Posted: . At: 9:19 AM. This was 3 months ago. Post ID: 19076


How to get comprehensive SSL information about a web server with Kali Linux.


Getting a comprehensive report of a server's SSL information on Kali Linux is very easy: a single utility does the job, and the output is very rewarding.

Install this simple utility.

╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~)-(172.26.28.58)┋ sudo apt install o-saft

Then we may begin scanning websites to gather information about their SSL configuration. Here I list the cipher suites the web server has enabled, grouped by protocol version.

╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~)-(172.26.28.58)┋ o-saft +cipher --enabled lihi3.com
!!Hint: +cipher : functionality changed, please see 'o-saft.pl --help=TECHNIC'
**WARNING: 409: SSLv2 does not support SNI; cipher checks are done without SNI

=== Ciphers: Checking SSLv2 ===
=   Total number of checked ciphers     59
**WARNING: 409: SSLv3 does not support SNI; cipher checks are done without SNI

=== Ciphers: Checking SSLv3 ===
=   Total number of checked ciphers     2640

=== Ciphers: Checking TLSv1 ===
    ECDHE-ECDSA-AES128-SHA              yes     HIGH
    ECDHE-ECDSA-AES256-SHA              yes     HIGH
=   Total number of checked ciphers     2640

=== Ciphers: Checking TLSv11 ===
    ECDHE-ECDSA-AES128-SHA              yes     HIGH
    ECDHE-ECDSA-AES256-SHA              yes     HIGH
=   Total number of checked ciphers     2640

=== Ciphers: Checking TLSv12 ===
    ECDHE-ECDSA-AES128-GCM-SHA256       yes     HIGH
    ECDHE-ECDSA-CHACHA20-POLY1305-SHA256-OLD    yes     HIGH
    ECDHE-ECDSA-CHACHA20-POLY1305-SHA256        yes     HIGH
    ECDHE-ECDSA-AES128-SHA              yes     HIGH
    ECDHE-ECDSA-AES256-GCM-SHA384       yes     HIGH
    ECDHE-ECDSA-AES256-SHA              yes     HIGH
    ECDHE-ECDSA-AES128-SHA256           yes     HIGH
    ECDHE-ECDSA-AES256-SHA384           yes     HIGH
=   Total number of checked ciphers     2640

=== Ciphers: Checking TLSv13 ===
    TLS13-AES128-GCM-SHA256             yes     HIGH
    TLS13-AES256-GCM-SHA384             yes     HIGH
    TLS13-CHACHA20-POLY1305-SHA256      yes     HIGH
=   Total number of checked ciphers     2640
SSLv3:    0   0   0   0   0   0                                 
TLSv1:    2   0   0   0   2   2 ECDHE-ECDSA-AES128-SHA          
TLSv11:   2   0   0   0   2   2 ECDHE-ECDSA-AES128-SHA          
TLSv12:   8   0   0   0   8   8 ECDHE-ECDSA-AES128-GCM-SHA256   
TLSv13:   3   0   0   0   0   3 TLS13-AES128-GCM-SHA256         
Selected Cipher:                        ECDHE-ECDSA-CHACHA20-POLY1305 HIGH

It is also possible to print a full report of the website's SSL configuration.

╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~)-(172.26.28.58)┋ o-saft +info lihi3.com
**WARNING: 066: 1 data and check outputs are disbaled due to use of '--no-out':
!!Hint: use '--v' for more information
!!Hint: do not use '--ignore-out=*' or '--no-out=*'
**WARNING: 202: Can't do DNS reverse lookup: for 'lihi3.com': <>; ignored
!!Hint: use '--no-dns' to disable this check
Given hostname:                         lihi3.com
IP for given hostname:                  172.67.206.35
Reverse resolved hostname:              <>
DNS entries for given hostname:         172.67.206.35 <>; 172.67.206.35 <>; 
**WARNING: 409: SSLv2 does not support SNI; cipher checks are done without SNI
**WARNING: 409: SSLv3 does not support SNI; cipher checks are done without SNI
**WARNING: 303: SSL version 'SSLv2': not supported by Net::SSLeay
**WARNING: 304: SSL version 'SSLv3': not supported by Net::SSLeay
**WARNING: 204: Can't make a connection to 'lihi3.com:443' without SNI; no initial data (compare with and without SNI not possible)
**WARNING: 203: connection without SNI succeded with errors; errors ignored
!!Hint: use '--v' to show more information about Net::SSLinfo::do_ssl_open() errors
Selected Cipher:                        ECDHE-ECDSA-CHACHA20-POLY1305 HIGH
Certificate Fingerprint  MD5:           28281466820B3D7DDB59F9053F98F5A0
Certificate Fingerprint:                SHA1 Fingerprint=E8A91D943DB70B91510190A42F25FE428B8DD5A9
Certificate OCSP Hashes:                Subject OCSP hash: 5C56D16CA34EE88B0BFB82EC70FF4CFA768DB95A; Public key OCSP hash: BBAA1E0AC7735D9113009520EEB698183360D610
Target's TLS Session Start Time EPOCH:  139663162729168
Target's DH Parameter:                  X25519, 253 bits
Target's OCSP Response Next Update: 
Target default DTLS 1.0 cipher:         <>
Target's Master-Key:                
Certificate Subject Name Hash:          55f110a5
!!Hint: use '--v' to print multiline data of '+pem' for '+info'
HTTPS STS in http-equiv:            
Certificate valid since:                Dec 25 08:33:22 2023 GMT
Target default SSL 2.0  cipher:     
Certificate OCSP Subject Hash:          5C56D16CA34EE88B0BFB82EC70FF4CFA768DB95A
Certificate Fingerprint SHA1:           E8A91D943DB70B91510190A42F25FE428B8DD5A9
!!Hint: use '--v' to print multiline data of '+text' for '+info'
HTTP Alt-Svc header:                    h3=":443"; ma=86400
HTTPS Status line:                      d
Certificate Fingerprint Algorithm:      SHA1
Target's fallback SSL Protocol:         TLSv1_3
Target default SSL 3.0  cipher:     
Target default DTLS 1.2 cipher:         <>
Target default DTLS 0.9 cipher:         <>
Certificate extensions Basic Constraints:       critical CA:FALSE 
Target's OCSP Response This Update:     Jan 14 15:30:00 2024 GMT
CA Chain Verification error in level:
Validity Certificate Chain:             0 (ok)
!!Hint: use '--v' to print multiline data of '+ocsp_response_data' for '+info'
!!Hint: use '--v' to print multiline data of '+chain_verify' for '+info'
CA Chain Verification error:            ok
Certificate trusted:                
Certificate Public Key Algorithm:       id-ecPublicKey
Certificate extensions Authority Information Access:    OCSP - URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/ 
Certificate Validity (date):            Dec 25 08:33:22 2023 GMT .. Mar 24 08:33:21 2024 GMT
Target's Server public key length:      256 bit
HTTP Location header:                   https://lihi3.com/
Certificate Validity (signature):       0 (ok)
Certificate Serial Number:              03:6a:2d:dc:77:d1:1b:c2:66:02:ce:c2:0d:c9:35:0f:ea:38
Certificate Signature Key Length:       872
!!Hint: use '--v' to print multiline data of '+chain' for '+info'
HTTPS STS MaxAge:                   
Target's advertised protocols:      
Certificate extensions Certificate Policies:    Policy: 2.23.140.1.2.1 
Certificate Serial Number (int):        297467748684193435851985736710485867227704
Certificate extensions Certificate Policies: CPS:       Policy: 2.23.140.1.2.1 
Target's selected protocol  (NPN):  
Target supports Expansion:              NONE
Target's Session-ID-ctx:            
Certificate Serial Number (hex):        036A2DDC77D11BC26602CEC20DC9350FEA38
Target default --dummy-- cipher:        <>
Certificate Trust Information:      
Certificate Fingerprint SHA2:           5616FD4D6BDAA26ED5EE843B19A37B4837A51CA569CB9E41BEB2D9FD022E0675
Certificate extensions Issuer Alternative Name:
Certificate extensions Extended Key Usage:      TLS Web Server Authentication, TLS Web Client Authentication 
Certificate Public Key Exponent:        prime256v1
                NIST CURVE: P-256
Target supports Heartbeat:          
HTTPS Alt-Svc header:               
Target's TLS Session Ticket Lifetime:
Certificate Email Addresses:        
internal used SSL options bitmask:      0x0000000080160850
Target supports PSK:                
Target supports Extended Master Secret:
HTTPS STS include sub-domains:      
!!Hint: use '--v' to print multiline data of '+extensions' for '+info'
Target default --dummy-- cipher:        <>
HTTP Alternate-Protocol:            
Certificate Type (bitmask):             0x458  <>
Target default TLS 1.1  cipher:         ECDHE-ECDSA-AES128-SHA
Target default TLS 1.3  cipher:         TLS_AES_256_GCM_SHA384
Certificate Common Name:                lihi3.com
Target's supported ALPNs:           
Target supports Resumption:             no
Target supports SRP:                
Target's selected protocol (ALPN):  
Target's supported  NPNs:           
Target default DTLS 1.3 cipher:         <>
HTTPS STS preload:                  
Target's OCSP Response Status:          successful (0x0)
Certificate Public Key Value:           04781550e7169bdd10524f99dcf826d69f683bad04f66627dd1769cb338e47ee54a79fb1deec2757f0ec509d3f5dd0937f14bcf3d08271519b05bbe664d967972d
Target's TLS Session Start Time locale: Mon Jun 12 06:19:28 4427719
Validity Alternate Names:               Given hostname 'lihi3.com' matches alternate name 'lihi3.com' in certificate
HTTPS STS header:                   
Target's selected SSL Protocol:         TLSv12
HTTP Status line:                       HTTP/1.1 301 Moved Permanently
Certificate extensions Authority key Identifier:        5AF3ED2BFC36C23779B95230EA546FCF55CB2EAC 
Certificate Subject:                    /CN=lihi3.com
Certificate Public Key Length:          140
Target's OCSP Response Cert Status:     good
HTTPS Alternate-Protocol:           
Target supports PSK Identity Hint:  
TLS extensions (debug):             
TLS server extension "key share" (id=51), len=36
TLS server extension "supported versions" (id=43), len=2
TLS server extension "server name" (id=0), len=0
TLS server extension "status request" (id=5), len=348
Certificate Version:                    3 (0x2)
Certificate extensions Certificate Policies: Policy:    2.23.140.1.2.1
HTTPS Server banner:                
Certificate extensions Subject Key Identifier:  BBAA1E0AC7735D9113009520EEB698183360D610 
HTTPS Public-Key-Pins header:       
Certificate Issuer Name Hash:           8082542d
Selected SSL Protocol:                  TLSv12
Target supports Krb5:               
HTTP Refresh header:                
Certificate extensions Key Usage:       critical Digital Signature 
Target's TLS Session Ticket:        
Validity Hostname:                      Given hostname 'lihi3.com' matches CN 'lihi3.com' in certificate
Certificate Signature Key Value:        Signature Value30640230603aa0f6b45874b60984cb9ac4661e0cffa11536a59c6b1a06e718e916888595c3f9f50f27072598fa88f132dc152e3d023036da09e1f5232713f79ef2d3b5a4594fd35e8622b16149bda91b1d3cfb2c4bc9513ce3b62e9eb0a5c0f6450ff5e48e4d
HTTPS Error alerts:                 
Target supports Renegotiation:          renegotiation.
!!Hint: checks only if renegotiation is implemented serverside according RFC 5746 
Certificate OCSP Public Key Hash:       BBAA1E0AC7735D9113009520EEB698183360D610
Target default DTLS 1.1 cipher:         <>
Certificate OCSP Responder URL:         http://e1.o.lencr.org
!!Hint: use '--v' to print multiline data of '+sigdump' for '+info'
HTTPS Location header:              
Certificate valid until:                Mar 24 08:33:21 2024 GMT
HTTPS Refresh header:               
!!Hint: use '--v' to print multiline data of '+pubkey' for '+info'
Certificate extensions CRL Distribution Points:  X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: BBAA1E0AC7735D9113009520EEB698183360D610 X509v3 Authority Key Identifier: 5AF3ED2BFC36C23779B95230EA546FCF55CB2EAC Authority Information Access: OCSP - http://e1.o.lencr.org CA Issuers - http://e1.i.lencr.org/ X509v3 Subject Alternative Name: DNS:*.lihi3.com, DNS:lihi3.com X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 3B5377753E2DB9804E8B305B06FE403B: 67D84FC3F4C7BD000D2D726FE1FAD417 Timestamp : Dec 25 093322.861 2023 GMT Extensions: none Signature : ecdsa-with-SHA256 30450221008807AE335A26474553DFDD: 2901AD6739822103BF8B7ED380320608: 8951E90DCC022077601FF6CB4F3094C0: 2347ED0EC67F94AF5B383C144DD2B5E0: 2087E2875A0B38 Signed Certificate Timestamp: Version : v1 (0x0) Log ID : 76FF883F0AB6FB9551C261CCF587BA34: B4A4CDBB29DC68420A9FE6674C5A3A74 Timestamp : Dec 25 093322.970 2023 GMT Extensions: none Signature : ecdsa-with-SHA256 3046022100FDCF085C012457FD68CB54: FC4D235F5FCBCD5F819A9073B52980D4: 9ADB7DC6CC022100B0DCFEA6782A520F: E2F0AEDAC1BEC8379DBC5654852A33C2: 559107D3352EFC0D X509
Certificate Signature Algorithm:        ecdsa-with-SHA384
Certificate extensions Netscape Cert Type:
Target default TLS 1.2  cipher:         ECDHE-ECDSA-CHACHA20-POLY1305
Target supports Compression:            NONE
Certificate Subject's Alternate Names:   DNS:*.lihi3.com DNS:lihi3.com
Target's OCSP Response:                 Response Status: successful (0x0); Cert Status: good; This Update: Jan 14 15:30:00 2024 GMT; Next Update: 
Target's TLS Session Timeout:           20
Target default TLS 1.0  cipher:         ECDHE-ECDSA-AES128-SHA
TLS extensions:                         key share; supported versions; server name; status request
HTTP STS header:                    
Certificate extensions Certificate Policies: User Notice:       Policy: 2.23.140.1.2.1 
Target's Session-ID:                
Certificate Fingerprint Hash Value:     E8A91D943DB70B91510190A42F25FE428B8DD5A9
Certificate Issuer:                     /C=US/O=Let's Encrypt/CN=E1

This is a lot of information, but very cool.
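Two groups of lines in that dump are the ones a TLS client actually acts on: the validity window ("Certificate valid since" / "Certificate valid until") and the names in "Certificate Subject's Alternate Names". The following is an added example, not code from the post or from O-Saft: it re-types those values as constructed constants and implements the checks a client performs on them, including the wildcard rules of RFC 6125, so the "*.lihi3.com" entry is shown to cover www.lihi3.com but neither lihi3.com itself (covered by the second SAN) nor a deeper sub-domain. The function names, the 14-day renewal warning and the "expiring_soon" label are my own choices.

```python
"""Validity-window and hostname checks for the leaf certificate O-Saft reported.

Added example, not part of the original post or of O-Saft. The constants are
re-typed from the +info output above (constructed input); the helper names and
the renewal-warning threshold are assumptions of this example.
"""
from datetime import datetime, timedelta, timezone

# Constructed input: values copied from the O-Saft +info output above.
VALID_SINCE = "Dec 25 08:33:22 2023 GMT"
VALID_UNTIL = "Mar 24 08:33:21 2024 GMT"
SAN_DNS = ["*.lihi3.com", "lihi3.com"]
COMMON_NAME = "lihi3.com"


def parse_openssl_time(text):
    """Parse OpenSSL's 'Mon DD HH:MM:SS YYYY GMT' notation into an aware datetime."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def validity_status(now, since, until, warn_days=14):
    """Classify `now` against the window. 'expiring_soon' is a renewal warning
    for operators; a 90-day Let's Encrypt certificate lapses quickly."""
    if now < since:
        return "not_yet_valid"
    if now > until:
        return "expired"
    if until - now <= timedelta(days=warn_days):
        return "expiring_soon"
    return "valid"


def dns_name_matches(pattern, hostname):
    """RFC 6125 DNS-ID matching: case-insensitive; '*' is accepted only as the
    entire left-most label of a pattern with at least two more labels, and it
    matches exactly one hostname label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # rejects 'f*o.example.com', 'a.*.example.com' and '*.com'
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_covered(hostname, san_dns, common_name):
    """A SAN extension, when present, is authoritative; the CN is only a
    fallback for certificates that carry no SAN at all."""
    if san_dns:
        return any(dns_name_matches(p, hostname) for p in san_dns)
    return dns_name_matches(common_name, hostname)


def check_certificate(hostname, now_text):
    """Run both checks; `now_text` uses the same OpenSSL date notation."""
    now = parse_openssl_time(now_text)
    since, until = parse_openssl_time(VALID_SINCE), parse_openssl_time(VALID_UNTIL)
    return {
        "validity": validity_status(now, since, until),
        "hostname_ok": hostname_covered(hostname, SAN_DNS, COMMON_NAME),
    }


if __name__ == "__main__":
    scan_time = "Jan 17 23:09:01 2024 GMT"  # the Wapiti scan date from the post
    for host in ("lihi3.com", "www.lihi3.com", "a.b.lihi3.com", "evil-lihi3.com"):
        print(f"{host:16} {check_certificate(host, scan_time)}")
```

Run as-is it evaluates the four hostnames at the date of the Wapiti scan further down the post; the wildcard cases are the ones worth reading closely, since "*.lihi3.com" alone would not have covered the bare domain.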

It is also possible to use another tool to manipulate an SSL connection.

╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~)-(172.26.28.58)┋ sudo apt install thc-ssl-dos

This can be used to attempt to DoS an SSL-enabled server, which could be useful against all of those SMS scams with fake websites purporting to be a telephone company or a credit agency.

Here is an example of its usage. It attempts to renegotiate the SSL connection over and over, which is very costly for the server.

╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~)-(172.26.16.220)┋ thc-ssl-dos -l 100 85.190.158.78 8443 --accept
     ______________ ___  _________
     \__    ___/   |   \ \_   ___ \
       |    | /    ~    \/    \  \/
       |    | \    Y    /\     \____
       |____|  \___|_  /  \______  /
                     \/          \/
            http://www.thc.org

          Twitter @hackerschoice

Greetingz: the french underground

Waiting for script kiddies to piss off..........

Yet another tool is sslyze, which can analyze the SSL configuration of a web server.

Install this tool.

╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~)-(172.26.16.220)┋ sudo apt install sslyze

Then find a target to scan. This website seems to have an OK SSL configuration, although the compliance section at the end of the output shows that it still accepts TLS 1.0, TLS 1.1 and the CBC cipher suites that Mozilla's intermediate profile rejects.

╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~)-(172.26.16.220)┋ sslyze lihi3.com

 CHECKING CONNECTIVITY TO SERVER(S)
 ----------------------------------

   lihi3.com:443             => 172.67.206.35 


 SCAN RESULTS FOR LIHI3.COM:443 - 172.67.206.35
 ----------------------------------------------

 * Certificates Information:
       Hostname sent for SNI:             lihi3.com
       Number of certificates detected:   1


     Certificate #0 ( _EllipticCurvePublicKey )
       SHA1 Fingerprint:                  e8a91d943db70b91510190a42f25fe428b8dd5a9
       Common Name:                       lihi3.com
       Issuer:                            E1
       Serial Number:                     297467748684193435851985736710485867227704
       Not Before:                        2023-12-25
       Not After:                         2024-03-24
       Public Key Algorithm:              _EllipticCurvePublicKey
       Signature Algorithm:               sha384
       Key Size:                          256
       Curve:                             secp256r1
       SubjAltName - DNS Names:           ['*.lihi3.com', 'lihi3.com']

     Certificate #0 - Trust
       Hostname Validation:               OK - Certificate matches server hostname
       Android CA Store (13.0.0_r9):      OK - Certificate is trusted
       Apple CA Store (iOS 16.5, iPadOS 16.5, macOS 13.5, tvOS 16.5, and watchOS 9.5):OK - Certificate is trusted
       Java CA Store (jdk-13.0.2):        OK - Certificate is trusted
       Mozilla CA Store (2023-07-27):     OK - Certificate is trusted
       Windows CA Store (2023-06-11):     OK - Certificate is trusted
       Symantec 2018 Deprecation:         OK - Not a Symantec-issued certificate
       Received Chain:                    lihi3.com --> E1 --> ISRG Root X2 --> ISRG Root X1
       Verified Chain:                    lihi3.com --> E1 --> ISRG Root X2 --> ISRG Root X1
       Received Chain Contains Anchor:    OK - Anchor certificate not sent
       Received Chain Order:              OK - Order is valid
       Verified Chain contains SHA1:      OK - No SHA1-signed certificate in the verified certificate chain

     Certificate #0 - Extensions
       OCSP Must-Staple:                  NOT SUPPORTED - Extension not found
       Certificate Transparency:          WARNING - Only 2 SCTs included but Google recommends 3 or more

     Certificate #0 - OCSP Stapling
       OCSP Response Status:              SUCCESSFUL
       Validation w/ Mozilla Store:       OK - Response is trusted
       Responder Name:                    CN=E1,O=Let's Encrypt,C=US
       Cert Status:                       GOOD
       Cert Serial Number:                297467748684193435851985736710485867227704
       This Update:                       2024-01-14
       Next Update:                       2024-01-21

 * SSL 2.0 Cipher Suites:
     Attempted to connect using 7 cipher suites; the server rejected all cipher suites.

 * SSL 3.0 Cipher Suites:
     Attempted to connect using 80 cipher suites; the server rejected all cipher suites.

 * TLS 1.0 Cipher Suites:
     Attempted to connect using 80 cipher suites.

     The server accepted the following 2 cipher suites:
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA              128       ECDH: prime256v1 (256 bits)

     The group of cipher suites supported by the server has the following properties:
       Forward Secrecy                    OK - Supported
       Legacy RC4 Algorithm               OK - Not Supported


 * TLS 1.1 Cipher Suites:
     Attempted to connect using 80 cipher suites.

     The server accepted the following 2 cipher suites:
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA              128       ECDH: prime256v1 (256 bits)

     The group of cipher suites supported by the server has the following properties:
       Forward Secrecy                    OK - Supported
       Legacy RC4 Algorithm               OK - Not Supported


 * TLS 1.2 Cipher Suites:
     Attempted to connect using 156 cipher suites.

     The server accepted the following 7 cipher suites:
        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256     256       ECDH: X25519 (253 bits)
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384           256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384           256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256           128       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256           128       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA              128       ECDH: prime256v1 (256 bits)

     The group of cipher suites supported by the server has the following properties:
       Forward Secrecy                    OK - Supported
       Legacy RC4 Algorithm               OK - Not Supported


 * TLS 1.3 Cipher Suites:
     Attempted to connect using 5 cipher suites.

     The server accepted the following 3 cipher suites:
        TLS_CHACHA20_POLY1305_SHA256                      256       ECDH: X25519 (253 bits)
        TLS_AES_256_GCM_SHA384                            256       ECDH: X25519 (253 bits)
        TLS_AES_128_GCM_SHA256                            128       ECDH: X25519 (253 bits)


 * Deflate Compression:
                                          OK - Compression disabled

 * OpenSSL CCS Injection:
                                          OK - Not vulnerable to OpenSSL CCS injection

 * OpenSSL Heartbleed:
                                          OK - Not vulnerable to Heartbleed

 * ROBOT Attack:
                                          OK - Not vulnerable, RSA cipher suites not supported.

 * Session Renegotiation:
       Client Renegotiation DoS Attack:   OK - Not vulnerable
       Secure Renegotiation:              OK - Supported

 * Elliptic Curve Key Exchange:
       Supported curves:                  X25519, prime256v1, secp384r1, secp521r1
       Rejected curves:                   X448, prime192v1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1

 SCANS COMPLETED IN 12.448191 S
 ------------------------------

 COMPLIANCE AGAINST MOZILLA TLS CONFIGURATION
 --------------------------------------------

    Checking results against Mozilla's "MozillaTlsConfigurationEnum.INTERMEDIATE" configuration. See https://ssl-config.mozilla.org/ for more details.

    lihi3.com:443: FAILED - Not compliant.
        * tls_versions: TLS versions {'TLSv1.1', 'TLSv1'} are supported, but should be rejected.
        * ciphers: Cipher suites {'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA'} are supported, but should be rejected.
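The compliance verdict at the end is worth reproducing by hand, so that the rules behind "FAILED - Not compliant" are explicit rather than hidden in the tool. The following is an added example, not the post's own code and not part of sslyze: it parses the per-protocol cipher listing above (re-typed here as a constructed excerpt) and grades it against Mozilla's intermediate profile as I have transcribed it, namely TLS 1.2 and 1.3 only, and on TLS 1.2 only the ECDHE/DHE AEAD suites. The ALLOWED_TLS12 set is my transcription of https://ssl-config.mozilla.org/ and should be treated as an assumption to check against the current profile; the function names are mine.

```python
"""Parse sslyze's cipher suite listing and grade it against the Mozilla
"intermediate" profile.

Added example, not part of the original post or of sslyze. SSLYZE_EXCERPT is a
constructed copy of the relevant sections of the output above; ALLOWED_TLS12 is
this example's transcription of the Mozilla intermediate TLS 1.2 suite list.
"""
import re

SSLYZE_EXCERPT = """\
 * SSL 2.0 Cipher Suites:
     Attempted to connect using 7 cipher suites; the server rejected all cipher suites.

 * TLS 1.0 Cipher Suites:
     The server accepted the following 2 cipher suites:
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA              128       ECDH: prime256v1 (256 bits)

 * TLS 1.1 Cipher Suites:
     The server accepted the following 2 cipher suites:
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA              128       ECDH: prime256v1 (256 bits)

 * TLS 1.2 Cipher Suites:
     The server accepted the following 7 cipher suites:
        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256     256       ECDH: X25519 (253 bits)
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384           256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384           256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256           128       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256           128       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA              128       ECDH: prime256v1 (256 bits)

 * TLS 1.3 Cipher Suites:
     The server accepted the following 3 cipher suites:
        TLS_CHACHA20_POLY1305_SHA256                      256       ECDH: X25519 (253 bits)
        TLS_AES_256_GCM_SHA384                            256       ECDH: X25519 (253 bits)
        TLS_AES_128_GCM_SHA256                            128       ECDH: X25519 (253 bits)

 * Deflate Compression:
                                          OK - Compression disabled
"""

SECTION_RE = re.compile(r"^\s*\*\s+((?:SSL|TLS) \d\.\d) Cipher Suites:")
SUITE_RE = re.compile(r"^\s+(TLS_[A-Z0-9_]+)\b")

# Assumption of this example: Mozilla "intermediate" as transcribed from
# https://ssl-config.mozilla.org/ (TLS 1.3 suites are not restricted).
ALLOWED_VERSIONS = {"TLS 1.2", "TLS 1.3"}
ALLOWED_TLS12 = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}


def parse_accepted_suites(text):
    """Map each '* <version> Cipher Suites:' section to the IANA suite names
    the server accepted (an empty list when it rejected them all)."""
    accepted, current = {}, None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            accepted[current] = []
            continue
        if line.strip().startswith("*"):
            current = None  # a non-cipher section such as Deflate Compression
            continue
        suite = SUITE_RE.match(line)
        if suite and current is not None:
            accepted[current].append(suite.group(1))
    return accepted


def check_mozilla_intermediate(accepted):
    """Return the versions and TLS 1.2 suites the profile says must be rejected."""
    bad_versions = sorted(v for v, suites in accepted.items() if suites and v not in ALLOWED_VERSIONS)
    bad_suites = sorted(s for s in accepted.get("TLS 1.2", []) if s not in ALLOWED_TLS12)
    return {"tls_versions": bad_versions, "ciphers": bad_suites,
            "compliant": not bad_versions and not bad_suites}


if __name__ == "__main__":
    verdict = check_mozilla_intermediate(parse_accepted_suites(SSLYZE_EXCERPT))
    print("compliant:", verdict["compliant"])
    print("reject versions:", verdict["tls_versions"])
    print("reject ciphers:", verdict["ciphers"])
```

The result matches sslyze's own verdict above: the two legacy protocol versions and the four CBC suites are the only offenders, and the same server with just the GCM and CHACHA20 suites on TLS 1.2 and 1.3 would pass.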

Getting web vulnerability information.

Getting a nice HTML report describing any vulnerabilities in your website is the job of the wapiti application: it scans a web server and writes an HTML report of the vulnerabilities it discovers.

Install this app.

╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~)-(172.26.18.175)┋ sudo apt install wapiti

Then run a scan to generate a lovely HTML report.

╭──(john㉿DESKTOP-PF01IEE)───╮
╰───────────────────────────╾╯(~)-(172.26.18.175)┋ wapiti -u https://www.lihi3.com

 ██╗    ██╗ █████╗ ██████╗ ██╗████████╗██╗██████╗
 ██║    ██║██╔══██╗██╔══██╗██║╚══██╔══╝██║╚════██╗
 ██║ █╗ ██║███████║██████╔╝██║   ██║   ██║ █████╔╝
 ██║███╗██║██╔══██║██╔═══╝ ██║   ██║   ██║ ╚═══██╗
 ╚███╔███╔╝██║  ██║██║     ██║   ██║   ██║██████╔╝
  ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝     ╚═╝   ╚═╝   ╚═╝╚═════╝  
Wapiti-3.0.4 (wapiti.sourceforge.io)
[*] Saving scan state, please wait...

 Note
========
This scan has been saved in the file /home/john/.wapiti/scans/www.lihi3.com_folder_4364d531.db
[*] Wapiti found 1 URLs and forms during the scan
[*] Loading modules:
         backup, blindsql, brute_login_form, buster, cookieflags, crlf, csp, csrf, exec, file, htaccess, http_headers, methods, nikto, permanentxss, redirect, shellshock, sql, ssrf, wapp, xss, xxe
Problem with local wapp database.
Downloading from the web...

[*] Launching module csp
CSP is not set

[*] Launching module http_headers
Checking X-Frame-Options :
OK
Checking X-XSS-Protection :
X-XSS-Protection is not set
Checking X-Content-Type-Options :
X-Content-Type-Options is not set
Checking Strict-Transport-Security :
OK

[*] Launching module cookieflags
Checking cookie : lihi_session
HttpOnly flag is not set in the cookie : lihi_session
Secure flag is not set in the cookie : lihi_session
Checking cookie : 1P_JAR
HttpOnly flag is not set in the cookie : 1P_JAR
Checking cookie : AEC
Checking cookie : NID

[*] Launching module exec

[*] Launching module file

[*] Launching module sql

[*] Launching module xss

[*] Launching module ssrf
[*] Asking endpoint URL https://wapiti3.ovh/get_ssrf.php?id=7seero for results, please wait...

[*] Launching module redirect

[*] Launching module blindsql

[*] Launching module permanentxss

Report
------
A report has been generated in the file /home/john/.wapiti/generated_report
Open /home/john/.wapiti/generated_report/www.lihi3.com_01172024_2309.html with a browser to see this report.

The sample scan report is shown below.

Wapiti vulnerability report

Target: https://www.lihi3.com/

Date of the scan: Wed, 17 Jan 2024 23:09:01 +0000. Scope of the scan: folder


Summary

Category                                Number of vulnerabilities found
Backup file                             0
Blind SQL Injection                     0
Weak credentials                        0
CRLF Injection                          0
Content Security Policy Configuration   1
Cross Site Request Forgery              0
Potentially dangerous file              0
Command execution                       0
Path Traversal                          0
Htaccess Bypass                         0
HTTP Secure Headers                     2
HttpOnly Flag cookie                    2
Open Redirect                           0
Secure Flag cookie                      1
SQL Injection                           0
Server Side Request Forgery             0
Cross Site Scripting                    0
XML External Entity                     0
Internal Server Error                   0
Resource consumption                    0
Fingerprint web technology              0

Content Security Policy Configuration

Description: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.

Vulnerability found in /

Description: CSP is not set

Solutions: Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control what resources the user agent is allowed to load for that page.

References

HTTP Secure Headers

Description: HTTP security headers tell the browser how to behave when handling the website’s content.

Vulnerability found in /

Description: X-XSS-Protection is not set

Vulnerability found in /

Description: X-Content-Type-Options is not set

Solutions: Use the recommendations for hardening your HTTP Security Headers.

References

HttpOnly Flag cookie

Description: HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).

Vulnerability found in /

Description: HttpOnly flag is not set in the cookie : lihi_session

Vulnerability found in /

Description: HttpOnly flag is not set in the cookie : 1P_JAR

Solutions: While creating the cookie, make sure to set the HttpOnly Flag to True.

References

Secure Flag cookie

Description: The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text.

Vulnerability found in /

Description: Secure flag is not set in the cookie : lihi_session

Solutions: When generating the cookie, make sure to set the Secure Flag to True.

References
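Wapiti's http_headers and cookieflags findings are cheap to check for yourself and cheap to fix. The following is an added example, not Wapiti's code: it runs the same two checks over a constructed response head that reproduces the findings in the report above, and over a hardened one that clears them. The finding messages are modelled on the ones Wapiti printed during the scan, and the header and cookie values in the hardened response are my suggestions rather than anything the site sends.

```python
"""Re-create Wapiti's http_headers and cookieflags checks over a response head.

Added example, not part of the original post or of Wapiti. Both responses are
constructed: WEAK_RESPONSE mirrors the findings in the report above and
HARDENED_RESPONSE is this example's suggested fix for each of them.
"""

WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
Set-Cookie: lihi_session=c0ffee; Path=/
Set-Cookie: 1P_JAR=2024-01-17; Path=/; Secure
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: lihi_session=c0ffee; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: 1P_JAR=2024-01-17; Path=/; Secure; HttpOnly; SameSite=Lax
"""

# Headers the scan above checked, with a message in the style Wapiti printed.
# X-XSS-Protection is obsolete in current browsers; sending '0' (disabled) is
# the conservative value and still satisfies a presence check.
REQUIRED_HEADERS = {
    "content-security-policy": "CSP is not set",
    "x-frame-options": "X-Frame-Options is not set",
    "x-xss-protection": "X-XSS-Protection is not set",
    "x-content-type-options": "X-Content-Type-Options is not set",
    "strict-transport-security": "Strict-Transport-Security is not set",
}


def parse_response_head(raw):
    """Split a response head into (status line, [(lower-cased name, value), ...]).
    Repeated Set-Cookie headers are kept as separate entries."""
    lines = raw.splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the head
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {p.partition("=")[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(raw):
    """Return finding strings for missing security headers and cookie flags."""
    _, headers = parse_response_head(raw)
    present = {name for name, _ in headers}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "httponly" not in attrs:
            findings.append(f"HttpOnly flag is not set in the cookie : {cookie}")
        if "secure" not in attrs:
            findings.append(f"Secure flag is not set in the cookie : {cookie}")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or ["no findings"])
```

The weak response yields exactly the six findings the report counts (one CSP, two secure headers, two HttpOnly, one Secure), and the hardened response yields none; the cookie attribute parsing is deliberately tolerant of attribute order and case, since browsers are too.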
