
Deciphering WebInspect Report

Can you tell me what in the following (from my WebInspect Compliance -DoD Application and Developer STIG v3R9- Report) would show me where a weak SSL Cipher is being used?

Transport Layer Protection: Weak SSL Cipher ( 11285 ) View Description

CWE: 319,326,327

Kingdom: Environment

Page: https://tservice.servername.us:443/AXXE/Scripts%5CSilverlight.js

Request:

GET /AXXE/Scripts%5CSilverlight.js HTTP/1.1

Report Date: 4/29/2015 7

Host: tservice.servername.us

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101

Firefox/30.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: https://tservice.servername.us/AXXE/default.aspx

Pragma: no-cache

Cookie: ASP.NET_SessionId=kz1brcrzlhxs4v5yiwbsnoty;

.ASPXAUTH=52366DDAFDBA4873E033188D62F655E1448C47710DA9C5FD5CA669FF6F370DA8C6

5CFD0A89955E1EB747A37B211446E901AA9E2D2E34DC8D80A7EB8322EC5AA4BC01DDEB34BC31

676497EED63D8FD21EFEF2520FC5B4C83FE01107E814DB7E675C9932B5C18BF906E2031E39CC

64D736E7B2210D6E95087DCAC2C5752B7D6F87FAB3B904A1FFB7438F01CC67DC1A075C

Connection: keep-alive

X-WIPP: AscVersion=10.40.244.10

X-Scan-Memo: Category="Crawl.EventMacro.Startup";

SID="00000000000000000000000000000000"; SessionType="StartMacro";

CrawlType="None";

X-RequestManager-Memo: Category="EventMacro.Login";

MacroName="AXXELoginMacro";

X-Request-Memo: ID="885cc9f2-c53f-4f70-acd0-3227d5951837"; ThreadId="71";

Response:

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Last-Modified: Mon, 22 Sep 2014 16:54:16 GMT

Accept-Ranges: bytes

ETag: "601575d885d6cf1:0"

Server: Microsoft-IIS/7.0

X-Powered-By: ASP.NET

access-control-allow-origin: *

access-control-allow-headers: content-type

Date: Wed, 29 Apr 2015 21:38:16 GMT

Content-Length: 7684

//v2.0.30511.0

// Silverlight.js v2.0.30511.0 (Microsoft), reformatted from the minified
// response body captured in the scanner finding above. Behaviour is unchanged;
// only layout, comments and local names differ. Spots where the report's PDF
// extraction garbled the text are marked NOTE(review).
if (!window.Silverlight) window.Silverlight = {};

Silverlight._silverlightCount = 0;
Silverlight.__onSilverlightInstalledCalled = false;
Silverlight.fwlinkRoot = "https://go2.microsoft.com/fwlink/?LinkID=";
Silverlight.__installationEventFired = false;
Silverlight.onGetSilverlight = null;

// Default "installed" handler: reload the current page (cache allowed).
Silverlight.onSilverlightInstalled = function () {
  window.location.reload(false);
};

/**
 * Reports whether the Silverlight plug-in is present and, when a version
 * string is given, whether the installed plug-in satisfies it.
 * @param {string|null|undefined} requestedVersion - dotted version string; null/undefined means "any version".
 * @returns {boolean} true when a usable plug-in was found; any exception raised while probing yields false.
 */
Silverlight.isInstalled = function (requestedVersion) {
  var wanted = requestedVersion == null ? null : requestedVersion;
  var installed = false;
  try {
    var control = null;
    var probePlugins = false;
    if (window.ActiveXObject) {
      // Internet Explorer: instantiate the control and ask it directly.
      try {
        control = new ActiveXObject("AgControl.AgControl");
        if (wanted === null) {
          installed = true;
        } else if (control.IsVersionSupported(wanted)) {
          installed = true;
        }
        control = null;
      } catch (err) {
        // Control not registered or blocked; fall back to navigator.plugins.
        probePlugins = true;
      }
    } else {
      probePlugins = true;
    }
    if (probePlugins) {
      var plugin = navigator.plugins["Silverlight Plug-In"];
      if (plugin) {
        if (wanted === null) {
          installed = true;
        } else {
          var found = plugin.description;
          // The 1.0.30226.2 plug-in is treated as the equivalent 2.0 build.
          if (found === "1.0.30226.2") found = "2.0.30226.2";
          // Normalise the installed version to exactly four components.
          var foundParts = found.split(".");
          while (foundParts.length > 3) foundParts.pop();
          while (foundParts.length < 4) foundParts.push(0);
          var wantedParts = wanted.split(".");
          while (wantedParts.length > 4) wantedParts.pop();
          // Walk the components left to right until the first difference.
          var wantedPart;
          var foundPart;
          var idx = 0;
          do {
            wantedPart = parseInt(wantedParts[idx]);
            foundPart = parseInt(foundParts[idx]);
            idx++;
          } while (idx < wantedParts.length && wantedPart === foundPart);
          if (wantedPart <= foundPart && !isNaN(wantedPart)) installed = true;
        }
      }
    }
  } catch (err) {
    installed = false;
  }
  return installed;
};

/**
 * Polls every 3 s until the plug-in becomes available after an install and
 * then fires onSilverlightInstalled exactly once. Does nothing when a browser
 * restart is already known to be required or no installed-handler is set.
 */
Silverlight.WaitForInstallCompletion = function () {
  if (Silverlight.isBrowserRestartRequired || !Silverlight.onSilverlightInstalled) return;
  try {
    navigator.plugins.refresh();
  } catch (err) {
    // refresh() is not available in every browser; ignore and keep polling.
  }
  if (Silverlight.isInstalled(null) && !Silverlight.__onSilverlightInstalledCalled) {
    Silverlight.onSilverlightInstalled();
    Silverlight.__onSilverlightInstalledCalled = true;
  } else {
    setTimeout(Silverlight.WaitForInstallCompletion, 3e3);
  }
};

/**
 * Load-time probe: decides whether Silverlight is missing, needs an upgrade or
 * needs a browser restart and fires the matching on* callback at most once
 * (guarded by __installationEventFired). Detaches itself from the load event
 * afterwards unless disableAutoStartup is set.
 */
Silverlight.__startup = function () {
  navigator.plugins.refresh();
  Silverlight.isBrowserRestartRequired = Silverlight.isInstalled(null);
  if (!Silverlight.isBrowserRestartRequired) {
    Silverlight.WaitForInstallCompletion();
    // NOTE(review): this branch is garbled in the report's PDF extraction; it is
    // reconstructed from the visible onInstallRequired reference and the
    // identical onUpgradeRequired / onRestartRequired branches below.
    if (!Silverlight.__installationEventFired) {
      Silverlight.onInstallRequired();
      Silverlight.__installationEventFired = true;
    }
  } else if (window.navigator.mimeTypes) {
    // NOTE(review): the dump wraps the first MIME type as "xsilverlight-" / "2";
    // it is written here to match the two beta entries that follow — confirm
    // against the served file.
    var release = navigator.mimeTypes["application/x-silverlight-2"];
    var beta2 = navigator.mimeTypes["application/x-silverlight-2-b2"];
    var beta1 = navigator.mimeTypes["application/x-silverlight-2-b1"];
    var newestBeta = beta2 || beta1;
    if (!release && (beta1 || beta2)) {
      // Only a beta plug-in is registered: ask for an upgrade.
      if (!Silverlight.__installationEventFired) {
        Silverlight.onUpgradeRequired();
        Silverlight.__installationEventFired = true;
      }
    } else if (
      release && newestBeta &&
      release.enabledPlugin && newestBeta.enabledPlugin &&
      release.enabledPlugin.description != newestBeta.enabledPlugin.description &&
      !Silverlight.__installationEventFired
    ) {
      // Release and beta registrations disagree: a restart is needed.
      Silverlight.onRestartRequired();
      Silverlight.__installationEventFired = true;
    }
  }
  if (!Silverlight.disableAutoStartup) {
    if (window.removeEventListener) {
      window.removeEventListener("load", Silverlight.__startup, false);
    } else {
      window.detachEvent("onload", Silverlight.__startup);
    }
  }
};

// Register the startup probe on page load (attachEvent for legacy IE).
if (!Silverlight.disableAutoStartup) {
  if (window.addEventListener) {
    window.addEventListener("load", Silverlight.__startup, false);
  } else {
    window.attachEvent("onload", Silverlight.__startup);
  }
}

// createObject continues below in its original minified form; its body runs
// past the end of the captured response excerpt.
Silverlight.createObject = function

(m,f,e,k,l,h,j){var d=

{},a=k,c=l;d.version=a.version;a.source=m;d.alt=a.alt;if(h)a.initParams=h;if

(a.isWindowless&&!a.windowless)a.windowless=a.isWindowless;if(a.framerate&&!

  1. a.maxFramerate)a.maxFramerate=a.framerate;if(e&&!a.id)a.id=e;delete
  2. a.ignoreBrowserVer;delete a.inplaceInstallPrompt;delete a.version;delete
  3. a.isWindowless;delete a.framerate;delete a.data;delete a.src;delete a.alt;if

(Silverlight.isInstalled(d.version)){for(var b in c)if(c[b]){if

(b=="onLoad"&&typeof c[b]=="function"&&c[b].length!=1){var i=c[b];c[b]

=function(a){return i(document.getElementById(e),j,a)}}var

g=Silverlight.__getHandlerName(c[b]);if(g!=null){a[b]=g;c[b]=null}else

throw"typeof events."+b+" must be 'function' or 'string'";}


I believe this check is based on background activity by the scanner and so its details are not captured as part of the web page's HTTP Response, and therefore not present in the Report.  This particular check also came up in a public User Forum last year, with almost the same question.

From the Policy Manager, searching for check# 11285, it reads that the Execution was, "Each weak cipher was enumerated by establishing an SSL connection with the target host and specifying the cipher to test in the Client Hello message of the SSL handshake."  The cipher is in the server itself, not necessarily this particular web page.  It may just be at this page when WebInspect decided to check the cipher strengths, I do not know.

To check this I would open the Server Analyzer tool found in WebInspect's Tools menu and run that against the host/web site.

Here is some material taken from that older discussion.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

An alternative way to review this issue, and prior to the creation of the TLS checks - the only way, would be to run the Server Analyzer tool against the site.  This will display the certificates encountered during that brief test as well as the encryption levels accepted by the server.  It is then up to your organization to know what is the minimum level of encryption you wish to accept or provide to your users, based on industry best practices.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

According to the document, these are true positives. WI is flagging weak protocol because the server has SSLv2 enabled. SSLv2 is broken and should be disabled completely. Weak cipher is flagging because RC4 and 3DES are enabled. These are recommended to be disabled in favor of stronger algorithms such as AES. For more information on testing for weak ciphers and protocols, please review this OWASP wiki page:

https://www.owasp.org/index.php/Testing_for_Weak_SSL/TSL_Ciphers,_Insufficient_Transport_Layer_Prote...

As for how to fix this in IIS 7.5, I have not tried it, but see if this Stack Overflow thread helps:

http://security.stackexchange.com/questions/14326/how-to-fix-ssl-2-0-and-beast-on-iis

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Yes.  The solution works and the issues have been resolved. I also got the fix steps from IIS:

http://forums.iis.net/t/1151822.aspx.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Yes, we analyze ciphers for all protocol suites, SSLv2, SSLv3, TLS1, and in WebInspect 10.20+ TLS1.1 and TLS1.2.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify

If you want more specifics about which particular ciphers are failing you could also run nmap and have it check for weak ssl ciphers. Here are the scripts I specify:

nmap -p 22,80,443,465,585,990,993,995 -v --script ssh2-enum-algos,sshv1,ssl-cert,ssl-enum-ciphers,ssl-heartbleed,ssl-known-key,sslv2 <target Host/IP>

This should return which are strong/weak and you can configure the server to disallow the weak ones. You can run IIS Crypto from NARTAC to see what's currently configured on the server and make changes (reboot afterwards if you make changes).
