Vulnerability :- Improper Validation of Certificate with Host Mismatch [CWE-297]
Severity :- Medium
Description :- The primary concept of SSL/TLS security is the trust built between the two parties of the communication, the client and the server, where each party has proven its identity.
Inability to establish a trust relationship because necessary verification steps are skipped jeopardizes the security of the entire client-server communication and gives an attacker the opportunity to perform a Man-in-the-Middle (MitM) attack.
As a result, the attacker is able to decrypt and modify all data transferred via a supposedly encrypted channel.
Improper verification of a certificate with host mismatch is a weakness related to how software treats a digital certificate issued for another domain.
E.g. the application is trying to establish secure communication with the http://www.example.com/ website; however, the web server returns a certificate issued for the www.example.net domain. This certificate can be valid and signed by a trusted CA, but it should still be rejected by the client application.
Now you can see the common name: this certificate is issued to the domain
wpcom.comingsoon.no
That's why this subdomain is fully unsecured.
Impact:- The attacker can perform a MitM attack and intercept all communication between your application and the server.
This means that all data transferred via this connection can be decrypted and modified. In the case of a banking app, for example, the attacker might be able to gain full access to the victim's banking account.
Step To Reproduce:- wpcom.comingsoon.no
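The check the report says is missing, as an added example that is not part of the original issue or of the affected project: an RFC 6125 style hostname match over the certificate structure that Python's ssl.SSLSocket.getpeercert() returns, so a certificate that is validly signed but issued for www.example.net is still rejected by a client connecting to www.example.com. The sample certificates below are constructed for the demonstration; the function and variable names are my own.

```python
"""Hostname verification for a presented certificate (CWE-297 check).

A chain that validates against a trusted CA is not enough: the client must
also confirm the certificate was issued for the host it intended to reach.
Certificates are modelled as the dict shape returned by
ssl.SSLSocket.getpeercert(), so the helpers work on real peers as well.
"""
import ipaddress
import ssl


def _dns_names(cert):
    """Collect DNS identities from subjectAltName; fall back to the subject
    commonName only when the certificate carries no SAN entries."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName":
                return [v]
    return []


def _match_dns(pattern, hostname):
    """Match one certificate DNS name (possibly a wildcard) against hostname.
    Only a full leftmost '*' label is honoured, it covers exactly one label,
    and it must leave at least two fixed labels so '*.no' cannot match."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Return True only if cert was issued for hostname (DNS name or IP)."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        ips = [v for (k, v) in cert.get("subjectAltName", ()) if k == "IP Address"]
        return any(ipaddress.ip_address(v) == ip for v in ips)
    return any(_match_dns(name, hostname) for name in _dns_names(cert))


def verify_peer(cert, expected_host):
    """Raise ssl.CertificateError on mismatch, which is what a correctly
    configured client does before it sends any application data."""
    if not hostname_matches(cert, expected_host):
        raise ssl.CertificateError(
            "certificate issued for %s, not for %s"
            % (", ".join(_dns_names(cert)) or "<no names>", expected_host)
        )
    return True


def secure_client_context():
    """The stock client context already performs this check: both
    check_hostname and CERT_REQUIRED are on by default and must stay on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed sample: a well-formed, "trusted" certificate issued for
# www.example.net, as presented by a server the client reached as
# www.example.com. This is the host-mismatch case from the report.
MISMATCHED_CERT = {
    "subject": ((("commonName", "www.example.net"),),),
    "subjectAltName": (("DNS", "www.example.net"), ("DNS", "example.net")),
}

# Constructed sample: a wildcard certificate for one level under example.com.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

if __name__ == "__main__":
    try:
        verify_peer(MISMATCHED_CERT, "www.example.com")
    except ssl.CertificateError as exc:
        print("rejected:", exc)
    print("accepted:", verify_peer(MISMATCHED_CERT, "www.example.net"))
```

A client that disables this check (for example by setting check_hostname to False, or by installing a custom verifier that ignores the subject names) ends up in exactly the situation the report describes: any certificate a trusted CA has ever issued, for any domain, is accepted for the connection.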