CWE-299: Improper Certificate Validation (Basic Constraints)

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected that the application failed to check certificate revocation status (CRL/OCSP) when establishing TLS/SSL connections. Evidence includes successful connections using revoked certificates, lack of OCSP/CRL requests in network traffic, or the application proceeding despite revocation information indicating the certificate is invalid. This is typically discovered through traffic analysis of the application's outbound HTTPS connections.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings typically indicate that the application successfully established TLS connections using certificates that violate X.509 Basic Constraints, such as:

  • Accepting end-entity certificates as certificate authorities
  • Failing to enforce the Basic Constraints cA=TRUE flag on intermediate certificates
  • Trusting improperly constrained certificate chains

Evidence is usually indirect and based on observed connection success where a compliant TLS client would reject the certificate chain.

Mapping DAST Findings to Source Code

CWE-299 does not map to a specific HTTP endpoint or request parameter.
The issue resides in outbound TLS client configuration and certificate trust validation logic.

When tracing this issue in code, look for:

  • Custom TrustManager / X509TrustManager implementations
  • TLS client configuration that disables or replaces default validation
  • Certificate validation callbacks that do not enforce Basic Constraints
  • Libraries or flags that accept non-CA certificates as issuers

Search for patterns such as:

  • Custom certificate validators
  • Overridden trust chain verification logic
  • Third-party TLS libraries with relaxed defaults

Remediation

Core Principle: Never establish a TLS connection unless the certificate chain is validated according to X.509 Basic Constraints; only certificates explicitly marked as certificate authorities may issue or sign other certificates.
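The check behind this principle, written as an added Go example (not code from the page or from any scanner vendor): CheckBasicConstraints walks a leaf-to-root chain and rejects any issuer whose Basic Constraints extension is absent or carries cA=FALSE. The helpers mint and RogueChain are hypothetical and exist only to construct a throwaway chain in which a non-CA server certificate signs a leaf, which is the condition the scanner flags; all names and hostnames in it are made up.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckBasicConstraints is the check a hand-rolled trust validator must not skip: with chain
// ordered leaf -> root, every issuer (index 1 onward) must carry Basic Constraints with cA=TRUE.
func CheckBasicConstraints(chain []*x509.Certificate) error {
	for _, c := range chain[1:] {
		if !c.BasicConstraintsValid || !c.IsCA { // extension absent, or present with cA=FALSE
			return fmt.Errorf("issuer %q is not a CA", c.Subject.CommonName)
		}
	}
	return nil
}

// mint issues a throwaway test certificate (constructed for this example); a nil parent yields a self-signed root.
func mint(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, // extension is always written; cA=FALSE when !isCA
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// RogueChain reproduces the finding: a non-CA server cert "issues" a leaf. Order: leaf, server, root.
func RogueChain() []*x509.Certificate {
	root, rootKey := mint("Test Root CA", true, nil, nil)
	server, serverKey := mint("server.example.test", false, root, rootKey)
	leaf, _ := mint("rogue.example.test", false, server, serverKey)
	return []*x509.Certificate{leaf, server, root}
}

func main() { fmt.Println(CheckBasicConstraints(RogueChain())) } // issuer "server.example.test" is not a CA
```

Go's own x509.Verify already enforces this rule, so a check like this is only needed where a custom trust manager replaces the library's chain validation, which is exactly the code the mapping section above tells you to look for.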

Verification and Follow-Up Testing

After applying the fix:

Reproduce the Vulnerability

Trigger the application feature that performs an outbound TLS connection and verify the connection fails when the upstream presents a certificate that violates Basic Constraints.

Re-run DAST Scanner

Run your dynamic scanner again against the fixed application to confirm the finding no longer reproduces.

Additional Resources