Summary
TLS certificate verification is globally disabled (\�erify=False) across 4 locations in the backend codebase. All outbound HTTPS connections made by the crawler and modular scanners accept any TLS certificate, including self-signed, expired, or attacker-controlled certificates.
Affected Files
| File |
Line |
Code |
| \�ackend/secuscan/crawler.py\ |
89 |
\�erify=False\ |
| \�ackend/secuscan/scanners/xss_validation_scanner.py\ |
31 |
\�erify=False\ |
| \�ackend/secuscan/scanners/api_scanner.py\ |
55 |
\�erify=False\ |
| \�ackend/secuscan/scanners/network_vulnerability_scanner.py\ |
189 |
\�erify=False\ |
Impact
An attacker on the network path can intercept, modify, or inject responses into all scanner HTTPS traffic. This is a TLS Man-in-the-Middle vulnerability that:
- Breaks the confidentiality of scanner target communications
- Allows injection of malicious responses into scan results
- Undermines the integrity of the entire security scanning pipeline
- Bypasses all TLS security guarantees for scanner operations
Root Cause
The \�erify=False\ parameter is hardcoded in every \httpx.AsyncClient\ instantiation across the codebase. There is no configuration option to control this behavior.
Fix
A fix has been implemented in PR #... The solution:
- Adds \�erify_ssl: bool = True\ to \Settings\ in \config.py\ (configurable via \SECUSCAN_VERIFY_SSL\ env var)
- Updates all 4 \httpx.AsyncClient\ calls to use \�erify=settings.verify_ssl\ instead of \�erify=False\
This makes TLS verification secure by default while allowing operators to disable it explicitly when needed (e.g., for development with self-signed certificates).
Severity
Level: Advanced/Critical
CVSS 3.1: 8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Type: Security Vulnerability
Area: Backend
Summary
TLS certificate verification is globally disabled (\�erify=False) across 4 locations in the backend codebase. All outbound HTTPS connections made by the crawler and modular scanners accept any TLS certificate, including self-signed, expired, or attacker-controlled certificates.
Affected Files
Impact
An attacker on the network path can intercept, modify, or inject responses into all scanner HTTPS traffic. This is a TLS Man-in-the-Middle vulnerability that:
Root Cause
The \�erify=False\ parameter is hardcoded in every \httpx.AsyncClient\ instantiation across the codebase. There is no configuration option to control this behavior.
Fix
A fix has been implemented in PR #... The solution:
This makes TLS verification secure by default while allowing operators to disable it explicitly when needed (e.g., for development with self-signed certificates).
Severity
Level: Advanced/Critical
CVSS 3.1: 8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Type: Security Vulnerability
Area: Backend