SSL/TLS security testing

Web App Security
November 13, 2017

Did you ever think why some websites use http:// and some use https:// in the URL address?
For example, why websites like Amazon and Facebook have addresses https://www.amazon.in/ and https://www.facebook.com instead of http://www.amazon.in and http://www.facebook.com?

How does a single ‘s‘ makes the difference? If you are a security researcher, you must be already knowing the difference of HTTP from HTTPS. But why is it necessary and how does it help the users of a web application to do transactions and other communications securely? So we will look all about it in this blog post.

Let’ solve this mystery

HTTP stands for HyperText Transfer Protocol whereas HTTPS stands for HyperText Transfer Protocol Secure. The ‘s’ stands for the secured part. Now how do we get HTTPS from HTTP?

Here is a simple equation:
HTTP + SSL = HTTPS

Cool, a new term SSL? Where did that come from dude?

HTTP is a communication protocol but the communication is not secure because the data sent through it is in plain text.That means if you are trying to login to a webpage which follows HTTP protocol, it will be easy for the attackers to just learn the credentials by eavesdropping on the data and the user won’t even know about it. These attacks are called Man in the Middle attacks(MITM). To learn more about MITM, see this page.

To prevent this, HTTP communications were done within a connection encrypted by Secure Sockets Layer(SSL). It provides bidirectional encryption of communications between a client and server, which protect against eavesdropping and tampering with the contents of the communication.

This all comes to the conclusion that SSL or it’s more recent version TLS are cryptographic tools that provide security to communications.

Why is it necessary to test for SSL/TLS?

As a company who has their main business on a web application, you should take appropriate steps so that each page on all the domains follow the HTTPS protocol to prevent the violation of user’s privacy and integrity of data. Even one communication which isn’t secure enough can lead to Man in the Middle attacks.
Also, there is a security difference between SSL and TLS. TLS is the upgrade version of SSL. SSL 3.0 was vulnerable to the Poodle attackand other vulnerabilities, and that’s why TLS was developed. So during the testing, it’s necessary to determine if any of the services on the application are still using SSL. To learn more about Poodle attacks see

Ok, I get all the theoretical details but how do I test it?

There are different tools and scripts available for SSL Testing. Some of them give you a plethora of details from the SSL version used to the vulnerabilities they might be responsible to also about the different encryption mechanism used.
We will go through it one by one.

  • Nmap scan for SSL RecognitionThe “-sV” scan option in the Nmap scanner is able to identify SSL services. For example, a command like this will return the services which are using SSL:nmap -F -sV http://www.targetwebsite.comThis will help you recognize the different services so that you can then try checking the obtained ports and services for the SSL version and whether they are vulnerable to any SSL attacks.

  • Use of vulnerability scannersVulnerability scanners like Nessus and Burpsuite Pro also include checks against weak ciphers. They will report that a weak cipher is being used by scanning SSL on different ports and services. These tools are quite useful so do give them a try. Nessus has a trial period for its free scanning while Burpsuite’s free version doesn’t support scanning.

We will suggest some better methods. Just keep reading.:)
The above two methods are good but when you need to specifically test for SSL, there are two more methods which we preferably use to scan all services at once.

  • Method 1:Download and run the testssl.sh script file using the below command.git clone --depth 1 https://github.com/drwetter/testssl.sh.gitLook at this Github page for the command and instructions.
    After downloading, you will find a script file named testssl.sh inside it.
  • Just run the below commands from the directory where you have downloaded testssl to do SSL testing using this script.
  • First, make the script executable by
  • chmod +x testssl.sh
  • After that run the script on the target.
  • ./testssl.sh http://www.targetwebsite.com
  • The above command is the default option which gives all the information but there are a lot more specific options which you can see on this page here.
    This is one of the best tools at your hand completely free and trustworthy. Remember to check it out.
  • Method 2:Method 1 was simple and easy. But there is another method which is even easier than this. People at ssllabs have made a website in which you just need to enter the hostname and it will give the whole ssl testing details.
    Here is a screenshot for the interface

  • This also gives almost the same details as the above one and gives an overall rating to your application’s SSL security. It is quite hassle-free and simple. Give it a try, it’s worth it.

Final Points:

  • Websites nowadays shouldn’t use SSL or even TLS version 1.0. The best approach will be to use more recent versions like 1.1 or 1.2. The above methods will tell you about the version of SSL as well as about the ciphers the encryption method is using.

  • The most important thing is to remember that sites secured using TLS are the first line of defense against any attack on the application. Many companies like Comodo and GoDaddy are providing SSL certificates at reasonable prices. Make sure to make the web application more secured using HTTPS.

  • Also, keep in mind that as a user you are using the latest release of your browser. Do remember to update it as soon as the latest version releases. Browsers such as Chrome and Firefox have inbuilt preventive measures against insecure websites and will remind you if you are visiting one of them because sharing details like Credit card numbers and passwords on that website can be sniffed using Man in the Middle attacks.

To read about more methods and testing for different ssl-tls criteria see this page from OWASP.

https://www.owasp.org/index.php/Testing_for_SSL-TLS_(OWASP-CM-001)

In case you are having troubles with any setup or aren’t able to understand something, feel free to comment below and someone will reply to you as soon we can.

Till then Keep learning and Keep Hacking.:)

Related posts :
Web App Security
Web App Security
June 6, 2018

A User can change the personal details of any other user broken access control

Broken Access Control Hi everyone. Welcome to this new post from ENCIPHERS. So recently, our team at ENCIPHERS conducted …
Read More
Web App Security
March 3, 2018

Some quick checks to do in the password reset implementation during a pentest

Hello and welcome everyone to this new post from ENCIPHERS. Passwords are the first line of defense against any security …
Read More
Web App Security
May 25, 2021

Setting Up Web App Penetration Testing Lab Using ThreadsApp

Introduction With the sheer number of cyber threats which occur every day, a lot of individuals want to tackle that and to …
Read More

Mobile App Security

Mobile App Security
April 17, 2022

An analysis of the modern mobile applications for data security

Mobile phones have become an imperative portion of our daily lives. People nowadays prefer to keep every bit of information regarding personal and professional life on their mobile phones.
Read More
Mobile App Security
November 26, 2019

Awesome Android Application Security

Android Application Security This is a write-up of Android Application Security resources and tools which helps in Android...
Read More
Mobile App Security
October 25, 2019

Awesome iOS Application Security

This is a repository of iOS Security resources and tools which can be used in iOS pentesting and security research. It’s a ...
Read More
An Award-Winning Cyber Security Consulting & Training Company
Email
Headquarter
Enciphers Labs Private Limited,
24th Floor, Tower B, Alphathum, Sector 90, Noida, Uttar Pradesh, India
Company
About usContact UsServicesTrainingBrand Kit
Useful links
Cyber Security PolicyData Protection PolicyResponsible DisclosurePrivacy PolicyHall Of Fame
© 2000-2024, All Rights Reserved