File: java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.qhelp (5 additions & 5 deletions)
@@ -5,7 +5,7 @@
5
5
<overview>
6
6
<p>
7
7
If a <code>HostnameVerifier</code> always returns <code>true</code> it will not verify the hostname at all.
8
-
This stops Transport Layer Security (TLS) providing any security and allows an attacker to perform a Man-in-the-middle attack against the application.
8
+
This stops Transport Layer Security (TLS) providing any security and allows an attacker to perform a man-in-the-middle attack against the application.
9
9
</p>
10
10
11
11
<p>
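Review bot: the only change in this hunk is the lowercased "man-in-the-middle", which matches the usual spelling and is fine; since the line is being touched anyway, the unchanged wording "stops Transport Layer Security (TLS) providing any security" reads awkwardly and would be clearer as "stops Transport Layer Security (TLS) from providing any security".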
@@ -14,10 +14,10 @@ An attack might look like this:
14
14
15
15
<ol>
16
16
<li>The program connects to <code>https://example.com</code>.</li>
17
-
<li>The attacker intercepts this connection and presents one of their valid certificates they control, for example one from Let's Encrypt.</li>
18
-
<li>Java verifies that the certificate has been issued by a trusted certificate authority.</li>
19
-
<li>Java verifies that the certificate has been issued for the host <code>example.com</code>, which will fail because the certificate has been issued for <code>malicious.domain</code>.</li>
20
-
<li>Java wants to reject the certificate because the hostname does not match. Before doing this it checks whether there exists a <code>HostnameVerifier</code>.</li>
17
+
<li>The attacker intercepts this connection and presents an apparently-valid certificate of their choosing.</li>
18
+
<li>The `TrustManager` of the program verifies that the certificate has been issued by a trusted certificate authority.</li>
19
+
<li>Java checks whether the certificate has been issued for the host <code>example.com</code>. This check fails because the certificate has been issued for a domain controlled by the attacker, for example: <code>malicious.domain</code>.</li>
20
+
<li>Java wants to reject the certificate because the hostname does not match. Before doing this it checks whether a <code>HostnameVerifier</code> exists.</li>
21
21
<li>Your <code>HostnameVerifier</code> is called which returns <code>true</code> for any certificate so also for this one.</li>
22
22
<li>Java proceeds with the connection since your <code>HostnameVerifier</code> accepted it.</li>
23
23
<li>The attacker can now read the data your program sends to <code>https://example.com</code>
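Review bot: the new step 2 line uses Markdown backticks, `The `TrustManager` of the program verifies ...`, but this is a qhelp XML/HTML file where the surrounding list items mark identifiers with <code> tags (for example <code>HostnameVerifier</code> and <code>example.com</code> on adjacent lines), so the backticks will be rendered literally; it should read `<li>The <code>TrustManager</code> of the program verifies that the certificate has been issued by a trusted certificate authority.</li>`. Two smaller points: "apparently-valid certificate" should not be hyphenated (adverb plus adjective), and the phrase is vaguer than what the next step relies on, namely that the certificate really is issued by a trusted CA, just for a different name, so "a valid certificate for a domain they control" would keep the scenario precise without naming a particular CA.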