Vulnerability Description:
We found a security vulnerability in file LittleProxy/src/main/java/org/littleshoot/proxy/extras/SelfSignedSslEngineSource.java. The customized TrustManager (at Line 125) allows all certificates to pass the verification.
Security Impact:
The checkClientTrusted and checkServerTrusted methods are expected to implement the certificate validation logic. Bypassing it could allow man-in-the-middle attacks.
Useful Resources:
https://cwe.mitre.org/data/definitions/295.html
https://developer.android.com/training/articles/security-ssl
Solution we suggest:
Do not customize the TrustManager, or specify the certificate validation logic instead of allowing all certificates. See here to securely allow self-signed certificates and other common cases.
Please share with us your opinions/comments, if any:
Is the bug report helpful?
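The trust-all pattern the report describes, beside the corrected approach of letting the JDK validate against a truststore that holds the self-signed certificate. This is an added example, not LittleProxy's own code; `truststorePath` and `password` are assumed parameters.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerExample {

    // The pattern the report describes: a custom X509TrustManager whose check
    // methods never throw, so every chain (including one presented by a
    // man-in-the-middle) is accepted. Shown only as the "before"; do not use.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // The fix: do not hand-roll validation. Load the self-signed certificate
    // (or a private CA) into a KeyStore and let the platform TrustManagerFactory
    // perform chain validation against it. Parameters are hypothetical.
    static TrustManager[] trustManagersFor(String truststorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(truststorePath)) {
            ks.load(in, password); // PKCS12/JKS file containing only the trusted cert(s)
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    // SSLContext that only accepts chains rooted in the truststore.
    static SSLContext strictContext(String truststorePath, char[] password) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustManagersFor(truststorePath, password), null);
        return ctx;
    }

    // Unit-test helper: a validating manager must reject an unrelated chain,
    // which TRUST_ALL silently accepts (returns false for it).
    static boolean rejects(X509TrustManager tm, X509Certificate[] chain) {
        try { tm.checkServerTrusted(chain, "RSA"); return false; }
        catch (CertificateException | IllegalArgumentException e) { return true; }
    }
}
```

A regression test for the fix passes a certificate that is not in the truststore to `rejects(...)` and expects `true`; the same call against `TRUST_ALL` returns `false`, which is the defect the report describes.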