Security Penetration Testing Blog

Disable deprecated SSL Protocol Versions
Apr 03, 2021 / Borislav Kiprin

An SSL/TLS version offered by the server is outdated. The deprecated versions contain weak implementations that cannot be considered secure anymore. Make sure that your web server offers only recent and strong protocol versions.

Configure SSL Cipher Order
/ Borislav Kiprin

No cipher order is set for the HTTPS ciphers, or the cipher order includes an insecure cipher. This means that an attacker could make use of an insecure SSL/TLS connection.

Manage TLS Warning
/ Borislav Kiprin

Your website produces an SSL/TLS warning. A warning from the SSL/TLS scanner does not indicate a direct vulnerability but highlights a potential issue that needs to be manually reviewed.

Enable Security Headers
/ Borislav Kiprin

Security headers can effectively prevent a variety of hacking attempts. You should consider headers like Strict-Transport-Security, Content-Security-Policy, X-Frame-Options or X-XSS-Protection.

Disable SSL RC4
Apr 02, 2021 / Borislav Kiprin

The server supports RC4 (Rivest Cipher 4), a stream cipher that is considered insecure due to multiple known vulnerabilities.

Disable SSL Insecure Algorithm
/ Borislav Kiprin

One of your used encryption algorithms has severe security issues.

Prevent Ticketbleed
/ Borislav Kiprin

The proprietary F5 TLS stack is vulnerable to ticketbleed. It exposes 31 bytes per request to the attacker and will ultimately invalidate the encryption.

/ Borislav Kiprin

DROWN (Decrypting RSA with Obsolete and Weakened encryption) is an attack on the old SSL v2 protocol version. Read here how you can prevent SSL DROWN.

Prevent SSL SWEET32
/ Borislav Kiprin

Short block sizes make the web server vulnerable to collisions, where multiple inputs produce the same output. By observing the data for a longer period of time, an attacker can recover secure HTTP cookies.

/ Borislav Kiprin

ROBOT (Return of Bleichenbacher’s Oracle Threat) is the reappearance of a vulnerability in SSL/TLS that first appeared in 1998. This article explains how you can prevent SSL ROBOT.