
Commit e842acf

Improve qhelp
1 parent 5d4cd70 commit e842acf

File tree

1 file changed

+5
-8
lines changed


java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.qhelp

Lines changed: 5 additions & 8 deletions
Original file line number | Diff line number | Diff line change
@@ -4,26 +4,23 @@
44
<qhelp>
55

66
<overview>
7-
<p>When SSLSocket or SSLEngine is created without a valid parameter of setEndpointIdentificationAlgorithm, hostname verification is disabled by default.</p>
8-
<p>Unsafe implementation of the interface X509TrustManager and SSLSocket/SSLEngine ignores all SSL certificate validation errors when establishing an HTTPS connection, thereby making the app vulnerable to man-in-the-middle attacks.</p>
9-
<p>This query checks whether setEndpointIdentificationAlgorithm is missing. The query also covers a special implementation com.rabbitmq.client.ConnectionFactory.</p>
7+
<p>Java offers two mechanisms for SSL authentication - trust manager and hostname verifier (the later is checked by the <code>java/insecure-hostname-verifier</code> query). Trust manager validates the peer's certificate chain while hostname verification establishes that the hostname in the URL matches the hostname in the server's identification.</p>
8+
<p>When <code>SSLSocket</code> or <code>SSLEngine</code> are created without a secure <code>setEndpointIdentificationAlgorithm</code>, hostname verification is disabled by default.</p>
9+
<p>This query checks whether a trust manager is set to trust all certificates or <code>setEndpointIdentificationAlgorithm</code> is missing, thereby making the application vulnerable to man-in-the-middle attacks. The query also covers insecure configurations of <code>com.rabbitmq.client.ConnectionFactory</code>.</p>
1010
</overview>
1111

1212
<recommendation>
13-
<p>Validate SSL certificate in SSL authentication.</p>
13+
<p>Validate SSL certificates in SSL authentication.</p>
1414
</recommendation>
1515

1616
<example>
1717
<p>The following two examples show two ways of configuring SSLSocket/SSLEngine. In the 'BAD' case,
18-
setEndpointIdentificationAlgorithm is not called, thus no hostname verification takes place. In the 'GOOD' case, setEndpointIdentificationAlgorithm is called.</p>
18+
<code>setEndpointIdentificationAlgorithm</code> is not called, thus no hostname verification takes place. In the 'GOOD' case, <code>setEndpointIdentificationAlgorithm</code> is called.</p>
1919
<sample src="UnsafeCertTrust.java" />
2020
</example>
2121

2222
<references>
2323
<li>
24-
<a href="https://cwe.mitre.org/data/definitions/273.html">CWE-273</a>
25-
</li>
26-
<li>
2724
<a href="https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md">Testing Endpoint Identify Verification (MSTG-NETWORK-3)</a>
2825
</li>
2926
<li>
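Review bot: the example paragraph (file lines 17-18) still describes only the missing setEndpointIdentificationAlgorithm case, while the rewritten overview (line 9) now says the query also flags trust managers that trust all certificates and insecure com.rabbitmq.client.ConnectionFactory configurations; either extend the example text and UnsafeCertTrust.java to show a trust-all X509TrustManager (an empty checkServerTrusted) next to one that validates the chain, or narrow the overview to what the sample actually demonstrates. Two wording points in the new overview: "the later is checked by" should read "the latter", and "created without a secure setEndpointIdentificationAlgorithm" is hard to parse; naming the real API, e.g. "created without calling SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")", makes it precise. The recommendation "Validate SSL certificates in SSL authentication." could likewise say what to do: keep the default trust manager (or one that checks the chain) and set the endpoint identification algorithm before the handshake. Finally, the hunk drops the CWE-273 entry from <references> while the file stays under CWE/CWE-273/; if the link was removed because CWE-273 (Improper Check for Dropped Privileges) does not describe this weakness, say so in the commit message and consider linking CWE-295 (Improper Certificate Validation) instead, otherwise keep the entry so the references still name the weakness the query is filed under.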
