SSL Misconfiguration

Overview SSL Misconfiguration causes a variety of issues such as sensitive pages being accessible via HTTP, use of weak SSL ciphers, and SSL stripping. Video Tutorials Discovery Methodology Use an SSL cipher audit tool such as SSLScan to test cipher strength. Observe how the site handles an HTTP request. If the site redirects the user to HTTPS, the site can be stripped. Exploitation For SSLStripping, after ARP poisoning the client and the gateway, use SSLStrip to remove SSL connection. To test cipher strength, the following tools are helpful sslscan sslscan --targets=hosts.txt NMap nmap -p 443 -v -Pn --script=ssl-enum-ciphers --open -iL hosts.txt Videos How to check HTTPS certificate from command line How to check HTTPS Certificates for common issues cURL Error: SSL Certificate Problem How to Set HTTP Headers Using Apache Server Check HTTP Headers with cURL How to Check HTTP Headers (Command Line) How to Check HTTP Headers from Browser What is HTTP Strict Transport Security (HSTS)? What is the HSTS Preload list? Cookies: Part 2 - How Secure Cookies Work SSLScan: Part 1 - How to test HTTPS, TLS, & SSL ciphers SSLScan: Part 2 - How to Interpret the Results How to Install SSLScan on Windows What is Certificate Transparency - Part 1 What is Certificate Transparency? - Part 2 - Expect-CT Header