Objective
Learn how to exploit Insufficient Transport Layer Protection caused by weak or misconfigured SSL/TLS encryption to intercept sensitive information. Understand best practices for securing SSL/TLS configurations.
Scenario
You are evaluating a web application that uses outdated SSL/TLS configurations. Due to the use of weak ciphers and protocols, attackers can intercept and decrypt sensitive data, such as login credentials and session tokens. Your task is to exploit this misconfiguration and learn how to secure transport layer communication.
Lab Setup
Prerequisites:
- Basic knowledge of SSL/TLS protocols.
- XAMPP/LAMP/WAMP stack with SSL module enabled.
- Wireshark and Burp Suite installed.
- A code editor (e.g., VSCode, Sublime Text).
Step 1: Configure a Vulnerable Web Server
Enable SSL Module in Apache (XAMPP/LAMP):
Edit the Apache configuration file (httpd-ssl.conf):
Listen 443
<VirtualHost *:443>
    DocumentRoot "C:/xampp/htdocs/insecure"
    ServerName localhost
    SSLEngine on
    SSLCertificateFile "C:/xampp/apache/conf/ssl.crt/server.crt"
    SSLCertificateKeyFile "C:/xampp/apache/conf/ssl.key/server.key"
    SSLProtocol all -SSLv3 -TLSv1.1
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
</VirtualHost>
Vulnerability: SSLv2/SSLv3 or weak ciphers enabled.
Restart Apache Server:
sudo apachectl restart
Create a Login Page:
Create login.php in htdocs/insecure:
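<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Demo only: the credentials are read but never verified.
    $username = $_POST['username'];
    $password = $_POST['password'];
    // Escape the name before echoing it so the page does not reflect markup.
    echo "<h2>Welcome, " . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . "!</h2>";
}
?>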
<form method="POST" action="">
Username: <input type="text" name="username" required><br>
Password: <input type="password" name="password" required><br>
<button type="submit">Login</button>
</form>
Access the Application:
Open https://localhost/login.php.
Exploitation Steps
Step 1: Intercept SSL/TLS Traffic Using Burp Suite
- Open Burp Suite and enable the proxy.
- Configure the browser to use Burp Suite as the proxy (127.0.0.1:8080).
- Visit https://localhost/login.php and submit the form.
Expected Result:
- Burp Suite captures the HTTPS request, displaying the plaintext username and password.
Step 2: Analyze Network Traffic with Wireshark
- Open Wireshark and capture packets on the network interface.
- Filter by ssl or tls to analyze encrypted traffic.
- Observe weak cipher negotiation in the SSL handshake.
Expected Result:
- Encrypted traffic uses outdated protocols or weak ciphers, exposing sensitive data.
Solution and Prevention
Problem Analysis
- The server allows insecure SSL/TLS protocols and weak ciphers, enabling traffic interception.
Fixing the Vulnerability
Enforce Strong Protocols (TLS 1.2/1.3):
Update the Apache configuration:
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLHonorCipherOrder on
Use Strong Certificates:
Generate a valid SSL certificate using Let’s Encrypt.
Implement HTTP Strict Transport Security (HSTS):
Add to Apache configuration:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
SSL/TLS Pinning:
Implement SSL/TLS pinning in mobile and web applications to prevent MITM attacks.
Regular Vulnerability Scanning:
Use tools like SSL Labs to scan and improve SSL/TLS configurations.
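An offline check of the two Apache configurations in this lab, as an added example that is not part of the original lab: it resolves SSLProtocol tokens left to right and flags legacy protocols, weak cipher classes, and a missing HSTS header. The function names and the expansion of "all" are assumptions; the real protocol set depends on the Apache and OpenSSL build.

```python
import re

# Assumption: "all" expands to every protocol a current mod_ssl/OpenSSL build
# may offer; the real set depends on the Apache and OpenSSL versions in use.
ALL = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = {"MEDIUM", "LOW", "EXPORT", "EXP", "RC4", "MD5", "aNULL", "eNULL"}

def directive(conf, name):
    """Return the argument string of the last `name` directive, or None."""
    found = re.findall(rf"^\s*{name}\s+(.+?)\s*$", conf, re.M | re.I)
    return found[-1] if found else None

def enabled_protocols(value):
    """Resolve an SSLProtocol value token by token, left to right."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        group = set(ALL) if name.lower() == "all" else {name}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:                      # a bare name replaces the set built so far
            enabled = group
    return enabled

def audit(conf):
    """Return a sorted list of findings for one configuration text."""
    findings = []
    # Assumption: a missing SSLProtocol directive is treated as "all".
    protocols = enabled_protocols(directive(conf, "SSLProtocol") or "all")
    for proto in sorted(protocols & WEAK_PROTOCOLS):
        findings.append(f"protocol {proto} enabled")
    ciphers = directive(conf, "SSLCipherSuite") or ""
    for token in re.split(r"[:,\s]+", ciphers):
        if token in WEAK_CIPHER_TOKENS:          # negated tokens start with "!"
            findings.append(f"cipher class {token} allowed")
    if "strict-transport-security" not in conf.lower():
        findings.append("HSTS header not set")
    return sorted(findings)

# The directives from this lab's vulnerable and fixed configurations.
VULNERABLE = "SSLProtocol all -SSLv3 -TLSv1.1\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5\n"
FIXED = ("SSLProtocol -all +TLSv1.2 +TLSv1.3\nSSLCipherSuite HIGH:!aNULL:!MD5:!RC4\n"
         'Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"\n')

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, audit(conf))
```

For the vulnerable configuration the check reports TLSv1 as still enabled, because "all -SSLv3 -TLSv1.1" never removes it; the fixed configuration produces no findings.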
Testing After Fix
- Restart the server with updated SSL configurations.
- Attempt to intercept traffic using Burp Suite and Wireshark.
- Expected Result:
- Burp Suite and Wireshark fail to capture or decrypt data due to strong encryption.
Conclusion
In this lab, you exploited an Insufficient Transport Layer Protection vulnerability to intercept sensitive data. You also learned how to secure SSL/TLS configurations by enforcing strong protocols, using secure ciphers, implementing HSTS, and adopting SSL/TLS pinning.