RPI Labs: OWASP Mutillidae II
Version: 2.11.14 Security Level: 0 (Hosed)
SSL Misconfiguration
Some web servers which require SSL to secure transmissions are misconfigured
to allow users to browse over HTTP. The application may use redirection code
to redirect users from HTTP to HTTPS. Mutillidae uses the following code in
index.php.
// $_SERVER['HTTPS'] is set to "on" only when the request itself arrived over TLS;
// over plain HTTP it is absent, so the redirect below fires.
if ($_SERVER['HTTPS'] != "on") {
    // Rebuild the requested URL with the https scheme and send the browser there.
    $lSecureRedirect = "https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header("Location: $lSecureRedirect"); // PHP sends this as a 302 (temporary) redirect by default
    exit();
} // end if
If a malicious agent is able to set up a MITM connection between the user's browser
and the web server, a program such as SSLStrip can detect the redirection from HTTP to
HTTPS and downgrade the user's connection, so the user keeps talking plain HTTP to the
attacker while the attacker talks HTTPS to the server.
Besides relying on a redirect from HTTP to HTTPS, other misconfigurations include
using weak ciphers or running vulnerable, unpatched TLS software (e.g. Heartbleed). Part
of testing web application security is testing for misconfigured HTTPS.
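As an added example (not Mutillidae's own code), the following Python checker audits captured HTTP response heads for the weaknesses described above: whether a plain-HTTP request is answered with a permanent redirect to HTTPS, and whether the HTTPS response carries a Strict-Transport-Security policy that removes the plain-HTTP round trip an SSLStrip-style downgrade depends on. The sample response heads, the `audit` function and the one-year max-age floor are constructed assumptions for this example.

```python
"""Audit captured HTTP response heads for HTTPS misconfigurations (constructed example)."""
import re
from urllib.parse import urlparse

HSTS_MIN_AGE = 31536000  # one year; assumed floor (matches the HSTS preload requirement)


def parse_head(raw):
    """Split a raw HTTP/1.1 response head into (status_code, {lowercase-name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit(raw, scheme):
    """Return finding codes for a response head served to a request made over `scheme`."""
    status, headers = parse_head(raw)
    findings = []
    if scheme == "http":
        target = urlparse(headers.get("location", "")).scheme
        if status not in (301, 302, 303, 307, 308):
            findings.append("no-https-redirect")   # page content served in the clear
        elif target != "https":
            findings.append("redirect-not-https")  # redirect target is still plain HTTP
        elif status not in (301, 308):
            findings.append("temporary-redirect")  # 302 is not cached; next visit is strippable again
        if "strict-transport-security" in headers:
            findings.append("hsts-on-http")        # browsers ignore HSTS received over HTTP
    else:
        hsts = headers.get("strict-transport-security")
        if hsts is None:
            findings.append("hsts-missing")        # each fresh visit starts with an HTTP request
        else:
            m = re.search(r"max-age=(\d+)", hsts, re.I)
            age = int(m.group(1)) if m else 0
            if age < HSTS_MIN_AGE:
                findings.append("hsts-short-max-age")
            if "includesubdomains" not in hsts.lower():
                findings.append("hsts-no-subdomains")  # subdomains remain downgradable
    return findings


# Constructed sample response heads: a Mutillidae-style 302 redirect, and a hardened HTTPS reply.
REDIRECT_ONLY = "HTTP/1.1 302 Found\r\nLocation: https://example.test/index.php\r\nContent-Type: text/html\r\n"
HARDENED = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\nContent-Type: text/html\r\n"

if __name__ == "__main__":
    print(audit(REDIRECT_ONLY, "http"), audit(HARDENED, "https"))
```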