newsapps / beeswithmachineguns

A utility for arming (creating) many bees (micro EC2 instances) to attack (load test) targets (web applications).
http://apps.chicagotribune.com/
MIT License
6.44k stars, 632 forks

Cryptographic API Misuse Vulnerability #240

Open lialon opened 2 months ago

lialon commented 2 months ago

Description:

In "beeswithmachineguns/beeswithmachineguns/bees.py", I have identified security vulnerabilities concerning insecure SSL/TLS verification and configuration. Bypassing certificate verification or accepting all host names is considered insecure. "ssl._create_unverified_context()" shouldn't be used to create an SSL/TLS context.

Location:

https://github.com/newsapps/beeswithmachineguns/blob/master/beeswithmachineguns/bees.py#L393

context = ssl._create_unverified_context()

https://github.com/newsapps/beeswithmachineguns/blob/master/beeswithmachineguns/bees.py#L942

context = ssl._create_unverified_context()

Reference

Recommendations:

Use a SECURE SSL context with proper verification.
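As an added illustration of the recommendation above (example code, not part of the project or the reporter's comment): a verifying context built with `ssl.create_default_context()`, with an optional `cafile` so that load tests against a staging host with a private CA can keep verification on instead of disabling it, plus a small audit helper that flags the two settings the unverified context turns off. The function names `secure_context`, `audit_context` and `issue_pattern_context` are assumed for this example.

```python
import ssl
from typing import List, Optional


def secure_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client TLS context that validates the server certificate and host name.

    cafile: optional PEM bundle for a private CA (e.g. a staging environment's
    own CA) so verification stays enabled; None uses the platform trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets both of these; pin them explicitly
    # so a later refactor cannot silently loosen them.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def issue_pattern_context() -> ssl.SSLContext:
    """The pattern reported in the issue, reproduced only for comparison."""
    return ssl._create_unverified_context()


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings describing why a context is insecure (empty if it is fine)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched against the target host")
    return findings


if __name__ == "__main__":
    print("unverified:", audit_context(issue_pattern_context()))
    print("secure:", audit_context(secure_context()))
```

Pass the returned context as the `context=` argument of the HTTPS client call instead of the unverified one; an untrusted or mismatched certificate then fails the connection rather than being silently accepted.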