CWE-296 Improper Certificate Validation
What this means
SiteShadow flagged TLS usage where certificate validation is missing or incomplete (accepting invalid certs, skipping hostname checks, or trusting any certificate).
Why it matters
Improper validation lets an attacker on the network path present their own certificate and perform a man-in-the-middle (MITM) attack:
- Traffic interception/modification: attackers can tamper with API responses.
- Credential/token theft: sessions and API keys can leak over intercepted connections.
- This often starts as a "dev workaround" and accidentally ships.
Safer examples
1) Keep verification enabled
Use library defaults and avoid "insecure" flags.
2) Fix the trust chain properly
- Install the correct CA bundle on the host/container.
- Use correct hostnames that match certificates.
3) If you need custom trust, scope it tightly
Pin only the required internal CA(s) and never disable verification globally (see CERT01 / T01 / CWE-295).
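The following is an added example, not SiteShadow's own code: it builds the insecure TLS context pattern the scanner flags (hostname check off, any certificate accepted) next to a hardened context that keeps the library defaults and, optionally, adds an internal CA file without disabling anything, plus a small audit helper that reports the same "incomplete validation" conditions described above. The `internal_ca_pem` parameter and the helper names are assumptions for this example.

```python
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """The 'dev workaround' pattern: verification and hostname checks
    switched off, so any certificate (including an attacker's) is accepted.
    Shown only so it can be recognised and audited."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # hostname no longer compared to the cert
    ctx.verify_mode = ssl.CERT_NONE   # chain no longer validated at all
    return ctx


def hardened_context(internal_ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Safe pattern: keep the defaults (system CA bundle, CERT_REQUIRED,
    check_hostname=True) and, if an internal CA is needed, add it to the
    trust store instead of disabling verification. `internal_ca_pem` is an
    assumed path to a PEM file holding only the required internal CA(s)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # explicit floor, any Python version
    if internal_ca_pem is not None:
        # Scoped trust: adds the internal CA; public CAs and hostname
        # checking stay in force, so this is not a global bypass.
        ctx.load_verify_locations(cafile=internal_ca_pem)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the validation gaps a reviewer would flag for a context.
    Mirrors the high-level checks: chain validation, hostname check,
    and a reasonable protocol floor."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("check_hostname disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


if __name__ == "__main__":
    print("insecure :", audit_context(insecure_context()))
    print("hardened :", audit_context(hardened_context()))
```

Running the module prints the findings for each context; the hardened one should report none.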
How SiteShadow detects it (high level)
- Flags known "disable certificate verification" settings and incomplete validation patterns.
- Treats this as high severity outside explicit dev/test contexts.
References
- CWE-296: https://cwe.mitre.org/data/definitions/296.html
---