Cleartext Transmission of Sensitive Information
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-319: Cleartext Transmission of Sensitive Information |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The code disables SSL certificate verification in cURL requests by setting CURLOPT_SSL_VERIFYPEER to false, 0, or null. This allows connections to proceed even if the server’s SSL certificate is invalid or untrusted.
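The flagged pattern beside a corrected form, as an added example that is not part of the original rule page. It assumes PHP's cURL extension; the function names and the optional CA bundle parameter are hypothetical.

```php
<?php
// Added example. Assumes PHP's cURL extension (ext-curl).
// fetchInsecure() and fetchVerified() are hypothetical names.

// Flagged: peer verification is off, so any certificate is accepted.
function fetchInsecure(string $url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // 0 and null are flagged too
    return curl_exec($ch);
}

// Corrected: the certificate chain and host name are both verified, and a
// verification failure raises an exception instead of being ignored.
function fetchVerified(string $url, ?string $caBundle = null): string
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }

    $options = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,            // validate the chain
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate must match the host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse plain http:// URLs
    ];
    if ($caBundle !== null) {
        // For an internal or private CA, trust its bundle explicitly
        // rather than turning verification off.
        $options[CURLOPT_CAINFO] = $caBundle;
    }
    curl_setopt_array($ch, $options);

    $body = curl_exec($ch);
    if ($body === false) {
        // Certificate errors land here; do not retry with verification disabled.
        throw new RuntimeException(
            sprintf('Transfer failed (%d): %s', curl_errno($ch), curl_error($ch))
        );
    }
    return $body;
}
```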
Impact
Disabling SSL verification exposes sensitive data to interception and man-in-the-middle attacks. Attackers could impersonate trusted servers, steal credentials, or alter data in transit, compromising the security of your application and its users.