C#: Add query for insecure certificate validation #838
Assignees
Labels
All For One
Submissions to the All for One, One for All bounty
Comments
intrigus-lgtm
added
the
All For One
|
Created Hackerone report 2817126 for bounty 635269 : [838] C#: Add query for insecure certificate validation |
|
Hey @intrigus-lgtm don't forget to claim your reward, the program is shutting down soon! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Query PR
github/codeql#16824
Language
C#
CVE(s) ID list
CVE in disclosure process
CWE
CWE-295
Report
If a
RemoteCertificateValidationCallbackdelegate always returnstrueand is used in e.g.ServicePointManager.ServerCertificateValidationCallback, it trusts any certificate.As the RemoteCertificateValidationCallback trusts any certificate, an attacker can create a self-signed certificate that will be accepted as any certificate is trusted. This leads to a MiTM attack against the connection thereby stealing sensitive secrets such as login data or other tokens is possible.
Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
Blog post link
No response
The text was updated successfully, but these errors were encountered: