Why This Issue Is Important
The lack of target system certificate validation in Apigee proxies is a critical security flaw that can have severe consequences. When the TLS certificate of the target system is not validated, the communication channel between Apigee and the target system becomes vulnerable to Man-in-the-Middle (MITM) attacks. This means an attacker could intercept, alter, or eavesdrop on the data being transmitted, potentially leading to unauthorized access to sensitive information. Insecure communication could also allow attackers to spoof the identity of the target system, making it appear legitimate while compromising data integrity and confidentiality.
In essence, without proper certificate validation, the very foundation of secure communication—ensuring that the entity on the other end is who it claims to be—falls apart. This is particularly dangerous when handling non-public or sensitive data, as it can lead to significant breaches of trust, legal consequences, and financial losses for the business.
How This Issue Is Detected
The issue of lack of target system certificate validation is detected by analyzing the XML configuration of the TargetEndpoint in the Apigee proxy. The tool specifically looks for a TrustStore element within the SSLInfo section of the HTTPTargetConnection and flags the endpoint when that element is missing. The TrustStore element is crucial because it defines the set of trusted certificates (typically the CA certificates that issued the target's certificate) that the proxy uses to validate the TLS certificate presented by the target system.
How to Fix the Issue
To fix this issue, upload the Certificate Authority (CA) certificate that issued the target system's certificate to an Apigee trust store, then reference that trust store in the TrustStore element within the SSLInfo section of your proxy's TargetEndpoint configuration. Keep IgnoreValidationErrors set to false so that a certificate that fails validation causes the connection to be rejected rather than silently accepted. This ensures that the TLS certificate of the target system is properly validated.
<HTTPTargetConnection>
  <SSLInfo>
    <Enabled>true</Enabled>
    <IgnoreValidationErrors>false</IgnoreValidationErrors>
    <TrustStore>ref://MainTrustStore</TrustStore>
  </SSLInfo>
  <URL>https://httpbin.org/anything/</URL>
</HTTPTargetConnection>
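The following Python script is an added example, not the detection tool described in this article or any Apigee-provided code. It implements the check described in the detection section (an SSLInfo section without a TrustStore element) over TargetEndpoint XML, and additionally flags the two weak settings the corrected configuration above rules out: SSLInfo/Enabled not set to true and IgnoreValidationErrors set to true. The three XML documents are constructed samples; the backend hostname in the weak samples is made up, and the compliant sample wraps the corrected HTTPTargetConnection from this article in a TargetEndpoint element.

```python
"""Flag Apigee TargetEndpoints that do not validate the target's TLS certificate.

Added example: implements the TrustStore check from the article plus the
Enabled / IgnoreValidationErrors settings shown in the corrected configuration.
"""
import xml.etree.ElementTree as ET


def _child_text(parent, tag):
    """Return the stripped text of a direct child element, or None when absent/empty."""
    node = parent.find(tag)
    if node is None or node.text is None:
        return None
    return node.text.strip()


def check_target_endpoint(xml_text):
    """Return a list of findings, one per weak TLS setting, for every HTTPTargetConnection.

    An empty list means every connection enables TLS, references a TrustStore
    and does not ignore validation errors. The input may be a whole
    TargetEndpoint document or a bare HTTPTargetConnection fragment.
    """
    root = ET.fromstring(xml_text)
    findings = []
    # iter() yields the root itself when it is the HTTPTargetConnection element.
    for conn in root.iter("HTTPTargetConnection"):
        url = _child_text(conn, "URL") or "<no URL>"
        ssl = conn.find("SSLInfo")
        if ssl is None:
            findings.append(f"{url}: no SSLInfo section, target certificate is not validated")
            continue
        if (_child_text(ssl, "Enabled") or "").lower() != "true":
            findings.append(f"{url}: SSLInfo/Enabled is not true")
        if (_child_text(ssl, "IgnoreValidationErrors") or "").lower() == "true":
            findings.append(f"{url}: IgnoreValidationErrors is true, validation failures are ignored")
        if not _child_text(ssl, "TrustStore"):
            findings.append(f"{url}: SSLInfo has no TrustStore, target certificate cannot be validated")
    return findings


# Constructed sample: TLS enabled but no TrustStore (the issue this article describes).
MISSING_TRUSTSTORE = """<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <SSLInfo>
      <Enabled>true</Enabled>
    </SSLInfo>
    <URL>https://orders-backend.example.internal/v1</URL>
  </HTTPTargetConnection>
</TargetEndpoint>
"""

# Constructed sample: TrustStore present but validation errors are ignored.
IGNORES_ERRORS = """<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <SSLInfo>
      <Enabled>true</Enabled>
      <IgnoreValidationErrors>true</IgnoreValidationErrors>
      <TrustStore>ref://MainTrustStore</TrustStore>
    </SSLInfo>
    <URL>https://orders-backend.example.internal/v1</URL>
  </HTTPTargetConnection>
</TargetEndpoint>
"""

# The article's corrected configuration, wrapped in a TargetEndpoint element.
COMPLIANT = """<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <SSLInfo>
      <Enabled>true</Enabled>
      <IgnoreValidationErrors>false</IgnoreValidationErrors>
      <TrustStore>ref://MainTrustStore</TrustStore>
    </SSLInfo>
    <URL>https://httpbin.org/anything/</URL>
  </HTTPTargetConnection>
</TargetEndpoint>
"""

if __name__ == "__main__":
    for name, doc in [("missing-truststore", MISSING_TRUSTSTORE),
                      ("ignores-errors", IGNORES_ERRORS),
                      ("compliant", COMPLIANT)]:
        result = check_target_endpoint(doc)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run the script against the proxy bundle's TargetEndpoint XML files (for example, everything under apiproxy/targets/) to get one line per weak setting; a clean endpoint produces no findings. The Enabled and IgnoreValidationErrors checks are included because a TrustStore reference alone does nothing if TLS is disabled on the connection or validation errors are configured to be ignored.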