
Using Python standard libraries to perform HTTPS requests is security-sensitive


    Details

    • Type: Security Hotspot Detection
    • Status: Closed
    • Resolution: Won't Do
    • Labels:
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Targeted languages:
      Python
    • Irrelevant for Languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, Java, JavaScript, Kotlin, Objective-C, PHP, PL/I, PL/SQL, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Analysis Scope:
      Main Sources
    • OWASP:
      A3, A9

      Description

      On Python versions earlier than 2.7.9 and 3.4.3, the standard libraries that perform HTTPS requests have a vulnerable SSL/TLS configuration by default. In the past, this has led to the following vulnerabilities:

      By default, those libraries simply skip verification of X.509 certificate signatures as well as hostname verification. This means that nothing prevents an attacker from intercepting the network traffic; they would then be able to read and modify sensitive information that should normally be safe from this threat.

      This rule raises an issue when one of the following standard libraries is used for networking with its default SSL/TLS configuration: urllib, urllib2, http or httplib.

      Ask Yourself Whether

      • Your application is using the urllib, urllib2, http or httplib modules to perform HTTPS requests.
      • You rely on the library default SSL/TLS configuration.
      • You are using a version of Python prior to 2.7.9 or 3.4.3.

      You are at risk if you answered yes to all those questions.

      Recommended Secure Coding Practices

      • Avoid versions of Python where the standard libraries have a vulnerable SSL/TLS configuration by default. Your Python version should be at least 2.7.9 or 3.4.3.
      • Prefer using the Requests package, which has a secure SSL/TLS configuration by default.
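      The following example is added here and is not part of the rule or of SonarSource's code. It shows the two checks this rule is about, as a practitioner would encode them: whether the running interpreter is at or above the 2.7.9 / 3.4.3 thresholds where the standard library verifies certificates by default, and how to make an HTTPS request that does not rely on that default at all by passing an explicit, hardened `ssl.SSLContext` to `urllib.request.urlopen`. The `fetch` helper and the `example.invalid` URL in its docstring are assumptions for illustration.

```python
import ssl
import sys
import urllib.request

# Versions from the rule text: from these releases on, urllib/http verify the
# certificate chain and the hostname by default (PEP 476).
SECURE_DEFAULT_VERSIONS = {2: (2, 7, 9), 3: (3, 4, 3)}


def stdlib_verifies_by_default(version_info=sys.version_info):
    """Return True if this interpreter's urllib/http verify TLS peers by default."""
    major = version_info[0]
    minimum = SECURE_DEFAULT_VERSIONS.get(major)
    if minimum is None:
        # Anything newer than the 3.x line inherits the secure default.
        return major > 3
    return tuple(version_info[:3]) >= minimum


def hardened_context(cafile=None):
    """Build an explicit SSL context that verifies chain and hostname.

    Passing this to urlopen() means the request is safe on any Python
    version, which is the condition this rule wants to see.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True                   # reject certificate/hostname mismatch
    ctx.verify_mode = ssl.CERT_REQUIRED         # reject untrusted or missing certificates
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx):
    """Check that a context enforces both verifications the old default skipped."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def fetch(url, timeout=10):
    """HTTPS request with an explicit context (hypothetical helper).

    Compare with the pattern the rule flags: urllib.request.urlopen(url)
    with no context, which relies on the library default.
    Example: fetch("https://example.invalid/") (constructed URL).
    """
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS URL: " + url)
    with urllib.request.urlopen(url, context=hardened_context(), timeout=timeout) as resp:
        return resp.read()
```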

            People

            Assignee: Unassigned
            Reporter: Pierre-Loup Tristant