Severity: Medium
Score: 5.8
Accuracy: Confirmed
Language: JavaScript
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Improper certificate validation detected.
Disabling certificate validation can expose the application to man-in-the-middle (MITM) attacks.
...
const https = require('https');

const options = {
  hostname: 'example.com',
  port: 443,
  path: '/',
  method: 'GET',
  rejectUnauthorized: false // Vulnerable: disables TLS server certificate verification
};
const req = https.request(options, (res) => {
  // handle response
});
req.end();
Example: how to fix your code
Ensure that SSL/TLS certificate validation is properly configured. Set rejectUnauthorized to true and supply the CA certificate (or bundle) that the server's certificate is validated against.
This is just an example:
...
const fs = require('fs');
const path = require('path');
const https = require('https');

// Load CA certificate (replace with the path to your CA bundle or certificate)
const caCert = fs.readFileSync(path.join(__dirname, 'ca-cert.pem'));

// Make an HTTPS request with proper certificate validation
const options = {
  hostname: 'example.com',
  port: 443,
  path: '/',
  method: 'GET',
  ca: caCert, // Secure: specify the CA certificate used to validate the server certificate
  rejectUnauthorized: true // Ensure certificate validation is enforced
};
const req = https.request(options, (res) => {
  let data = '';
  res.on('data', (chunk) => {
    data += chunk;
  });
  res.on('end', () => {
    console.log('Response:', data);
  });
});
req.on('error', (e) => {
  console.error('Request error:', e);
});
req.end();