Improper Validation of Host-specific Certificate Data
|ID: 297 ||Date: created 2012-05-14, modified 2017-10-12 |
|Type: weakness ||Status: INCOMPLETE |
|Abstraction Type: Base |
Description: Host-specific certificate data is not validated or is incorrectly validated, so while the certificate read is valid, it may not be for the site originally requested.
Extended Description: If the host-specific data contained in a certificate is not checked, it may be possible for a redirection or spoofing attack to allow a malicious host with a valid certificate to provide data, impersonating a trusted host. While the attacker in question may have a valid certificate, it may simply be a valid certificate for a different site. In order to ensure data integrity, we must check that the certificate is valid and that it pertains to the site that we wish to access.
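As an added illustration (not part of the CWE entry), the following Python checks the host-specific data against the name that was actually requested, following the RFC 6125 rules for DNS names (subjectAltName first, commonName only as a fallback, a single leftmost wildcard matching exactly one label), and shows the client-context setting whose weak form produces this weakness. The certificate dict is constructed here in the shape `ssl.SSLSocket.getpeercert()` returns; it is not a real certificate.

```python
import ipaddress
import ssl

# Constructed example of the dict shape ssl.SSLSocket.getpeercert() returns
# for a certificate issued to example.com (not a real certificate).
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
        ("IP Address", "203.0.113.7"),
    ),
}

def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard only in the leftmost label,
    matching exactly one label, never the whole name or a public suffix."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False  # rejects "*", "*.com", "f*o.example.com" and nested wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def cert_matches_host(cert: dict, hostname: str) -> bool:
    """Return True only if the certificate is bound to the host we asked for."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:  # a literal IP must appear as an iPAddress SAN
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:  # SAN present: the CN must be ignored entirely
        return any(_dns_label_match(n, hostname) for n in dns_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_label_match(cn, hostname) for cn in cns)

def make_client_context(verify_host: bool = True) -> ssl.SSLContext:
    """The weak configuration (verify_host=False) accepts any chain that
    verifies; the corrected one also binds the peer name to server_hostname."""
    ctx = ssl.create_default_context()
    if not verify_host:
        ctx.check_hostname = False  # the CWE-297 mistake: chain checked, host not
    return ctx
```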
Likelihood of Exploit: High
Applicable Platforms: Language Class: All
Time Of Introduction
|Scope ||Impact ||Note |
|Access Control ||Gain privileges / assume identity ||The data read from the system vouched for by the certificate may not be from the expected system. |
|Authentication, Other ||Other ||Trust afforded to the system in question -- based on the expired certificate -- may allow for spoofing or redirection attacks. |
|Phase ||Strategy ||Description |
|Architecture and Design || ||Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed. |
|Nature ||Type ||ID ||View |
|CWE-297 ChildOf CWE-898 ||Category ||CWE-898 ||CWE-888 |
White Box Definitions None
Black Box Definitions None
|Mapped Taxonomy Name ||Node ID ||Mapped Node Name |
|CLASP || ||Failure to validate host-specific certificate data |
- Michael Howard, David LeBlanc, John Viega. 24 Deadly Sins of Software Security. McGraw-Hill, 2010. Section "Sin 23: Improper Use of PKI, Especially SSL", page 347.