HostnameVerifier hostnameVerifier = new HostnameVerifier() {

@Override

public boolean verify(String hostname, SSLSession session) {

HostnameVerifier hv =

HttpsURLConnection.getDefaultHostnameVerifier();

return hv.verify("example.com", session); // OKAY-ISH: verify that the certificate matches

// example.com and only accept example.com as an alternative to example.org

// BETTER: fix the underlying configuration problem that causes example.org to present the certificate for the wrong domain.

}

};

URL url = new URL("https://example.org/");

HttpsURLConnection urlConnection =

(HttpsURLConnection)url.openConnection();

urlConnection.setHostnameVerifier(hostnameVerifier);

InputStream in = urlConnection.getInputStream();

<!DOCTYPE qhelp PUBLIC

"-//Semmle//qhelp//EN"

"qhelp.dtd">

<qhelp>

<overview>

<p>

If a HostnameVerifier always returns <code>true</code> it will not verify the hostname at all.

This allows an attacker to perform a man-in-the-middle attack on the application therefore breaking any security Transport Layer Security (TLS) gives.

</p>

</overview>

<recommendation>

<p>

DO NOT USE AN UNVERIFYING HostnameVerifier!

<li>If you use an unverifying verifier to a solve configuration problem with TLS/HTTPS you should solve the configuration problem instead.

</li>

<li>If you use an unverifying verifier to connect to a local host you should instead create a self-signed certificate for your local host and import that certificate to the java key store</li>

If you do not verify the hostname, you might as well not use TLS/HTTPS at all.

</p>

</recommendation>

<example>

<p>

In the first example, the <code>HostnameVerifier</code> always returns <code>true</code>.

This allows an attacker to perform a man-in-the-middle attack, because any certificate is accepted despite an incorrect hostname.

</p>

<sample src="AlwaysTrueHostnameVerifier.java" />

</example>

<references>

<li><a href="https://developer.android.com/training/articles/security-ssl">Android Security Guide for TLS/HTTPS</a>.</li>

<li><a href="https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/">Further Information on Hostname Verification</a>.</li>

<li>OWASP: <a href="https://cwe.mitre.org/data/definitions/295.html">CWE-295</a>.</li>

</references>

</qhelp>

import HostnameValidation

from AlwaysAcceptingVerifyMethod m

where not m.getDeclaringType() instanceof TestClass

select m

import java

import semmle.code.java.dataflow.TaintTracking

class TypeHostnameVerifier extends RefType {

TypeHostnameVerifier() { hasQualifiedName("javax.net.ssl", "HostnameVerifier") }

class HostnameVerifierVerifyMethod extends Method {

HostnameVerifierVerifyMethod() {

hasName("verify") and getDeclaringType() instanceof TypeHostnameVerifier

}

class OverridenVerifyMethod extends Method {

OverridenVerifyMethod() {

exists(HostnameVerifierVerifyMethod m | this.overridesOrInstantiates*(m))

}

/**

Parameter getHostnameParameter() { result = getParameter(0) }

/**

Parameter getSessionParameter() { result = getParameter(1) }

class TrueReturnStmt extends ReturnStmt {

TrueReturnStmt() { getResult().(BooleanLiteral).getBooleanValue() = true }

private predicate alwaysReturnsTrue(OverridenVerifyMethod m) {

forex(ReturnStmt rs | rs.getEnclosingCallable() = m | rs instanceof TrueReturnStmt)

abstract class DangerousVerifyMethod extends OverridenVerifyMethod {

/** A `Stmt` that makes this `HostnameVerifier` dangerous. */

abstract Stmt getADangerousStmt();

class AlwaysAcceptingVerifyMethod extends DangerousVerifyMethod {

AlwaysAcceptingVerifyMethod() { alwaysReturnsTrue(this) }

override Stmt getADangerousStmt() {

exists(TrueReturnStmt r | r.getEnclosingCallable() = this | result = r)

}

class StringEqualsMethodAccess extends MethodAccess {

StringEqualsMethodAccess() {

getMethod().getName().matches("equals%") and

getMethod().getDeclaringType() instanceof TypeString

}

// TODO there is probably a better name for "anEqualityPart" but I don't know any right now

/** Returns a part of this equality check, i.e. in the case of `foo.equals(bar)` this returns `foo` and `bar`. */

Expr getAnEqualityPart() { result = getQualifier() or result = getArgument(0) }

private IfStmt getNearestEnclosingIfStmt(Stmt stmt) {

exists(IfStmt ifStmt |

result = ifStmt and

ifStmt.getAChild+() = stmt and

/*

not exists(IfStmt enclosedIfStmt | enclosedIfStmt = ifStmt.getAChild+())

)

private class SslSessionGetPeerHostMethodAccess extends MethodAccess {

SslSessionGetPeerHostMethodAccess() {

getMethod().hasName("getPeerHost") and

getMethod().getDeclaringType().hasQualifiedName("javax.net.ssl", "SSLSession")

}

class SslSessionParameterIgnoringStringEqualsMethodAccess extends StringEqualsMethodAccess {

SslSessionParameterIgnoringStringEqualsMethodAccess() {

exists(Expr e, Parameter hostnameParameter, Parameter sslSessionParameter |

hostnameParameter = getEnclosingCallable().(OverridenVerifyMethod).getHostnameParameter() and

sslSessionParameter = getEnclosingCallable().(OverridenVerifyMethod).getSessionParameter() and

getAnEqualityPart().getAChildExpr*() = e

|

not TaintTracking::localExprTaint(sslSessionParameter.getAnAccess(), e) and

not e instanceof SslSessionGetPeerHostMethodAccess

)

}

class IncorrectHostnameVerifyMethod extends DangerousVerifyMethod {

Stmt dangerousStmt;

IncorrectHostnameVerifyMethod() {

/* We return `true` based on an if statement that verifies the `hostname` incorrectly.*/

exists(TrueReturnStmt r, IfStmt i |

getBody().getAChild*() = r and i = getNearestEnclosingIfStmt(r)

|

i.getCondition().getAChildExpr*() instanceof

SslSessionParameterIgnoringStringEqualsMethodAccess and

dangerousStmt = i

)

or

/* We return the result of an `equals` call that verifies the `hostname` incorrectly.*/

exists(ReturnStmt r | getBody().getAChild*() = r |

not r.getResult() instanceof BooleanLiteral and

r.getResult().getAChildExpr*() instanceof SslSessionParameterIgnoringStringEqualsMethodAccess and

dangerousStmt = r

)

}

override Stmt getADangerousStmt() { result = dangerousStmt }

<!DOCTYPE qhelp PUBLIC

"-//Semmle//qhelp//EN"

"qhelp.dtd">

<qhelp>

<overview>

<p>

If a HostnameVerifier always returns <code>true</code> it will not verify the hostname at all.

This allows an attacker to perform a man-in-the-middle attack on the application therefore breaking any security Transport Layer Security (TLS) gives.

</p>

</overview>

<recommendation>

<p>

DO NOT USE AN UNVERIFYING HostnameVerifier!

<li>If you use an unverifying verifier to a solve configuration problem with TLS/HTTPS you should solve the configuration problem instead.

</li>

<li>If you use an unverifying verifier to connect to a local host you should instead create a self-signed certificate for your local host and import that certificate to the java key store</li>

If you do not verify the hostname, might as well not use TLS/HTTPS at all.

<li>If the above solutions do not work you can implement a custom HostnameVerifier, if you **understand** the security impact of your implementation.</li>

<li>Ensure that you do not verify anything against the return value of the <code>session.getPeerHost()</code> method since it is not authenticated.</li>

Ensure that you at least verify the given <code>hostname</code> against the values that can be derived from the return value of the <code>session.getPeerCertificates()</code> method.

Verifying <code>hostname</code> against anything that is **not** derived from <code>session.getPeerCertificates()</code> usually is insecure.

Ensure that you use the default hostname verifier when using Android instead of verifying it yourself.

The default (OpenJDK) Java hostname verifier can not be used, since it always returns <code>false</code>.

</li>

</p>

</recommendation>

<example>

<p>

In the first example, the <code>HostnameVerifier</code> always returns <code>true</code>.

This allows an attacker to perform a man-in-the-middle attack, because any certificate is accepted despite an incorrect hostname.

</p>

<sample src="AlwaysTrueHostnameVerifier.java" />

<p>

In the second example, we want to connect to the example.org host, but the host presents a certificate for example.com.

Assuming that example.org and example.com are under our control (and only then this is ok) we can use the default <code>HostnameVerifier</code>

to verify that the certificate belongs to example.com.

Note that you should really fix the configuration problem that causes example.org to present the certificate for example.com instead of using this method.

This method **only** works on Android, on (OpenJDK) Java the default <code>HostnameVerifier</code> will always return <code>false</code>.

On (OpenJDK) Java you can use <a href="https://github.com/AsyncHttpClient/async-http-client/commit/3c9152e">this implementation</a> of a working

hostname verifier instead of the default <code>HostnameVerifier</code>.

</p>

<sample src="AndroidHostnameVerifier.java" />

</example>

<references>

<li><a href="https://developer.android.com/training/articles/security-ssl">Android Security Guide for TLS/HTTPS</a>.</li>

<li><a href="https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/">Further Information on Hostname Verification</a>.</li>

<li>OWASP: <a href="https://cwe.mitre.org/data/definitions/295.html">CWE-295</a>.</li>

</references>

</qhelp>

import HostnameValidation

from IncorrectHostnameVerifyMethod m

where not m.getDeclaringType() instanceof TestClass

select m.getADangerousStmt(), "This statement incorecctly verifies the hostname."

HostnameVerifier hostnameVerifier = new HostnameVerifier() {

@Override

public boolean verify(String hostname, SSLSession session) {

return hostname.equals("localhost"); // BAD, does not verify the certificate

}

};

HostnameVerifier hostnameVerifier = new HostnameVerifier() {

@Override

public boolean verify(String hostname, SSLSession session) {

return hostname.equals(session.getPeerHost()); // BAD, getPeerHost() is not authenticated

// and will always be equal to the hostname, therefore trusting ALL hostnames

}

};