_PEER

References

• Ruby OpenSSL module

Associated CWE

• CWE-295: Improper Certificate Validation

OWASP Top 10

• A07:2021 - Identification and Authentication Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_ssl_verification

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_lang_ssl_verification