Protocol: TLS Protocol Configuration

Identifier: tls_configuration_key

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

TLS configuration issues occur when sensitive data is sent over the network without proper protection, and developers might accidentally leave weak settings in place. Although HTTPS is supposed to keep data safe and verify server identity through certificates, bad configurations (outdated protocols, weak encryption ciphers, or mismanaged certificates) can open the door to attackers. If HTTPS isn't set up correctly, attackers might sniff data or perform impersonation attacks, making it risky to transmit credentials or other private information. Developers often overlook the details of choosing the right protocols and checking certificates, leading to vulnerabilities that could be exploited if not fixed.
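
The three classes of misconfiguration named above (outdated protocols, weak ciphers, mismanaged certificates) can be checked on a client-side Python `ssl.SSLContext`. This is an added example, not code from the scanner or its documentation; the function names, finding labels, and the TLS 1.2 and 128-bit floors are assumptions of this example.

```python
import ssl

MIN_TLS = ssl.TLSVersion.TLSv1_2   # assumed policy floor for this example
MIN_CIPHER_BITS = 128              # assumed policy floor for this example

def audit_context(ctx):
    """Return a list of findings for a client-side SSLContext (empty = clean)."""
    findings = []
    # Outdated protocols: the context will negotiate versions below the floor.
    if ctx.minimum_version < MIN_TLS:
        findings.append("outdated-protocol")
    # Mismanaged certificates: the peer's chain is never validated.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate-not-verified")
    # A valid chain issued for another host still permits impersonation.
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")
    # Weak ciphers: any enabled suite below the strength floor.
    weak = [c["name"] for c in ctx.get_ciphers()
            if c["strength_bits"] < MIN_CIPHER_BITS]
    if weak:
        findings.append("weak-ciphers:" + ",".join(sorted(weak)))
    return findings

def weak_client_context():
    """Constructed example of the settings this kind of check is meant to catch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate
    # Allow the oldest protocol version the linked TLS library offers.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx

def hardened_client_context():
    """Corrected counterpart: verified peer, TLS 1.2+, AEAD suites only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = MIN_TLS
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # forward-secret AEAD suites
    return ctx

if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "no findings")
```

The weak-cipher finding depends on which suites the local OpenSSL build still offers, so it may not appear for the weak context on a modern system.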

Configuration

Example

Example configuration:

---
security_tests:
  tls_configuration_key:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.