Security Test: TLS Configuration Server Defaults¶

Scanner(s) Support¶

GraphQL Scanner	REST Scanner	Frontend Scanner

Description¶

Default Severity:

When TLS isn’t set up with proper care, even a connection that looks secure might let attackers peek or tamper with messages. Developers often rely on defaults when configuring TLS, but if the protocols, keys, or certificates aren’t carefully managed or updated, an attacker could trick the system, intercept sensitive credentials, or impersonate a server. In other words, a poorly configured TLS setup opens the door to potential man-in-the-middle attacks, misused certificates, and overall loss of confidence in secure communications, which could ultimately lead to data breaches or unauthorized access.

Reference:

https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
- https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection
- https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

Configuration¶

Identifier: protocol/tls_configuration_server_default

Examples¶

All configuration available:

checks:
  protocol/tls_configuration_server_default:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API8:2023
OWASP LLM Top 10	LLM06:2023
PCI DSS	`4.1`
GDPR	`Article-32`
SOC2	`CC6`
PSD2	`Article-95`
ISO 27001	`A.10.1`
NIST	`SP800-52`
FedRAMP	`SC-8`
CWE	`319`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`
CVSS Score	`5.3`