SSL certificates, SSLscan, Nmap NSE
- Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (WSTG-CRYP-01)
- SSL Certificates
💡 See Credentials Transported over an Encrypted Channel.
Testing
SSL Configuration and validation of certificates
Use SSLscan.
Nmap NSE
ls -la /usr/share/nmap/scripts/ssl*
-rw-r--r-- 1 root root 10112 Jan 9 23:24 /usr/share/nmap/scripts/ssl-ccs-injection.nse
-rw-r--r-- 1 root root 3900 Jan 9 23:24 /usr/share/nmap/scripts/ssl-cert-intaddr.nse
-rw-r--r-- 1 root root 10347 Jan 9 23:24 /usr/share/nmap/scripts/ssl-cert.nse
-rw-r--r-- 1 root root 6807 Jan 9 23:24 /usr/share/nmap/scripts/ssl-date.nse
-rw-r--r-- 1 root root 39897 Jan 9 23:24 /usr/share/nmap/scripts/ssl-dh-params.nse
-rw-r--r-- 1 root root 39964 Jan 9 23:24 /usr/share/nmap/scripts/ssl-enum-ciphers.nse
-rw-r--r-- 1 root root 7768 Jan 9 23:24 /usr/share/nmap/scripts/ssl-heartbleed.nse
-rw-r--r-- 1 root root 4331 Jan 9 23:24 /usr/share/nmap/scripts/ssl-known-key.nse
-rw-r--r-- 1 root root 11201 Jan 9 23:24 /usr/share/nmap/scripts/ssl-poodle.nse
-rw-r--r-- 1 root root 11249 Jan 9 23:24 /usr/share/nmap/scripts/sslv2-drown.nse
-rw-r--r-- 1 root root 1575 Jan 9 23:24 /usr/share/nmap/scripts/sslv2.nse
IP=x.x.x.x
nmap -sV --script ssl-enum-ciphers -p 443 $IP
# If output is too long for screenshot
nmap -sV --script ssl-enum-ciphers -p 443 $IP | grep -E "SSLv|TLSv"
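Rather than grepping the ssl-enum-ciphers output by eye, the following added Python example (not part of these notes or of Nmap itself) parses a constructed sample of the script's output and flags deprecated protocol versions and ciphers graded worse than A. The sample output, the DEPRECATED_PROTOCOLS set and the grade threshold are assumptions; the parser only relies on the "| " gutter and the "CIPHER (params) - GRADE" line shape that the script prints.

```python
import re

# Constructed sample of `nmap --script ssl-enum-ciphers` output (not a real scan).
SAMPLE_NMAP_OUTPUT = """\
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: C
"""

# Assumed policy: protocol versions that should no longer be offered.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1\.[0-3]):$")
CIPHER_RE = re.compile(r"^(TLS_\S+)\s+\(.*?\)\s+-\s+([A-F])$")


def parse_enum_ciphers(output):
    """Map each protocol version to its list of (cipher, nmap grade)."""
    protocols, current = {}, None
    for raw in output.splitlines():
        line = raw.lstrip("|_ ").rstrip()  # drop nmap's "|" / "|_" gutter
        if m := PROTO_RE.match(line):
            current = m.group(1)
            protocols[current] = []
        elif (m := CIPHER_RE.match(line)) and current:
            protocols[current].append((m.group(1), m.group(2)))
    return protocols


def weak_findings(protocols, min_grade="A"):
    """Flag deprecated protocol versions and ciphers graded worse than min_grade."""
    findings = []
    for proto, ciphers in protocols.items():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol offered: {proto}")
        for cipher, grade in ciphers:
            if grade > min_grade:  # nmap letter grades: "A" best, "F" worst
                findings.append(f"{proto}: {cipher} graded {grade}")
    return findings
```

Feed it the real scan with `weak_findings(parse_enum_ciphers(open("scan.txt").read()))` to get one line per finding for the report.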
If exposed on the internet
Qualys SSL Labs - Test strength of SSL Certificates
https://www.ssllabs.com/ssltest/
Mozilla Observatory - SSL Certificates / Response Headers
https://observatory.mozilla.org/
Reporting
CVSS Score v3 | Variable depending on resource, 0 (Info) |
CVSS Vector v3 | N/A |
English
Title | Mixed Active Content (HTTP + HTTPS) |
Description | Mixed Active Content occurs when active resources (such as scripts or CSS) are loaded over unencrypted HTTP and included in a secure (HTTPS) page. This is dangerous because it would allow an attacker to modify these files (as they are sent unencrypted), which could allow them to execute arbitrary code (JavaScript or CSS) in the page. Passive content (such as images) loaded over an insecure connection can also leak information or allow an attacker to deface the page, although it is less likely to lead to a full compromise. Note: modern browsers block active content loaded from insecure sources into secure pages. |
Steps to reproduce | Include screenshots. |
Remediation | It is recommended to access resources only over HTTPS in applications that use HTTPS (no mix of HTTP and HTTPS requests in the application). The difficulty of fixing this vulnerability is assessed as “Simple”. |
French
Title | HTTP & HTTPS Combination (Mixed Active Content) |
Description | Mixed Active Content occurs when a resource (such as a script or CSS) is loaded over HTTP and included in a secure (HTTPS) page. This is a risk because an attacker could modify certain files (since they are unencrypted in transit), which would allow the attacker to execute arbitrary code (JavaScript or CSS) in the page. Passive content (such as images) loaded over an insecure connection can also exfiltrate data or allow the attacker to alter the appearance of the page (defacement), although it is less likely to lead to a full compromise of the application. Note: modern browsers block HTTP content loaded into secure (HTTPS) pages. |
Steps to reproduce | Include screenshots. |
Remediation | It is recommended to access resources only over HTTPS when an application uses HTTPS (do not mix HTTP and HTTPS requests within the application). The difficulty of remediation is assessed as “Simple”. |