Insufficient Transport Layer Protection Vulnerabilities: YouDown With ITLP? (Yeah you know me!)
- Jen C

- Dec 19, 2025
Quick, name that hip hop group! (OK, that might not have been the exact song lyrics, but some of you may have gotten it.)
What is an Insufficient Transport Layer Protection Vulnerability?
This is a security weakness that occurs when an application does not protect its network traffic, which can lead to sensitive data being exposed, intercepted, and used to steal information. The lack of protection can arise for a number of reasons, such as the use of weak encryption algorithms or of unsecured protocols, such as HTTP instead of HTTPS. Fortunately, Insufficient Transport Layer Protections are easy to prevent! Let’s dig in and learn about ITLPs.

Examples:
Not using SSL for all pages that require authentication
Using an improperly configured SSL certificate
Using an unencrypted (standard) database connection
Supporting weak algorithms
Using expired or invalid certificates
Which can lead to...
Man-in-the-Middle (MITM) Attacks: intercepting communication between the client and server, with the ability to read or modify the data in transit and steal all the bad things.
Session Hijacking: stealing the session ID/token used by the client and then using it to impersonate the client and do all the bad things on their behalf.
Malicious Code Injection: an attacker injects malicious code that can steal sensitive data or redirect the user to a malicious website.
Password Snooping: sniffing network traffic to intercept the client’s credentials and gain access to their account without them knowing.
Sniffing Network Traffic: using packet-sniffing tools to extract sensitive information from unencrypted traffic.
Intercepting Cookies: capturing cookies with network-sniffing tools and using them to gain access to accounts.
Session Fixation: tricking a user into using a session ID/token that only the attacker knows, which the attacker can then use to gain access to the victim’s account in the same session; sometimes done via a phishing email.
SSL Stripping: the attacker intercepts a client’s HTTPS request and downgrades it to an unencrypted HTTP request, then reads all the sensitive information in plain text and, of course, gains access to their account.

How do I know if our web application is vulnerable?
Check that every connection is properly encrypted, including connections to third-party servers, not just the servers we own.
Check that all SSL certificates are within their validity period.
Check that no SSL certificates are self-signed; each should be issued by a trusted authority.
Check that SSL uses high-strength ciphers.
Well, this is just...ick. But I DID say it’s easy to prevent!
How to mitigate and protect from ITLPs:
Use SSL/TLS encryption and keep the configuration strong and up to date. Using the latest version of SSL/TLS ensures that the encryption protocols and algorithms are current, and disabling weak cipher suites ensures that SSL/TLS is super strong.
Implement certificate validation to verify that the server’s SSL/TLS certificate has not expired, is signed by a trusted authority, and matches the server’s domain.
Use HSTS on the web server to ensure all communication is encrypted using SSL/TLS and to prevent downgrade attacks.
Use strong passwords and MFA to prevent unauthorized access to servers and web apps that use SSL/TLS encryption.
Remove code that allows the application to accept all certificates.
Use secure cookies marked with the “Secure” and “HttpOnly” flags.
Use the content security policy (CSP) security feature to specify which domains are allowed to execute scripts, load resources, or other features on a web page.
Use network segmentation to prevent attacks on sensitive data and systems.
Keep all software up to date, including SSL/TLS libraries and web app frameworks.
Educate your clients/users on how to identify and avoid phishing and social engineering so they don’t become victims!
Implement an intrusion detection and prevention system.
Use automated vulnerability assessment testing such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), or Application Programming Interface (API) Testing.
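The “accept all certificates” configuration, the strong configuration, and a check that tells them apart, as an added example that is not part of the original post. It uses only Python’s standard ssl module and no network access; the function names and the finding strings are my own.

```python
"""Audit a client-side TLS configuration against the ITLP checklist above.

permissive_context() is the anti-pattern the post warns about (accepts any
certificate, any protocol version); hardened_context() is what to ship;
audit_context() returns the findings a reviewer would flag (empty = passes).
"""
import ssl


def permissive_context() -> ssl.SSLContext:
    """Anti-pattern: no chain validation, no hostname match, legacy versions allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE     # the 'accept all certificates' setting
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever legacy TLS the library still has
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Validates the chain and hostname, refuses pre-TLS 1.2, drops weak suites."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-list syntax; governs the TLS 1.2 suites offered
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of human-readable ITLP findings for the given context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"legacy protocol versions allowed (minimum {ctx.minimum_version.name})")
    # Weak algorithms: anything under 128 bits or a known-broken primitive
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if c["strength_bits"] < 128
                   or any(bad in c["name"] for bad in ("RC4", "3DES", "DES", "MD5", "NULL"))})
    if weak:
        findings.append(f"weak cipher suites enabled: {weak}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_context()), ("hardened", hardened_context())):
        print(label, audit_context(ctx) or "OK")
```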