Unsafe HostnameVerifier
OWASP category: MASVS-CODE: Code Quality

Overview

The HostnameVerifier implementation is responsible for verifying that the hostname in the server's certificate matches the hostname of the server that the client is trying to connect to.

An unsafe HostnameVerifier implementation in an Android application is one that does not properly verify the hostname of the server with which the application is communicating. This allows an attacker to impersonate a legitimate server and trick the application into sending sensitive data to the attacker.

This vulnerability exists because the HostnameVerifier class has function calls that can skip X.509 certificate hostname validation and instead only verify the hash of the certificate. A common misconception is that the SSLSession#isValid function performs a security-related operation, when in reality its purpose is only to check whether a session is valid and available for resuming or joining; neither of these validates the security of a session. The HostnameVerifier class has been superseded by NetworkSecurityConfig.
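The insecure pattern described above, side by side with the safe alternative of keeping the platform's own verifier, as an added example that is not code from the original page or from Android itself; the class name, the example.com URL and the logging wrapper are assumptions made for illustration:

```java
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

// Hypothetical class name for this illustration.
public final class HostnameVerifierExamples {

    // INSECURE: accepts every hostname. This is exactly the shape that the
    // BadHostnameVerifier lint check flags: verify() always returns true.
    static final HostnameVerifier ACCEPT_ALL = (hostname, session) -> true;

    // ALSO INSECURE: SSLSession#isValid() only reports whether the session can
    // be resumed or joined. It says nothing about whether the certificate
    // belongs to the host we asked for, so this is the same as ACCEPT_ALL.
    static final HostnameVerifier MISUSES_IS_VALID =
            (hostname, session) -> session.isValid();

    // SAFE: the platform default checks the certificate's subjectAltName
    // entries against the requested hostname. No custom logic is needed.
    static final HostnameVerifier PLATFORM_DEFAULT =
            HttpsURLConnection.getDefaultHostnameVerifier();

    // SAFE: wraps the default verifier and logs a mismatch so an impersonation
    // attempt shows up in app logs instead of being silently accepted.
    static final HostnameVerifier LOGGING_DEFAULT = (hostname, session) -> {
        boolean ok = PLATFORM_DEFAULT.verify(hostname, session);
        if (!ok) {
            System.err.println("hostname mismatch: requested=" + hostname
                    + " peer=" + session.getPeerHost());
        }
        return ok;
    };

    // Opens an HTTPS connection with a per-connection verifier. Only pass a
    // verifier that still delegates to the platform check.
    static HttpsURLConnection open(String url, HostnameVerifier verifier)
            throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setHostnameVerifier(verifier);
        return conn;
    }

    public static void main(String[] args) throws IOException {
        // Assumed endpoint for the demonstration; any HTTPS host will do.
        HttpsURLConnection conn = open("https://example.com/", LOGGING_DEFAULT);
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

When reviewing an app, look for both the per-connection `setHostnameVerifier(...)` call shown here and the process-wide `HttpsURLConnection.setDefaultHostnameVerifier(...)`; the latter disables hostname checks for every HttpsURLConnection in the app, and either call paired with a verifier that returns `true` or `session.isValid()` is the finding this page describes.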
Impact

Unsafe HostnameVerifier implementations can lead to vulnerabilities that attackers can use to perform MiTM (man-in-the-middle) attacks on the victim application's network traffic. The impact of exploiting this insecure code is that, if the code is triggered, the user's application network data can be compromised by a (remote or local) network attacker. The specific impact depends on the content of the network traffic that is inadvertently exposed (PII, private information, sensitive session values, service credentials, etc.).
Mitigations

Use the NetworkSecurityConfig.xml feature to ensure that connections in all production, testing, debugging, and development stages are handled correctly, rather than using or implementing custom TLS/SSL certificate validation code.
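A network security configuration that covers the production and development cases the mitigation refers to, as an added example that is not from the original page; the file path and the choice of trust anchors are assumptions made for illustration:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed location: res/xml/network_security_config.xml -->
<network-security-config>
    <!-- Production and every other build: trust only the system CA store and
         refuse cleartext. Hostname verification stays with the platform, so
         no custom HostnameVerifier is installed anywhere in the app. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Development and testing: this block is honoured only when the app is
         built with android:debuggable="true", so a user-installed CA (for
         example a local test proxy) is trusted in debug builds without any
         code change and never reaches release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The file is activated by referencing it from the manifest's `<application>` element with `android:networkSecurityConfig="@xml/network_security_config"`. Because the debug-only trust lives in `<debug-overrides>` rather than in code, there is no "temporary" accept-all verifier to forget to remove before shipping.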
Resources

- Network Security Configuration Documentation: https://developer.android.com/training/articles/security-config
- Lint check BadHostnameVerifier, which looks for implementations of HostnameVerifier whose verify method always returns true (thus trusting any hostname): https://googlesamples.github.io/android-custom-lint-rules/checks/BadHostnameVerifier.md.html
- Developer documentation for the HostnameVerifier class: https://developer.android.com/reference/javax/net/ssl/HostnameVerifier#verify(java.lang.String,%20javax.net.ssl.SSLSession)
- AllowAllHostnameVerifierDetector class in Android: https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-checks/src/main/java/com/android/tools/lint/checks/AllowAllHostnameVerifierDetector.java
Last updated (UTC): 2023-12-13.