

Commit 10fc2cf

intrigus-lgtm authored and smowton committed
Apply suggestions from code review
Co-authored-by: Chris Smowton <[email protected]>
1 parent c88f07d commit 10fc2cf

2 files changed

Lines changed: 6 additions & 6 deletions


java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.qhelp

Lines changed: 4 additions & 4 deletions
@@ -15,14 +15,14 @@ An attack would look like this:
1515
5. Java wants to reject the certificate because the hostname does not match. Before doing this it checks whether there exists a <code>HostnameVerifier</code>.
1616
6. Your <code>HostnameVerifier</code> is called which returns <code>true</code> for any certificate so also for this one.
1717
7. Java proceeds with the connection since your <code>HostnameVerifier</code> accepted it.
18-
8. The attacker can now read the data (Man-in-the-middle) your program sends to <code>https://example.com</code> while the program thinks the connection is secure.
18+
8. The attacker can now read the data your program sends to <code>https://example.com</code> and/or alter its replies while the program thinks the connection is secure.
1919
</p>
2020
</overview>
2121

2222
<recommendation>
2323
<p>
24-
Do NOT use an unverifying <code>HostnameVerifier</code>!
25-
<li>If you use an unverifying verifier to solve a configuration problem with TLS/HTTPS you should solve the configuration problem instead.
24+
Do not use an open <code>HostnameVerifier</code>.
25+
<li>If you use an open verifier to solve a configuration problem with TLS/HTTPS you should solve the configuration problem instead.
2626
</li>
2727
</p>
2828

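Review bot: the recommendation block is malformed HTML: the `<li>` at qhelp line 25 sits directly inside `<p>` with no enclosing `<ul>` or `<ol>`, so close the paragraph after "Do not use an open <code>HostnameVerifier</code>." and wrap the item, e.g. `<ul><li>If you use an open verifier to solve a configuration problem with TLS/HTTPS you should solve the configuration problem instead.</li></ul>`. Separately, "open HostnameVerifier" is a term this hunk introduces without defining it in the visible text; saying "an open (accept-all) <code>HostnameVerifier</code>" on first use would tie it to the query's "Disabled hostname verification" title. The rewording of step 8 to "read the data ... and/or alter its replies" is a good clarification of the impact.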
@@ -42,4 +42,4 @@ In the second (good) example, the <code>HostnameVerifier</code> only returns <co
4242
<li><a href="https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/">Further Information on Hostname Verification</a>.</li>
4343
<li>OWASP: <a href="https://cwe.mitre.org/data/definitions/297.html">CWE-297</a>.</li>
4444
</references>
45-
</qhelp>
45+
</qhelp>
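Review bot: the trailing-newline fix is fine, but the context line `<li>OWASP: <a href="https://cwe.mitre.org/data/definitions/297.html">CWE-297</a>.</li>` mislabels the reference: CWE-297 is a MITRE Common Weakness Enumeration entry, not an OWASP document. Suggest `<li>Common Weakness Enumeration: <a href="https://cwe.mitre.org/data/definitions/297.html">CWE-297</a>.</li>`, which is the wording the other CWE qhelp files use.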

java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql

Lines changed: 2 additions & 2 deletions
@@ -1,6 +1,6 @@
11
/**
22
* @name Disabled hostname verification
3-
* @description Accepting any certificate as valid for a host allows an attacker to perform a man-in-the-middle attack.
3+
* @description Accepting any certificate as valid for a host allows an attacker to perform a machine-in-the-middle attack.
44
* @kind path-problem
55
* @problem.severity error
66
* @precision high
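Review bot: the `@description` now reads "machine-in-the-middle attack" while the qhelp edited in this same commit dropped the "Man-in-the-middle" wording from step 8 entirely; pick one term and use it in both the alert text and the help page so they agree. "Accepting any certificate as valid for a host" also undersells the specific defect: an accept-all `HostnameVerifier` accepts a certificate issued for a different host, so "Accepting a certificate issued for a different host" would describe the alert more precisely.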
@@ -29,7 +29,7 @@ private predicate alwaysReturnsTrue(HostnameVerifierVerify m) {
2929
}
3030

3131
/**
32-
* A class that overrides the `javax.net.ssl.HostnameVerifier.verify` method and **always** returns `true` (ignoring exceptional flow), thus
32+
* A class that overrides the `javax.net.ssl.HostnameVerifier.verify` method and **always** returns `true` (though it could also exit due to an uncaught exception), thus
3333
* accepting any certificate despite a hostname mismatch.
3434
*/
3535
class TrustAllHostnameVerifier extends RefType {
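Review bot: "(though it could also exit due to an uncaught exception)" is clearer than "(ignoring exceptional flow)", but "exit" is ambiguous for a method; "though it may also throw instead of returning" states what `alwaysReturnsTrue` actually tolerates. The edited line is now also far longer than the continuation line "accepting any certificate despite a hostname mismatch." beneath it, so reflow the doc comment to wrap consistently.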

0 commit comments
