
Deciphering WebInspect Report

Can you tell me what in the following (from my WebInspect Compliance Report for the DoD Application and Developer STIG v3R9) would show me where a weak SSL cipher is being used?

Transport Layer Protection: Weak SSL Cipher (11285)
CWE: 319, 326, 327
Kingdom: Environment
Report Date: 4/29/2015

GET /AXXE/Scripts%5CSilverlight.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Pragma: no-cache
Cookie: ASP.NET_SessionId=kz1brcrzlhxs4v5yiwbsnoty;
Connection: keep-alive
X-WIPP: AscVersion=
X-Scan-Memo: Category="Crawl.EventMacro.Startup"; SID="00000000000000000000000000000000"; SessionType="StartMacro";
X-RequestManager-Memo: Category="EventMacro.Login";
X-Request-Memo: ID="885cc9f2-c53f-4f70-acd0-3227d5951837"; ThreadId="71";

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Mon, 22 Sep 2014 16:54:16 GMT
Accept-Ranges: bytes
ETag: "601575d885d6cf1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
access-control-allow-origin: *
access-control-allow-headers: content-type
Date: Wed, 29 Apr 2015 21:38:16 GMT
Content-Length: 7684


Micro Focus Expert

I believe this check is based on background activity by the scanner and so its details are not captured as part of the web page's HTTP Response, and therefore not present in the Report.  This particular check also came up in a public User Forum last year, with almost the same question.

From the Policy Manager, searching for check #11285, it reads that the Execution was: "Each weak cipher was enumerated by establishing an SSL connection with the target host and specifying the cipher to test in the Client Hello message of the SSL handshake."  The cipher is in the server itself, not necessarily this particular web page.  It may just be at this page when WebInspect decided to check the cipher strengths, I do not know.

To check this I would open the Server Analyzer tool found in WebInspect's Tools menu and run that against the host/web site.

Here is some material taken from that older discussion.


An alternative way to review this issue (and, prior to the creation of the TLS checks, the only way) would be to run the Server Analyzer tool against the site.  This will display the certificates encountered during that brief test as well as the encryption levels accepted by the server.  It is then up to your organization to know what is the minimum level of encryption you wish to accept or provide to your users, based on industry best practices.


According to the document, these are true positives. WI is flagging weak protocol because the server has SSLv2 enabled. SSLv2 is broken and should be disabled completely. Weak cipher is flagging because RC4 and 3DES are enabled. These are recommended to be disabled in favor of stronger algorithms such as AES. For more information on testing for weak ciphers and protocols, please review this OWASP wiki page: ,_Insufficient_Transport_Layer_Prote...

As for how to fix this in IIS 7.5, I have not tried it, but see if this Stack Overflow thread helps:


Yes.  The solution works and the issues have been resolved. I also got the fix steps from IIS:


Yes, we analyze ciphers for all protocol suites, SSLv2, SSLv3, TLS1, and in WebInspect 10.20+ TLS1.1 and TLS1.2.


-- Habeas Data
Absent Member.

If you want more specifics about which particular ciphers are failing, you could also run nmap and have it check for weak SSL ciphers. Here are the scripts I specify:

nmap -p 22,80,443,465,585,990,993,995 -v --script ssh2-enum-algos,sshv1,ssl-cert,ssl-enum-ciphers,ssl-heartbleed,ssl-known-key,sslv2 <target Host/IP>

This should return which are strong/weak and you can configure the server to disallow the weak ones. You can run IIS Crypto from NARTAC to see what's currently configured on the server and make changes (reboot afterwards if you make changes).
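As an added example (not from this thread, WebInspect or Micro Focus), a small Python parser that reads the `ssl-enum-ciphers` output the command above produces and lists, per protocol, the suites that fail the criteria the thread gives (SSLv2 enabled, RC4, 3DES). The sample output is constructed rather than captured from any host, and the list of weak-suite name markers is my own assumption.

```python
import re

# Constructed sample of `nmap --script ssl-enum-ciphers` output (not from any real host).
SAMPLE_NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|_  least strength: C
"""

# Protocols to disable outright (the thread names SSLv2; SSLv3 is treated the same way).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# Suite-name fragments that mark a suite as weak: RC4 and 3DES (named in the thread),
# plus single DES, export grade, NULL encryption, anonymous key exchange and MD5 MAC.
WEAK_MARKERS = ("RC4", "3DES", "_DES_", "EXPORT", "NULL", "anon", "MD5")

PROTO_RE = re.compile(r"^\|\s{3}(SSLv\d|TLSv1(?:\.\d)?):\s*$")   # "|   TLSv1.2:"
CIPHER_RE = re.compile(r"^\|\s{7}((?:TLS|SSL2)_[A-Za-z0-9_]+)")   # "|       TLS_..."

def weak_reason(cipher):
    """Return the first marker that makes a suite weak, or None if it looks acceptable."""
    return next((marker for marker in WEAK_MARKERS if marker in cipher), None)

def find_weak(nmap_output):
    """Walk ssl-enum-ciphers output; return (protocol, cipher, reason) per finding."""
    findings, protocol = [], None
    for line in nmap_output.splitlines():
        m = PROTO_RE.match(line)
        if m:                       # a new protocol section starts
            protocol = m.group(1)
            continue
        m = CIPHER_RE.match(line)
        if not (m and protocol):    # only suite lines inside a protocol section count
            continue
        cipher = m.group(1)
        if protocol in WEAK_PROTOCOLS:
            findings.append((protocol, cipher, "obsolete protocol " + protocol))
        reason = weak_reason(cipher)
        if reason:
            findings.append((protocol, cipher, "weak cipher (" + reason + ")"))
    return findings
```

Feed it the saved nmap output for your own host and every returned tuple is one suite (or one obsolete protocol) to remove from the server's cipher configuration.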
