fluidasserts.proto.ssl module

This module allows to check SSL vulnerabilities.

Heartbleed code inspired from original PoC by Jared Stafford (jspenguin@jspenguin.org)

fluidasserts.proto.ssl.allows_anon_ciphers(site, port=443)

Check if site accepts anonymous cipher suites.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if we were able to connect via SSL using an anonymous cipher suite.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.proto.ssl.allows_insecure_downgrade(site, port=443)

Check if site has support for TLS_FALLBACK_SCSV extension.

See: TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if server does not support TLS_FALLBACK_SCSV.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.proto.ssl.allows_modified_mac(site, port=443)

Check if site allows messages with modified MAC.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if the server accepts a socket with a modified MAC.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.proto.ssl.allows_weak_ciphers(site, port=443)

Check if site accepts weak cipher suites.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if we are able to connect via RC4, Triple DES, or Null cipher suites.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.proto.ssl.has_beast(site, port=443)

Check if site allows BEAST attack.

See our blog entry on BEAST.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if CBC mode is used together with SSL.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.proto.ssl.has_breach(site, port=443)

Check if BREACH category of vulnerabilities is present.

Remember that to be vulnerable, a web application must:

  • Be served from a server that uses HTTP-level compression.

  • Reflect user-input in HTTP response bodies.

  • Reflect a secret (such as a CSRF token) in HTTP response bodies.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if the page is served with HTTP compression enabled, requirements two and three are up to the human to be verified.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.proto.ssl.has_freak(site, port=443)

Check if site allows FREAK attack.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if we are able to make the server return a response with a length longer than sent (a.k.a. FREAK Attack).

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.proto.ssl.has_heartbleed(site, port=443)

Check if site allows Heartbleed attack.

See our blog entry on Heartbleed.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if we are able to make the server return a response with a length longer than sent (a.k.a. Heartbleed Attack).

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.proto.ssl.has_poodle_sslv3(site, port=443)

Check if POODLE SSLv3 is present.

See our blog entry on POODLE.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if the server is vulnerable to POODLE SSL v3 Attack.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.proto.ssl.has_poodle_tls(site, port=443)

Check if POODLE TLS is present.

See our blog entry on POODLE.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if the server is vulnerable to POODLE TLS Attack.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.proto.ssl.has_sweet32(site, port=443)

Check if server is vulnerable to SWEET32.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if server supports Triple DES ciphers.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.proto.ssl.has_tls13_downgrade_vuln(site, port=443)

Check if server is prone to TLSv1.3 downgrade attack.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if server supports multiple TLS versions and supports RSA keys without (EC)DH(E) cipher suites.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.proto.ssl.is_pfs_disabled(site, port=443)

Check if the Key Exchange algorithm used provide Perfect Forward Secrecy.

Currently, this algorithms are:

  • Ephemeral Diffie-Hellman with RSA (DHE-RSA)

  • Elliptic Curve Digital Signature Algorithm with RSA (ECDSA-RSA)

  • Elliptic-curve Diffie–Hellman Anonymous (ECDH-Anon)

  • Diffie–Hellman Anonymous (DH-Anon)

See: RFC-4492.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if the Key Exchange algorithms used while communicating with the server is one of DHE-RSA, ECDSA-RSA, ECDH-Anon, or DH-Anon (Which provide Perfect Forward Secrecy).

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.proto.ssl.is_sslv3_enabled(site, port=443)

Check if SSL v3 suites are enabled.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if we are able to stablish a connection using SSL v3 to the server.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.proto.ssl.is_tlsv11_enabled(site, port=443)

Check if TLSv1.1 suites are enabled.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if we are able to connect to the server using TLS v1.1.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.proto.ssl.is_tlsv1_enabled(site, port=443)

Check if TLSv1 suites are enabled.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if we are able to connect to the server using TLS v1.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.proto.ssl.not_tls13_enabled(site, port=443)

Check if server supports connections via TLS v1.3.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if server has support for TLS v1.3.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.proto.ssl.tls_uses_cbc(site, port=443)

Check if TLS connection uses CBC mode of operation.

Using TLS with ciphers in CBC mode may yield to GOLDENDOODLE and Zombie POODLE attacks.

Parameters
  • site (str) – Address to connect to.

  • port (int) – If necessary, specify port to connect to.

Returns

  • OPEN if server supports ciphers in CBC mode.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result