Getting a comprehensive report of a server's SSL/TLS configuration on Kali Linux is very easy. The o-saft utility makes this a simple task, and the results are very rewarding.
Install this simple utility.
```
$ sudo apt install o-saft
```
Then we may begin scanning websites to find all information about the SSL configuration. Here I am printing all of the used ciphers on the web server.
```
$ o-saft +cipher --enabled lihi3.com
!!Hint: +cipher : functionality changed, please see 'o-saft.pl --help=TECHNIC'
**WARNING: 409: SSLv2 does not support SNI; cipher checks are done without SNI
=== Ciphers: Checking SSLv2 ===
= Total number of checked ciphers 59
**WARNING: 409: SSLv3 does not support SNI; cipher checks are done without SNI
=== Ciphers: Checking SSLv3 ===
= Total number of checked ciphers 2640
=== Ciphers: Checking TLSv1 ===
ECDHE-ECDSA-AES128-SHA yes HIGH
ECDHE-ECDSA-AES256-SHA yes HIGH
= Total number of checked ciphers 2640
=== Ciphers: Checking TLSv11 ===
ECDHE-ECDSA-AES128-SHA yes HIGH
ECDHE-ECDSA-AES256-SHA yes HIGH
= Total number of checked ciphers 2640
=== Ciphers: Checking TLSv12 ===
ECDHE-ECDSA-AES128-GCM-SHA256 yes HIGH
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256-OLD yes HIGH
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 yes HIGH
ECDHE-ECDSA-AES128-SHA yes HIGH
ECDHE-ECDSA-AES256-GCM-SHA384 yes HIGH
ECDHE-ECDSA-AES256-SHA yes HIGH
ECDHE-ECDSA-AES128-SHA256 yes HIGH
ECDHE-ECDSA-AES256-SHA384 yes HIGH
= Total number of checked ciphers 2640
=== Ciphers: Checking TLSv13 ===
TLS13-AES128-GCM-SHA256 yes HIGH
TLS13-AES256-GCM-SHA384 yes HIGH
TLS13-CHACHA20-POLY1305-SHA256 yes HIGH
= Total number of checked ciphers 2640
SSLv3: 0 0 0 0 0 0
TLSv1: 2 0 0 0 2 2 ECDHE-ECDSA-AES128-SHA
TLSv11: 2 0 0 0 2 2 ECDHE-ECDSA-AES128-SHA
TLSv12: 8 0 0 0 8 8 ECDHE-ECDSA-AES128-GCM-SHA256
TLSv13: 3 0 0 0 0 3 TLS13-AES128-GCM-SHA256
Selected Cipher: ECDHE-ECDSA-CHACHA20-POLY1305 HIGH
```
It is also possible to print a full report of all SSL configurations on the website.
```
$ o-saft +info lihi3.com
**WARNING: 066: 1 data and check outputs are disbaled due to use of '--no-out':
!!Hint: use '--v' for more information
!!Hint: do not use '--ignore-out=*' or '--no-out=*'
**WARNING: 202: Can't do DNS reverse lookup: for 'lihi3.com': <>; ignored
!!Hint: use '--no-dns' to disable this check
Given hostname: lihi3.com
IP for given hostname: 172.67.206.35
Reverse resolved hostname: < >
DNS entries for given hostname: 172.67.206.35 < >; 172.67.206.35 < >;
**WARNING: 409: SSLv2 does not support SNI; cipher checks are done without SNI
**WARNING: 409: SSLv3 does not support SNI; cipher checks are done without SNI
**WARNING: 303: SSL version 'SSLv2': not supported by Net::SSLeay
**WARNING: 304: SSL version 'SSLv3': not supported by Net::SSLeay
**WARNING: 204: Can't make a connection to 'lihi3.com:443' without SNI; no initial data (compare with and without SNI not possible)
**WARNING: 203: connection without SNI succeded with errors; errors ignored
!!Hint: use '--v' to show more information about Net::SSLinfo::do_ssl_open() errors
Selected Cipher: ECDHE-ECDSA-CHACHA20-POLY1305 HIGH
Certificate Fingerprint MD5: 28281466820B3D7DDB59F9053F98F5A0
Certificate Fingerprint: SHA1 Fingerprint=E8A91D943DB70B91510190A42F25FE428B8DD5A9
Certificate OCSP Hashes: Subject OCSP hash: 5C56D16CA34EE88B0BFB82EC70FF4CFA768DB95A; Public key OCSP hash: BBAA1E0AC7735D9113009520EEB698183360D610
Target's TLS Session Start Time EPOCH: 139663162729168
Target's DH Parameter: X25519, 253 bits
Target's OCSP Response Next Update:
Target default DTLS 1.0 cipher: < >
Target's Master-Key:
Certificate Subject Name Hash: 55f110a5
!!Hint: use '--v' to print multiline data of '+pem' for '+info'
HTTPS STS in http-equiv:
Certificate valid since: Dec 25 08:33:22 2023 GMT
Target default SSL 2.0 cipher:
Certificate OCSP Subject Hash: 5C56D16CA34EE88B0BFB82EC70FF4CFA768DB95A
Certificate Fingerprint SHA1: E8A91D943DB70B91510190A42F25FE428B8DD5A9
!!Hint: use '--v' to print multiline data of '+text' for '+info'
HTTP Alt-Svc header: h3=":443"; ma=86400
HTTPS Status line: d
Certificate Fingerprint Algorithm: SHA1
Target's fallback SSL Protocol: TLSv1_3
Target default SSL 3.0 cipher:
Target default DTLS 1.2 cipher: < >
Target default DTLS 0.9 cipher: < >
Certificate extensions Basic Constraints: critical CA:FALSE
Target's OCSP Response This Update: Jan 14 15:30:00 2024 GMT
CA Chain Verification error in level:
Validity Certificate Chain: 0 (ok)
!!Hint: use '--v' to print multiline data of '+ocsp_response_data' for '+info'
!!Hint: use '--v' to print multiline data of '+chain_verify' for '+info'
CA Chain Verification error: ok
Certificate trusted:
Certificate Public Key Algorithm: id-ecPublicKey
Certificate extensions Authority Information Access: OCSP - URI:http://e1.o.lencr.org CA Issuers - URI:http://e1.i.lencr.org/
Certificate Validity (date): Dec 25 08:33:22 2023 GMT .. Mar 24 08:33:21 2024 GMT
Target's Server public key length: 256 bit
HTTP Location header: https://lihi3.com/
Certificate Validity (signature): 0 (ok)
Certificate Serial Number: 03:6a:2d:dc:77:d1:1b:c2:66:02:ce:c2:0d:c9:35:0f:ea:38
Certificate Signature Key Length: 872
!!Hint: use '--v' to print multiline data of '+chain' for '+info'
HTTPS STS MaxAge:
Target's advertised protocols:
Certificate extensions Certificate Policies: Policy: 2.23.140.1.2.1
Certificate Serial Number (int): 297467748684193435851985736710485867227704
Certificate extensions Certificate Policies: CPS: Policy: 2.23.140.1.2.1
Target's selected protocol (NPN):
Target supports Expansion: NONE
Target's Session-ID-ctx:
Certificate Serial Number (hex): 036A2DDC77D11BC26602CEC20DC9350FEA38
Target default --dummy-- cipher: < >
Certificate Trust Information:
Certificate Fingerprint SHA2: 5616FD4D6BDAA26ED5EE843B19A37B4837A51CA569CB9E41BEB2D9FD022E0675
Certificate extensions Issuer Alternative Name:
Certificate extensions Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
Certificate Public Key Exponent: prime256v1 NIST CURVE: P-256
Target supports Heartbeat:
HTTPS Alt-Svc header:
Target's TLS Session Ticket Lifetime:
Certificate Email Addresses:
internal used SSL options bitmask: 0x0000000080160850
Target supports PSK:
Target supports Extended Master Secret:
HTTPS STS include sub-domains:
!!Hint: use '--v' to print multiline data of '+extensions' for '+info'
Target default --dummy-- cipher: < >
HTTP Alternate-Protocol:
Certificate Type (bitmask): 0x458 < >
Target default TLS 1.1 cipher: ECDHE-ECDSA-AES128-SHA
Target default TLS 1.3 cipher: TLS_AES_256_GCM_SHA384
Certificate Common Name: lihi3.com
Target's supported ALPNs:
Target supports Resumption: no
Target supports SRP:
Target's selected protocol (ALPN):
Target's supported NPNs:
Target default DTLS 1.3 cipher: < >
HTTPS STS preload:
Target's OCSP Response Status: successful (0x0)
Certificate Public Key Value: 04781550e7169bdd10524f99dcf826d69f683bad04f66627dd1769cb338e47ee54a79fb1deec2757f0ec509d3f5dd0937f14bcf3d08271519b05bbe664d967972d
Target's TLS Session Start Time locale: Mon Jun 12 06:19:28 4427719
Validity Alternate Names: Given hostname 'lihi3.com' matches alternate name 'lihi3.com' in certificate
HTTPS STS header:
Target's selected SSL Protocol: TLSv12
HTTP Status line: HTTP/1.1 301 Moved Permanently
Certificate extensions Authority key Identifier: 5AF3ED2BFC36C23779B95230EA546FCF55CB2EAC
Certificate Subject: /CN=lihi3.com
Certificate Public Key Length: 140
Target's OCSP Response Cert Status: good
HTTPS Alternate-Protocol:
Target supports PSK Identity Hint:
TLS extensions (debug):
  TLS server extension "key share" (id=51), len=36
  TLS server extension "supported versions" (id=43), len=2
  TLS server extension "server name" (id=0), len=0
  TLS server extension "status request" (id=5), len=348
Certificate Version: 3 (0x2)
Certificate extensions Certificate Policies: Policy: 2.23.140.1.2.1
HTTPS Server banner:
Certificate extensions Subject Key Identifier: BBAA1E0AC7735D9113009520EEB698183360D610
HTTPS Public-Key-Pins header:
Certificate Issuer Name Hash: 8082542d
Selected SSL Protocol: TLSv12
Target supports Krb5:
HTTP Refresh header:
Certificate extensions Key Usage: critical Digital Signature
Target's TLS Session Ticket:
Validity Hostname: Given hostname 'lihi3.com' matches CN 'lihi3.com' in certificate
Certificate Signature Key Value: Signature Value30640230603aa0f6b45874b60984cb9ac4661e0cffa11536a59c6b1a06e718e916888595c3f9f50f27072598fa88f132dc152e3d023036da09e1f5232713f79ef2d3b5a4594fd35e8622b16149bda91b1d3cfb2c4bc9513ce3b62e9eb0a5c0f6450ff5e48e4d
HTTPS Error alerts:
Target supports Renegotiation: renegotiation.
!!Hint: checks only if renegotiation is implemented serverside according RFC 5746
Certificate OCSP Public Key Hash: BBAA1E0AC7735D9113009520EEB698183360D610
Target default DTLS 1.1 cipher: < >
Certificate OCSP Responder URL: http://e1.o.lencr.org
!!Hint: use '--v' to print multiline data of '+sigdump' for '+info'
HTTPS Location header:
Certificate valid until: Mar 24 08:33:21 2024 GMT
HTTPS Refresh header:
!!Hint: use '--v' to print multiline data of '+pubkey' for '+info'
Certificate extensions CRL Distribution Points: X509v3 extensions:
  X509v3 Key Usage: critical Digital Signature
  X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
  X509v3 Basic Constraints: critical CA:FALSE
  X509v3 Subject Key Identifier: BBAA1E0AC7735D9113009520EEB698183360D610
  X509v3 Authority Key Identifier: 5AF3ED2BFC36C23779B95230EA546FCF55CB2EAC
  Authority Information Access: OCSP - http://e1.o.lencr.org CA Issuers - http://e1.i.lencr.org/
  X509v3 Subject Alternative Name: DNS:*.lihi3.com, DNS:lihi3.com
  X509v3 Certificate Policies: Policy: 2.23.140.1.2.1
  CT Precertificate SCTs:
    Signed Certificate Timestamp:
      Version : v1 (0x0)
      Log ID : 3B5377753E2DB9804E8B305B06FE403B: 67D84FC3F4C7BD000D2D726FE1FAD417
      Timestamp : Dec 25 093322.861 2023 GMT
      Extensions: none
      Signature : ecdsa-with-SHA256 30450221008807AE335A26474553DFDD: 2901AD6739822103BF8B7ED380320608: 8951E90DCC022077601FF6CB4F3094C0: 2347ED0EC67F94AF5B383C144DD2B5E0: 2087E2875A0B38
    Signed Certificate Timestamp:
      Version : v1 (0x0)
      Log ID : 76FF883F0AB6FB9551C261CCF587BA34: B4A4CDBB29DC68420A9FE6674C5A3A74
      Timestamp : Dec 25 093322.970 2023 GMT
      Extensions: none
      Signature : ecdsa-with-SHA256 3046022100FDCF085C012457FD68CB54: FC4D235F5FCBCD5F819A9073B52980D4: 9ADB7DC6CC022100B0DCFEA6782A520F: E2F0AEDAC1BEC8379DBC5654852A33C2: 559107D3352EFC0D
X509 Certificate Signature Algorithm: ecdsa-with-SHA384
Certificate extensions Netscape Cert Type:
Target default TLS 1.2 cipher: ECDHE-ECDSA-CHACHA20-POLY1305
Target supports Compression: NONE
Certificate Subject's Alternate Names: DNS:*.lihi3.com DNS:lihi3.com
Target's OCSP Response: Response Status: successful (0x0); Cert Status: good; This Update: Jan 14 15:30:00 2024 GMT; Next Update:
Target's TLS Session Timeout: 20
Target default TLS 1.0 cipher: ECDHE-ECDSA-AES128-SHA
TLS extensions: key share; supported versions; server name; status request
HTTP STS header:
Certificate extensions Certificate Policies: User Notice: Policy: 2.23.140.1.2.1
Target's Session-ID:
Certificate Fingerprint Hash Value: E8A91D943DB70B91510190A42F25FE428B8DD5A9
Certificate Issuer: /C=US/O=Let's Encrypt/CN=E1
```
This is a lot of information, but very cool.
It is also possible to use another tool to manipulate an SSL connection.
```
$ sudo apt install thc-ssl-dos
```
This can be used to attempt to DoS an SSL-enabled server; this could be useful against all of those SMS scams with fake websites purporting to be a telephone company or a credit agency.
Here is an example of usage. This will attempt to renegotiate an SSL connection over and over. This is very costly on the server.
```
$ thc-ssl-dos -l 100 85.190.158.78 8443 --accept
     ______________ ___  _________
     \__    ___/   |   \ \_   ___ \
       |    | /    ~    \/    \  \/
       |    | \    Y    /\     \____
       |____|  \___|_  /  \______  /
                     \/          \/
            http://www.thc.org

          Twitter @hackerschoice

Greetingz: the french underground

Waiting for script kiddies to piss off..........
```
And there is yet another tool: sslyze. This can analyze the SSL configuration of a web server.
Install this tool.
```
$ sudo apt install sslyze
```
And then find a target to scan. This website seems to have an OK SSL configuration.
```
$ sslyze lihi3.com

 CHECKING CONNECTIVITY TO SERVER(S)
 ----------------------------------

   lihi3.com:443 => 172.67.206.35


 SCAN RESULTS FOR LIHI3.COM:443 - 172.67.206.35
 ----------------------------------------------

 * Certificates Information:
     Hostname sent for SNI: lihi3.com
     Number of certificates detected: 1

   Certificate #0 ( _EllipticCurvePublicKey )
     SHA1 Fingerprint: e8a91d943db70b91510190a42f25fe428b8dd5a9
     Common Name: lihi3.com
     Issuer: E1
     Serial Number: 297467748684193435851985736710485867227704
     Not Before: 2023-12-25
     Not After: 2024-03-24
     Public Key Algorithm: _EllipticCurvePublicKey
     Signature Algorithm: sha384
     Key Size: 256
     Curve: secp256r1
     SubjAltName - DNS Names: ['*.lihi3.com', 'lihi3.com']

   Certificate #0 - Trust
     Hostname Validation: OK - Certificate matches server hostname
     Android CA Store (13.0.0_r9): OK - Certificate is trusted
     Apple CA Store (iOS 16.5, iPadOS 16.5, macOS 13.5, tvOS 16.5, and watchOS 9.5):OK - Certificate is trusted
     Java CA Store (jdk-13.0.2): OK - Certificate is trusted
     Mozilla CA Store (2023-07-27): OK - Certificate is trusted
     Windows CA Store (2023-06-11): OK - Certificate is trusted
     Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
     Received Chain: lihi3.com --> E1 --> ISRG Root X2 --> ISRG Root X1
     Verified Chain: lihi3.com --> E1 --> ISRG Root X2 --> ISRG Root X1
     Received Chain Contains Anchor: OK - Anchor certificate not sent
     Received Chain Order: OK - Order is valid
     Verified Chain contains SHA1: OK - No SHA1-signed certificate in the verified certificate chain

   Certificate #0 - Extensions
     OCSP Must-Staple: NOT SUPPORTED - Extension not found
     Certificate Transparency: WARNING - Only 2 SCTs included but Google recommends 3 or more

   Certificate #0 - OCSP Stapling
     OCSP Response Status: SUCCESSFUL
     Validation w/ Mozilla Store: OK - Response is trusted
     Responder Name: CN=E1,O=Let's Encrypt,C=US
     Cert Status: GOOD
     Cert Serial Number: 297467748684193435851985736710485867227704
     This Update: 2024-01-14
     Next Update: 2024-01-21

 * SSL 2.0 Cipher Suites:
     Attempted to connect using 7 cipher suites; the server rejected all cipher suites.

 * SSL 3.0 Cipher Suites:
     Attempted to connect using 80 cipher suites; the server rejected all cipher suites.

 * TLS 1.0 Cipher Suites:
     Attempted to connect using 80 cipher suites.

     The server accepted the following 2 cipher suites:
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 256 ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 128 ECDH: prime256v1 (256 bits)

     The group of cipher suites supported by the server has the following properties:
       Forward Secrecy OK - Supported
       Legacy RC4 Algorithm OK - Not Supported

 * TLS 1.1 Cipher Suites:
     Attempted to connect using 80 cipher suites.

     The server accepted the following 2 cipher suites:
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 256 ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 128 ECDH: prime256v1 (256 bits)

     The group of cipher suites supported by the server has the following properties:
       Forward Secrecy OK - Supported
       Legacy RC4 Algorithm OK - Not Supported

 * TLS 1.2 Cipher Suites:
     Attempted to connect using 156 cipher suites.

     The server accepted the following 7 cipher suites:
        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 ECDH: X25519 (253 bits)
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 256 ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 256 ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 256 ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 128 ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 128 ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 128 ECDH: prime256v1 (256 bits)

     The group of cipher suites supported by the server has the following properties:
       Forward Secrecy OK - Supported
       Legacy RC4 Algorithm OK - Not Supported

 * TLS 1.3 Cipher Suites:
     Attempted to connect using 5 cipher suites.

     The server accepted the following 3 cipher suites:
        TLS_CHACHA20_POLY1305_SHA256 256 ECDH: X25519 (253 bits)
        TLS_AES_256_GCM_SHA384 256 ECDH: X25519 (253 bits)
        TLS_AES_128_GCM_SHA256 128 ECDH: X25519 (253 bits)

 * Deflate Compression:
     OK - Compression disabled

 * OpenSSL CCS Injection:
     OK - Not vulnerable to OpenSSL CCS injection

 * OpenSSL Heartbleed:
     OK - Not vulnerable to Heartbleed

 * ROBOT Attack:
     OK - Not vulnerable, RSA cipher suites not supported.

 * Session Renegotiation:
     Client Renegotiation DoS Attack: OK - Not vulnerable
     Secure Renegotiation: OK - Supported

 * Elliptic Curve Key Exchange:
     Supported curves: X25519, prime256v1, secp384r1, secp521r1
     Rejected curves: X448, prime192v1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1

 SCANS COMPLETED IN 12.448191 S
 ------------------------------

 COMPLIANCE AGAINST MOZILLA TLS CONFIGURATION
 --------------------------------------------

    Checking results against Mozilla's "MozillaTlsConfigurationEnum.INTERMEDIATE" configuration. See https://ssl-config.mozilla.org/ for more details.

    lihi3.com:443: FAILED - Not compliant.
        * tls_versions: TLS versions {'TLSv1.1', 'TLSv1'} are supported, but should be rejected.
        * ciphers: Cipher suites {'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA'} are supported, but should be rejected.
```
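The compliance failure at the end of that output can be reproduced from the per-protocol cipher sections. The following is an added example, not part of the original post or of sslyze: it parses an abridged, constructed copy of the output and lists what a server administrator would need to turn off. The policy is an assumption reduced to the two failures reported above (legacy protocol versions and CBC-mode suites), not Mozilla's full profile.

```python
import re

# Constructed sample: an abridged copy of the sslyze text output shown above.
SAMPLE_OUTPUT = """\
 * SSL 3.0 Cipher Suites:
     Attempted to connect using 80 cipher suites; the server rejected all cipher suites.

 * TLS 1.0 Cipher Suites:
     Attempted to connect using 80 cipher suites.
     The server accepted the following 2 cipher suites:
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA              128       ECDH: prime256v1 (256 bits)

 * TLS 1.2 Cipher Suites:
     Attempted to connect using 156 cipher suites.
     The server accepted the following 3 cipher suites:
        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256     256       ECDH: X25519 (253 bits)
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384           256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256           128       ECDH: prime256v1 (256 bits)

 * TLS 1.3 Cipher Suites:
     Attempted to connect using 5 cipher suites.
     The server accepted the following 1 cipher suites:
        TLS_AES_128_GCM_SHA256                            128       ECDH: X25519 (253 bits)

 * Deflate Compression:
     OK - Compression disabled
"""

SECTION = re.compile(r"^\s*\*\s+((?:SSL|TLS) \d\.\d) Cipher Suites:")
SUITE = re.compile(r"^\s+(TLS_[A-Z0-9_]+)\s+\d+\b")
# Assumption: simplified policy taken from the two failures reported above,
# not Mozilla's complete "intermediate" profile.
LEGACY_PROTOCOLS = {"SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"}


def parse_accepted(text):
    """Return {protocol: [accepted suite, ...]} for each cipher-suite section."""
    accepted, current = {}, None
    for line in text.splitlines():
        section = SECTION.match(line)
        if section:
            current = section.group(1)
            accepted[current] = []
        elif line.lstrip().startswith("* "):
            current = None  # a non-cipher section such as "* Deflate Compression:"
        elif current and (suite := SUITE.match(line)):
            accepted[current].append(suite.group(1))
    return accepted


def findings(accepted):
    """List protocol versions to disable and CBC-mode suites to remove."""
    protocols = sorted(p for p, s in accepted.items() if s and p in LEGACY_PROTOCOLS)
    cbc = sorted({s for suites in accepted.values() for s in suites if "_CBC_" in s})
    return {"disable_protocols": protocols, "remove_ciphers": cbc}


if __name__ == "__main__":
    for kind, items in findings(parse_accepted(SAMPLE_OUTPUT)).items():
        print(kind, items)
```

A protocol section that rejected every suite, such as SSL 3.0 here, is parsed but not reported, because the server does not actually offer it.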
Getting web vulnerability information.
Getting a nice HTML report describing any vulnerabilities in your website is the job of the wapiti application. This will scan a web server and print an HTML report of any discovered vulnerabilities.
Install this app.
```
$ sudo apt install wapiti
```
Then run a scan to generate a lovely HTML report.
```
$ wapiti -u https://www.lihi3.com

 ██╗    ██╗ █████╗ ██████╗ ██╗████████╗██╗██████╗
 ██║    ██║██╔══██╗██╔══██╗██║╚══██╔══╝██║╚════██╗
 ██║ █╗ ██║███████║██████╔╝██║   ██║   ██║ █████╔╝
 ██║███╗██║██╔══██║██╔═══╝ ██║   ██║   ██║ ╚═══██╗
 ╚███╔███╔╝██║  ██║██║     ██║   ██║   ██║██████╔╝
  ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝     ╚═╝   ╚═╝   ╚═╝╚═════╝
Wapiti-3.0.4 (wapiti.sourceforge.io)
[*] Saving scan state, please wait...

 Note
========
This scan has been saved in the file /home/john/.wapiti/scans/www.lihi3.com_folder_4364d531.db
[*] Wapiti found 1 URLs and forms during the scan
[*] Loading modules:
     backup, blindsql, brute_login_form, buster, cookieflags, crlf, csp, csrf, exec, file, htaccess, http_headers, methods, nikto, permanentxss, redirect, shellshock, sql, ssrf, wapp, xss, xxe
Problem with local wapp database.
Downloading from the web...

[*] Launching module csp
CSP is not set

[*] Launching module http_headers
Checking X-Frame-Options : OK
Checking X-XSS-Protection : X-XSS-Protection is not set
Checking X-Content-Type-Options : X-Content-Type-Options is not set
Checking Strict-Transport-Security : OK

[*] Launching module cookieflags
Checking cookie : lihi_session
HttpOnly flag is not set in the cookie : lihi_session
Secure flag is not set in the cookie : lihi_session
Checking cookie : 1P_JAR
HttpOnly flag is not set in the cookie : 1P_JAR
Checking cookie : AEC
Checking cookie : NID

[*] Launching module exec

[*] Launching module file

[*] Launching module sql

[*] Launching module xss

[*] Launching module ssrf
[*] Asking endpoint URL https://wapiti3.ovh/get_ssrf.php?id=7seero for results, please wait...

[*] Launching module redirect

[*] Launching module blindsql

[*] Launching module permanentxss

Report
------
A report has been generated in the file /home/john/.wapiti/generated_report
Open /home/john/.wapiti/generated_report/www.lihi3.com_01172024_2309.html with a browser to see this report.
```
The sample scan report is shown below.
Wapiti vulnerability report
Target: https://www.lihi3.com/
Date of the scan: Wed, 17 Jan 2024 23:09:01 +0000. Scope of the scan: folder
Summary
Category | Number of vulnerabilities found |
---|---|
Backup file | 0 |
Blind SQL Injection | 0 |
Weak credentials | 0 |
CRLF Injection | 0 |
Content Security Policy Configuration | 1 |
Cross Site Request Forgery | 0 |
Potentially dangerous file | 0 |
Command execution | 0 |
Path Traversal | 0 |
Htaccess Bypass | 0 |
HTTP Secure Headers | 2 |
HttpOnly Flag cookie | 2 |
Open Redirect | 0 |
Secure Flag cookie | 1 |
SQL Injection | 0 |
Server Side Request Forgery | 0 |
Cross Site Scripting | 0 |
XML External Entity | 0 |
Internal Server Error | 0 |
Resource consumption | 0 |
Fingerprint web technology | 0 |
Content Security Policy Configuration
Description: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
Vulnerability found in /
Description: CSP is not set
Solutions: Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control what resources the user agent is allowed to load for that page.
References
- Mozilla: Content Security Policy (CSP)
- OWASP: Content Security Policy Cheat Sheet
- OWASP: How to do Content Security Policy (PDF)
HTTP Secure Headers
Description: HTTP security headers tell the browser how to behave when handling the website’s content.
Vulnerability found in /
Description: X-XSS-Protection is not set
Vulnerability found in /
Description: X-Content-Type-Options is not set
Solutions: Use the recommendations for hardening your HTTP Security Headers.
References
- Netsparker: HTTP Security Headers: An Easy Way to Harden Your Web Applications
- KeyCDN: Hardening Your HTTP Security Headers
- OWASP: HTTP SECURITY HEADERS (Protection For Browsers) (PDF)
HttpOnly Flag cookie
Description: HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).
Vulnerability found in /
Description: HttpOnly flag is not set in the cookie : lihi_session
Vulnerability found in /
Description: HttpOnly flag is not set in the cookie : 1P_JAR
Solutions: While creation of the cookie, make sure to set the HttpOnly Flag to True.
Secure Flag cookie
Description: The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of a the cookie in clear text.
Vulnerability found in /
Description: Secure flag is not set in the cookie : lihi_session
Solutions: When generating the cookie, make sure to set the Secure Flag to True.
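The header and cookie findings in this report can be re-checked after a fix without rerunning the whole scan. The following is an added example, not part of the original post or of wapiti: it audits a raw response head for the missing headers and cookie flags reported above, then shows the corrected `Set-Cookie` value. The response is constructed (cookie names are from the report, everything else is invented), the function names are hypothetical, and X-XSS-Protection is left out because Chrome and Firefox ignore that header.

```python
# Constructed response head: the cookie names come from the report above; the
# values and the other attributes are invented for the example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: lihi_session=constructed; Path=/\r\n"
    "Set-Cookie: 1P_JAR=constructed; Path=/; Secure\r\n"
    "Set-Cookie: NID=constructed; Path=/; secure; HttpOnly\r\n"
    "\r\n"
)

REQUIRED_HEADERS = (
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Strict-Transport-Security",
)
COOKIE_FLAGS = ("HttpOnly", "Secure")


def parse_head(raw):
    """Return (headers, set_cookie_values); header names are lower-cased."""
    headers, cookies = {}, []
    for line in raw.split("\r\n")[1:]:       # skip the status line
        if not line:                          # a blank line ends the head
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            cookies.append(value.strip())     # Set-Cookie repeats, keep each one
        else:
            headers[name.strip().lower()] = value.strip()
    return headers, cookies


def missing_flags(set_cookie):
    """Return (cookie name, [flags absent from this Set-Cookie value])."""
    pair, *attrs = [part.strip() for part in set_cookie.split(";")]
    # Attribute names are case-insensitive, so compare them lower-cased.
    present = {attr.partition("=")[0].strip().lower() for attr in attrs}
    return pair.partition("=")[0], [f for f in COOKIE_FLAGS if f.lower() not in present]


def harden_cookie(set_cookie):
    """Return the Set-Cookie value with any missing HttpOnly/Secure appended."""
    _, missing = missing_flags(set_cookie)
    return "; ".join([set_cookie.rstrip("; ")] + missing)


def audit(raw):
    """Return findings worded like the scanner's console output."""
    headers, cookies = parse_head(raw)
    issues = [f"{h} is not set" for h in REQUIRED_HEADERS if h.lower() not in headers]
    for value in cookies:
        name, missing = missing_flags(value)
        issues += [f"{flag} flag is not set in the cookie : {name}" for flag in missing]
    return issues


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_RESPONSE)))
    print(harden_cookie("lihi_session=constructed; Path=/"))
```

Only add HttpOnly to cookies that client-side script does not need to read; the session cookie in the report is the typical case where it belongs.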