Skip to content

[SECURITY] TLS certificate verification globally disabled across all scanners and crawler (Critical) #1735

Description

@namann5

Summary

TLS certificate verification is globally disabled (\�erify=False) across 4 locations in the backend codebase. All outbound HTTPS connections made by the crawler and modular scanners accept any TLS certificate, including self-signed, expired, or attacker-controlled certificates.

Affected Files

File Line Code
\�ackend/secuscan/crawler.py\ 89 \�erify=False\
\�ackend/secuscan/scanners/xss_validation_scanner.py\ 31 \�erify=False\
\�ackend/secuscan/scanners/api_scanner.py\ 55 \�erify=False\
\�ackend/secuscan/scanners/network_vulnerability_scanner.py\ 189 \�erify=False\

Impact

An attacker on the network path can intercept, modify, or inject responses into all scanner HTTPS traffic. This is a TLS Man-in-the-Middle vulnerability that:

  • Breaks the confidentiality of scanner target communications
  • Allows injection of malicious responses into scan results
  • Undermines the integrity of the entire security scanning pipeline
  • Bypasses all TLS security guarantees for scanner operations

Root Cause

The \�erify=False\ parameter is hardcoded in every \httpx.AsyncClient\ instantiation across the codebase. There is no configuration option to control this behavior.

Fix

A fix has been implemented in PR #... The solution:

  1. Adds \�erify_ssl: bool = True\ to \Settings\ in \config.py\ (configurable via \SECUSCAN_VERIFY_SSL\ env var)
  2. Updates all 4 \httpx.AsyncClient\ calls to use \�erify=settings.verify_ssl\ instead of \�erify=False\

This makes TLS verification secure by default while allowing operators to disable it explicitly when needed (e.g., for development with self-signed certificates).

Severity

Level: Advanced/Critical
CVSS 3.1: 8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Type: Security Vulnerability
Area: Backend

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions