OWASP Mutillidae II: Keep Calm and Pwn On
Version: 2.6.62 Security Level: 0 (Hosed)
SSL Misconfiguration
Some web servers which require SSL to secure transmissions are misconfigured to allow users to browse over HTTP. The application may use redirection code to redirect users from HTTP to HTTPS. Mutillidae uses the following code in index.php.
    if ($_SERVER['HTTPS'] != "on") {
        // Rebuild the requested URL with an https:// scheme and send the browser there
        $lSecureRedirect = "https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        header("Location: $lSecureRedirect");
        exit();
    } // end if
If a malicious agent is able to set up a MITM connection between the user's browser and the web server, a program such as SSLStrip can detect the redirection from HTTP to HTTPS and downgrade the user's connection, because the attacker sees the plain-HTTP request and the redirect before the browser ever reaches HTTPS.
Besides failing to redirect users from HTTP to HTTPS, other misconfigurations include using weak ciphers or running vulnerable, unpatched software (e.g. Heartbleed). Part of testing web application security is testing for misconfigured HTTPS.
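The redirect above is the only defence Mutillidae's index.php applies, and it is exactly what SSLStrip exploits. The following is an added example, not Mutillidae's own code: the same redirect hardened with an HSTS header so the browser refuses plain HTTP on later visits, with a configured canonical hostname (`$gCanonicalHost`, an assumed value) instead of the client-supplied Host header.

```php
<?php
// Added example (not from Mutillidae): hardened HTTP-to-HTTPS redirect.
// Assumption: $gCanonicalHost is the site's real hostname, set in config,
// so the redirect target cannot be steered by a forged Host header.
$gCanonicalHost = 'www.example.test';

function isHttps(): bool {
    // Many servers leave $_SERVER['HTTPS'] unset (not "off") for plain HTTP.
    // empty() avoids both a PHP notice and a false "secure" result.
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

if (!isHttps()) {
    // Redirect to the canonical host, keeping the requested path and query.
    // 301 lets browsers cache the upgrade; the redirect alone still cannot
    // stop a downgrade on the first plain-HTTP request.
    $lSecureRedirect = 'https://' . $gCanonicalHost . $_SERVER['REQUEST_URI'];
    header('Location: ' . $lSecureRedirect, true, 301);
    exit();
}

// Only reached over HTTPS. Browsers ignore Strict-Transport-Security sent
// over plain HTTP, so it must be emitted here, on the secure response.
//   max-age=31536000   remember the policy for one year
//   includeSubDomains  apply it to every subdomain as well
//   preload            required if the host is submitted to the browser
//                      preload list, which is what closes the first-visit
//                      window that HSTS alone leaves open
header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
```

Once the browser has stored the policy, it rewrites http:// links to https:// itself, so there is no plain-HTTP request or redirect left for an SSLStrip-style intermediary to intercept.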