The scanner encountered one or more insecure redirects during the application crawl which means the redirection chain is not fully done with HTTPS. During an insecure redirection anyone could establish a man-in-the-middle attack against the remote host.

The remote host supports SSL/TLS key exchanges that are cryptographically weaker than recommended. Key exchanges must be recommended by IANA and should provide at least 224 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges.

OpenAPI specification is an API description format for REST APIs. An OpenAPI file is written in YAML or JSON and describes all the API properties like the available endpoints with the related operations or the authentication methods.

As for web applications, allowing unencrypted protocols to access an API leaves it open to Man in the Middle attacks (MITM), impacting both the confidentiality and the integrity of the traffic. The scanner analyzed an OpenAPI file and detected the lack of encryption in the API endpoints URL used.

The remote server presents an SSL/TLS certificate with wildcard entries. The use of a wildcard character in a entry permits a certificate to cover a number of subdomains of a domain.

The remote server TLS certificate does not have a Extended Key Usage (EKU) extension specifying the id-kp-serverAuth OID.

The remote server is not configured with a SSL/TLS cipher suite preference list, making the cipher suite selection during the negotiation use the ordered list from the client.

The remote server is configured with a SSL/TLS cipher suite preference list used to determine the cipher suite during the negotiation with the client.

The remote server certificate has a lifetime greater than 398 days and was issued after September 1st 2020. According to industry standards set by the Certification Authority/Browser (CA/B) Forum, some browser SSL implementations may reject certificates with a validity period greater than 398 days issued after September 1, 2020.

The remote host use at least one SSL/TLS ciphers that does not offer forward secrecy (FS) also known as perfect forward secrecy (PFS). It's a feature that provides assurances the session keys will not be compromised even if the server’s private key is compromised.

The remote server does not offer TLS 1.2 protocol which is required to provide good encryption security

HTTPS is enabled on the website however HTTP requests are not redirected to HTTPS. Communications are not encrypted if users doesn't explicitly access to HTTPS version of the website.

Note: This plugin does not handle customs ports, and therefore only performs checks when a scan is run on standard ports (80/443).

HTTPS is a protocol that protects the integrity and confidentiality of data between client and server. HTTPS is highly recommended to protect connections to website regardless of its content.

The remote server presents a SSL/TLS certificate for which the Common Name and the Subject Alternative Name don't match the server's hostname.

The remote server uses an SSL/TLS certificate that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service.

The remote server certificate has a key that is shorter than 2048 bits. According to industry standards set by the Certification Authority/Browser (CA/B) Forum, certificates issued after January 1, 2014 must be at least 2048 bits. Some browser SSL implementations may reject keys less than 2048 bits after January 1, 2014. Additionally, some SSL certificate vendors may revoke certificates less than 2048 bits before January 1, 2014.

The remote host supports the use of SSL/TLS ciphers that offer weak encryption (including RC4 and 3DES encryption).

The remote host supports the use of SSL/TLS ciphers that offer insecure encryption (export cipher suites and encryption less than 128 bits).

The remote host supports the use of SSL/TLS ciphers that offer no encryption at all.

The remote host supports the use of SSL/TLS ciphers that offer no authentication at all.

This plugin displays supported SSL/TLS cipher suites.

The remote server presents a self-signed SSL/TLS certificate not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL/TLS as anyone could establish a man-in-the-middle attack against the remote host.

The remote server presents an expired SSL/TLS certificate.

This plugin displays information about the SSL/TLS versions supported by remote server for HTTPS connection.

The remote server offers deprecated TLS 1.0 protocol which can lead to weaknesses.

The remote server offers insecure SSL protocol version which can lead to vulnerability exploitation.

This plugin displays information about the X.509 certificate extracted from the HTTPS connection.

The remote server offers deprecated TLS 1.1 protocol.

ID	Name	Severity
113219	Insecure Redirect Chain	medium
113316	SSL/TLS Weak Key Exchange Supported	low
113143	OpenAPI Unencrypted Traffic Allowed	high
113045	SSL/TLS Certificate Contains Wildcard Entries	info
112650	TLS Web Server Authentication Extension Not Supported	info
112599	SSL/TLS Server Cipher Suite Preference Not Detected	info
112598	SSL/TLS Server Cipher Suite Preference	info
112563	SSL/TLS Certificate Lifetime Greater Than 398 Days	low
98617	SSL/TLS Forward Secrecy Cipher Suites Not Supported	medium
98616	TLS 1.2 Not Supported Protocol	low
112544	HTTP to HTTPS Redirect Not Enabled	medium
112543	HTTPS Not Detected	high
112541	SSL/TLS Certificate Common Name Mismatch	medium
112542	SSL/TLS Certificate Signed Using Weak Hashing Algorithm	medium
112540	SSL/TLS Certificate RSA Keys Less Than 2048 bits	low
112539	SSL/TLS Weak Cipher Suites Supported	low
112538	SSL/TLS Insecure Cipher Suites Supported	medium
112537	SSL/TLS Null Cipher Suites Supported	medium
112536	SSL/TLS Anonymous Cipher Suites Supported	medium
115491	SSL/TLS Cipher Suites Supported	info
112495	SSL/TLS Self-Signed Certificate	medium
112493	SSL/TLS Certificate Expired	medium
112530	SSL/TLS Versions Supported	info
112496	TLS 1.0 Weak Protocol	high
112494	SSL Insecure Protocols	medium
112491	SSL/TLS Certificate Information	info
112546	TLS 1.1 Weak Protocol	medium

Detections

Analytics

SSL/TLS Family for Web App Scanning

medium

low

high

info

info

info

info

low

medium

low

medium

high

medium

medium

low

low

medium

medium

medium

info

medium

medium

info

high

medium

info

medium