Weak SSL/TLS Ciphers Insufficient Transport Layer Protection

SSL certificates, SSLscan, Nmap NSE

💡 See Credentials Transported over an Encrypted Channel.

Testing

SSL Configuration and validation of certificates

Use SSLscan.

Nmap NSE

ls -la /usr/share/nmap/scripts/ssl*
-rw-r--r-- 1 root root 10112 Jan  9 23:24 /usr/share/nmap/scripts/ssl-ccs-injection.nse
-rw-r--r-- 1 root root  3900 Jan  9 23:24 /usr/share/nmap/scripts/ssl-cert-intaddr.nse
-rw-r--r-- 1 root root 10347 Jan  9 23:24 /usr/share/nmap/scripts/ssl-cert.nse
-rw-r--r-- 1 root root  6807 Jan  9 23:24 /usr/share/nmap/scripts/ssl-date.nse
-rw-r--r-- 1 root root 39897 Jan  9 23:24 /usr/share/nmap/scripts/ssl-dh-params.nse
-rw-r--r-- 1 root root 39964 Jan  9 23:24 /usr/share/nmap/scripts/ssl-enum-ciphers.nse
-rw-r--r-- 1 root root  7768 Jan  9 23:24 /usr/share/nmap/scripts/ssl-heartbleed.nse
-rw-r--r-- 1 root root  4331 Jan  9 23:24 /usr/share/nmap/scripts/ssl-known-key.nse
-rw-r--r-- 1 root root 11201 Jan  9 23:24 /usr/share/nmap/scripts/ssl-poodle.nse
-rw-r--r-- 1 root root 11249 Jan  9 23:24 /usr/share/nmap/scripts/sslv2-drown.nse
-rw-r--r-- 1 root root  1575 Jan  9 23:24 /usr/share/nmap/scripts/sslv2.nse
IP=x.x.x.x
nmap -sV --script ssl-enum-ciphers -p 443 $IP

# If output is too long for screenshot 
nmap -sV --script ssl-enum-ciphers -p 443 $IP | grep -E "SSLv|TLSv"
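
The grep filter above keeps only the protocol lines, so cipher grades and warnings are lost. As an added example (not part of the original notes), this shell function turns ssl-enum-ciphers output into one finding per line; the names summarize_tls and sample_scan are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# summarize_tls: read nmap ssl-enum-ciphers text output on stdin and print one
# finding per line (deprecated protocol, cipher graded below A, warning, grade).
summarize_tls() {
  awk '
    # Protocol header, e.g. "|   TLSv1.0:"
    $1 ~ /^\|_?$/ && $2 ~ /^(SSLv|TLSv)[0-9.]+:$/ {
      proto = $2; sub(/:$/, "", proto); inwarn = 0
      # SSLv3 and earlier, TLS 1.0 and TLS 1.1 are formally deprecated
      if (proto ~ /^SSLv/ || proto == "TLSv1.0" || proto == "TLSv1.1")
        print "DEPRECATED_PROTOCOL " proto
      next
    }
    $2 == "least" && $3 == "strength:" { print "LEAST_STRENGTH " $NF; inwarn = 0; next }
    $2 == "warnings:" { inwarn = 1; next }
    # Lines under "warnings:" are free text; keep them for the report
    inwarn {
      line = $0; sub(/^\|_?[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
      print "WARNING " proto " " line; next
    }
    # Cipher line, e.g. "|   TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C"
    proto != "" && NF >= 4 && $(NF-1) == "-" && $NF ~ /^[A-F]$/ {
      if ($NF != "A") print "WEAK_CIPHER " proto " " $2 " grade=" $NF
    }
  '
}

# Constructed sample output (not from a real host), trimmed to the relevant lines.
sample_scan() {
  cat <<'EOF'
443/tcp open  ssl/http
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     cipher preference: server
|_  least strength: C
EOF
}

# Real use: nmap -sV --script ssl-enum-ciphers -p 443 "$IP" | summarize_tls
sample_scan | summarize_tls
```

The output lines can be pasted into the evidence section of a report next to the screenshot.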

If exposed on the internet

Qualys SSL Labs - Test strength of SSL Certificates
https://www.ssllabs.com/ssltest/

Mozilla Observatory - SSL Certificates / Response Headers
https://observatory.mozilla.org/

Reporting

CVSS Score v3: Variable depending on resource, 0 (Info)
CVSS Vector v3: N/A

English

Title: Mixed Active Content (HTTP + HTTPS)
Description: Mixed Active Content occurs when active resources (such as scripts or CSS) are loaded over unencrypted HTTP and included in a secure (HTTPS) page. This is dangerous because an attacker could modify these files (as they are sent unencrypted), which could allow them to execute arbitrary code (JavaScript or CSS) in the page. Passive content (such as images) loaded over an insecure connection can also leak information or allow an attacker to deface the page, although it is less likely to lead to a full compromise.
Note: modern browsers will block active content being loaded from insecure sources into secure pages.
Steps to reproduce: Include screenshots.
Remediation: It is recommended to access resources only over HTTPS in applications using HTTPS (no mix of HTTP and HTTPS requests in the application).
The difficulty of fixing this vulnerability is assessed as “Simple”.

French

Title: HTTP & HTTPS Combination (Mixed Active Content)
Description: Mixed Active Content occurs when a resource (such as a script or CSS) is loaded over HTTP and included in a secure (HTTPS) page.

This is a risk because an attacker could modify certain files (as they are not encrypted in transit), which allows the attacker to execute arbitrary code (JavaScript or CSS) in the page.

Passive content (such as images) loaded over an insecure connection can also exfiltrate data or allow the attacker to change the appearance of the page (defacement), although it is less likely to lead to a full compromise of the application.

Note: Modern browsers block HTTP content loaded into secure (HTTPS) pages.
Steps to reproduce: Include screenshots.
Remediation: It is recommended to access resources only over HTTPS when an application uses HTTPS (do not mix HTTP and HTTPS requests in the application).
The difficulty of the fix is assessed as “Simple”.