Improper Certificate Validation
| Property | Value |
|---|---|
| Language | csharp |
| Severity | |
| CWE | CWE-295: Improper Certificate Validation |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Validating an X.509 certificate by comparing its subject name string is insecure: anyone can issue a certificate carrying an arbitrary subject name, so a matching name proves nothing about who holds the private key. Certificate validation should instead rely on the platform's built-in chain validation, such as X509Certificate2.Verify(), to establish authenticity.
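The flagged pattern beside its corrected form, as an added illustration rather than the rule's own sample: a hypothetical HttpClientHandler certificate callback in which "CN=api.example.com" is a placeholder subject.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical client code illustrating the rule; "CN=api.example.com" is a placeholder.
static class CertificateValidationDemo
{
    // FLAGGED PATTERN: the subject name is the only thing checked. Signature, issuer,
    // expiry, revocation and hostname binding are all ignored, so any certificate
    // whose Subject string matches (self-signed or otherwise) is accepted.
    static bool SubjectNameOnly(HttpRequestMessage request, X509Certificate2? cert,
                                X509Chain? chain, SslPolicyErrors errors)
    {
        return cert != null && cert.Subject == "CN=api.example.com";
    }

    // CORRECTED: accept only when the platform reports no policy errors (trusted chain,
    // hostname match, certificate present) and the built-in chain check passes.
    static bool PlatformValidated(HttpRequestMessage request, X509Certificate2? cert,
                                  X509Chain? chain, SslPolicyErrors errors)
    {
        if (cert == null || errors != SslPolicyErrors.None)
            return false;                 // untrusted chain, name mismatch or no certificate

        // X509Certificate2.Verify() builds and validates the chain under the default
        // policy (issuer trust, validity period, signature, revocation where available).
        return cert.Verify();
    }

    static HttpClient Build(bool secure)
    {
        var handler = new HttpClientHandler();
        if (secure)
            handler.ServerCertificateCustomValidationCallback = PlatformValidated;
        else
            handler.ServerCertificateCustomValidationCallback = SubjectNameOnly;   // the flagged form
        return new HttpClient(handler);
    }
}
```

When no custom behaviour is needed, leaving ServerCertificateCustomValidationCallback unset gives the same platform validation as PlatformValidated without any callback code to audit.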
Impact
If certificates are validated only by subject name, attackers could present forged certificates with matching names to impersonate trusted parties, leading to unauthorized access and sensitive data exposure, and undermining the application's trust and authentication mechanisms.